Most cyberattacks in Ukraine continue to be planned and highly targeted, but there are some signs that the situation could soon change, as many have predicted.
One indication is a new Trojan dubbed FoxBlade that Microsoft researchers recently discovered on Ukrainian government systems. It would allow attackers to use infected PCs in distributed denial-of-service (DDoS) attacks. There is some concern that the operators of the malware will try to infect as many systems as possible with it, both inside and outside Ukraine, to make their DDoS attacks more powerful.
Another indication is a sharp increase in phishing attacks out of Russia over the past 24 hours, some of which have already impacted organizations in the US and Europe.
Microsoft president and vice chair Brad Smith mentioned FoxBlade briefly on Monday in a broader blog post on the use and abuse of digital technology in Ukraine. He described the malware as being used as part of a broader set of "precisely targeted" attacks, unlike in 2017, when NotPetya attacks spread from Ukraine to other countries. Smith offered no description of FoxBlade or its potential infection vectors but noted that Microsoft had developed a signature for the threat within three hours and added it to the company's Defender anti-malware service.
A Microsoft threat intelligence description of the threat, however, describes FoxBlade as malware that allows infected systems to be co-opted into DDoS attacks without the system user's knowledge.
Nathan Einwechter, director of security research at Vectra, says he expects systems outside Ukraine will be the predominant targets of FoxBlade infections. "Being able to infect many systems outside of Ukraine allows the attackers to have a greater impact on important targets," he says. "Infected systems within Ukraine are much more likely to be the victim of a ransomware or wiper attack following infection as opposed to the FoxBlade DDoS trojan."
Also important to consider is who exactly the threat actor might target with its DDoS capabilities. These organizations are likely to be much more carefully selected entities that the attackers are interested in actively disrupting. Potential targets could include organizations in Ukraine as well as those in countries that have thrown their support behind Ukraine. "Both of these target types, even outside Ukraine, represent important opportunities to impact the conflict in various ways," Einwechter says. FoxBlade is self-contained, along with a dropper, and is loaded onto systems after some other existing exploit is leveraged, so it is not specifically tied to any given exploit or vulnerability, he adds.
Big Surge in Email Attacks Out of Russia
Meanwhile, Avanan reported observing an eightfold increase in email-borne attacks out of Russia in just the past 24 hours, at least some of them targeting manufacturing firms and international shipping and transportation companies in the US and Europe.
Most of the attacks appear designed to gain access to the recipient's email account by inducing the recipient to hand over account credentials, Avanan said Tuesday.
"There does appear to be a larger volume of attacks going after sea shipping companies and auto manufacturers," says Gil Friedrich, CEO of Avanan, a Check Point Security Company. "Some have operations in Ukraine; some don't," he says. As one example, he points to an international shipping company, whose executives have Ukrainian ties, that was targeted. The actors behind the latest round of attacks appear to be a combination of Russia-based groups engaged in opportunistic attacks and those who are more targeted, he says.
In another development, ESET on Tuesday said its researchers had observed a second destructive disk wiper, this one dubbed IsaacWiper, being used in targeted fashion on systems belonging to a Ukrainian government organization. The security vendor had last week reported finding another disk wiper, called HermeticWiper, on systems belonging to several Ukrainian organizations. Both malware tools are designed to overwrite the Master Boot Record (MBR) on Windows systems, rendering them inoperable after infection and compromise.
In an update Tuesday, ESET described attacks involving HermeticWiper as starting on February 23, shortly before Russia's invasion of Ukraine. The security vendor said it had observed HermeticWiper on hundreds of systems belonging to at least five organizations in Ukraine. The attackers appear to have used a malware tool dubbed HermeticWizard to spread the disk-wiping malware across local networks via SMB shares and Windows Management Instrumentation (WMI), ESET said. The company said its researchers had not been able to attribute the malware to any specific actor or country.
"The two wipers differ quite a bit in their implementation," says Jean-Ian Boutin, head of ESET threat research. "HermeticWiper is more sophisticated than IsaacWiper, but both have the same purpose: they try to corrupt the disk's content and make the system inoperable."
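Because both wipers described above target the MBR, a defender's first forensic question on a suspect Windows host is whether the first 512-byte sector still looks like a valid boot record. The following Python is an added example, not ESET's or Microsoft's code: it parses an MBR, applies a simple wiped-or-intact heuristic, and compares the sector against a hash recorded when the host was known-good. The boot code, partition entry and zeroed "wiped" sector are constructed inline for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # 0xAA55 little-endian at offset 510 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR: four 16-byte partition entries at offset 446, then signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]          # boot flag, partition type
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
        "sector_sha256": hashlib.sha256(sector).hexdigest(),
    }


def mbr_looks_wiped(sector: bytes) -> bool:
    """Heuristic: missing signature, no partitions, or implausible entries => likely overwritten."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return True
    used = [p for p in info["partitions"] if p["type"] != 0]
    if not used:
        return True
    return any(p["status"] not in (0x00, 0x80) or p["sectors"] == 0 for p in used)


def matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """Compare the live MBR against a hash taken while the host was known-good."""
    return hashlib.sha256(sector).hexdigest() == baseline_sha256


def build_sample_mbr() -> bytes:
    """Constructed (not captured) MBR: stand-in boot code plus one bootable NTFS partition."""
    code = b"\xfa\x33\xc0" + b"\x90" * 443                   # 446 bytes of placeholder code
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE      # 446 + 16 + 48 + 2 = 512


GOOD_MBR = build_sample_mbr()
WIPED_MBR = b"\x00" * SECTOR_SIZE         # constructed: first sector zeroed by a wiper
BASELINE = hashlib.sha256(GOOD_MBR).hexdigest()
```

On a real host the sector would be read from the raw disk device (or a forensic image) and the baseline hash stored off-host, since a wiper can destroy any baseline kept locally.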
Boutin shared Smith's assessment of the attacks on Ukraine so far being targeted. "This is [a] fair assessment," Boutin noted. "Based on the capability, appearance and the selection of targets, the wiper attacks reported by ESET Research were very targeted."