Cloud-native technologies are being used in cyberattacks between Russia and Ukraine, according to a new analysis by Aqua Security.
The conflict between Russia and Ukraine rages not only in the physical realm but also on the cyber front, where governments, hacktivist groups and individuals are trying to play their part.
Russian Cyberwarfare: Wiper Malware
According to Team Nautilus, part of Aqua Security, the military action was preceded by a sophisticated cyber attack by Russia against several Ukrainian organizations. It contained highly destructive malware called IsaacWiper and HermeticWizard, which are new variants of Wiper malware. The malware attack, alongside the military campaign, aimed to influence the conflict.
The malware was installed on hundreds of computers in Ukraine, followed by a wave of distributed denial-of-service attacks. The new wipers can corrupt the data on a machine and make it inaccessible. Besides the worm component's ability to spread over a local network to infect more computers, they can also launch a ransomware attack and encrypt files on the compromised computer.
“To our knowledge, this new wiper attack only targets Windows systems,” says Aqua Security.
“According to internal research by Team Nautilus, most cloud-native environments (96%) are based on Linux. Therefore, we estimate the risk for cloud-native environments from this type of wiper malware to be low.
“However, Russia’s cyber arsenal may contain similar tools designed to attack Linux environments.”
As the conflict between Russia and Ukraine unfolded, it caught the attention of global threat actors such as the hacktivist group Anonymous.
Anonymous regularly launches cyberattacks in support of its social and political ideals, and against governments and their resources. In this case, Anonymous has declared cyberwar on Russia and called on hackers around the world to attack Russian organizations and government bodies.
Cloud-native technologies used in cyber campaigns
“The attacks caught our attention and we at Team Nautilus have been following recent events to get an overview of the cyber attacks that have taken place. We collected data from public repositories that contain code and tools that target both sides,” the company says.
“Among the repositories, we analyzed container images in Docker Hub, as well as popular code libraries and software packages, including PyPI, NPM, and Ruby. We looked for specific names and text labels that called for active action against both sides.
“We examined the types of activity on these public sources. About 40% of the packages we observed were related to Denial of Service (DoS) activities aimed at disrupting the network traffic of online services. Other public repositories provided information for Ukrainian and Russian citizens or tools to block user networks from the conflict area,” it said.
“We also saw activity with a banner to add to a website in support of Ukraine. In addition, there have been sources that have suggested doxing, in which personal information of high-ranking individuals is publicly disclosed. Finally, a resource raised donations to Ukrainian citizens.”
Analysis of container images in Docker Hub
Next, Team Nautilus analyzed the container images abagayev/stop-russia:latest and erikmnkl/stoppropaganda:latest uploaded to Docker Hub. The main reason for the study was that together they had reached more than 150,000 pulls, it is said.
“These container images have published instructions and source code on GitHub, including a list of targets with Russian website addresses. The guidelines explained, among other things, how to initiate an attack and which tools to download, so that non-professionals can launch an attack on their own,” says the company.
“As we can see, repositories have played an important role in the ongoing virtual conflict by making cloud-native tools widely available to a less tech-savvy audience. This shows once again that you don’t need to be an experienced hacker to take part in cyber warfare today.”
To analyze the container images, Team Nautilus scanned them with Aqua’s Dynamic Threat Analysis scanner. It ran the container images in a secure sandbox, allowing the team to gain more insight into these tools and their impact.
- The abagayev/stop-russia:latest container image contains a DoS attack tool that targets financial data and service providers in Russia.
- The erikmnkl/stoppropaganda:latest container image contains a DDoS attack tool that works over the TCP protocol by opening many connection requests. It is used to initiate the attack and targets multiple service providers in Russia.
- Both container images also included attack tools that trigger a DNS flood over the UDP protocol, sending large numbers of DNS queries to UDP port 53 and targeting Russian banks.
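The DNS flood described in the last point has a simple network signature from a defender's side: one source emitting far more UDP/53 queries in a short window than any legitimate resolver client would. The following is an added example, not code from Aqua Security's report or from the container images it analyzed. It assumes flow-style log lines in a constructed format (timestamp, source IP, destination IP, protocol, destination port), builds a sample log with one flooding source and one normal source, and flags sources whose query count inside a sliding window crosses a threshold; the threshold and window are assumptions chosen for illustration.

```python
"""Rate-based detection of a UDP/53 DNS query flood from flow logs.

Added example, not from the Aqua Security report or the tools it describes.
The log format, the threshold and the window size are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple


def build_sample_log() -> List[str]:
    """Constructed flow records, not real traffic.

    One source sends 40 DNS queries in under 8 seconds, another sends 3 queries
    spread over 40 seconds, and two TCP/443 flows are mixed in so the detector
    has something it must ignore.
    """
    base = datetime(2022, 3, 1, 10, 0, 0)
    lines = []
    for i in range(40):  # flooding source: one query every 200 ms
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()} 198.51.100.7 203.0.113.53 udp 53")
    for i in range(3):  # normal source: one query every 20 s
        t = base + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} 192.0.2.10 203.0.113.53 udp 53")
    lines.append(f"{(base + timedelta(seconds=1)).isoformat()} 192.0.2.10 203.0.113.80 tcp 443")
    lines.append(f"{(base + timedelta(seconds=2)).isoformat()} 198.51.100.7 203.0.113.80 tcp 443")
    return lines


def parse_line(line: str) -> Tuple[datetime, str, str, str, int]:
    """Split '<ISO timestamp> <src> <dst> <proto> <dst_port>' (assumed format)."""
    ts, src, dst, proto, port = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(port)


def detect_dns_flood(lines: List[str], threshold: int = 30,
                     window_seconds: float = 10.0) -> Dict[str, int]:
    """Return {src_ip: peak queries seen in one window} for flooding sources.

    Only UDP traffic to port 53 is counted. Records are sorted by timestamp
    first so the sliding window also works on unordered input.
    """
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = defaultdict(int)
    for ts, src, _dst, proto, port in sorted(parse_line(l) for l in lines):
        if proto != "udp" or port != 53:
            continue  # not a DNS-over-UDP query, ignore
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop queries that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in detect_dns_flood(build_sample_log()).items():
        print(f"possible DNS flood from {src}: {n} queries in a 10 s window")
```

On the constructed log only 198.51.100.7 is reported (40 queries inside one 10-second window); 192.0.2.10 never exceeds one query per window, and the TCP/443 flows are skipped. In practice the threshold would be tuned against a baseline of the monitored network's own resolver traffic, and the same sliding-window count applies to the TCP connection-request flood described in the previous point by counting SYN-only flows per source instead of DNS queries.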
Attacks in the wild
“As part of our research efforts, we regularly use honeypots, which are misconfigured cloud-native applications based on Docker and Kubernetes or other widely used applications such as databases,” says Aqua Security.
“We analyzed the data recorded by our honeypots focusing on attacks that launched DDoS attacks in the wild and collected only IP addresses belonging to Russia and Ukraine.
“Based on the data collected in our honeypots, we found that 84% of the targets were associated with IP addresses in Russia and only 16% in Ukraine,” it said.
“Further sector segmentation of the organizational metadata associated with IP addresses shows that network and media organizations were the primary targets and were most frequently attacked.”
Aqua Security says the Team Nautilus findings highlight the significant role the cyberdomain can play in modern geopolitical conflict.
“As technology advances, experienced threat actors can create and distribute simple automated tools that enable less experienced individuals to participate in cyber warfare,” it says.
“These advances also allow individuals and organized hacker groups to influence the conflict by using their knowledge and resources. We can see how relevant new technologies are to this effort and can have an impact.”