The Russia-Ukraine war continues in cyberspace at the same pace as on the ground.
Attackers broke into the broadcast network of satellite TV channels in Russia.
The incident happened this morning; according to officials, the attackers inserted anti-war messages about the operation in Ukraine along the bottom of the screen.
According to a post on 66.ru, “Our specialists are doing everything possible to resolve the problem as soon as possible. In the near future, everything will be restored,” the company said.
The report specifies that several providers were hit.
According to the Russian website Habr, GitHub has blocked at least dozens of accounts.
Sanctions against Sberbank and Alfa-Bank, two of the country’s largest banks, include the freezing of their assets and a ban on US citizens and companies doing business with them. As one consequence of the sanctions, the GitHub accounts of these two banks have been blocked.
Today, some researchers reported that personal accounts have been blocked as well.
Ukrtelecom, one of the largest Ukrainian telecom providers, suffered a powerful attack on March 28, 2022. It is one more incident in the hybrid warfare between Russia and Ukraine that we keep tracking here.
Ukrtelecom’s CIO Kyrylo Honcharuk spoke about the details of the attack:
“Ukrtelecom as part of Ukraine’s vital information infrastructure is in the focus of hackers’ attention all the time. We’ve been observing the increase in the number of cyberattacks against our infrastructure since the very beginning of the invasion. The attack on March 28 was powerful and sophisticated,”
Officials said the discovery phase of the attack was launched from Ukrainian territory recently and temporarily occupied by Russian forces, using a compromised account belonging to a company employee.
Once inside, the attackers tried to disable Ukrtelecom’s equipment and servers in order to take control of its network. They also attempted to change the passwords of employee accounts and of the logins used to access equipment and firewalls. In response, Ukrtelecom temporarily limited access to its services for private and business clients, and network traffic fell to 13% of its normal level. Internet access for clients began to be restored late on March 28, and by the following day Ukrtelecom’s services were available to almost all users.
The investigation continues. We have seen several attacks on Ukrainian organizations related to the Russian invasion; this one, however, has not been attributed to any particular group. We expect to see more attacks on Ukrainian targets, including government, energy and financial organizations.
Another sanctions decision came from Canonical, which announced that it is terminating support, professional services and channel partnerships with Russian enterprises.
“In response to the Russian invasion and acts of war in Ukraine, Canonical has sent notice of termination of support, professional services, and channel partnerships with Russian enterprises. We will not resume such engagements while broad and democratically instituted sanctions on Russia remain in place.
We will not restrict access to security patches for Ubuntu users in Russia – free software platforms like Ubuntu, VPN technologies, and Tor, are important for those who seek news and dialogue outside state control. We will direct any Russian subscription income for such maintenance to Ukrainian humanitarian causes.
We are actively supporting all of our colleagues affected by this war to ensure to the greatest degree possible their financial, emotional and physical safety. We are also supportive of colleagues around the world who have joined the effort to help and house victims and refugees.
As a company and a community, we are appalled by the senseless loss of life, and destruction of property and heritage, underway in Ukraine.”
Anonymous continues to target Russian government entities and private businesses. Most recently, the group announced that it had hacked the charitable wing of the Russian Orthodox Church.
The group claims to have taken 15 GB of data, but offers to share it only with journalists and researchers.
This week, Thozis Corp., a Russian investment company owned by Zakhar Smushkin, was another Anonymous victim in Russia. The group stole and published thousands of internal emails (about 5,500).
As sanctions against Russia have escalated, technology companies have joined them in large numbers. Meanwhile, cyberattacks against Russia by various threat actors continue at full intensity. On the Russian side, several countermeasures to these sanctions and threats stand out.
Sberbank, one of the biggest banks in Russia, has advised users to temporarily stop updating software because of the increased risk of device infection.
“We urge users to stop updating software now, and developers to tighten control over the use of external source code. If there is an urgent need to use software, be sure to check all downloaded files with an antivirus, and when using someone else’s source code in your programs, conduct a manual or automated check, including viewing the text of the source code,” Sberbank officials said.
Use of such software can infect personal and corporate computers as well as IT infrastructure. The best-known attack of this kind is the SolarWinds case: SolarWinds customers were compromised through a trojanized, digitally signed update of its Orion software, and the intrusion went undetected for months until Mandiant identified the malicious code.
These events show that the war will bring big changes to the cybersecurity industry. On the one hand, large cybersecurity vendors are buying smaller companies; on the other, it seems likely that countries will concentrate more on domestic cybersecurity and even IT production.
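The practical form of Sberbank’s “check all downloaded files” advice is to refuse to install an update unless it carries a valid signature from a key you already hold. The script below is an added example, not code from the article or from Sberbank: it plays both the publisher (key generation, signing a release) and the client (verification with a pinned public key), using a constructed update file and invented names, all created in a temporary directory with the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the article or from Sberbank: check a downloaded
# update against a detached signature with a pinned publisher key before
# installing it. The publisher key, update file and signature are all
# constructed locally for the demo.
WORK=$(mktemp -d)

# Publisher side (normally done in the vendor's release pipeline): create a
# signing key pair and sign the release. Clients receive only publisher.pub,
# pinned out of band, never fetched from the same place as the update.
publisher_release() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/publisher.key" 2>/dev/null
  openssl rsa -in "$WORK/publisher.key" -pubout -out "$WORK/publisher.pub" 2>/dev/null
  printf 'agent-1.2.3 release payload (constructed)\n' > "$WORK/update.bin"
  openssl dgst -sha256 -sign "$WORK/publisher.key" \
    -out "$WORK/update.bin.sig" "$WORK/update.bin"
}

# verify_update FILE SIG: exit 0 only if SIG is a valid RSA-SHA256 signature
# of FILE under the pinned public key. Anything else (modified file, wrong
# key, truncated or missing signature) is a refusal to install.
verify_update() {
  [ -s "$1" ] && [ -s "$2" ] || return 1
  openssl dgst -sha256 -verify "$WORK/publisher.pub" -signature "$2" "$1" >/dev/null 2>&1
}

# install_if_verified FILE SIG: the gate an updater should put in front of
# unpacking or executing anything it downloaded.
install_if_verified() {
  if verify_update "$1" "$2"; then
    echo "signature OK, installing $1"
  else
    echo "signature check FAILED for $1, refusing to install" >&2
    return 1
  fi
}

main() {
  publisher_release
  install_if_verified "$WORK/update.bin" "$WORK/update.bin.sig"
  # Simulate a mirror or man-in-the-middle swapping in a modified file.
  cp "$WORK/update.bin" "$WORK/update-tampered.bin"
  printf 'extra byte\n' >> "$WORK/update-tampered.bin"
  install_if_verified "$WORK/update-tampered.bin" "$WORK/update.bin.sig" || true
}
main
```

One caveat that the SolarWinds case makes obvious: this check only catches modification after the vendor signed the file. A build pipeline compromised before signing, as with the Orion update, produces a perfectly valid signature, which is why Sberbank’s advice also extends to reviewing third-party source code rather than trusting signatures alone.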
Anonymous announced that dozens of CCTV cameras in Russia had been hacked and published the streams on a website.
Some of them are no longer reachable, but many feeds are still up, including restaurants, indoor and outdoor cameras, offices and schools. Initially the site also carried home camera feeds, but the hackers later removed them with this explanation:
“After some consideration, we’ve decided to take down the house cams out of respect for the privacy of the Russian civilians. We hope you understand.”
It is currently unclear how the attackers gained access to the cameras.
The war between Russia and Ukraine continues at full intensity in cyberspace as well as on land.
The day started with the news about the hacking of the websites of arbitration courts of the Russian Federation.
The courts of Moscow, Primorsky, Krasnodar and Khabarovsk Territories and other regions were attacked. The attackers posted texts on the main pages insulting Vladimir Putin and Russians over the operation in Ukraine.
Anonymous still plays a very active role on the Ukrainian side of this cyber war.
In its latest activity, Anonymous attacked the German subsidiary of the Russian energy firm Rosneft and claims to have stolen about 20 TB of confidential data. Rosneft is an important supplier to several German industries, and the attack looks likely to affect the company’s operations significantly.
Meanwhile, today the largest Ukrainian TV channel, Ukraine 24, was hacked and a fake news item claiming that Zelensky had called on Ukrainians to lay down their arms was broadcast.
“The news ticker of the TV channel Ukraine 24 was hacked by enemy hackers and they are broadcasting Zelensky’s message about the alleged “surrender”. It’s fake. Friends, we have repeatedly warned about this. No one is going to give up <…>,” read the message published after the incident.
To work around sanctions following the invasion of Ukraine, Moscow has set up its own certificate authority to issue TLS certificates. As announced on the government’s website, certificates will be made available to Russian websites that are unable to renew or obtain certificates as a knock-on effect of Western sanctions and of organizations refusing to serve Russian customers.
“It will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analogue. The service is provided to legal entities – site owners upon request within 5 working days.”
For a browser to establish a TLS connection to a website without warnings, the certificate authority that issued the site’s certificate must be in the browser’s root store. Russia has said nothing about which browsers will accept the new certificates, and given the sanctions it seems unlikely that any of the major browser vendors will add the Russian CA to their root stores. So why was the CA established?
Russia has a domestic alternative: Yandex, the local counterpart to Google, and its Yandex Browser (YaBrowser) will likely trust this CA. YaBrowser users would then be able to visit sites whose certificates are issued by the Russian CA without warnings.
A certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate’s contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate’s subject (Wikipedia). The key element in digital certificates is trust. Several news portals described the Russian CA as dangerous for exactly this reason: a CA that a browser trusts can issue a valid certificate for any domain name, not only for the sites that asked for one. If the CA is under the government’s control, that lets a man-in-the-middle present state-issued certificates and intercept and decrypt the TLS traffic of every client that trusts the CA, which violates users’ privacy and gives the state more control over internet users in Russia.
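The following script is an added example, not code from the article or from any Russian government service, that makes the trust argument concrete with the openssl command-line tool. It creates two invented self-signed roots in a temporary directory: “Example National Root CA”, standing in for a state-run CA, and “Example Public Root CA”, standing in for the roots that mainstream browsers ship. The national root then issues a certificate for mail.example.org, a name it has no relationship with, and the script checks the same certificate against each root list. All CA names and hostnames are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the article: build a private "national" root CA,
# issue a certificate for a hostname the CA does not own, and check how a
# client reacts depending on which roots it trusts. All names are invented
# and everything is generated locally in a temporary directory.
WORK=$(mktemp -d)

# write_ca_cnf FILE "Common Name": minimal openssl config for a CA root.
write_ca_cnf() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_root NAME "Common Name": self-signed root -> $WORK/NAME.key, $WORK/NAME.pem
make_root() {
  write_ca_cnf "$WORK/$1.cnf" "$2"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# issue_leaf HOST ROOT: root ROOT signs a certificate for HOST -> $WORK/HOST.pem
# Nothing here checks that the CA is entitled to issue for HOST: any CA a
# client trusts can mint a certificate for any name, which is the interception
# risk discussed above.
issue_leaf() {
  write_ca_cnf "$WORK/$1.cnf" "$1"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# trusted_by HOST ROOT: validate HOST's certificate using only the roots in
# $WORK/ROOT.pem and ignoring the system store, as a browser with exactly that
# root list would. Exit status 0 = accepted, non-zero = rejected.
trusted_by() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

main() {
  make_root national "Example National Root CA"   # the state-run CA
  make_root public   "Example Public Root CA"     # what mainstream browsers ship
  issue_leaf mail.example.org national            # foreign site name, state-issued cert
  if trusted_by mail.example.org national; then
    echo "client that trusts the national root: ACCEPTS the certificate"
  fi
  if ! trusted_by mail.example.org public; then
    echo "client with mainstream roots only:   REJECTS the certificate"
  fi
}
main
```

The second outcome is the sanctions problem the CA was created to solve, and the first is the surveillance concern: once a client carries the national root, the same mechanism that makes a Russian bank’s site load without warnings also makes a state-issued certificate for any foreign domain look legitimate to that client.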
On 27 February, a member of the Conti threat group started leaking the group’s internal data after Conti announced its full support for Russia against Ukraine. The leak is still ongoing via the “ContiLeaks” Twitter account.
The leak started with unencrypted chat messages between Conti members. On 1 March, the leaker shared access details for several Conti storage servers and screenshots of the folders on them.
On 4 March, another Twitter account, @c3rb3ru5d3d53c, shared a screenshot (below) listing the vulnerabilities Conti uses to compromise systems.
Conti has harmed many organizations and continues to do so. In February alone, they breached many organizations and exfiltrated their data.
As the screenshot shows, the group relies on vulnerabilities for which patches already exist rather than on sophisticated techniques. Even basic vulnerability management, scanning with free tools and patching what they find, can prevent most of these attacks. That is why the post from @c3rb3ru5d3d53c matters: it shows that simple measures prevent big problems.