
Researchers uncover sophisticated botnet aimed at possible attack inside Ukraine

Protester waving state flag of Ukraine expressing his support during clashes in Kiev, Ukraine. (Wikicommons)

As of right now, any association with a Russian source rests only on coincidental or “loose” evidence.

As for Ukraine being a target, here are Ukraine’s upcoming holidays for May and June 2018:

Date    Day        Holiday                                Type
May 27  Sunday     Orthodox Pentecost                     National holiday, Orthodox
May 27  Sunday     Cultural Workers and Folk Artists Day  Observance
May 27  Sunday     Kiev Day                               Observance
May 28  Monday     Orthodox Pentecost holiday             National holiday, Orthodox
Jun 21  Thursday   June Solstice                          Season
Jun 23  Saturday   Special Working Day                    Observance
Jun 28  Thursday   Constitution Day                       National holiday
Jun 29  Friday     Constitution Day Holiday               National holiday

Russia’s upcoming holidays (none in May):

Date    Day        Holiday                      Type
Jun 9   Saturday   Working day – moved weekend  Working day (moved weekend)
Jun 11  Monday     Russia Day Weekend           National holiday
Jun 12  Tuesday    Russia Day                   National holiday
Jun 21  Thursday   June Solstice                Season

There are no overlaps.

For the US:

Date    Day        Holiday                          Type
May 25  Friday     National Missing Children’s Day  Observance
May 27  Sunday     Trinity Sunday                   Christian
May 28  Monday     Memorial Day                     Federal holiday
May 28  Monday     Jefferson Davis Birthday         Local observance (Mississippi)
May 31  Thursday   Corpus Christi                   Christian
Jun 1   Friday     Statehood Day                    Local observance (Kentucky, Tennessee)
Jun 3   Sunday     Jefferson Davis Birthday         Local observance (Florida)
Jun 4   Monday     Jefferson Davis Birthday         State holiday (Alabama)
Jun 6   Wednesday  D-Day                            Observance
Jun 10  Sunday     Lailat al-Qadr                   Muslim
Jun 11  Monday     Kamehameha Day                   State holiday (Hawaii)
Jun 14  Thursday   Army Birthday                    Observance
Jun 14  Thursday   Flag Day                         Observance
Jun 15  Friday     Eid al-Fitr                      Muslim
Jun 17  Sunday     Father’s Day                     Observance
Jun 17  Sunday     Bunker Hill Day                  State holiday (Massachusetts)
Jun 18  Monday     Bunker Hill Day observed         State holiday (Massachusetts)
Jun 19  Tuesday    Juneteenth                       Local observance (all except HI, MD, MP, MT, ND, NH, SD, TX, UT)
Jun 19  Tuesday    Emancipation Day                 State holiday (Texas)
Jun 20  Wednesday  West Virginia Day                State holiday (West Virginia)
Jun 20  Wednesday  American Eagle Day               Observance
Jun 21  Thursday   June Solstice                    Season

The 27 May Memorial Day weekend in the US is significant because it coincides with Kyiv Day. If the US hopes to support Ukraine against a Russian-launched cyber attack, this may be a good time. Otherwise, nothing jumps out at me.

</end editorial>

Researchers uncover sophisticated botnet aimed at possible attack inside Ukraine

A massive hacking operation that’s co-opted more than 500,000 routers into a botnet looms over Ukraine, according to cybersecurity researchers and people familiar with the matter who spoke with CyberScoop.

Over the last several days, a combination of at least three groups — Cisco’s cybersecurity unit Talos, the non-profit information sharing group Cyber Threat Alliance (CTA) and U.S. law enforcement — have all been quietly notifying companies about what appears to be the early stages of a potentially expansive cyberattack against Ukraine.

The scheme carries indicators that suggest a Russian government-linked hacking group may be involved, but so far that connection is only tentative. The public notifications come ahead of a massive international soccer match, which will be hosted in Kiev on May 26, and an important domestic holiday in Ukraine on June 28.

Last year, there was a delayed reaction inside Ukraine to the NotPetya attack due to it being launched a day before a Ukrainian holiday.

More than 500,000 routers and other internet gateway devices in at least 54 countries were compromised in recent months as part of this large and complex botnet, according to Talos researchers.

In recent weeks, beginning on May 8, there’s been a noticeable spike in systems specifically located in Ukraine being targeted and successfully breached through this same botnet. The latest revelation — in combination with the underlying malware’s unique and devastating capabilities — has alarmed researchers, who originally began warning router makers and regional governments of the activity months ago.

Dubbed “VPNFilter,” the sophisticated modular malware framework allows for an attacker to scan the internet for vulnerable systems and quickly infect devices that are both extremely popular and difficult to patch. Affected networking gear comes from big brands like Linksys, MikroTik, NETGEAR and TP-Link.

Researchers say that the VPNFilter-enabled botnet is capable of doing significant harm, including permanently disabling the hacked devices through a method known as “bricking,” which could cause thousands of companies to immediately lose internet connectivity and, with it, business.

In addition to bricking a breached device, VPNFilter can also be used to steal website administrator credentials and to monitor SCADA protocols. SCADA, an abbreviation of Supervisory Control and Data Acquisition, refers to the data and protocols of industrial control equipment used in power plants, nuclear facilities and manufacturing plants. Bricking a device means rendering it non-functional through a malicious reboot; VPNFilter bricks the system permanently by deleting critical code before forcing that reboot, so the device cannot come back up.

“The type of devices targeted by this actor are difficult to defend,” a Cisco blog post reads. “They are frequently on the perimeter of the network, with no intrusion protection system (IPS) in place, and typically do not have an available host-based protection system such as an anti-virus (AV) package. We are unsure of the particular exploit used in any given case, but most devices targeted, particularly in older versions, have known public exploits or default credentials that make compromise relatively straightforward. All of this has contributed to the quiet growth of this threat since at least 2016.”

Neil Jenkins, a former Homeland Security official and the current chief analytics officer for CTA, said that his organization has been notifying all their partners about the VPNFilter issue. CTA members mostly include cybersecurity companies, not networking gear makers.

Jenkins said there’s a broad and focused effort right now quietly taking place between law enforcement and industry to build a distributable mitigation of some sort, which could help alleviate some of the risk to businesses that rely on vulnerable systems. Several major cybersecurity vendors are already working with the router makers in this emergency-driven partnership.

VPNFilter, according to Talos researchers and other experts, carries unique code that’s loosely tied to an infamous Russian malware variant labelled “BlackEnergy.” BlackEnergy was used in a hacking operation that knocked multiple Ukrainian energy companies offline two years ago.

The coding overlap and the targeting profile, designed to impact Ukraine, have some insiders believing that Russia is the main culprit behind VPNFilter. The group behind BlackEnergy is known as “Sandworm” to the security research community. Sandworm is widely associated with a Russian intelligence agency, the GRU (Main Intelligence Directorate).

While Sandworm is sometimes connected to another Russian hacking team, named APT28 or “Fancy Bear,” that’s most famous for penetrating email servers belonging to the Democratic National Committee (DNC) in 2016, some analysts contend that the two teams differ in scope and mission. Both Fancy Bear and Sandworm are, however, linked by some tie to the GRU, which further blurs the line for attribution and analysis.

What makes VPNFilter so advanced, among other reasons, is the fact that it can maintain persistence even after a device is restarted. Simply put, that capability is rarely seen in malware that affects so-called “internet of things” devices — routers, DVRs, smart home appliances and internet-connected security cameras. In practice, the malware gives the hackers not only espionage options but also data destruction, making it especially dangerous.

In a statement to Reuters, Ukraine’s SBU security service blamed Russia for orchestrating a digital attack ahead of the Champions League final taking place this upcoming week.

“Security Service experts believe that the infection of hardware on the territory of Ukraine is preparation for another act of cyber-aggression by the Russian Federation, aimed at destabilising the situation during the Champions League final,” the statement reads.