US issues a warning about Russian hacking on the anniversary of the Ukraine War

Immediately after Ukraine discovered a cyberattack on official websites, the US Cybersecurity and Infrastructure Security Agency (CISA) released a warning about increased Russian “disruptive” activities.

In response to a cyberattack against multiple Ukrainian government websites, the US Cybersecurity and Infrastructure Security Agency has issued an alert asking businesses to step up their cybersecurity awareness on this day, the anniversary of Russia’s invasion of Ukraine.

“The United States and European nations may experience unruly and defacement attacks against websites in an attempt to sow disorder and societal discord,” the CISA advisory said.

According to a statement from the State Department of Special Communication and Information Protection of Ukraine, the cyberattack in Ukraine, discovered yesterday, targeted the websites of many central and municipal agencies, “changing the content of some of their webpages.”

The Ukrainian state agency noted that Russia appeared to be making an effort to maintain visibility in cyberspace on the eve of the anniversary of the full-scale invasion, adding that Russia typically operates there as a terrorist state by assaulting civilian targets.

The attack did not cause critical system interruptions, and most of the affected information resources were quickly recovered, the agency said.

According to the Computer Emergency Response Team of Ukraine (CERT-UA), the websites were compromised via a backdoor planted in December 2021. CERT-UA learned about the attacks after examining a web shell on one of the compromised websites that the threat actors used to install malware.

A year ago, the web shell was used to install a number of backdoors (known as CredPump, HoaxPen, and HoaxApe) and produce an index.php file in the root web directory that altered the content of the compromised websites, according to CERT-UA.

Cyberattack on Ukraine blamed on Black Bear group, a Russian-aligned organization

The cyberattack was ascribed to the Ember Bear threat group, also known as UAC-0056 or Lorec53, by CERT-UA. Ember Bear is believed to be a cyberespionage outfit that has run operations in Eastern Europe from the beginning of 2021.

The UAC-0056 group disrupted the normal operation of the examined web resources, according to CERT-UA’s preliminary assessment based on the set of indicators.

In the years leading up to the invasion, attackers with support from the Russian government intensified their cyberattacks, according to a study from Google’s Threat Analysis Group. According to Google, Russian targeting of users in Ukraine grew by 250% in 2022 compared to 2020, and over 300% in the same period for users in NATO nations.

According to the report, “we assess with high confidence that attackers supported by the Russian government will continue to conduct cyberattacks against Ukraine and NATO allies to further Russian strategic goals.”

The report also said that Moscow will increase disruptive and destructive attacks in response to developments on the battlefield that fundamentally shift the balance toward Ukraine. “These attacks will primarily target Ukraine, but increasingly expand to include NATO partners,” Google said in the report.

Nations that have supported Ukraine are increasingly being targeted by Russian or Russia-aligned organizations. A Russian spy ring operating in Australia under the guise of a diplomat was busted, according to Mike Burgess, director general of the Australian Security Intelligence Organisation (ASIO), in an address on Tuesday this week. He claimed that the spies, who were highly skilled and tried to conceal their activities by using clever tradecraft, have been expelled from the nation.

The spy ring operated for 18 months before being shut down, according to a Sydney Morning Herald story published on Friday.

Shields Up, which CISA describes as a “one-stop webpage that offers resources to increase organizational vigilance and keep the public informed about current cybersecurity threats,” is one of the cybersecurity resources that CISA maintains, according to its advisory.
