by venturebeat.com — Kyle Alspach — With limited information coming out of Ukraine about cyberattacks hitting the country, findings from tech giants Google, Amazon and Microsoft disclosed in recent days have provided a window into the cyber conditions in Ukraine as Russia’s brutal assault continues. All three companies have said they are providing cybersecurity support to Ukraine, whose government said on Saturday that it has been seeing “nonstop” distributed denial-of-service (DDoS) attacks by “Russian hackers” since Russia’s invasion on February 24. However, as evidenced by the latest reports from Google, Amazon and Microsoft, Ukraine’s computing infrastructure has been the victim of more than just DDoS attacks amid Russia’s unprovoked military campaign (though we still have yet to learn of a crippling cyberattack against electricity, water and communications infrastructure).
Google, Amazon and Microsoft have a view into the security threat landscape through operating massive cloud computing platforms, applications used by many governments and businesses and a number of security solutions. AWS continues to maintain its lead in the market for cloud infrastructure services, according to Synergy Research Group, followed by Microsoft Azure at No. 2 and Google Cloud at No. 3. What follows are the latest details that Google, Amazon and Microsoft have revealed about Ukraine’s cyber situation.
During the last two weeks, Google says that its Threat Analysis Group (TAG) that it “observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement.” Among the threat actors are FancyBear/APT28, which researchers have associated with Russia’s intelligence directorate (GRU), and Ghostwriter/UNC1151, which researchers have associated with the Belarus defense ministry. “This activity ranges from espionage to phishing campaigns. We’re sharing this information to help raise awareness among the security community and high-risk users,” said Shane Huntley of Google’s Threat Analysis Group in a blog post Monday. FancyBear has conducted “several large credential phishing campaigns” that have targeted users with ukr.net email address (from Ukrainian media company UkrNet). “The phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains,” Huntley said. Two of the campaigns have included the use of new Blogspot domains for the landing page — which then redirect users to a credential phishing site, he said.
Ghostwriter/UNC1151 has previously been blamed for recent phishing attacks targeting Ukrainian military personnel. However, the group has been attacking not just Ukrainian government and military organizations, but individuals in the Polish military and government, as well, according to the Google blog penned by Huntley. Poland is a member of NATO. Along with ukr.net, other email providers whose users have been targeted in the UNC1151 phishing attacks include i.ua, meta.ua, wp.pl, yandex.ru and rambler.ru.
Meanwhile, a Chinese threat actor known as Mustang Panda (or Temp.Hex) has been seeking to capitalize on the Ukraine situation, according to the Google blog. The group has “targeted European entities with lures related to the Ukrainian invasion,” Huntley’s blog says, which have included “malicious attachments with file names such as ‘Situation at the EU borders with Ukraine.zip’.” “Contained within the zip file is an executable of the same name that is a basic downloader and when executed, downloads several additional files that load the final payload,” the blog says. Google has also observed “DDoS attempts against numerous Ukraine sites, including the Ministry of Foreign Affairs, Ministry of Internal Affairs, as well as services like Liveuamap that are designed to help people find information,” the Google blog said. In response, Google says it has expanded the eligibility criteria to receive free DDoS protection under Project Shield — “so that Ukrainian government websites, embassies worldwide and other governments in close proximity to the conflict can stay online, protect themselves and continue to offer their crucial services and ensure access to the information people need.”
In a blog post Friday, Amazon said that its cloud platform, Amazon Web Services (AWS), “has been working closely with Ukrainian customers and partners to keep their applications secure.” The work has included helping customers in Ukraine to employ best practices in cybersecurity, “building and supplying technical services and tools to customers in Ukraine” to assist with moving on-premises infrastructure onto AWS “in order to protect it from any potential physical or virtual attack,” Amazon staff said in the blog. Over the previous two weeks, Amazon has also observed “new malware signatures and activity from a number of state actors we monitor.” Specifics were not provided, by Amazon said that it has been sharing the threat intelligence it has gathered with governments and IT organizations in Europe, North America and other regions. Notably, Amazon said it is seeing both “an increase in activity of malicious state actors” and also “a higher operational tempo by other malicious actors.”
And, Amazon reports that it has observed “several situations where malware has been specifically targeted at charities, NGOs, and other aid organizations in order to spread confusion and cause disruption.” “In these particularly egregious cases, malware has been targeted at disrupting medical supplies, food, and clothing relief,” Amazon staff said in the blog. An Amazon representative told VentureBeat that the company did not have further details to share on the cyberattacks targeting charities, NGOs and other aid organizations.
Amazon’s report of those cyberattacks echoed comments earlier last week from Microsoft president Brad Smith. In a February 28 blog post, Smith alluded to cases of cyberattacks targeting humanitarian aid, emergency response services, agriculture and energy. Microsoft also did not provide further specifics. The recent cyberattacks against these civilian targets in Ukraine “raise serious concerns under the Geneva Convention,” Smith said in that blog — referencing the international treaty that defines what are commonly referred to as “war crimes.” In a follow-up blog post on Friday — in which Smith announced that Microsoft would suspend all new sales and services of its products in Russia — the Microsoft president said that “our single most impactful area of work almost certainly is the protection of Ukraine’s cybersecurity.” “We continue to work proactively to help cybersecurity officials in Ukraine defend against Russian attacks, including most recently a cyberattack against a major Ukrainian broadcaster,” Smith said.
Ultimately, “since the war began, we have acted against Russian positioning, destructive or disruptive measures against more than 20 Ukrainian government, IT and financial sector organizations,” he said. Smith’s earlier blog post had not specifically mentioned Russia in connection with cyberattacks in Ukraine — or mentioned the figure for the number of Ukrainian government, IT and financial organizations that had been attacked. “We have also acted against cyberattacks targeting several additional civilian sites,” Smith said. “We have publicly raised our concerns that these attacks against civilians violate the Geneva Convention.”
Smith’s blog on Friday was Microsoft’s third post last week addressing the cyber situation in Ukraine. On March 2, Microsoft warned that the group behind the “HermeticWiper” cyberattacks — a series of data-wiping malware attacks that struck numerous Ukrainian organizations on February 23 — remains an ongoing threat. “Microsoft assesses that there continues to be a risk for destructive activity from this group, as we have observed follow-on intrusions since February 23 involving these malicious capabilities,” the company said in the blog post update.