Recent Developments in Russian-Ukrainian Cyber Warfare, April 6, 2022

Recent Developments in Russian-Ukrainian Cyber Warfare, April 6, 2022

By CyberProof Research Team

April 6, 2022

This week, security researchers shared a deep-dive analysis of an advanced wiper that was leveraged to wipe Viasat’s satellite communication modems in Ukraine. In addition, Google’s threat analysis group has published a report regarding the cyber landscape following the war between Russia and Ukraine, stating that different threat groups are using the subject as a lure in different cyber attacks.

Newly Discovered AcidRain Wiper is Used to Attack Global Originations

Security researchers shared an analysis of an advanced wiper used to wipe Viasat’s satellite communication modems in Ukraine. Named AcidRain, the wiper is a MIPS ELF executable with brute-force functionality that is mainly focused on data wiping on modems and routers. Once executed, the malware performs an in-depth wipe of the filesystem and known storage device files, including non-standard files in the filesystem (when it runs as root).

More specifically, the research indicates that the malware iterates over all possible device file identifiers, opens the device file, and either overwrites it with up to 0x40000 bytes of data or uses specific IOCTLS to delete it.

Additionally, researchers identified notable code similarities between AcidRain and a destructive plugin used by the VPNFilter wiper. The latter is a modular malware that targets SOHO routers and QNAP storage devices – which was recently attributed to the Russian state-sponsored APT group Sandworm. Therefore, researchers suspect with medium confidence that AcidRain might be operated by the Sandworm threat group as well.

Security researchers shared an analysis of an advanced wiper used to wipe Viasat’s satellite communication modems in Ukraine.

Multiple Threat Groups Use the War in Ukraine as a Lure in Phishing Attempts

Google’s threat analysis group has published a report regarding the cyber landscape following the war between Russia and Ukraine, stating that different threat groups are using the subject as a lure in different cyber attacks.

According to the report, state-sponsored attackers from Russia, China, Iran and North Korea - as well as unattributed groups - are using various themes related to the war in Ukraine to lure victims in order to steal sensitive information, credentials, and even money.

State-sponsored attackers from Russia, China, Iran and North Korea - as well as unattributed groups - are using various themes related to the war in Ukraine to lure victims and steal sensitive information, credentials, and even money.

Over a two-week period, several threat groups were observed leveraging the recent events of the ongoing war, including a Russian-based group referred to as Coldriver and Calisto. Their targets included several US-based NGOs and think tanks, the military of multiple Eastern European countries, and more. The campaigns use recently created Gmail accounts to send phishing emails, with links designed to steal credentials.

Another threat is Ghostwriter, a Belarusian threat group. Ghostwriter's phishing attacks simulate a browser within the browser to spoof legitimate domains, exploiting this to host malicious websites. Once a user enters their credentials, the details are sent to an attacker-controlled domain, where they are stored and can be exploited in the future.

Another threat group mentioned in the report is Curious Gorge, who is linked to the cyber and electronic warfare branch of the Chinese military. It is using lures related to Russia's invasion of Ukraine in its campaigns, and has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.

In addition to state-sponsored groups, cyber criminals have also been incorporating the subject in their attacks. One cyber criminal operation, for example, is impersonating military personnel and demanding payments for rescuing relatives stuck in Ukraine.

We advise that all employees be educated to be wary of emails related to the current situation and ongoing war between Russia and Ukraine, as this subject seems to be a prominent phishing lure.

SOC Masterclass - Future-proofing your SOC


Interested in learning more about how you can protect your organization from cyber attack with CyberProof’s Managed Detection & Response services? Contact us!

Written by CyberProof Research Team
Our Cyber Research Team is always on the lookout for the latest threats facing the digital ecosystem. Stay ahead of the risks so you don't need to find out about them after they become your next attackers.