Espionage attacks are designed to establish a foothold and exfiltrate data from targeted systems.Destructive attacks are meant to destroy the data and render targeted systems inoperable.Looking at the type of malware used, we can distinguish between 2 lines of attacks differentiated by the attacker's objectives: The variety of malware used, and involvement of Russian state-sponsored threat actors makes it evident that successful protection measures against attackers would require not only reactive but also a proactive approach. The flow timeline below illustrates the pressure placed on Ukrainian organizations and that government infrastructure is the attacker’s primary target of the attackers. However, as published by ESET researchers, InvisiMole was found to be using server infrastructure operated by Gamaredon.įigure 2 – Threat Actors and Russian Special Services Connections Timeline of the Attacks & Malware Used Other actively involved threat actors such as UNC2589, also known as Ember Bear or Lorec53, and InvisiMole do not present such clear ties with Russian special services. The Security Service of Ukraine (SSU) successfully identified individuals behind Gamaredon confirming their ties with FSB. GAMAREDON, also known as Primitive Bear or Armageddon, traced to the Russian Federal Security Service (FSB) in November 2021. SANDWORM, also known as Black Energy, was tied to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Former GRU) Unit 74455.ĭRAGONFLY, also known as Energetic Bear or Crouching Yeti was identified as the Russian Federal Security Service (FSB) Unit 71330.
Russian Threat Actors Behind the Attacks in Ukraineĭespite the high level and technical sophistication of the cyberattacks, and the Russian Special Services’ ability to cover their tracks, several traces remain present after the attacks which leave no doubt of Russia’s involvement in the current attacks against Ukraine.Īs mentioned in a report released by the Estonian Foreign Intelligence Service and a UK government publication we can clearly draw some connections between the most notorious threat groups involved and Russian special services.ĪPT29, also known as Cozy Bear or The Dukes to the Russian Foreign Intelligence Service (SVR).ĪPT28, also known as Fancy Bear or Sofacy was traced to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Former GRU) Unit 26165. In this article we will summarize some of the most prominent Russian threat actors involved and the malware tools used in cyberattacks against Ukraine.
#Eset cyber security pro blocking transmission series
Reports from Trustwave and other security researchers show that Russian cyberattackers have maintained pressure launching a series of attacks showing how malware has been used against organizations in Ukraine either to destroy or gain control over targeted systems. Russia utilized cyberattacks during the initial phase of the invasion in February.
While conventional warfare is conducted on the battlefield and limited by several factors, cyber warfare continues in cyber space, offering the chance to infiltrate and damage targets far behind the frontlines. Observing the ongoing conflict between Russia and Ukraine, we can clearly see that cyberattacks leveraging malware are an important part of modern hybrid war strategy.
0 kommentar(er)
