Ukraine-Russia conflict: Ukraine warns energy companies of possible escalation in cyberattacks


Cyberattack warning: Latest developments as tensions between Russia and Ukraine continue to escalate

A Ukrainian government statement released earlier this week warns energy companies inside Ukraine, and those of allied countries around the world, to heighten alertness to potential cyberattacks tied to the current dynamics of the Russian-Ukrainian war. (1) The statement also cites possible DDoS attacks against Ukraine and its allies Poland and the Baltic states, which it does not name individually. No further details are given.

This announcement comes at a moment of shifting escalation in the Russian-Ukrainian war. On Monday, September 26, at least two explosions large enough to be detected by seismometers in Sweden damaged four undersea sections of the Nord Stream gas pipelines, which are designed to carry natural gas from Russia to northern Europe. (2, 3, 4) Western governments believe the leaks were caused by deliberate sabotage of energy infrastructure. (5) No attribution has been made public.

These explosions further exacerbate a tense geopolitical situation. Last week, Russia announced its biggest conscription since World War II. (6) In addition, Moscow is preparing to annex parts of Ukraine after a referendum held last week that Kyiv and the West say was a sham intended to legitimize Russia's occupation of Ukrainian territory. (7) Russia shut down the Nord Stream 1 gas line in September. (8) Germany has seized other Russian-linked energy assets (9) as Russia moves to take over Ukrainian territory. (10)

Recent cyberattacks on energy infrastructure vary in severity, but demonstrate the vulnerability of critical infrastructure networks worldwide

EclecticIQ analysts have examined several recent attacks against critical infrastructure. The motivation is usually disruption or destruction, and the range of actors and targets is wide. Attacks on water utilities, city police departments, hospitals and industrial infrastructure show how widespread the threat is. (11, 12, 13, 14) The examples below give an idea of what future cyber threats to the critical infrastructure of energy companies could look like.

Some cyberattacks aim at data theft and disruption. BlackCat (ALPHV), a cybercriminal ransomware group, hit the Italian energy agency GSE this summer, stealing 700 gigabytes of data. (15) The Italian oil company Eni SpA also fell victim to a ransomware attack with minor consequences around the same time. (16) Stolen data can be sold and used by other parties to mount further attacks.

DDoS attacks, mentioned in the alert, pose another disruption threat to energy companies and other organizations. Killnet, a pro-Russian hacktivist group, was almost certainly responsible for the DDoS attacks against Japanese companies and public institutions in early September, (18) against Estonian government entities in August, (19) and against Lithuanian government networks in June. (20)

Other attacks, such as those targeting Ukraine, may be more closely tied to broader geopolitical goals. The DTEK Group, which owns several power plants in Ukraine, said the aim of a cyberattack in July was to "destabilize the technological processes of its distribution and production companies, spread propaganda about the operations of the business and leave Ukrainian consumers without electricity". (17) Technical details of that attack have not been made public.

Post-Exploitation Analysis of Malware and Past Attacks in Ukraine and Elsewhere

In its warning, the Ukrainian government noted that the country's infrastructure had already been attacked in 2015 and 2016. In those cases, the BlackEnergy and GreyEnergy malware relied on phishing to install a remote access trojan on a victim system, from which access and privileges could then be escalated by stealing further credentials. In both families, the core component's main job is to download further specialized malicious plug-ins. (21) Some variants were signed with valid certificates to evade internal alarms. Industroyer2 is likewise highly configurable, but it implements only a single protocol, IEC 60870-5-104, which means it can only target the specific industrial control system devices that speak that protocol. (22)
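To make concrete what "implements only IEC 60870-5-104" means for a defender, here is an added example (not EclecticIQ's code and not derived from any malware sample): a minimal parser for the IEC-104 APDU framing and ASDU header, plus a check that raises an alert when a control command (single command, double command or interrogation) arrives from a host that is not on an allowlist of known SCADA masters. The frames, IP addresses and allowlist are constructed for the example; the type identifiers, control field encoding and field layout are the standard IEC 60870-5-104 values.

```python
"""Minimal IEC 60870-5-104 APDU parser with an allowlist check for control commands.

Added example, not EclecticIQ's code. All frames and addresses below are constructed.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Optional, Set, List, Tuple

START = 0x68  # every IEC-104 APDU begins with this start byte

# Standard ASDU type identifiers used in this example
TYPE_NAMES = {
    1: "M_SP_NA_1 (single-point information)",
    45: "C_SC_NA_1 (single command)",
    46: "C_DC_NA_1 (double command)",
    100: "C_IC_NA_1 (interrogation command)",
}
CONTROL_TYPES = {45, 46, 100}  # commands a master sends towards an outstation


@dataclass
class Apdu:
    fmt: str                    # "I" (data), "S" (supervisory) or "U" (unnumbered)
    type_id: Optional[int] = None
    cot: Optional[int] = None   # cause of transmission, low 6 bits
    casdu: Optional[int] = None # common address of ASDU (2 bytes in IEC-104)
    ioa: Optional[int] = None   # information object address (3 bytes in IEC-104)
    value: Optional[int] = None # first information element byte, e.g. SCO for C_SC_NA_1


def parse_apdu(raw: bytes) -> Apdu:
    """Parse one APDU: start byte, length, 4 control bytes, then the ASDU (I-format only)."""
    if len(raw) < 6 or raw[0] != START:
        raise ValueError("not an IEC-104 APDU")
    if raw[1] != len(raw) - 2:  # length field excludes start and length bytes
        raise ValueError("APDU length field mismatch")
    ctrl1 = raw[2]
    if ctrl1 & 0x01 == 0:
        fmt = "I"
    elif ctrl1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return Apdu(fmt=fmt)  # S/U frames carry no ASDU
    asdu = raw[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU header too short")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F          # asdu[3] is the originator address
    casdu = struct.unpack("<H", asdu[4:6])[0]
    ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
    value = asdu[9] if len(asdu) > 9 else None
    return Apdu("I", type_id, cot, casdu, ioa, value)


def build_i_frame(type_id: int, cot: int, casdu: int, ioa: int, value: int,
                  send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """Build a single-object I-format APDU (used here only to construct sample traffic)."""
    ctrl = struct.pack("<HH", send_seq << 1, recv_seq << 1)
    asdu = bytes([type_id, 0x01, cot, 0x00]) + struct.pack("<H", casdu) \
        + bytes([ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF, value])
    return bytes([START, len(ctrl) + len(asdu)]) + ctrl + asdu


def check_control_command(src_ip: str, raw: bytes, allowed_masters: Set[str]) -> Optional[str]:
    """Return an alert line if a control command comes from a host that is not a known master."""
    apdu = parse_apdu(raw)
    if apdu.fmt != "I" or apdu.type_id not in CONTROL_TYPES or src_ip in allowed_masters:
        return None
    name = TYPE_NAMES.get(apdu.type_id, f"type {apdu.type_id}")
    detail = ""
    if apdu.type_id == 45 and apdu.value is not None:
        scs = "ON" if apdu.value & 0x01 else "OFF"          # single command state
        se = "select" if apdu.value & 0x80 else "execute"   # S/E bit
        detail = f" SCS={scs} ({se})"
    return f"ALERT {src_ip} -> {name} COT={apdu.cot} CASDU={apdu.casdu} IOA={apdu.ioa}{detail}"


# Constructed sample traffic: (source IP, APDU). 10.0.1.5 is the assumed legitimate HMI.
ALLOWED_MASTERS = {"10.0.1.5"}
SAMPLE: List[Tuple[str, bytes]] = [
    ("10.0.1.5", bytes([START, 0x04, 0x07, 0x00, 0x00, 0x00])),  # U-frame STARTDT act
    ("10.0.2.20", build_i_frame(1, 3, 1, 2001, 0x01)),           # spontaneous single-point report
    ("10.0.1.5", build_i_frame(45, 6, 1, 1001, 0x01)),           # HMI: single command ON, execute
    ("10.0.1.77", build_i_frame(45, 6, 1, 1001, 0x00)),          # unexpected host: breaker OFF
]


def scan_sample() -> List[str]:
    """Run the allowlist check over the constructed traffic and collect alerts."""
    return [a for src, raw in SAMPLE if (a := check_control_command(src, raw, ALLOWED_MASTERS))]


if __name__ == "__main__":
    for line in scan_sample():
        print(line)
```

The check keys on the source address and the ASDU type only; a production rule would also pin the expected common address and originator address per master, and baseline which IOAs each master normally commands.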

Other related malware is designed to be highly targeted to specific systems

Triton and Industroyer 1 were tailored to particular technologies and specific industrial control system protocols in order to have physical consequences, and CaddyWiper was deployed alongside Industroyer2 to destroy evidence and hinder recovery. (23, 24) Industroyer variants and CaddyWiper contain wiper-like modules. (25, 26) None of these families implement persistence TTPs of their own, so other malware components were used to provide backdoor access. EclecticIQ analysts have observed many reported wiper variants targeting Ukraine in 2022, and they are likely to remain a significant threat.

Critical Infrastructure Network Cyberattack Defense Recommendations

Based on recent and historical intelligence, EclecticIQ analysts recommend focusing on the following areas to counter the attack patterns described above.

  • Increase attention to email. Phishing remains the most likely way for threat actors to deliver an initial payload, whether as an attachment, malicious HTML, or JavaScript. (21)
  • Increase logging and monitoring of user accounts, and alert on logins from previously unseen IP addresses. Credential stealers can also enable initial compromise of a network through valid account credentials. (22, 23)
  • Find and review all systems considered part of the Internet of Things (IoT). The rising rate of disclosed vulnerabilities in these devices gives threat actors a pivot point into better-secured network segments. (24)
  • Increase awareness of auxiliary systems that can be attached to the network. 42% of cyberattacks targeting operational technology in early 2022 used the building automation infrastructure of critical infrastructure companies as the initial point of compromise. (27, 30)
  • Examine network traffic regularly. Almost all of the cyberattacks examined here involved moderate to extensive reconnaissance in the form of fingerprinting and scanning, and internal network defenses should be tuned to alert on similar activity. (28, 29)
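Two of the recommendations above, logins from unseen addresses and internal scanning, can be turned into simple detections. The following is an added example (not EclecticIQ's code) that runs both over constructed syslog-style lines. The log format, hostnames, addresses and the eight-pairs-per-minute threshold are assumptions; the destination ports 2404, 502 and 102 are the standard ports for IEC 60870-5-104, Modbus/TCP and ISO-TSAP (S7/MMS) respectively, the kind of services an intruder would enumerate before deploying something like Industroyer2.

```python
"""Two detections from the recommendation list, run over constructed log lines.

Added example, not EclecticIQ's code. Log format, hosts and thresholds are assumptions.
1. Successful logins from an IP address not previously seen for that account.
2. Internal reconnaissance: one source touching many distinct (host, port) pairs
   within a short window.
"""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed VPN authentication log (not from any real system)
AUTH_LOG = """\
2022-09-28T08:01:10Z host=vpn1 event=login_success user=alice src=10.20.0.15
2022-09-28T08:05:42Z host=vpn1 event=login_success user=bob src=10.20.0.31
2022-09-28T22:14:03Z host=vpn1 event=login_failure user=alice src=203.0.113.9
2022-09-28T22:14:20Z host=vpn1 event=login_success user=alice src=203.0.113.9
2022-09-29T08:02:55Z host=vpn1 event=login_success user=alice src=10.20.0.15
"""

# Constructed flow log from the OT-facing segment (not from any real system)
FLOW_LOG = """\
2022-09-28T22:20:01Z src=10.20.0.15 dst=10.20.5.10 dport=443 proto=tcp
2022-09-28T22:20:05Z src=10.20.0.15 dst=10.20.5.20 dport=445 proto=tcp
2022-09-28T22:25:00Z src=10.20.0.99 dst=10.20.5.10 dport=22 proto=tcp
2022-09-28T22:25:00Z src=10.20.0.99 dst=10.20.5.10 dport=80 proto=tcp
2022-09-28T22:25:01Z src=10.20.0.99 dst=10.20.5.10 dport=443 proto=tcp
2022-09-28T22:25:01Z src=10.20.0.99 dst=10.20.5.10 dport=502 proto=tcp
2022-09-28T22:25:02Z src=10.20.0.99 dst=10.20.5.10 dport=2404 proto=tcp
2022-09-28T22:25:02Z src=10.20.0.99 dst=10.20.5.11 dport=502 proto=tcp
2022-09-28T22:25:03Z src=10.20.0.99 dst=10.20.5.11 dport=2404 proto=tcp
2022-09-28T22:25:03Z src=10.20.0.99 dst=10.20.5.12 dport=502 proto=tcp
2022-09-28T22:25:04Z src=10.20.0.99 dst=10.20.5.12 dport=2404 proto=tcp
2022-09-28T22:25:04Z src=10.20.0.99 dst=10.20.5.13 dport=102 proto=tcp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def unknown_ip_logins(log: str, baseline: Dict[str, Set[str]]) -> List[str]:
    """Alert once per (user, address) when a login succeeds from an address not in the baseline."""
    known = {user: set(ips) for user, ips in baseline.items()}
    alerts = []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev.get("event") != "login_success":
            continue
        user, src = ev["user"], ev["src"]
        if src not in known.setdefault(user, set()):
            alerts.append(f"{ev['ts'].isoformat()} {user} logged in from unseen address {src}")
            known[user].add(src)  # do not re-alert on the same address
    return alerts


def scan_sources(log: str, threshold: int = 8,
                 window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Return {src: peak distinct (dst, dport) count} for sources reaching the threshold in one window."""
    by_src = defaultdict(list)
    for line in log.splitlines():
        ev = parse_line(line)
        by_src[ev["src"]].append((ev["ts"], (ev["dst"], ev["dport"])))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (ts, _) in enumerate(events):
            # distinct targets seen by this source in the window ending at this event
            pairs = {pair for t, pair in events[: i + 1] if t > ts - window}
            peak = max(peak, len(pairs))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for alert in unknown_ip_logins(AUTH_LOG, {"alice": {"10.20.0.15"}, "bob": {"10.20.0.31"}}):
        print(alert)
    for src, count in scan_sources(FLOW_LOG).items():
        print(f"possible scan from {src}: {count} distinct host:port pairs in 60s")
```

In the constructed data the two detections line up in time: the account login from an outside address at 22:14 is followed eleven minutes later by a new internal host sweeping ICS service ports, which is the sequence a correlation rule should join.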

About the EclecticIQ Intelligence and Research Team

EclecticIQ is a global provider of threat intelligence, hunting and response technologies and services. Based in Amsterdam, the EclecticIQ Intelligence & Research team is made up of experts from Europe and the United States with decades of experience in cybersecurity and intelligence in industry and government.

We would like to hear from you. Please send your comments to [email protected] or fill in the EclecticIQ Audience Interest Survey to direct our research towards your priority area.

Structured data

Find the Analyst Prompt and past editions in our public TAXII collection for easy use in your security stack.

TAXII v1 Discovery Services:

Please refer to our support page to find out how to access the streams.


  7. votes-end-amid-russian-mobilization-exodus-2022-09-26/

*** This is a syndicated blog from the Security Bloggers Network of Blog EclecticIQ authored by the EclecticIQ Threat Research Team. Read the original post at: