Before the Russian invasion of Ukraine, Western intelligence agencies warned of potential cyber attacks from Russia against Ukraine. Targets included military and government sites, and organisations ranging from small businesses to large enterprises. At the time, Western intelligence agencies also highlighted that these cyber attacks could cause damage to, or otherwise affect, computer networks outside of Ukraine.
“If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use our all-possible resources to strike back at the critical infrastructures of an enemy.”
Conti is a highly sophisticated, highly capable and well-funded ransomware group. It is known to be the first threat actor group to weaponize Log4Shell. However, as of late May 2022, Conti is rebranding itself and dividing into smaller groups.
UNC1151 is a Belarus-aligned hacking group which has been active since 2016. The group has previously targeted government agencies and private organisations in Ukraine, Lithuania, Latvia, Poland and Germany. UNC1151 has been linked to various attacks against Ukraine, including the defacement of multiple Ukrainian government websites. UNC1151 has also been using phishing campaigns to target the personal Facebook accounts of Ukrainian military personnel.
Armageddon is backed by the Russian FSB. The group has been targeting Ukraine since 2013. More recently its attacks have included the data-corrupting malware MBRLocker (WhisperGate), which destroys a victim’s data. Armageddon is a very aggressive threat actor. Its phishing campaigns during this war have also used email subject lines such as “Information on war criminals of the Russian Federation”. This campaign was targeted against the Ukrainian government and organisations linked to the Ukrainian government.
APT28 (Fancy Bear)
Fancy Bear is a highly sophisticated Russian cyber espionage group. Its main modus operandi relies on both phishing and credential harvesting. Fancy Bear operates across the globe and targets many industries and sectors, including government, military and critical infrastructure.
APT28 was linked to the cyberattack on US satellite communications provider Viasat. The latest cyber-attack involved email spoofing and attacks on critical infrastructure and government/military institutions inside Ukraine, as well as targeting similar institutions in North America, the UK and NATO.
Russian threat actors have been using Agent Tesla and XLoader malware for a long time. The main use of the malware is to steal passwords, capture screenshots, log keystrokes and install malicious files onto a victim’s network. Agent Tesla/XLoader is currently being used to target Ukrainian citizens and organisations within Ukraine.