Ukraine Experiences Internet Outage - and Russia May, Too
Ukraine Outage Due to Cyberattack; Russia at Risk Due to Sanction-Related Shortages
On Monday, Ukrainian internet service provider Ukrtelecom was hit by a cyberattack that reduced its services, the State Service for Special Communications and Information Protection of Ukraine says. Meanwhile, Russia’s internet services could be affected by a shortage of equipment due to ongoing sanctions, according to the Russian news agency Kommersant, citing the RSPP Commission for Communications and IT.
Global internet monitoring firm NetBlocks says Monday's internet outage in Ukraine was the largest observed since Russia invaded Ukraine on Feb. 24, 2022. Initially, it was thought to be a regular outage, NetBlocks says, as these have been frequent in Ukraine during the past month. But soon the Ukrainian SSSCIP confirmed in a tweet that the outage was due to a cyberattack targeted specifically at telecom and internet service provider Ukrtelecom.
Today, the enemy launched a powerful cyberattack against #Ukrtelecom ’s IT-infrastructure. According to Yuriy Shchyhol, the Chairman of the @dsszzi, at the moment massive cyberattack against #Ukrtelecom is neutralized. Resuming services is under way. #Ukraine #CyberAttack #war— SSSCIP Ukraine (@dsszzi) March 28, 2022
Neither SSSCIP Ukraine Chairman Yuriy Shchyhol nor Ukrtelecom confirm if Russia was behind this targeted cyberattack, but an analysis from NetBlocks showed that Ukrtelecom's real-time network connectivity collapsed to 13% of pre-war levels.
Confirmed: A major internet disruption has been registered across #Ukraine on national provider #Ukrtelecom; real-time network data show connectivity collapsing to 13% of pre-war levels; the provider reports issues assigning new sessions
Background: https://t.co/S0qJQ7CbNv pic.twitter.com/BY2OOBK0m6— NetBlocks (@netblocks) March 28, 2022
The SSSCIP says the outage mainly affected civilians, not the armed forces, since it is essential for them to continue running during the war. "In order to preserve its network infrastructure and to continue providing services to Ukraine's Armed Forces and other military formations as well as to the customers, Ukrtelecom has temporarily limited providing its services to the majority of private users and business clients," the SSSCIP says.
The special agency later tweeted that its IT specialists had reacted promptly to the situation and had successfully repelled the cyberattack, further assuring Ukrtelecom's users of a speedy restoration of services.
Toby Lewis, head of threat analysis at cybersecurity AI company Darktrace, tells Information Security Media Group, "At this stage, we have minimal details but the available network activity appears to show a gradual decline in connectivity, rather than a cliff-edge drop typical of DDoS or a ransomware attack at the core of the network. This would suggest it was a supply chain attack where endpoint devices such as home routers are slowly taken out. We saw a similar attack on ViaSat that took place on the day of the invasion itself, and previously with the SolarWinds' Orion campaign, where the real damage only occurred after updates or malicious configuration changes were pushed out to customers." A kinetic attack severing cables would likewise have caused an instant loss of connectivity.
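The distinction Lewis draws, a gradual slide versus a cliff-edge drop in connectivity, can be turned into a simple triage check on a time series of connectivity readings. The following is an added example, not code from the article, NetBlocks or Darktrace; the sample series, the 15-minute interval and the 70% threshold are constructed assumptions chosen to illustrate the two shapes.

```python
from typing import List, Tuple

# Constructed sample series of connectivity as a percentage of a pre-war
# baseline, one reading per 15 minutes. Illustrative values, not NetBlocks data.
GRADUAL = [100, 92, 81, 70, 58, 47, 36, 25, 18, 13]   # batches of endpoints dropping off
CLIFF = [100, 99, 98, 97, 12, 11, 11, 10, 10, 10]     # one interval explains the collapse


def classify_decline(series: List[float], cliff_share: float = 0.7) -> Tuple[str, float]:
    """Classify a connectivity series as "cliff-edge", "gradual" or "none".

    share = largest single-interval drop / total drop from peak to later trough.
    If one interval accounts for at least cliff_share of the whole decline the
    shape is cliff-edge (what a core outage, DDoS saturation or cable cut would
    look like); otherwise it is gradual (consistent with edge devices being
    taken out a batch at a time). The 0.7 threshold is an assumption.
    """
    if len(series) < 2:
        return "none", 0.0
    peak = max(series)
    trough = min(series[series.index(peak):])   # lowest reading after the peak
    total_drop = peak - trough
    if total_drop <= 0:
        return "none", 0.0
    biggest_step = max(a - b for a, b in zip(series, series[1:]))
    share = biggest_step / total_drop
    label = "cliff-edge" if share >= cliff_share else "gradual"
    return label, round(share, 3)


if __name__ == "__main__":
    for name, s in (("gradual sample", GRADUAL), ("cliff sample", CLIFF)):
        print(name, classify_decline(s))
```

The check only looks at the shape of the curve; in practice it would be combined with the provider's own signals (session assignment failures, BGP withdrawals) before any attribution is attempted.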
Russia on the Brink of Outages
Russia's potential internet outages may not arise from a cyberattack but from an acute shortage of telecom equipment that Russian telecom companies will face owing to sanctions imposed on the country by Western countries, warns the Commission on Telecommunications and IT of the RSPP, or Russian Union of Industrialists and Entrepreneurs.
Kommersant cited a document compiled by the commission that says the Russian government is at imminent risk of large-scale internet service outages that may hit the country by July or August. "In the current economic conditions, the reserves of telecom operators' equipment will last for six months, and failures in their work may begin as early as summer," the document says.
The reason for this is the departure of Western companies and the subsequent trade sanctions imposed during the ongoing war, the document says.
This is not the commission's only concern. Due to the limited availability of telecom equipment stocks, the prices of available equipment have already increased by 40% and with the continued depreciation of the ruble, this is expected to increase by another 80%, the commission says.
Kommersant also reported on the response from Russian telecom companies, which say that the impact will be felt on the communication networks of the country's railway transport, fuel and energy sectors. "The only way to keep the infrastructure working is to curtail all development plans and use previously purchased equipment solely to maintain the stability of the network," the commission says.
Cyberattacks on Ukrainian Authorities Continue
Amid the internet outage chaos, the Ukrainian CERT, CERT-UA, yesterday published information about three malware strains actively targeting Ukrainian authorities and citizens.
GraphSteel and GrimPlant Malware
In one alert, CERT-UA says the GraphSteel and GrimPlant malware is being distributed through phishing emails that carry the heading "Wage arrears," typically targeted at people working in Ukrainian government agencies. The emails carry an attachment called "Wage arrears.xls" that contains legitimate statistics and macros, CERT-UA says.
Hex-encoded data has also been embedded in the document, and when the macro is activated it decodes that data, creates the executable "Base-Update.exe" on the computer and runs it. That program in turn downloads and runs another downloader, which then downloads and runs the GraphSteel and GrimPlant malware on the victim's computer, CERT-UA says.
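A document that carries its payload as a hex-encoded blob is easy to spot once the raw macro or cell text has been extracted: long runs of hexadecimal characters that decode to a Windows executable (the "MZ" header) are not something a spreadsheet of wage statistics needs. The scanner below is an added example, not CERT-UA's tooling or anything from the article; the sample document bytes and the 64-character minimum run length are constructed assumptions, and the fake "PE" is just an MZ header followed by padding.

```python
import binascii
import re
from typing import Dict, List

# Minimum run length (in hex characters) worth decoding; an assumption.
MIN_HEX_RUN = 64
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{%d,}" % MIN_HEX_RUN)

# Constructed sample: a fake executable (MZ header plus padding, not a real
# program) and a fake extracted document containing short hex-looking tokens,
# the fake PE as a hex blob, and a long hex run that is not an executable.
FAKE_PE = b"MZ" + b"\x90" * 62
SAMPLE_DOC = (
    b"Wage arrears statistics for Q1 (constructed sample)\n"
    b"colour=ff0000 id=1234567890abcdef\n"            # short runs: ignored
    b"blob=" + binascii.hexlify(FAKE_PE) + b"\n"       # 128 hex chars, decodes to MZ...
    b"notes=" + binascii.hexlify(b"A" * 40) + b"\n"    # 80 hex chars, not a PE
)


def find_hex_payloads(data: bytes) -> List[Dict]:
    """Locate long hex runs in extracted document/macro bytes and decode them.

    Each finding records the byte offset, the run length, whether the decoded
    bytes begin with the DOS 'MZ' header (a Windows executable) and a short
    preview of the decoded content for an analyst to inspect.
    """
    findings = []
    for m in HEX_RUN.finditer(data):
        run = m.group(0)
        if len(run) % 2:            # odd length: drop the dangling nibble
            run = run[:-1]
        decoded = binascii.unhexlify(run)
        findings.append({
            "offset": m.start(),
            "hex_len": len(run),
            "is_pe": decoded.startswith(b"MZ"),
            "preview": decoded[:8],
        })
    return findings


def contains_embedded_pe(data: bytes) -> bool:
    """True if any hex run in the data decodes to an executable header."""
    return any(f["is_pe"] for f in find_hex_payloads(data))


if __name__ == "__main__":
    for f in find_hex_payloads(SAMPLE_DOC):
        print(f)
    print("embedded executable:", contains_embedded_pe(SAMPLE_DOC))
```

In real triage the text would first be pulled out of the OLE/OOXML container (with a macro extractor such as oletools' olevba) and the hex may be split across several cells or string concatenations, so a production rule would normalise whitespace and joins before matching; this example works on already-flattened bytes.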
The agency attributes this activity to the UAC-0056 group - aka SaintBear, UNC2589, TA471, which cybersecurity firm SentinelOne recently reported was targeting Ukrainians with fake translation software. The downloader used in that campaign is Python language-based while the one used in the current campaign is based on the Golang programming language. Otherwise, the two campaigns are identical, the firm says.
In the second alert, CERT-UA warned of the distribution of the archive "Information on the loss of servicemen of the Armed Forces of Ukraine.docx.exe." It contains the bait file "Loss-1001.docx" and the compressed file "googleupdate.exe," the agency says.
After analysis, CERT-UA experts classified the malware as PseudoSteel. Explaining the functionality of the malware, CERT-UA says, "After entering the computer, this malicious program searches for files (*.txt, *.doc, *.docx, *.pdf, *.xls, *.xlsx, *.ppt, *.pptx, *.odt, *.rtf, *.zip, *.rar, *.7z) and uploads them to an external FTP server. This makes the information in these files available to attackers."
With a low level of confidence, CERT-UA attributes this activity to the Russian attack group UAC-0010 - aka Armageddon.
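Because PseudoSteel pushes collected documents to an external FTP server, one place to catch it is egress telemetry: an internal workstation opening an FTP control session (port 21) to an external host and then moving a large volume of data to that same host. The script below is an added example written for this article, not CERT-UA's detection content; the connection-log format, the internal address ranges, the sample log lines and the 1 MB threshold are all constructed assumptions. It accounts for FTP's separate data channel by summing bytes to the external host over every port, not just port 21.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Internal address space of a hypothetical organisation; an assumption.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FTP_CONTROL_PORT = 21

# Constructed connection-log lines, not from the page or any real network.
# Fields: timestamp src_ip:port -> dst_ip:port proto bytes_out
SAMPLE_LOG = """\
2022-03-28T10:01:05Z 10.20.3.41:51234 -> 10.20.1.5:21 tcp 1280
2022-03-28T10:02:17Z 10.20.3.41:51240 -> 203.0.113.77:21 tcp 960
2022-03-28T10:02:19Z 10.20.3.41:51241 -> 203.0.113.77:50123 tcp 8421344
2022-03-28T10:02:30Z 10.20.3.42:51301 -> 198.51.100.9:443 tcp 4100
2022-03-28T10:03:02Z 10.20.3.43:51250 -> 198.51.100.9:21 tcp 410
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(log: str) -> List[Dict]:
    """Parse the constructed log format into dicts, skipping blank lines."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst, proto, nbytes = line.split()
        src_ip, _src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        rows.append({"ts": ts, "src": src_ip, "dst": dst_ip,
                     "dport": int(dst_port), "proto": proto, "bytes": int(nbytes)})
    return rows


def flag_ftp_exfil(log: str, min_bytes: int = 1_000_000) -> List[Tuple[str, str, int]]:
    """Return (src, dst, bytes_out) for internal hosts that opened an FTP
    control session to an external host and sent at least min_bytes to that
    host over any port. Internal-to-internal FTP is ignored."""
    control = set()
    volume = defaultdict(int)
    for r in parse_log(log):
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue
        key = (r["src"], r["dst"])
        volume[key] += r["bytes"]
        if r["dport"] == FTP_CONTROL_PORT:
            control.add(key)
    return sorted((s, d, volume[(s, d)]) for (s, d) in control
                  if volume[(s, d)] >= min_bytes)


if __name__ == "__main__":
    for src, dst, nbytes in flag_ftp_exfil(SAMPLE_LOG):
        print(f"possible FTP exfiltration: {src} -> {dst} ({nbytes} bytes)")
```

In the sample, 10.20.3.41 is flagged because its control session to 203.0.113.77 is followed by an 8 MB transfer to the same host on a high port, while 10.20.3.43's lone 410-byte control connection stays below the threshold; the threshold and the internal ranges should be tuned to the environment.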
First Cyberwar Is Underway
During a briefing at the Ukraine Media Center, Shchyhol, the head of SSSCIP Ukraine, said: "The first cyber war in human history is now underway."
He spoke about how the entire world's IT society has united in its reaction to injustice and attempts by Russia to destroy Ukraine.
"Our service is responsible for protecting information and for cybersecurity. On the eve of the war, we brought together the best IT and cybersecurity professionals, who are now helping us keep Ukraine's information resources safe. Ukrainian IT professionals from around the world quickly cooperated and got in touch with the authorities responsible for cybersecurity," Shchyhol said.
He added that Ukraine is also helped by the world's leading IT companies, including giants such as Microsoft and Oracle. The main challenge lying ahead, Shchyhol says, is to defeat the enemy in all arenas of the battle, including cyberspace. Citing the ongoing cyberattacks on Ukrainian authorities, he asked users to maintain cyber hygiene and said, "Do not open unknown links. Do not download files whose origin you do not understand. Be critical of all information that comes to you."