Russia-Ukraine Malicious Cyber Activity

The Ukrainian government confirmed yesterday afternoon that another large-scale cyber attack is taking place; this is less than a week since websites were last targeted in a similar attack. “We’ve not seen something [like this] that’s taken it to a completely different level,” an official told the BBC.

This large-scale cyber attack preceded Russia’s invasion of Ukraine earlier today, rendering the websites for Ukraine’s defence, foreign, and interior ministries unresponsive or slow to load after suspected distributed denial-of-service (DDoS) attacks struck.

The cyber attacks were long anticipated by officials to precede and accompany the Russian military offensive against Ukraine.

In mid-January, a cyber attack hit 70 central- and local-government websites, leaving many of them crudely defaced. A message appeared, warning Ukrainians to “prepare for the worst”.

Last week, DDoS attacks hit Ukrainian banks and the Ministry of Defence. A Ukrainian cyber security official called it the largest attack of its kind in the country’s history.

“Ukraine has experienced probably more cyber activity than almost any other country,” a Western official told the BBC. “They are very, very used to this.”

Home Secretary Priti Patel says the UK’s opposition to President Putin’s aggression against Ukraine is likely to have consequences at home.

Patel says the warning lights for Russia have been “flashing red” for several years.

“Look at Salisbury, look at the cyber attacks”, she says, “just look at attempts to interfere in our democracy”.

The home secretary adds: “The risk is alive. And on that basis, we are absolutely stepping up everything that we need to domestically.”

It is understood that no new specific threats to the UK, the US, or the West have been identified as a result of the current situation in Ukraine.

The National Cyber Security Centre (NCSC) and other government entities in the West have urged organisations to ensure their cyber security measures are up to date as detailed in our Threat Horizon issued on 18 February.

ITC’s SOC continues to be vigilant regarding the Russia-Ukraine situation and the rapidly evolving cyber threat landscape. Our analysts carry out proactive threat hunting to search for related indicators of compromise and to establish whether there has been any malicious activity targeting our customer networks.

For ITC customers who have our Managed Detection and Response (MDR) service, ITC has heightened surveillance and deployed up-to-date signatures for threat actors such as ACTINIUM (tracked by the Microsoft Threat Intelligence Center). ACTINIUM targets organisations in Ukraine spanning government, military, non-government organisations (NGOs), the judiciary, law enforcement, and non-profits, with the primary intent of exfiltrating sensitive information, maintaining access, and using that access to move laterally into related organisations.

Ukraine has been subject to WhisperGate-related attacks, and security researchers have evidence that the executables used in the attacks are signed by “Hermetica Digital”. Because the Hermetica Digital certificate is on the allowed-certificates list, an executable carrying that certificate bypasses the checks that would otherwise apply. ITC advises setting up blocking for any file whose signer is Hermetica Digital. The signer of a file can be seen in the DeviceFileCertificateInfo table under the Advanced Hunting section of Microsoft Defender.
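The following Advanced Hunting query is an added example written for this post; it is not from the original article, nor from Microsoft or ITC. It looks up files whose Authenticode signer matches the “Hermetica Digital” name given above in DeviceFileCertificateInfo, and joins the matching hashes to DeviceFileEvents to recover the file name and path seen on each device. The 30-day window, the join to DeviceFileEvents, and the chosen output columns are assumptions; the signer string is the one named in the post.

```kql
// Added hunting query (not part of the original post).
// Finds executables whose signing certificate names "Hermetica Digital",
// then enriches each hash with where and when it was observed on disk.
// Column names follow the DeviceFileCertificateInfo / DeviceFileEvents schemas;
// the 30d window and the join are assumptions made for this example.
let lookback = 30d;
let signerName = "Hermetica Digital";   // signer string taken from the post
DeviceFileCertificateInfo
| where Timestamp > ago(lookback)
| where Signer has signerName
| project Timestamp, DeviceName, SHA1, Signer, Issuer, IsTrusted, CertificateSerialNumber
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | project SHA1, FileName, FolderPath, InitiatingProcessFileName
  ) on SHA1
| summarize FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            Devices   = dcount(DeviceName),
            Files     = make_set(FileName, 20),
            Paths     = make_set(FolderPath, 20),
            Parents   = make_set(InitiatingProcessFileName, 20)
          by SHA1, Signer, Issuer, IsTrusted, CertificateSerialNumber
| order by LastSeen desc
```

The query is for finding and scoping, not blocking: a hit shows which hashes, hosts and paths are involved so the SOC can contain affected devices and decide what to block. Note that `IsTrusted` can be true for these files, since the certificate itself validates; a trusted signature is not evidence that the file is benign, which is exactly why the post recommends blocking on the signer name rather than relying on signature validation.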

ITC will work with its MDR customers to communicate mitigations or workarounds that reduce the impact of this threat and of further threats going forward.

For all ITC Managed Service customers, ITC will continue to monitor customer estates and will run regular threat hunting activities to detect and respond accordingly.