Non-State Threat Actors Take Action on the Russia-Ukraine Conflict
ADEO Cyber Security
ADEO is a cyber security company founded in 2008. It is the biggest Managed Detection and Response (MDR) provider in Turkey.
Cyber attacks, which began before the Russian military intervention in Ukraine and targeted critical public and government entities such as banks, financial centers and ministries, started to increase as of Feb 23. Attacks by actors allegedly supported by Russia, and Ukrainian counterattacks, marked the beginning of a large-scale cyberwar.
While the cyber attacks continued, global reactions began to arrive concerning both Ukraine and Russia. The reactions from the West in particular were aimed directly at Russia. The EU, NATO, the USA and the UK strongly condemned the Russian cyber operations and expressed their support for Ukraine.
Following Ukraine's request for technical support from the EU in the ongoing war on the Russian-Ukrainian cyber front, 6 EU countries were the first to give a positive response. NATO, for its part, said that in response to Ukraine's request it can provide all kinds of support to protect the country's national cyber infrastructure from Russian cyber attacks.
In addition, Ukraine received support from global hacktivist groups such as Anonymous. Allegedly, Anonymous also stated that it can attack Russia's cyber infrastructure and that it is active with all its members. Shortly after this claim, the group shared the database of the Russian Ministry of Defense on its Twitter page on Feb. 26.
On the other hand, the Ukrainian government is also said to have launched a "cyber mobilization" across the nation. According to press reports, the government also called on all hacker groups on underground platforms and asked them to join a cyber army that will be established for offensive and defensive cyber operations against Russia. Ukraine, which does not currently have a cyber army, is thought to be following such a method to counter Russian cyber attacks. However, how effective this initiative can be against Russian cyber operations is a matter of debate.
On the Russian side, non-state cyber threat actors have started to support Russia. CONTI, one of the most effective ransomware groups in the world and one strongly claimed to be linked to Russia, openly announced that it will support Russia and take a role in cyber operations. According to the statement on the group's blog on the Tor network, if Russia and elements in any Russian-speaking region are exposed to any cyber attack, the USA and other countries that do not support Russia's activities will be targeted by CONTI.
Since Dec 2019, CONTI, which has targeted large companies and government institutions, especially on the North American continent, has stolen confidential information from the systems it has managed to infiltrate and published it on its blog when the ransom was not paid. The group's most common attack pattern is:[1]
The vulnerabilities most commonly exploited by the group:[2]
Likewise, another ransomware group, CoomingProject, posted a similar statement on their channel, expressing their open support for Russia.
Ransomware groups are not the only ones involved in the tension between Russia and Ukraine. In the last week, as tensions gained momentum, many threat actors have put up for sale or shared a series of data sets, both directly targeting Ukraine and belonging to the US military. Among these data sales, the one by the Free Civilian movement is especially critical, as it directly concerns Ukrainian citizens. The data that the threat actor is selling includes citizens' identity and driver's license information. In addition, databases belonging to many government institutions, such as the Ministry of Foreign Affairs and the Ministry of Health, are currently on sale.
Such statements from the Ukrainian and Russian cyber fronts show that the cyber war between the two states will grow even more with the involvement of non-state actors. The involvement of Western countries and international organizations such as NATO and the EU in the process may further expand the negative effects of the cyber war.
In this context, when we turn our focus to Turkey, the tension between Russia and Ukraine may affect both state institutions and companies operating in the fields of defense and energy in Turkey. Turkey's defense cooperation with Ukraine, especially in recent years, leads to the assessment that these organizations may be targeted by Kremlin-backed cyber actors. In addition, Turkey's involvement (as a NATO member) in the current tension and the way it has approached the conflict increase the probability that government institutions and large companies in particular will be attacked with DDoS and ransomware operations.
We closely follow the repercussions of the tension between Russia and Ukraine in the cyber dimension in order to identify potential cyber threats against all institutions and organizations we cooperate with. In addition, we strongly recommend that our government agencies and institutions/organizations in all sectors in cooperation with Ukraine increase their cyber security awareness, keep all their systems and infrastructures up-to-date, and perform risk and threat assessments in preparation for a potential cyber attack.
Kadir Kıvam & Ersin Çahmutoğlu
Cyber Security Research Team
ADEO Cyber Security Services
[1] Conti Ransomware, CISA, https://www.cisa.gov/uscert/ncas/alerts/aa21-265a
[2] Ibid.