
Russia's digital warfare on Ukraine shows no signs of slowing: Malware hits surge

Severe incidents may be down, but Putin had to throw one in for good measure


Russia's use of malware to support its military efforts in Ukraine is showing no signs of waning while its tactics continually evolve to bypass protections.

Ukraine's State Service of Special Communications and Information Protection (SSSCIP) published its half-year report on Russia's cyber activity in the war this week, noting a 90 percent increase in incidents involving malware infections.

Email protections are widely deployed, and according to the SSSCIP's report, they're quite effective, which means the Russians have to get more creative as they find new ways of dropping malware inside Ukraine's borders.

The report details a case study in which UAC-0184, a known Russian cyberespionage outfit, targets military personnel, specifically using messaging apps such as Signal to steal sensitive documents.

"Equipped with ample personal data and contact phone numbers, UAC-0184 hackers impersonate others and initiate communication with their intended victims, often through Signal," the report reads. "It's worth noting that they employ any available resources to 'groom' their targets, including dating platforms. 

"After gaining the victim's trust, under the guise of sending documents related to awards, combat footage, or recruitment to other units, the hackers send an archive containing a shortcut file. 

"Opening the shortcut file on a computer displays a decoy file relevant to the conversation topic while simultaneously infecting the system with a downloader malware, which then installs remote control software. This way, UAC-0184 gains full access to the victim's computer."
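The lure described above hinges on a Windows shortcut file hidden inside an archive, and that is something a mail gateway or endpoint scanner can check for before the recipient ever double-clicks. The following detector is an added example written for this article; it is not SSSCIP or CERT-UA tooling. It identifies shortcut members by extension and, more robustly, by the fixed Shell Link header (size field 0x4C followed by the Shell Link CLSID), so a renamed `.lnk` is still caught; the sample archive, including the file names, is constructed for the demonstration.

```python
"""Flag archives that carry Windows shortcut (.lnk) files, the lure pattern the
SSSCIP case study describes. Added example with a constructed sample archive."""
import io
import zipfile

# Shell Link header: HeaderSize = 0x0000004C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its little-endian on-disk layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Document/media extensions attackers put in front of ".lnk" to disguise it.
DECOY_EXTS = {"pdf", "doc", "docx", "xlsx", "jpg", "png", "mp4"}


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with the Shell Link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def find_shortcut_lures(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that is a shortcut by name or by header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            lower = info.filename.lower()
            by_ext = lower.endswith(".lnk")
            by_magic = is_lnk(head)
            # "award.pdf.lnk": a document-looking name in front of the real extension
            stem = lower[:-4] if by_ext else lower
            disguised = by_ext and "." in stem and stem.rsplit(".", 1)[1] in DECOY_EXTS
            if by_ext or by_magic:
                findings.append(
                    {
                        "name": info.filename,
                        "ext_lnk": by_ext,
                        "magic_lnk": by_magic,
                        "disguised": disguised,
                    }
                )
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample, not a real lure: a decoy document, a shortcut posing as
    video, a shortcut with its extension swapped, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("award_order.pdf", b"%PDF-1.4\n% decoy placeholder\n")
        zf.writestr("combat_footage.mp4.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("readme.txt", LNK_MAGIC + b"\x00" * 56)  # header still says LNK
        zf.writestr("notes.txt", b"plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_shortcut_lures(build_sample_archive()):
        print(hit)
```

Checking the header rather than trusting the name is the important part: the extension test alone misses a shortcut that arrives under a different name, while the header test alone misses nothing here but says nothing about the social-engineering disguise, so the detector reports both signals separately.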

Message lures are often themed around four key areas:

The malware doesn't stop there, as popular strains such as Smokeloader were spotted in other, more speculative spray-and-pray-style phishing campaigns, while ransomware was also seen in "several" cases.

One of the trends the SSSCIP highlighted was Russia's renewed interest in disruptive cyberattacks. The war kicked off just hours after Russia's destructive attack on Viasat, which involved the WhisperGate wiper malware, and similar incidents keep cropping up deep into the conflict's third year.

Back in March, Russia attempted a widespread destructive cyberattack against nearly 20 energy infrastructure organizations in Ukraine, succeeding in at least some cases.

The attacks involved the compromise of three supply chains simultaneously, the report noted, adding that the initial infection came via "a shared service provider."

Ukraine attributed the attacks to UAC-0002 aka Sandworm – one of Russia's most prolific offensive cyber groups, linked to attacks on water facilities in the US and EU, the 2018 Winter Olympics, NotPetya, and various other major attacks on Ukraine's critical infrastructure.

"Targeting such a large number of organizations individually is a challenging task," the report reads. "Therefore, this time, they executed a supply chain attack, targeting at least three supply chains simultaneously. 

"This conclusion was drawn from the fact that in some cases, the initial unauthorized access correlated with the installation of specialized software containing backdoors and vulnerabilities, while in others, the attackers compromised employees' accounts of the service provider who routinely had access to the industrial control systems (ICS) of organizations for maintenance and technical support."

Investigators found evidence of various malware strains installed on the systems at critical infrastructure organizations, such as LoadGrip and BiasBoat – both of which are Linux-based QueueSeed variants.

The SSSCIP wrote in its report: "Given the operation of these specialized software systems within the ICS of targeted objects, the attackers utilized them for lateral movement and escalation of the cyberattack against the corporate networks of the organization. 

"For example, on such systems, pre-created PHP web shells like Weevely, the PHP tunnel Rgeorg.neo, or Pivotnacci were found in specialized software directories. 

"It is likely that the unauthorized access to the ICS of a significant number of energy, heat, and water supply facilities was intended to amplify the impact of missile strikes on Ukraine's infrastructure in the spring of 2024."

An incident summary from the Computer Emergency Response Team of Ukraine (CERT-UA) at the time noted that attacks were able to unfold due to inadequate network segmentation and the "negligent attitude" of software vendors failing to patch "banal" remote code execution vulnerabilities.

Keeping a low profile

Yevheniya Nakonechna, head of the State Cyber Protection Centre of the SSSCIP, said the hallmark of Russia's cyber activity in 2024 has been the targeting of "anything directly connected to the theater of war," trying to maintain a low profile and persistent access in key systems relied on by the military.

"Hackers are no longer just exploiting vulnerabilities wherever they can but are now targeting areas critical to the success and support of their military operations," she said.

Despite Russia's return to destructive attacks akin to those seen in the early stages of the war, its ambition to stay (largely) under the radar is supported by the figures gathered by CERT-UA and the SSSCIP.

Putin's cyber army is still as active as ever, registering a 19 percent increase in overall attacks in the first half of 2024. However, the incidents investigated by Ukraine have primarily been categorized as low severity. 

Compared to the final six months of 2023, 'critical' and 'high' severity incidents dropped 90 percent and 71 percent respectively. Of the total 1,739 incidents analyzed, only 48 fell into the most serious category, although Russia's continued targeting of the government and military sectors remains a concern.

"The war persists, and cyberspace remains a battlefield in its own right," the report reads. "The enemy is determined to gather intelligence by any means necessary, leading us to believe that cyberattacks targeting military personnel and government bodies will remain prevalent. 

"Phishing and malware infections are the primary tools of cyberespionage, with human behavior being the weakest link. Therefore, the primary means of cybersecurity must focus on continuously raising citizens' awareness of fundamental cyber hygiene practices and current cyber threats." ®
