Last week, Ukrainian officials said they stopped an attack on high-voltage electrical substations with the help of cybersecurity firm ESET and Microsoft. While thwarting the attack, they discovered a new variant of the Industroyer malware, which was used in a 2016 Ukraine grid attack and is tied to a notorious hacking unit within Russia’s GRU military intelligence agency known as Sandworm.
This kind of attack is typical of the tactics used by Russia in the ongoing cyberwarfare between Ukraine and Russia, which the Wall Street Journal has described as trench warfare: “a grinding conflict of relentless, if sometimes unsophisticated attacks that have taken casualties but had limited impact on the course of the fight.”
And a report this week from Symantec underscores a trend in persistent yet relatively unsophisticated Russian attacks. The report cites the Russian Shuckworm Espionage Group, which is continuing to conduct an “intense” yet unsophisticated campaign against Ukraine.
“These attacks have continued unabated since the Russian invasion of the country. While the group’s tools and tactics are simple and sometimes crude, the frequency and persistence of its attacks mean that it remains one of the key cyber threats facing organizations in the region,” the report said.
Despite these ongoing attacks, the absence of a full-scale Russia cyber shock-and-awe campaign is what has surprised most observers to date.
Some of the most notable recent attacks against Russia have been by ransomware gangs.
Last month, established ransomware gang OldGremlin conducted two malicious email campaigns against Russia organizations, according to research from Group-IB. The gang bombarded Russian companies with emails that exploited trending news topics, masquerading as representatives of a Russian financial organization, Group-IB said.
“Given the fact that many international providers of email security products suspended operations on the Russian market, the campaigns of OldGremlin and other threat actors that use email at the initial stage [of a ransomware attack] are likely to become more successful and frequent,” according to the report.
“We have reason to believe that the new campaigns may have infected a large number of companies and that in the coming months the attackers will slowly and carefully move through their infrastructure, bypassing existing security systems,” Group-IB said.
NB65, another notorious ransomware gang, has been actively conducting campaigns against Russia, including an attack on the state-owned television and radio broadcasting network, VGTRK, The Record reported.
In that attack, they reportedly stole 900,000 emails and 4,000 files.
“The group’s most sophisticated and recent attack happened in March when they used the leaked source code from the Conti Ransomware gang — a Russia-linked threat actor — to make unique ransomware for each Russian target,” The Record said.
Malwarebytes goes into further detail (here) how the ransomware works in recent iterations.
See Venafi’s March blog: In Ukraine Cyber War, No Large-Scale Russian Offensives (Yet) but Anti-Russian Hackers Active.