Cybercrime, the Russian-Ukrainian war opens the era of wiper

Since the outbreak of the conflict, attacks carried out through a type of malware that causes the deletion of data and programs on the disk of infected devices increases, making them unusable. The analysis of Leonardo's Global Security Operation Centre 20 Jun 2022

The Russo-Ucarine war changes the face of cybercrime. Leonardo's Cyber Threats Snapshot Report took the picture, highlighting the main malicious actors, cybercrime activities and vulnerabilities found between January and March 2022. The analysis, conducted by Cyber Threat Intelligence experts in support of Leonardo's Global Security Operation Centre (Soc), highlights some dominant strands that characterized the period. All of them are, in one way or another, linked to the Russia-Ukraine conflict, confirming its character as a "hybrid war" characterized by: • attacks on Ukrainian organizations • disseminated disinformation and propaganda campaigns • destructive activities aimed at sabotage Before the invasion of Ukrainian territory by the Russian army, there were DDoS (Distributed Denial of Service) attacks that consist of storming a site with requests, up to knocking it out and making it unreachable) and defacement (with the illicit introduction of content on a website) that targeted critical infrastructure, government institutions and Ukrainian finances. In particular, DDoS was the most widespread type of attack. In conjunction with and in support of these attacks, disinformation campaigns have been launched aimed at further destabilizing the internal situation of Ukraine, especially in the provinces bordering Russia. These campaigns were conducted not only through social networks (where many accounts were suspended by the managers), but also through fraudulent text messages that provided false information about the unavailability of some essential services – including those provided by one of the largest Ukrainian commercial banks – which were instead regularly operational. Starting from February 23, 2022, however, destructive activities were detected aimed at sabotage operations by threat actors attributable to both sides. These attacks were perpetrated through the spread of wiper, a type of malware that causes the deletion of data and programs on the disk of infected devices, making them in fact unusable. Among the most widely used are WhisperGate, developed to resemble ransomware but without system recovery mechanisms, and RURansom, which spreads like a worm inside removable disks and on all mapped network shares and, before encrypting systems irreversibly, locates devices infecting only those located in Russia. But the repercussions of the conflict are also felt outside the countries directly involved: globally, the government and defense sector was among the most affected by threat actors who immediately sided in support of Russia or Ukraine. This phenomenon has not only involved government actors, but also the majority of collectives operating in the field of Cyber Crime. The defence and aerospace industry sector was also among the main targets of attackers, interested in exfiltrating strategic and sensitive information such as intellectual property, related to production processes and projects, but also personal data of employees.