CISA Sounds Alarm on Cybersecurity Threats Amid Russia’s Invasion Anniversary

Feb 24, 2023Ravie LakshmananCyber War / Cybersecurity

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations and individuals to increase their cyber vigilance, as Russia’s military invasion of Ukraine officially enters one year.

“CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24, 2023, the anniversary of Russia’s 2022 invasion of Ukraine,” the agency said.

To that end, CISA is recommending that organizations implement cybersecurity best practices, increase preparedness, and take proactive steps to reduce the likelihood and impact of distributed denial-of-service (DDoS) attacks.

The advisory comes as the Computer Emergency Response Team of Ukraine (CERT-UA) revealed that Russian nation-state hackers breached government websites and planted backdoors as far back as December 2021.

CERT-UA attributed the activity to a threat actor it tracks as UAC-0056, which is also known under the monikers DEV-0586, Ember Bear, Nodaria, TA471, and UNC2589.

The attacks entail the use of web shells as well as a number of custom backdoors like CredPump, HoaxApe, and HoaxPen, adding to the group’s arsenal of tools like WhisperGate, SaintBot, OutSteel, GraphSteel, GrimPlant, and more recently, Graphiron.

The agency, in a related advisory, also disclosed a phishing campaign bearing RAR archives that lead to the deployment of the Remos remote control and surveillance software. It’s been linked to a threat actor known as UAC-0050 (and UAC-0096).

The findings come as Fortinet reported a 53% increase in destructive wiper attacks from Q3 to Q4 2022, primarily fueled by Russia’s state-sponsored hackers employing an unprecedented variety of data-destroying malware at Ukraine.

“These new strains are increasingly being picked up by cybercriminal groups and used throughout the growing cybercrime-as-a-service (CaaS) network,” the security vendor said.

“Cybercriminals are also now developing their own wiper malware which is being used readily across CaaS organizations, meaning that the threat of wiper malware is more widespread than ever and all organizations are a potential target, not just those based in Ukraine or surrounding countries.”