With limited information coming out of Ukraine on cyber-attacks hitting the country, the findings of tech giants Google, Amazon and Microsoft released in recent days have provided insight into the cyber conditions in Ukraine as Russia’s brutal attack continues.
All three companies have said they are providing cybersecurity support to Ukraine, which the government said on Saturday has seen “non-stop” distributed denial-of-service (DDoS) attacks by “Russian hackers” since the Russian invasion on February 24.
However, as the latest reports from Google, Amazon and Microsoft show, Ukraine’s computing infrastructure has fallen victim to more than just DDoS attacks during Russia’s unprovoked military campaign (although we still don’t hear about a crippling cyber attack on electricity, water and communication infrastructure).
Google, Amazon and Microsoft have visibility into the security threat landscape through massive cloud computing platforms, applications used by many governments and businesses, and a number of security solutions. According to Synergy Research Group, AWS continues to lead the cloud infrastructure services market, followed by Microsoft Azure at number 2 and Google Cloud at number 3.
What follows are the latest details that Google, Amazon and Microsoft have revealed about the cyber situation in Ukraine.
For the past two weeks, Google says its Threat Analysis Group (TAG) has observed “activity from a range of threat actors that we monitor regularly and are well known to law enforcement.” Threat actors include FancyBear/APT28, which investigators have associated with the Russian Intelligence Service (GRU), and Ghostwriter/UNC1151, which investigators have associated with the Belarusian Ministry of Defense.
“This activity ranges from espionage to phishing campaigns. We are sharing this information to raise awareness among the security community and high-risk users,” Shane Huntley of Google’s Threat Analysis Group said in a blog post Monday.
FancyBear has been running “several major phishing campaigns with credentials” targeting users with a ukr.net email address (from the Ukrainian media company UkrNet). “The phishing emails are sent from a large number of compromised accounts (non-Gmail/Google) and contain links to attacker-controlled domains,” Huntley said.
Two of the campaigns involve using new Blogspot landing page domains, which then redirect users to a credential phishing site, he said.
Ghostwriter/UNC1151 has previously been accused of recent phishing attacks on Ukrainian military personnel. However, according to Huntley’s Google blog, the group has attacked not only the Ukrainian government and military organizations, but also individuals in the Polish military and government. Poland is a member of NATO.
In addition to ukr.net, other email providers whose users have been targeted by the UNC1151 phishing attacks include i.ua, meta.ua, wp.pl, yandex.ru, and rambler.ru.
Meanwhile, a Chinese threat actor known as Mustang Panda (or Temp.Hex) has been trying to take advantage of the situation in Ukraine, according to the Google blog. The group has “attacked European entities with lures related to the Ukrainian invasion,” says Huntley’s blog, which “included malicious attachments with file names such as ‘Situation at the EU’s borders with Ukraine.zip’.”
“The zip file contains an executable file of the same name that is a simple downloader and, when run, downloads several additional files that load the final payload,” the blog says.
Google has also observed “DDoS attempts against numerous Ukrainian sites, including the Ministry of Foreign Affairs, the Ministry of the Interior, as well as services such as Liveuamap designed to help people find information,” according to the Google blog.
In response, Google says it has expanded its eligibility criteria for free DDoS protection under Project Shield — “so Ukrainian government websites, embassies around the world, and other governments close to the conflict can stay online, empower themselves, protect their vital services and provide access to the information people need.”
In a blog post Friday, Amazon said its cloud platform, Amazon Web Services (AWS), “has worked closely with Ukrainian customers and partners to keep their applications secure.”
The work included helping customers in Ukraine adopt cybersecurity best practices, “building and delivering technical services and tools to customers in Ukraine” to help move the on-premises infrastructure to AWS “to protect it from possible physical or virtual attack,” Amazon employees said in the blog.
In the past two weeks, Amazon has also observed “new malware signatures and activity from a number of state actors we monitor.” Details were not provided, but Amazon said it has shared the threat intelligence it has collected with governments and IT organizations in Europe, North America and other regions.
In particular, Amazon said it sees both “an increase in the activity of malicious state actors” and “a higher operational pace by other malicious actors.”
And Amazon reports that it has “observed several situations where malware has specifically targeted charities, NGOs and other aid organizations to create confusion and cause disruption.”
“In these particularly egregious cases, malware is aimed at disrupting medical supplies, food and clothing assistance,” Amazon employees said in the blog.
An Amazon representative told VentureBeat that the company has no further details to share about the cyberattacks targeting charities, NGOs and other aid organizations.
Amazon’s report of those cyber attacks echoed comments made earlier last week by Microsoft president Brad Smith. In a Feb. 28 blog post, Smith alluded to instances of cyberattacks targeting humanitarian aid, emergency services, agriculture and energy. Microsoft also gave no further details.
The recent cyber attacks on these civilian targets in Ukraine “raise serious concern under the Geneva Convention,” Smith said in that blog — referring to the international treaty defining what are commonly referred to as “war crimes.”
In a follow-up blog on Friday — in which Smith announced that Microsoft would discontinue all new sales and services of its products in Russia — the Microsoft president said that “our single most impactful area of work is almost certainly protecting Ukraine’s cybersecurity.”
“We continue to work proactively to help cybersecurity officials in Ukraine defend against Russian attacks, most recently a cyberattack on a major Ukrainian broadcaster,” Smith said.
Ultimately, “since the beginning of the war, we have acted against Russian positioning, destructive or disruptive measures against more than 20 Ukrainian government, IT and financial sector organizations,” he said.
Smith’s previous blog post had not specifically mentioned Russia in relation to cyberattacks in Ukraine — or the figure for the number of Ukrainian government, IT and financial organizations that had been attacked.
“We also acted against cyber-attacks on several other civilian sites,” Smith said. “We have publicly expressed our concern that these attacks on civilians violate the Geneva Convention.”
Smith’s blog on Friday was Microsoft’s third post last week on the cyber situation in Ukraine. On March 2, Microsoft warned that the group behind the “HermeticWiper” cyber attacks — a series of data-wiping malware attacks that hit numerous Ukrainian organizations on February 23 — remains an ongoing threat.
“Microsoft believes there is still a risk for destructive activity from this group as we have observed follow-up intrusions since Feb. 23 involving these malicious capabilities,” the company said in the blog post update.
This post, “What Google, Amazon and Microsoft have revealed about the cyber situation in Ukraine,” was originally published at https://venturebeat.com/2022/03/07/what-google-amazon-and-microsoft-revealed-about-ukraines-cyber-situation/