There are two fronts in the Ukraine cyberwar, says Alex “Jay” Bălan, Director of Security Research at Bitdefender and an expert with over 20 years of experience in the field. Private hacktivists deface sites and then advertise it on Twitter. Hackers related to the intelligence community use more complex methods such as Advanced Persistent Threats (APTs), consisting of several components living in systems for months or years, which then join together to carry out a data breach at a specific moment. APTs are more related to intelligence gathering than to immediate destruction.
The economic component of the war is very important, since most of the skills of 99% of contemporary hackers are related to ransomware, scams, and phishing. Russia might try to finance its declining economy with such methods, in a move similar to what North Korea has been doing in recent years. This “predatory” component poses a higher security risk to regular computer users in the West.
Bălan considers it unlikely that law enforcement and intelligence agencies will hire vast armies of hackers and analysts, because collaboration with private companies is already common in this field. This will increase private involvement and the leverage of the private sector in politics.
How is the information security business going now, with the war?
We, just like everybody else, are simply horrified about what’s happening. It’s tough. It’s tough because you have to see what you can do, you know? And we’re also trying to kinda make sure that whatever you do doesn’t seem like a PR stunt. That’s the weird stuff in trying to make an effort to help in any way that you can.
What about the number of attacks directly or indirectly related to Ukraine?
There are more, obviously. Whenever there’s a big event happening worldwide, the amount of attacks increases, simply because of the leverage of that event. Especially the scams and the frauds. In this case, they look like this: “Do you want to help Ukraine? Click here!” And it’s a phishing website that takes your credit card data. This is the most simple, basic stuff. When COVID started, there was something called a Coronavirus map. And it was a password stealer virus. Because everybody was looking for a Coronavirus map, in the beginning, there were no such things. The guy was simply leveraging something like Google SEO.
So, this is the kind of thing that happens with each big event. But what’s particular about Ukraine is that we’re seeing attacks that are a little bit different than usual. For instance – the most common malware is ransomware. They encrypt your data and they ask you for money to get it back. But in this particular case we’ve seen a virus that is not offering the option to decrypt the data. It was only faking that it would decrypt the data. So it was posing as ransomware, but it was actually just aiming at destroying data on computers.
So they were taking the money and they were destroying your data?
No, not even taking money. We’ve looked at the wallets, they had no money in them, and the interesting thing here is that in the cybercrime industry, the main motivator is money. And if there’s no money changing hands, and if it’s just damaging computers, that literally rules out 99% of all hackers on this planet. So that leaves only entities that don’t have a financial desire, but a desire to damage systems.
Advanced hackers and their APT methods
The whole thing looks like a piece of ransomware that was hastily adapted to simply damage systems. But, anyway, this is something closer to a war.
Yes, very much. Another interesting thing that we’ve seen is new types of malware, APTs, as we call them. APT stands for Advanced Persistent Threat. It’s a type of malware that cannot be detected. Usually it’s made of several small components spread across an infrastructure, merging into one component that acts for a few hours or for a few minutes, steals data and exfiltrates it. There’s a definite increase in this type of Advanced Persistent Threats.
Who are the guys who are doing it, how do they do it?
The way I see it, there are two types of technology wars here. First of all, it’s an information war. So that’s essentially trying to push a message to various channels, propaganda basically. And this is something that’s happening on both sides, although in totally different ways. The second one is actual cyberwar, in which they’re trying to hack, they’re trying to infect systems, to backdoor them. Because of the wave of sympathy for Ukraine, we’ve been able to see a number of hacktivists starting to attack Russian systems. And we’ve seen the rebirth of the Low Orbit Ion Cannon.
What is that?
The Low Orbit Ion Cannon was used roughly 15 years ago, by LulzSec, a group related to Anonymous. It’s essentially a website that you can host anywhere. If anybody opens it, it will start attacking a target. Hackers are promoting messages with an emotional impact, such as: “Do you want to support Ukraine?” or “Do you want to help us attack Russia? All you have to do is open this page on your mobile phone or on your computer and keep it open”. When your phone opens that page, it starts attacking a site. And with a sufficient amount of people – in this case it was about 300,000 people – imagine that every phone would send like 100 Megabits per second to the targets. And imagine this happening from 300,000 phones.
This is similar to DDoS, right? Distributed denial of service is flooding a target with data from more sources.
Yes. But the really messed up part of that is that people are not aware of what they do when they open the page. The page effectively starts attacking an entity, and there’s a legal issue to be taken into account here.
Because you are the one that does it. Together with the others.
Yes, you would be the source of the attack.
The Kremlin CCTV hack by Anonymous
And opposite to classic DDoS, it’s unintentional or unaware. DDoS attacks originate from hacker machines in general.
And it’s still going on, I think. So be wary, if you see a website that says “Help us attack Russia, just open this page”. If you open that page, you become the source of the attack. Then there’s another thing. They recently hacked the CCTV systems in the Kremlin. And that was awesome in terms of skill. There’s little information about how they did it, but my suspicion is they found out about a management interface for the CCTV, and then they used a vulnerability in the CCTV system, because there are a lot of them.
Anonymous released a video with inside images from the Kremlin. This is probably because surveillance cameras are Internet of Things, less protected than other types of equipment.
Yes. To summarize, at this point we know a lot about how the attacks against Russia are going, because everybody goes public on Twitter and they brag about it. However, we know very little about how Russia attacks other countries. Because they don’t brag about it. And even if you see a malicious file that originates from a Russian IP address and you disassemble it and in the code you see some Cyrillic characters, so that it appears to be from Russia, it’s still very difficult to do the attribution. Because all these clues are not enough to be 100% sure it’s a Russian source.
They could have been planted on a Russian server by somebody else. Likewise, the Cyrillic comments in the disassembled file.
Yes. So this is what happens in the cybersecurity part of warfare. But I think the most important part is the information war. Or the propaganda war.
The problem with data dumps
Possibly, what Russian hackers do comes out on some channels, but not on our platforms and in languages we know. But we’ve seen indeed quite a bit of news about defacing and accessing web server databases of Russian sites. There are some security experts that say this is pretty basic hacking and matters only in symbolic terms. How good are these guys? Who is doing what, otherwise?
It depends on what your end goal is. The hardcore hackers will deploy those APT concepts that I’ve mentioned earlier. They will be present in an infrastructure for months or even for years, without anybody knowing that they are there. And because of the Internet of Things, they can be present on a printer, they can be present on a surveillance camera, because they can just drop a backdoor in an operating system. It’s going to be tricky for somebody to find out that they’re there. But I think that the end goal here is to expose things. The problem is that nobody actually takes time to read the documents. It’s not Wikileaks. In the case of Wikileaks, the documents that were stolen were actually used to expose stuff. The media came and said: we’ve read this or that in Wikileaks. Or the Panama Papers. We’ve read that this company has offshore accounts and so forth. These leaks happen maybe too quickly. I’m looking right now on my screen at all the employees of the Russian state television, all the emails from the infrastructure of the Russian state television. This is cool, but I don’t know Russian. I will just have a look at it. 90,000 emails and 4,000 files from the Russian state television. So this may be something revolutionary. The only problem is that nobody is investigating the data.
Somebody will, very probably. And it will or it will not go public. It’s true that Wikileaks would have been nothing without the traditional media they had partnerships with. Ironically, that totally contradicted Assange’s theory about the “uncensored truth”. The “uncensored truth” is a huge pile of data, which nobody can make sense of, at the level of a typical audience. But tell me more about anti-Russian hackers’ skills and intentions.
There’s a high degree of probability that these data dumps happened because of some Elasticsearch infrastructure. Elasticsearch is this kind of very well-structured database that enables us to do queries in large amounts of data. If you just Google “elasticsearch data leak”, you’re gonna see that a lot of companies suffered from huge leaks because of these exposed Elasticsearch interfaces. The same thing goes for Amazon S3 buckets.
Badly paid support teams, social engineering and TeamViewer access for money
Let me specify that an Amazon S3 Bucket is a structure created as a data container, in the Cloud. But what you just said refers to skilled hackers.
In many other cases, we’re looking at simply a dashboard that has weak passwords. And it’s very easy to brute force. It’s true, in some cases it takes more creativity. There are other things too. As was the case in some recent events, you simply pay somebody to give you access to a computer that is inside the internal network. And things being as they are now in Russia, I don’t think everybody will resist a 20,000-dollar proposal to get, say, just some TeamViewer access on the computer.
TeamViewer is software that allows total control of a remote computer. You can see and use somebody else’s desktop like it was yours. I would say this is a variant of social engineering.
Yes. And this is happening, and if you care about security, you should take this into account, because it could happen to you. Usually, the most targeted people in a company work in support. Very often, support people are among the worst paid, and also they have insanely high access privileges. They have to interact with customer data. They have to open your account, close your account, change your account… so they can actually see all the clients of a company.
That’s like administrator privileges, but with less control of the network itself.
These guys, the support people are the easiest targets. From TeamViewer, or something similar, you have access to all that person can do in the network. And, oh, my God, the support people can do so many things!
Let me specify that support is a category of customer service more focused on technical aspects.
Yes. And all you gotta do is just look on LinkedIn and see who works there, reach out to them, and say: “I’ve got this offer for you.”
And since customer service is massive, many departments are decentralized, people work remotely, especially since the pandemic. It’s easier for somebody to do that kind of thing from home, nobody looks into your screen there. So remote work proves to be a security threat.
Oh, yes, indeed. But there’s like a million and an infinity of ways you can get hacked. The only thing you need to remember is that you don’t know all the ways in which you can get hacked. And you should make peace with that.
Watch out for ransomware
Do you think the Ukraine situation and whatever the Russian hackers are doing without advertising it pose a significantly bigger security risk for normal Western computer users?
Well, one thing that they’re gonna need is gonna be funding. So I expect that Russia will look for that somewhere. There’s a group called the Conti group who publicly sided with Russia at the beginning of the war. They will start to have increasingly aggressive ransomware campaigns.
As you said, ransomware is core business for hackers these days.
Yes, think about it: it’s like a 13 billion dollars a year industry. And if you score a big fish, like the Colonial Pipeline, you can get 40 million dollars. Incidentally, this is also happening from North Korea. North Korea is making a lot of money, that they apparently need, from ransomware. So we’ll definitely see an increase, because my expectation is the Russians need money, and this is an easy way to make money.
So there will be a direct economic purpose in this war, more like in Antiquity or the Middle Ages, when a country attacked another simply for plundering. Now, let’s talk a little bit about what one can actually harm with hacking. There’s the notorious example of the Ukraine power grid, that was hacked in 2015 by a Russian group.
You have to understand that in many regards, the attacks against Russia are also the result of unorganized groups. It’s people thinking: “Whatever I can hack, I’m gonna hack.” And then they’re gonna post it on Twitter, and it will add up to a big pile of websites hacked in Russia. But there’s obviously a very good chance that many such sites were lousy in terms of security to begin with. I’m not saying all of them, but most of them. So what happens is kind of disorganized. If, on the contrary, you have the mindset of “OK, I have an objective, I want to do this, this and that”, then you have to ask yourself: why do you want to disable the power grid? When do I want to do it? So you have to start planning ahead. Are there any collateral systems? Or is it isolated? Do I need to pivot from another system to that system? So targeting power grids or water systems is not necessarily something that is going to happen anytime soon. I don’t think there’s a point in it. It’s just causing damage.
It does spread fear and discomfort though. Now there are news of the Ukrainians having a lot of support from Western intelligence and Western companies to secure this kind of system, eliminate APTs and so on. Microsoft was there for such purposes.
I’m not entirely convinced that fear is an aspect. Even when the Colonial Pipeline was shut down it was not fear. People were not scared, not believing that it’s gonna happen again. They were just pissed off. And then went into panic buying. But that happened for other reasons, not because they were afraid of the hackers.
Hackers, security experts and intelligence agencies
So a big part of the cyberwar is decentralized and random, at least in terms of private involvement. What about the intelligence community? They have a different level of skill and a different approach.
If I was in one of the intelligence groups on either side, I would focus on intelligence gathering. So my main objective would be to tap into their networks, to tap into their communications and systems, and just extract all the information.
And remain as discreet as you can. No bragging on Twitter.
Yes. My objective wouldn’t be to disable any systems unless there was a direct necessity for that system to be disabled. Other than that, I would focus entirely on gathering information, finding backdoors on as many computers as possible, and gather all the communications, the emails and chat messages of all those guys on the other side.
There are some symptoms that they’re already doing it. It might not be information obtained from hacking, but it could as well be: before Russia’s invasion, the Americans issued repeated warnings, at the highest level, that it is going to happen. Nobody was convinced, even Ukraine was saying the Russians were not going to enter. And then they entered.
That was the British intelligence, as far as I can remember. They were the ones that provided the most intelligence for Ukrainians.
States won’t hire armies of hackers and analysts. They already collaborate well with the private sector
Maybe they did. The Americans were very active on a political level, they were very vocal in their warnings. Collaboration between the US and Britain is notorious, on all military levels. The UK has a huge military, anyway. Which leads me to the next question: do you think the Ukraine war will create a lot of white hat hacker jobs? I’m thinking about the way the FBI expanded and increased its budgets after 9/11. Will there be big departments of analysts? Because it takes more manpower to analyze the information than to get it. Maybe this will result in a new insignia, like aviation and navy are now.
Not necessarily. One thing that happened after 9/11 was a closer cooperation between the state and the private sector in this field. The government called upon the private sector to gather intelligence, to help in investigations and with forensics. Most of these things were taken as measures after 9/11, and improved over time, until today. I don’t think Ukraine is going to drastically increase anything. Things are very well in place the way they are now. Especially with this cooperation between the government and the private sector. We’re in a good position, worldwide at least. We are where we’re supposed to be. It’s no secret that Bitdefender, the company I represent, also has this kind of collaboration with the Romanian National Cyber Security Directorate, aka DNSC, to provide security for Ukrainian citizens and businesses in Ukraine, NATO or EU countries. We’ve announced it transparently.
So 9/11 increased budgets and organizational charts in law enforcement, but not so much in the state hacking and cyberdefense business. Then what about the companies involved in this kind of cooperation? Are they classic companies, like I gave the example of Microsoft, or totally new companies with a specific purpose, a new ecosystem?
There are two things to be taken into account here. First and foremost is trust. You cannot work with a government if you’re not trustworthy, if you don’t have all the certifications, all the clearances and so forth. And the next thing is your competence level. What are your skills? Microsoft has a very good security department. There are some other companies that definitely have better investigation departments, and they’re at work with law enforcement, to reach and understand what happens in the Internet space. There are also companies that do constant monitoring of the deep web. So if a company meets these two criteria, trust and competence, they will be called upon to help.
I would say that existing companies have a slight advantage, since they might get clearance based on their already good reputation. But that doesn’t exclude at all new players or a new ecosystem. Is that particularly empowering for the companies getting involved? Will they be privileged in political and economic terms? They will have more power and leverage, maybe even get involved in the governance act and decisions, to a certain extent. One of the earliest examples is Twitter having scheduled a maintenance day in 2009, during the Iran protests. The Department of State reached out to them and asked them to postpone the day. Twitter did. It didn’t topple the regime, but Twitter got actively involved in politics, nevertheless. The platform was useful for the protesters.
It was the same with the revolution against Hosni Mubarak. I remember that we – we, the information security community – were providing them with VPN nodes, we were sending modems to Egypt. Platforms like Twitter were essential to them, to be able to be heard. It was kinda cool, actually. I fully endorse that kind of usage of technology.