In this special advisory, Radware shares a collection of public information regarding threats and attacks surrounding the Kremlin’s special military action against Ukraine. Information is based on recent developments online, influenced by, and in support of the offline conflict.
Read the Complete Alert
Background
The North Atlantic Treaty Organization (NATO) is an alliance of 30 member countries that promotes democratic values, is committed to a peaceful resolution of disputes, and relies on collective military power to undertake operations when diplomatic efforts fail. Article 5 of the NATO charter is the cornerstone of this military alliance. It talks of “the principle of collective defense,” the very heart of NATO. This article binds NATO member countries to commit them “to protecting each other and setting a spirit of solidarity within the alliance.” This means that if a member country is attacked by a non-member country, all members will consider it an attack on the individual countries and respond militarily. But Article 5 does not apply to non-member countries such as Ukraine. Ukraine applied to be a NATO member in 2008 and its application for NATO membership is pending. Ukraine’s President, Volodymyr Zelenskyy, has recently appealed again to expedite a membership decision. This is also what lies at the origin of the current conflict.
Although NATO fully supports Ukraine’s sovereignty, territorial integrity, and Ukraine’s right of self-defense and condemning Ukraine's invasion, the alliance can not and will not go to war with Russia unless one of its members is attacked. This applies both to online and offline conflicts.
NATO members agreed and imposed a package of unseen and severe sanctions on Russia, targeting its financial system and introducing export controls on dual-use and high-tech goods, with a particular focus on electronics, computers, telecom and information security, sensors and lasers and marine applications. The package also includes an export ban on aircraft, aircraft parts and related equipment, as well as a ban on the sale of equipment and technology needed to update Russian oil refineries to modern environmental standards.
In the Kremlin’s best interest, it is not to expose itself by attacking targets outside of Ukraine. If they do, they could trigger a larger conflict through a NATO alliance member, at which point we can expect the worse.
There have been reports of DDoS attacks on both sides. Anonymous claimed responsibility for the attacks on Russia, while the attacks on Ukraine were attributed to Russia by the U.S. government and the NCSC (U.K.). The attribution is, as far as information is available, based on known and used Tactics, Techniques and Procedures (TTPs) during Russian military operations. Before the start of the invasion, Ukraine targets were assaulted by a wiper malware dubbed “HermeticWiper.” The second deployment of a wiper malware against Ukrainian targets, with the first attacks taking place in the middle of January leveraging a malware named ‘WhisperGate.’
As the world started to take note of the horrendous situation on the ground in Ukraine, political hactivists and underground movements stepped in and took initiative targeting both sides of the dispute with online attacks. Nations and influencers are adding to the global confusion with disinformation campaigns and fake news surrounding offline and online events.
Wiper Malware Attacks
A wiper is a type of malware leveraged to wipe data or systems. Wipers can make systems inoperative by overwriting boot loaders. Wipers typically also have worming capabilities that allows them to move from system to system through a local network or, in a worst-case scenario, through the internet. Wipers leverage most of the same techniques and tactics as ransomware. Some wipers disguise themselves as ransomware and leave a ransom note on the screen, only for the owner to find out that his system is wiped. Though leveraging much of the same initial access and propagation techniques, wipers are less sophisticated compared to their ransomware siblings. Ransomware encrypts data with a reversible algorithm and exfiltrates data while wiper do not concern themselves with an ability to recover the data or steal sensitive information. The objective of the wiper is to destroy systems and impact the availability and productivity of its victims. A good backup and restore strategy are most effective against wipers.
The Shamoon malware used in 2012 and 2016 attacks targeting Saudi energy organizations contained a disk wiping mechanism. The original variant overwrote files with portions of an image of a burning U.S. flag. The 2016 variant was nearly identical, except using an image of the body of Alan Kurdi instead.