Ukraine seeks volunteers to defend networks as Russian troops menace Kyiv
While Moscow tells its operators: Treat any infrastructure outage as a 'computer attack'
As the Russian invasion of Ukraine continues, the latter's government is reportedly seeking cybersecurity volunteers to help defend itself. Meanwhile, Russia's CERT has warned critical infrastructure operators that any strange outages should be treated as "a computer attack."
Reuters reported this morning that a Google Docs form had been published so Ukrainian infosec specialists can register their services. The form reportedly had this message with it:
Ukrainian cybercommunity! It's time to get involved in the cyber defense of our country.
As Register readers know, inputting one's details into a Google Docs form can be risky; El Reg's own sources, however, suggested something officially sanctioned was definitely afoot.
Similarly, this afternoon Ukraine's CERT warned in a Facebook post that a threat group known as UNC1151 was targeting "private ‘i.ua’ and ‘meta.ua’ [email] accounts of Ukrainian military personnel and related individuals" to launch phishing attacks.
Threat intel firm Mandiant said two domains mentioned by the UCERT, i[.]ua-passport[.]space and id[.]bigmir[.]space were known command-and-control domains of UNC1151, adding: "We are able to tie the infrastructure reported by CERT.UA to UNC1151, but have not seen the phishing messages directly. However, UNC1151 has targeted Ukraine and especially its military extensively over the past two years, so this activity matches their historical pattern."
UNC1151 was previously attributed by Ukrainian officials to Belarus, following deployment of a device-wiping malware strain. Belarus is widely believed in the West to be acting as a proxy for Russia. Another file-destroying software nasty was spotted in Ukraine this week by ESET.
"The world will hold Russia, as well as Belarus, accountable for their actions," said NATO in a statement issued this afternoon as it urged the world to "condemn this unconscionable attack unreservedly".
While the US and its NATO allies are not getting involved in the shooting war, the US CISA infosec agency has published a list of free services and tools as highlighted by its director Jen Easterly on Twitter:
🛡 We've had tremendous response so far to our FREE #cybersecurity services & tools page but would ❤️ your help in getting the word out even further. 🙏 Resources available at https://t.co/lY02JtIJYm pic.twitter.com/iQqwWUeFXV— Jen Easterly (@CISAJen) February 25, 2022
Meanwhile, the Russian National Coordination Center for Computer Incidents has issued an advisory warning of "the threat of an increase in the intensity of computer attacks on Russian information resources."
"In addition, in the future, it is possible to carry out harmful influences from the Russian information space to form a negative image of the Russian Federation in the eyes of the world community," said the advisory.
Any failure in the operation of [critical information infrastructure] objects for a reason that has not been reliably established should first of all be considered as the result of a computer attack.
As is necessary when reading anything from Russia, the wider intent must be looked at rather than just the words in isolation. The advisory may be a genuine warning to Russians and Russian-aligned organisations but could also be an attempt to lay a smokescreen for Russian politicians to claim someone else is carrying out a false flag attack in their name. Such techniques are well known.
- How to fool infosec wonks into pinning a cyber attack on China, Russia, Iran, whomever
- Cyberwarfare looms as Russia shells Ukraine
- Ukraine's IT sector looks to business continuity plans as Russia invades
- Ukraine invasion may hit chip supply chain – analysts
Despite some expectations that Russia would conduct a blitzkrieg-style invasion of Ukraine, using every military means available to smash the country and its population, the use of indiscriminate large-scale cyber-attacks has either not been publicly reported or is simply not occurring yet. Nonetheless, the previously-reported wiper malware has been seen in the wild in Ukraine, and other cyber activity is most definitely happening.
British infosec company Orpheus Cyber said it had seen stolen Ukrainian government data, purloined earlier this month, being published on a Tor website by a threat actor called FreeCivilian. In a blog post the firm said: "The lack of extortion tactics and the publishing of significant amounts of free data suggests that the actor's objective is to disrupt Ukrainian government websites regardless of monetisation."
A shipping labor agency director, speaking to Lloyd's List, described the effects of apparent Russian missile attacks against civilian shipping south of Ukrainian waters, near the port of Odessa.
Danica Crewing managing director Henrik Jensen told the insurance company's news organ: "We have been in contact with all office staff and they are all safe and sheltering. We have unconfirmed reports that Russian troops are in Odessa. Communication including internet is still fully operational." ®
As international disagreements about fresh sanctions against Russia fly back and forth, at least one multinational institution has got itself into gear and taken a hard stance against Russian aggression.
"The European Broadcasting Union (EBU) has announced that no Russian act will participate in this year's Eurovision Song Contest," reads the first line of the embedded picture above.