The War in Ukraine:
Pulse of Cyber Defense

April 4, 2022
Weekly analytics from the State Service of Special
Communication and Information Protection of Ukraine
UKRAINIAN CYBERHUB
The largest war on the European continent since World War II continues
not only on land and in the air, but also in cyberspace.

The State Service of Special Communication and Information Protection of
Ukraine is responsible for the standards of cybersecurity in the country and
takes an active part in its defense. The lessons of this war are extremely
important for enhancing the protection of democratic states attacked by
aggressive countries like russia.

To this end, SSSCIP Ukraine is launching a public analytical report on the
state and means of cyber defense. The Cyberhub of SSSCIP Ukraine will
publish its data and conclusions, which the world community may use
for its own defense.

KEY MOMENTS
   • During the first month of the war, Ukraine suffered three times
     as many attacks as in the same period last year.

   • During the week from March 23 to March 29, CERT–UA registered an
     8% increase in the number of cyberattacks; the hackers' focus
     and methods remain unchanged.

   • As before, Ukraine was attacked by military hackers from russia
     and belarus.

   • On March 28, hackers launched a powerful attack against the
     infrastructure of Ukrtelecom, one of Ukraine’s largest providers. In
     less than 24 hours, the provider’s work was restored by 85%.

   • The research on the safety of using DJI drones in Ukraine confirmed
     that the company helps the russians in their attacks against Ukrainian
     unmanned aerial vehicles and their operators.

   • Cybersanction of the week: “Kaspersky Laboratory” and CERT teams
     from russia and belarus.

DETAILS
1. During the first month of the war, the number of cyberattacks increased
almost threefold as compared to the same period last year

During the first month of the war, CERT–UA registered 198 cyberattacks.
During the same period last year, their number was 76.

The five sectors that suffer most from cyberattacks are: central and local
governments, the security and defense sector, commercial organizations,
the financial sector, and telecom.

More than half of the attacks are attempts to collect information and to
spread malicious software. Among the top five methods of cyberattack
are intrusion, loss of availability, and loss of information properties.

2. Between March 23 and March 29, russia continued its cyberattacks
against Ukraine’s critical information infrastructure and state institutions

In total, between March 23 and March 29, CERT–UA registered 65
cyberattacks. That is five more than in the previous week. Both the focus
and the most common methods of attack remain unchanged.

Similar to the previous reporting period, the State Service of Special
Communication and Information Protection of Ukraine did not register
activities as serious as those registered at the beginning of the year.

3. The attackers are military hackers from russian federation and belarus

During the reporting period, Ukraine’s infrastructure was cyberattacked by
at least the following groupings (according to CERT–UA classification):

   • UAC-0056: GrimPlant, GraphSteel

   • UAC-0051 aka UNC1151: Cobalt Strike Beacon

   • UAC-0041: MarsStealer

These groupings are affiliated with the governments of russia and belarus.
This is not the first time they have attacked Ukraine’s state bodies. The
primary aim of these groupings is collecting users’ data as well as spreading
malware.

Additional information about the groupings that attack Ukraine:

   • UAC-0056’s activities are ascribed to the russian hackers SaintBear,
     UNC2589 and TA471;

   • UAC-0051 aka UNC1151 is a grouping of cyberspies associated with the
     government of russian federation; besides Ukraine, they previously
     attacked other countries of Eastern and Northern Europe (Poland,
     Latvia, Lithuania);

   • UAC-0041’s activities are aimed at stealing users’ authentication data.

4. On March 28, the hackers launched a powerful attack against the
infrastructure of one of Ukraine’s largest providers Ukrtelecom

On March 28, a powerful cyberattack was launched against the infrastructure
of the telecom operator Ukrtelecom. To preserve its network infrastructure
and keep providing services to Ukraine’s Armed Forces, other military
formations and critical infrastructure users, Ukrtelecom temporarily
limited its services to the majority of private users and business clients.

Cybersecurity specialists promptly reacted to the attack. In less than
24 hours, the provider’s work was restored by 85%.

On March 31, a russian professional cybersecurity publication spread
information that the State Service of Special Communication and
Information Protection of Ukraine had accused russian hackers of the attack,
though by March 31 no official information about its investigation had been
published.

5. Research as to the safety of using DJI drones in Ukraine confirmed that
the company assists the russians in their attacks against the Ukrainian
unmanned aerial vehicles and against their operators

Since the beginning of March, information has been received from different
sources that AeroScope complexes were switched off for Ukraine, not
only for the drones used by the military, but also for those used at other
facilities. It is also technically impossible to connect new vehicles.

The research conducted by Ukraine confirmed that the company assists the
russians in their attacks against Ukrainian UAVs and their operators.

We have evidence that the technology keeps working on the same type
of complexes purchased by the russian side, because artillery fire at the
launch points of DJI drones used by the Ukrainians is of a mass character.

    Explanation: every DJI drone sold since 2017 automatically transmits a signal
    that defines the location, altitude, velocity, direction, serial number and
    position of the drone’s operator. This data can be obtained with the help of
    AeroScope complex.

Fire at the take-off positions of Mavic 2, Mavic 3, Phantom,
Air 2S and even Mini 2 drones has been registered.

The Minister of Digital Transformation Mykhailo Fedorov sent a
letter to DJI CEO Tao Wang, in which he called on the company to suspend
business in russian federation until the end of the russian aggression in
Ukraine and asked it to provide the Ukrainian Government with information
about the company’s products registered in Ukraine. He also asked it to
switch on the expanded DJI AeroScope function for Ukrainian users, to block
all products that operate in Ukraine but were purchased in other countries,
and to block all DJI products purchased and activated in the russian
language in russian federation, Syria and Lebanon.

In response, the company noted that it was impossible to switch off the
function that transmits flight information to DJI AeroScope receivers.
DJI also claims that it did not introduce any functional changes to the
AeroScope system in Ukraine and that “a lot of Ukrainian AeroScope blocks
are still in operation.” The company stated that Ukrainian AeroScope
complexes could have been switched off because of the absence of power or
internet connection. But we know that it is not the case.

Ukraine offered its recommendations on the use of DJI drones. They
decrease the AeroScope capabilities and help protect the operators.
But even applying these recommendations does not guarantee
complete safety for either our military or other users.

The only thing that could guarantee the safe operation of DJI drones is
blocking all DJI products operating in Ukraine that were purchased and
activated in other countries, as well as those purchased and activated in the
russian language in russian federation, Syria and Lebanon.

6. Cybersanctions against russia

Because of their aggression against Ukraine and the entire civilized world,
russia and russian cybersecurity specialists are under sanctions.

The US FCC added “Kaspersky Laboratory” to the list of communication
equipment and services providers that can pose a threat to the United
States. In addition, the bug bounty platform HackerOne, which rewards
the search for software bugs, is no longer available to
“Kaspersky Laboratory”.

russian and belarusian computer emergency response teams, including the
“Kaspersky Laboratory” team, were excluded from the Forum of
Incident Response and Security Teams (FIRST). Thus, russians and
belarusians will no longer receive operational information from the
international FIRST community about different kinds of cyber incidents and
indicators of compromise. This will considerably reduce the efficiency of
the aggressor countries’ protection against cyberthreats.

russia officially denies that IT and IS specialists are fleeing the country
because of the sanctions and impossible working conditions, and at the same
time introduces new benefits for such specialists: in particular, deferment
of army service, preferential mortgages, tax benefits, etc. The list of
benefits is to be expanded.

The analytical document is prepared by the experts
and analysts from the State Service of Special Communication
            and Information Protection of Ukraine.

           If you want to receive regular updates,
        please subscribe to our analytical mailing at
          https://forms.gle/qWJWGqAUd5habwiz5

   Follow the State Service of Special Communication and
             Information Protection of Ukraine:

                          www.cip.gov.ua

                  www.facebook.com/dsszzi

                 www.Instagram.com/dsszzi

                   www.t.me/dsszzi_official

                    www.twitter.com/dsszzi

               Prepared with the support of the European Union
