The War in Ukraine: Pulse of Cyber Defense
April 4, 2022
Weekly analytics from the State Service of Special Communication and Information Protection of Ukraine
UKRAINIAN CYBERHUB

The largest war on the European continent since World War II continues not only on land and in the air, but also in cyberspace. The State Service of Special Communication and Information Protection of Ukraine (SSSCIP) is responsible for cybersecurity standards in the country and takes an active part in its defense. The lessons of this war are extremely important for enhancing the protection of democratic states attacked by aggressive countries like russia. To this end, SSSCIP Ukraine is starting to publish a public analytical report on the state and means of cyber defense. The Cyberhub of SSSCIP Ukraine will publish its data and conclusions, which the world community may use for its own defense.

KEY MOMENTS

• During the first month of the war, Ukraine suffered three times as many attacks as in the same period last year.
• During the week from March 23 to March 29, CERT–UA registered an 8% increase in the number of cyberattacks; the hackers' focus and methods remain unchanged.
• As before, Ukraine was attacked by military hackers from russia and belarus.
• On March 28, hackers launched a powerful attack against the infrastructure of Ukrtelecom, one of Ukraine’s largest providers. In less than 24 hours, 85% of the provider’s operations were restored.
• Research on the safety of using DJI drones in Ukraine confirmed that the company helps the russians in their attacks against Ukrainian unmanned aerial vehicles and their operators.
• Cybersanction of the week: “Kaspersky Laboratory” and CERT teams from russia and belarus.

April 4, 2022 Weekly analytics
DETAILS

1. During the first month of the war, the number of cyberattacks increased almost threefold as compared to the same period last year

During the first month of the war, CERT–UA registered 198 cyberattacks. During the same period last year, the number was 76.

The top five sectors that suffer from cyberattacks are: central and local governments, the security and defense sector, commercial organizations, the financial sector, and telecom.

More than half of the attacks are attempts to collect information and to spread malicious software. Among the top five methods of cyberattack are: intrusion, loss of availability, and loss of information properties.
2. Between March 23 and March 29, russia continued its cyberattacks against Ukraine’s critical information infrastructure and state institutions

In total, between March 23 and March 29, CERT–UA registered 65 cyberattacks. That is five more than in the previous week. Both the focus and the most common methods of attack remain unchanged.

As in the previous reporting period, the State Service of Special Communication and Information Protection of Ukraine did not register activity as serious as that registered at the beginning of the year.
3. The attackers are military hackers from russian federation and belarus

During the reporting period, Ukraine’s infrastructure was attacked by at least the following groups (according to the CERT–UA classification):

• UAC-0056: GrimPlant, GraphSteel
• UAC-0051 aka unc1151: Cobalt Strike Beacon
• UAC-0041: MarsStealer

These groups are affiliated with the governments of russia and belarus. This is not the first time they have attacked Ukraine’s state bodies. Their primary aim is to collect users’ data and to spread malware.

Additional information about the groups that attack Ukraine:

• UAC-0056’s activities are ascribed to the russian hackers SaintBear, UNC2589 and TA471;
• UAC-0051 aka unc1151 is a group of cyberspies associated with the government of russian federation; besides Ukraine, they previously attacked other countries of Eastern and Northern Europe (Poland, Latvia, Lithuania);
• UAC-0041’s activities are aimed at stealing users’ authentication data.

4. On March 28, the hackers launched a powerful attack against the infrastructure of one of Ukraine’s largest providers Ukrtelecom

On March 28, a powerful cyberattack was launched against the infrastructure of the telecom operator Ukrtelecom. To preserve its network infrastructure and keep providing services to Ukraine’s Armed Forces, other military formations and critical infrastructure users, Ukrtelecom temporarily limited its services to the majority of private users and business clients. Cybersecurity specialists reacted promptly to the attack. In less than 24 hours, 85% of the provider’s operations were restored.
On March 31, a russian professional cybersecurity publication reported that the State Service of Special Communication and Information Protection of Ukraine had accused russian hackers of the attack, although as of March 31 no official information about the investigation had been published.

5. Research as to the safety of using DJI drones in Ukraine confirmed that the company assists the russians in their attacks against the Ukrainian unmanned aerial vehicles and against their operators

Since the beginning of March, information has been received from different sources that AeroScope complexes were switched off for Ukraine: not only for the drones used by the military, but also for those used at other facilities. There is no technical possibility of connecting new vehicles either.

The research conducted by Ukraine confirmed that the company assists the russians in their attacks against Ukrainian UAVs and their operators. We have evidence that the technology keeps working on the same type of complexes purchased by the russian side, because artillery fire at the launch points of DJI drones used by Ukrainians is widespread.

Explanation: every DJI drone sold since 2017 automatically transmits a signal that identifies the drone's location, altitude, velocity, direction and serial number, as well as the position of the drone’s operator. This data can be obtained with the help of an AeroScope complex.

Fire at the take-off positions of Mavic 2, Mavic 3, Phantom, Air 2S and even Mini 2 drones has been registered.

The Minister of Digital Transformation, Mykhailo Fedorov, sent a letter to DJI CEO Tao Wang in which he called on the company to suspend business in russian federation until the end of the russian aggression in Ukraine and asked it to provide the Ukrainian Government with information about the company’s products registered in Ukraine.
He also asked the company to switch on the expanded DJI AeroScope function for Ukrainian users, to block all products that operate in Ukraine but were purchased in other countries, and to block all DJI products purchased and activated in the russian language in russian federation, Syria and Lebanon.

In response, the company noted that it was impossible to switch off the function that transmits flight information to DJI AeroScope receivers. DJI also claims that it did not introduce any functional changes to the AeroScope system in Ukraine and that “a lot of Ukrainian AeroScope blocks are still in operation.” The company suggested that Ukrainian AeroScope complexes could have been switched off because of the absence of power or internet connection. But we know that it is not the case.

Ukraine has issued its recommendations on the use of DJI drones. They reduce the AeroScope capabilities and help protect the operators. But even applying these recommendations does not guarantee complete safety either for our military or for other users. The only thing that could guarantee the safe use of DJI drones is blocking all DJI products operating in Ukraine that were purchased and activated in other countries, as well as those purchased and activated in the russian language in russian federation, Syria and Lebanon.

6. Cybersanctions against russia

Because of their aggression against Ukraine and the entire civilized world, russia and russian cybersecurity specialists are under sanctions.

The US FCC added “Kaspersky Laboratory” to the list of communication equipment and services providers that can pose a threat to the United States. In addition, the bug bounty platform HackerOne, which rewards the search for software bugs, is no longer available to “Kaspersky Laboratory”.

russian and belarusian computer emergency response teams, including the “Kaspersky Laboratory” team, were excluded from the Forum of Incident Response and Security Teams (FIRST). As a result, russians and belarusians will no longer receive operational information from the international FIRST community about cyber incidents and indicators of compromise. This will considerably reduce the effectiveness of the aggressor countries’ protection against cyberthreats.

russia officially denies that IT and IS specialists are fleeing the country because of the sanctions and impossible working conditions, and simultaneously introduces new benefits for such specialists: in particular, deferment from military service, preferential mortgages, tax benefits, etc. The list of benefits is to be expanded.
The analytical document is prepared by the experts and analysts from the State Service of Special Communication and Information Protection of Ukraine.

If you want to receive regular updates, please subscribe to our analytical mailing at https://forms.gle/qWJWGqAUd5habwiz5

Follow the State Service of Special Communication and Information Protection of Ukraine:

• www.cip.gov.ua
• www.facebook.com/dsszzi
• www.Instagram.com/dsszzi
• www.t.me/dsszzi_official
• www.twitter.com/dsszzi

Prepared with the support of the European Union