Ukraine suffered two cyberattacks in the lead-up to Russia’s invasion
But in the days before the conflict began, Ukraine was the target of two significant cyberattacks, detailed in new research out today. Both affected Ukraine’s government agencies and one of them also impacted its military and civilians.
Hackers took down the U.S. satellite Internet firm Viasat starting Feb. 24, as Russia began invading Ukraine. Viasat has released a new overview that details the timeline of the “multifaceted and deliberate cyberattack” on its European satellite network, KA-SAT.
- The cyberattack affected Ukraine’s military, government agencies and civilians, Ukrainian authorities have said. Viasat uses European distributors to sell Internet service to customers, who use modems.
- Ukrainian modems and equipment began sending “high volumes of focused, malicious traffic” in the morning hours of Feb. 24, Viasat said. “This targeted denial of service attack made it difficult for many modems to remain online,” the company said. “We believe the purpose of the attack was to interrupt service.”
U.S. intelligence agencies have concluded that hackers working for Russia’s military intelligence agency were behind the attack, my colleague Ellen Nakashima reported last week. Viasat has said an investigation with Mandiant, law enforcement, government agencies and others is ongoing.
Viasat also says it detected a “ground-based network intrusion by an attacker” that got into a key part of the KA-SAT network after “exploiting a misconfiguration in a VPN appliance.” The attacker then told “a large number of residential modems” to overwrite their data, making them unable to connect to the network.
- More of Viasat’s response: “Certain end-customer modems promptly received over-the-air updates, but where such updates are insufficient to timely restore functionality, new modems are being provided as the most efficient way to restore service,” the company said. “Viasat has already shipped tens of thousands of replacement modems to distributors and is ready to ship additional modems as needed.”
The report comes around two weeks after CISA and the FBI warned satellite communication providers that hacks of their networks “could create risk in SATCOM network providers’ customer environments.”
CrowdStrike researchers say a group called “Ember Bear” was behind malware dubbed “Whispergate,” which targeted Ukrainian government agencies in the run-up to the invasion.
- The group is “an adversary group that has operated against government and military organizations in Eastern Europe since early 2021,” CrowdStrike head of intelligence Adam Meyers plans to tell the House Homeland Security Committee today.
CrowdStrike hasn’t said the Russian government is behind the group. But its technical characteristics and intent “are consistent with other GRU cyber operations,” Meyers said, referring to Russia’s military intelligence agency.
- “We believe that they were initially engaged in collecting intelligence from various networks and they were basically motivated to weaponize that access and data during their intrusions to support information operations, so leaking things out in order to kind of create mistrust in public institutions and degrade the government’s ability to counter Russian cyber operations,” Meyers told me.
The new details could provide insight for cyber pros who have to defend their networks from Russian hackers.
Russian hackers have increased their scanning of U.S. networks over the past month, FBI Cyber Division assistant director Bryan Vorndran told the House Judiciary Committee on Tuesday.
“We have absolute strategic warning that Russia plans to hit us,” Vorndran said.
The hackers targeted election officials in at least nine states in October, the FBI said. The FBI warned that the emails “shared similar attachment files, used compromised email addresses and were sent close in time, suggesting a concerted effort to target U.S. election officials.”
Election officials need to continue to be on alert, the FBI said. “The FBI judges cyber actors will likely continue or increase their targeting of U.S. election officials with phishing campaigns in the lead-up to the 2022 U.S. midterm elections,” it warned.
Cybersecurity experts debated whether there was enough evidence to conclude that the FBI actually found a campaign targeting election officials specifically. Here’s Georgetown University’s Matt Blaze and Mandiant’s John Hultquist:
Not saying it wasn’t, but that same pattern works for regular phishing, too. Compromise an account, phish everyone in its addressbook.
— matt blaze (@mattblaze) March 29, 2022
I’d be verrrrry careful about invoice themed phishing. I’d argue the theme suggests that it’s not targeted.
— John Hultquist🌻 (@JohnHultquist) March 29, 2022
The country’s police bought “not Pegasus, but a system called ‘Saifan’ — in essence, a weakened version of Pegasus … with lesser capabilities, fewer means of operating,” NSO chief executive Shalev Hulio told an Israeli radio station. Hulio also said NSO shared an “audit trail log” of targeted Israelis with government investigators who were looking into possible misuse of the technology, Reuters‘s Dan Williams reports.
“Israeli media have reported that the hacking tool used by police is designed to allow real-time eavesdropping, whereas Pegasus also provides access to past correspondence stored on cellphones,” Williams writes. “Reuters could not independently confirm this.”
The details came after a government inquiry rebutted an Israeli news organization’s allegations that police used the technology illegally.
The U.S. government blacklisted NSO in November after finding that foreign governments used its technology to “maliciously target” government officials, activists and journalists. An investigation by The Washington Post and 16 media partners last year found that the spyware was used to target journalists, activists and executives.
The brazen hack marks one of the largest crypto thefts to date, Steven Zeitchik reports. It took place last Wednesday, when hackers breached the Ronin blockchain and made off with around $625 million in cryptocurrency. Ronin powers the popular video game Axie Infinity.
“Developers at Sky Mavis, which runs both Axie Infinity and Ronin, said they only discovered the breach Tuesday,” Steven writes.
The company said in its newsletter that it is “working directly with various government agencies to ensure the criminals get brought to justice.” Crypto hacks are becoming increasingly common as the amount of trading activity increases.
Sky Mavis representatives did not respond to The Post’s request for comment, though Axie Infinity’s Twitter account tweeted that “we are here to stay.”
- Mike Sexton has joined Third Way as senior policy adviser for cyber. He previously directed the Middle East Institute’s cyber program. Jayson Browder has also joined Third Way as senior policy adviser for national security. He previously was an assistant dean at New York Abu Dhabi.
- National Cyber Director Chris Inglis, Rep. Jim Langevin (D-R.I.) and Mark Montgomery, who was executive director of the Cyberspace Solarium Commission, speak at a U.S. Chamber of Commerce event today 12:30 p.m.
- The House Homeland Security Committee holds a hearing on securing critical sectors from Russian cyberattacks today at 2 p.m.
- CISA’s cybersecurity advisory committee meets on Thursday at 2 p.m.
- The Center for Strategic and International Studies hosts an event on the cybersecurity implications of U.S.-China technology decoupling on Thursday at 2 p.m.
- Homeland Security Secretary Alejandro Mayorkas and Dilan Yeşilgöz-Zegerius, the Netherlands’s Minister of Justice and Security, speak at an Atlantic Council event on securing marine transportation systems on Friday at 10:30 a.m.
