The WhisperGate cyberattack isn’t the only one that Russia-linked threat actors are suspected of carrying out against Ukraine in the last few months. On Monday, Symantec published details of an espionage operation attributed to a known Russian group. Russian advanced persistent threat (APT) actors have been waging numerous cyberattacks against Ukrainian targets for years, and some of these groups are suspected of being part of, or under the direct command of, Russia’s intelligence services.
In recent months at least two Russian state-sponsored groups have been observed waging cyberattacks against Ukraine: Gamaredon (aka Armageddon, Primitive Bear, and Shuckworm) and possibly Sandworm (aka Iron Viking, Telebots, and Voodoo Bear). Gamaredon has been active since at least 2013 and has mostly attacked Ukrainian targets. It uses phishing emails to distribute off-the-shelf tools (e.g., RMS and UltraVNC) and bespoke malware (Pterodo/Pteranodon).
The Security Service of Ukraine (SSU) noted in a November 2021 report that the threat actor has begun deploying in-memory tools for credential theft and lateral movement, and that its operations have grown more sophisticated over the previous years. Gamaredon targeted a Ukrainian firm in the summer of 2021, and Symantec closely monitored the group’s activity on the victim’s network. On July 14, a malicious document delivered to an employee’s PC installed the Pterodo backdoor.
The attackers then ran multiple scripts, created a scheduled task for persistence, executed various commands, and installed new versions of the backdoor, then went silent for two days before returning to run additional scripts and other malware variants. On July 28 the attackers deployed another Pterodo variant, this time a dropper for a VNC client. The threat actor kept returning to the compromised system until August 19 to run more scripts and further variants of its malware.
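The intrusion chain above (a malicious document, a script-running backdoor, then a scheduled task for persistence) is a sequence a defender can look for in endpoint telemetry. The following is an added example, not code from Symantec or from the article: a small detector that correlates an Office process spawning a script host with a scheduled-task creation on the same host shortly afterwards. The log lines, host names, task names and the pipe-delimited record format are all constructed for the example and do not represent any real event schema.

```python
"""Correlate Office->script-host spawns with subsequent scheduled-task creation.

Added example (not from the article). The log format `ts|host|kind|k=v;k=v`
and every record below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Parent processes that should rarely launch interpreters on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters commonly used by document-delivered droppers.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}

# Constructed sample telemetry: one host shows the suspicious chain, one does not.
SAMPLE_LINES = [
    r"2021-07-14T09:12:04|WS-042|process|parent=winword.exe;image=wscript.exe",
    r"2021-07-14T09:12:31|WS-042|process|parent=wscript.exe;image=powershell.exe",
    r"2021-07-14T09:18:50|WS-042|task|name=SystemUpdateCheck;cmd=wscript.exe C:\Users\u\AppData\Roaming\upd.vbs",
    r"2021-07-14T10:05:00|WS-017|task|name=OneDriveUpdate;cmd=C:\Program Files\OneDrive\update.exe",
    r"2021-07-14T11:00:00|WS-017|process|parent=explorer.exe;image=cmd.exe",
]


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str              # "process" (process creation) or "task" (scheduled task created)
    fields: Dict[str, str]


def parse_line(line: str) -> Event:
    """Parse one constructed record of the form ts|host|kind|k=v;k=v."""
    ts, host, kind, rest = line.strip().split("|", 3)
    fields: Dict[str, str] = {}
    for pair in rest.split(";"):
        if pair:
            key, value = pair.split("=", 1)   # values may themselves contain '='
            fields[key.strip()] = value.strip()
    return Event(datetime.fromisoformat(ts), host, kind, fields)


def detect(lines: List[str], window: timedelta = timedelta(minutes=30)) -> List[dict]:
    """Return one alert per scheduled task that follows an Office->script spawn.

    Severity is "high" when the task is created within `window` of the first
    Office->script-host spawn on the same host, and "medium" when a task merely
    invokes a script host (a weaker signal on its own).
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    first_spawn: Dict[str, datetime] = {}    # host -> time of first Office->script spawn
    alerts: List[dict] = []
    for ev in events:
        if ev.kind == "process":
            parent = ev.fields.get("parent", "").lower()
            image = ev.fields.get("image", "").lower()
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                first_spawn.setdefault(ev.host, ev.ts)
        elif ev.kind == "task":
            cmd = ev.fields.get("cmd", "")
            spawn_ts = first_spawn.get(ev.host)
            if spawn_ts is not None and timedelta(0) <= ev.ts - spawn_ts <= window:
                severity = "high"
            elif any(h in cmd.lower() for h in SCRIPT_HOSTS):
                severity = "medium"
            else:
                continue
            alerts.append({
                "host": ev.host,
                "task": ev.fields.get("name", ""),
                "cmd": cmd,
                "severity": severity,
                "seconds_after_spawn": None if spawn_ts is None else int((ev.ts - spawn_ts).total_seconds()),
            })
    return alerts


def run_sample() -> List[dict]:
    """Run the detector over the constructed sample telemetry."""
    return detect(SAMPLE_LINES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The design choice worth noting is the correlation: a scheduled task on its own is normal, and an Office process launching an interpreter is suspicious but common enough in macro-heavy environments to generate noise; the two together within a short window on one host is the pattern the article describes and is much rarer. In a real deployment the parser would be replaced by the EDR or Windows event source being used (process-creation and task-creation events), and the window tuned to the environment.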
Separately, earlier this month, many Ukrainian organizations were affected by the WhisperGate attack, which has yet to be attributed to a specific threat actor. According to CrowdStrike, the event resembles operations carried out by Russian state-sponsored APTs. CrowdStrike published a technical analysis of the attack two weeks earlier, stating that it had found no similarities with the NotPetya attack or other activity attributed to Sandworm, a group likely linked to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
Sandworm has previously attempted to conceal its anti-Ukraine activities by imitating ransomware attacks and by creating hacktivist personas that publicly claimed responsibility for parts of the group’s offensive operations and leaked data taken from various government and commercial institutions. While the APT initially used destructive malware (such as KillDisk or BlackEnergy) against specific targets, it eventually shifted to supply chain compromise, alternative deployment strategies, and worm-like propagation mechanisms to broaden the scope of its attacks (as in the NotPetya campaign or the BadRabbit attack).
According to a recent CrowdStrike report, the WhisperGate attack has a smaller reach than Sandworm’s NotPetya campaign, but it is still unclear whether this was intentional or whether the same threat actor is behind both. The security firm also notes that there were attempts to distribute data purportedly stolen from Ukrainian government organizations shortly after the attacks, which could indicate that the attackers were attempting to “execute an IO campaign to successively release personally identifiable information (PII).”
The objective of the attempted data dumps was most likely to erode public trust in Ukrainian government institutions as tensions with Russia grew. Destructive malware, most likely disguised as ransomware, is expected to be used in future offensive operations against Ukraine.