Nilaa Maharjan & Bhabesh Raj Rai, Logpoint Global Services & Security Research
Cyber threats have been rising since Russia began its war on Ukraine on February 24. Logpoint helps organizations protect themselves against threats related to Russian cyber operations and the war in Ukraine.
This blog post provides an overview of the research conducted on the offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure. The blog post is accompanied by a Logpoint Emerging Threats Protection report, covering detection methods, investigation playbooks, and recommended responses and best practices.
Hours before the launch of missiles on Ukraine and the movement of tanks across the borders on February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure.
Thanks to cyber defense teams worldwide, signatures to detect the new exploits were written and widely available within three hours. As new threats have emerged, defense teams have created more detection and prevention techniques and provided suggestions on strengthening defenses. It’s fair to say that cyber defense teams worldwide have been uniting to keep Ukraine and its allies safe through all means possible.
Logpoint, too, has utilized its Emerging Threats Protection service to analyze the main threats discovered during the first period of the Russia-Ukraine war to understand whether any of these threats put our customers in harm’s way, and ensure our customers are protected. Many of these threats can be discovered using the rules package described in the report. Others may require additional investigation, manually or using automated Playbooks.
Historically, we have seen a wide use of the 2017 NotPetya malware family by Russian actors. This time around, we see a new variety of threats and tactics following a certain pattern, causing havoc in Ukraine and with the potential to spread throughout the rest of the world.
As the war rages, new malware variants are being introduced by Russian actors, such as CaddyWiper, detected on March 14 by ESET. There have been at least four wiper attacks, and our Research Team is adding additional detection methodologies that track wiper processes and behavior to detect, investigate and respond using automated playbooks. The Emerging Threats Protection report covers the impact on Ukrainian systems and describes these detection methods.
Attackers have targeted not only Ukrainian government institutions but also the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises. This has led multiple tech and non-technical groups to share statistics and advice and lend their assistance to help the Ukrainian authorities.
Recently we have seen increased attacks against Ukrainian Internet providers, for example, the March 28 attack on Ukrtelecom, which was documented on Cloudflare Radar.
However, it seems that Russia is holding back on deploying its full cyber-attack capabilities. For years experts have expected that the next war would be a cyber war, yet Russia uses artillery more than cyber warfare. Considering that CISA has published information on significant attacks against the Energy Sector worldwide, this is even more surprising and makes you wonder when those capabilities will be unleashed – and against whom.
There is a risk that the burgeoning cyber war over Ukraine might spread worldwide. In the interest of being proactive and vigilant, Logpoint’s Security Research and Global Services teams have published the report going into the details of the recent incidents, potential threats, and how to detect and defend against attacks using Logpoint’s SIEM and SOAR capabilities.
We will keep updating our customers with new rules, detection methodologies, and playbooks to ensure our SIEM+SOAR solution is up to date and keeps your infrastructure safe.