US warns of cyberattacks by Russia on anniversary of Ukraine war

The US Cybersecurity and Infrastructure Security Agency has issued an advisory urging organizations to increase cybersecurity vigilance today, the anniversary of Russia’s invasion of Ukraine, in the wake of a cyberattack against several Ukrainian government websites.

“The United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord,” the CISA advisory said.

The cyberattack in Ukraine, detected yesterday, hit the websites of a number of central and local authorities, “modifying the content of some of their webpages,” according to a statement from the State Service of Special Communication and Information Protection of Ukraine.

“Apparently, on the eve of the anniversary of the full-scale invasion, Russia is attempting to stay visible in cyberspace where it acts, traditionally, as a terrorist state by attacking civilian targets,” the Ukrainian state agency said.

The attack did not cause critical system interruptions, and most of the affected information resources were quickly recovered, the agency said.

The websites were breached using a backdoor planted in December 2021, according to the Computer Emergency Response Team of Ukraine (CERT-UA), which discovered the attacks after investigating a web shell on one of the hacked websites that the threat actors used to install malware.

The web shell was used to install several backdoors (dubbed CredPump, HoaxPen, and HoaxApe) a year ago, and created an index.php file in the root web directory, which modified the content of the affected sites, CERT-UA said.

Ukraine cyberattack attributed Russia-aligned Ember Bear group

CERT-UA attributed the cyberattack to the Ember Bear threat group, also known as UAC-0056, or Lorec53.  Ember Bear is thought to be a cyberespionage group that has operated organizations in Eastern Europe since early 2021.

“Based on the set of signs, we can make a preliminary conclusion that the violation of the normal operation mode of the investigated web resources was carried out by the UAC-0056 group,” CERT-UA said.

Russian government-backed attackers ramped up cyberattacks beginning in 2021 during the run-up to the invasion, according to a report from Google’s Threat Analysis Group week. In 2022, Russia increased the targeting of users in Ukraine by 250% compared to 2020, and the targeting of users in NATO countries increased over 300% in the same period, Google said.

“We assess with high confidence that Russian government-backed attackers will continue to conduct cyberattacks against Ukraine and NATO partners to further Russian strategic objectives,” the report said. 

The report also said that Moscow will increase disruptive and destructive attacks in response to developments on the battlefield that fundamentally shift the balance toward Ukraine “These attacks will primarily target Ukraine, but increasingly expand to include NATO partners,” Google said in the report. 

Russian or Russia-aligned groups have increasingly been targeting nations that have shown support to Ukraine. On Tuesday this week, Mike Burgess, director general of the Australian Security Intelligence Organisation (ASIO), said in a speech that a Russian spy ring whose members were posing as diplomats in Australia was dismantled. The spies were highly trained and used sophisticated tradecraft to try to disguise their activities, and have been expelled from the country, he said.

A report Friday in the Sydney Morning Herald said that the spy ring had been operating for 18 months before being dismantled.

In its advisory, CISA said that it maintains cybersecurity resources including Shields Up, which it describes as “one-stop webpage that provides resources to increase organizational vigilance and keep the public informed about current cybersecurity threats.”