Russian authorities say they prevented a cyber-attack by fixing an exploited widget. The Russian Ministry of Economic Development, a state-run organization, developed the widget. On March 8th, it was hacked and installed on government websites. The authorities were quick to realize the threat and fix it.
The attacks were quickly localized, but the incident resulted in a disruption of the operation on the affected websites for a short time before services were restored to normal. An hour is all it took for the cyber attack to be solved. According to Interfax, the incident occurred when a widget collecting visitor statistics was hacked. The attack was promptly localized by the security team, but the repercussions were felt for a short time before the services were restored to normal. The attackers were part of an unknown party in the supply chain.
Russian websites have been hacked, including those belonging to the Russian Federal Penitentiary Service, the Federal Bailiff Service, the Federal Antimonopoly Service, the Culture Ministry, the Energy Ministry and a number of other agencies. While authorities are downplaying the incident, Interfax reports that hackers gained access via vulnerabilities in outdated websites that were not adequately secured with current protection.
Even though the severity of this defacement campaign is hard to determine, we can see that it is an example of the conflict Russia has created in Ukraine spilling over into cyberspace.
It is not just Ukrainian university websites that have been hacked. Russian attackers have also targeted a larger number of WordPress-hosted sites. These pro-Russians have unleashed a destructive wiper malware strain, which has been dubbed ‘HermeticWiper.’ This strain was first deployed days after Russia invaded Ukraine.
ESET, a notable security software vendor, has discovered that “HermeticWiper” infected over 200 systems in Ukrainian organizations. The infection was found to be related to the malware found in the United States.
In a recent attack against Russian targets, an entirely new type of malware was used. The malware is called “RURansom” but it acts more like a data wiper than true ransomware. It doesn’t use independent encryption keys for each file, instead discarding them as it spreads.
Researchers at MalwareHunterTeam discovered a harmful .NET malware in the start of March. The worm-like program is written in the .NET programming language and copies itself under the filename. (‘Россия-Украина_Война-Обновление.doc[dot]exe’) & (‘Russia-Ukraine_War-Update.doc[dot]exe’).
Several versions of the malware are looking for Russian machines, then destroying files and infecting them. The note left on compromised machines also says that the malware is designed to harm Russia. It was originally written in Bengalese.
The creator of this virus is speculated to be from India and have a history of mining cryptocurrency. The original intent was to infect computers with the virus and use their processing power to mine for cryptocurrency. However, the malware quickly evolved into something more sinister and successful than ever before.
Trend Micro, who speculates that the virus writer is from India, thinks the author was creating this virus in order to mine cryptocurrency. They believe this because there was a note left inside the virus that mentions their home country and other files with “mining” in the name.