Powered by MOMENTUM MEDIA
cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Cyber warfare in Ukraine and Russia dominates threat landscape

Avast has released its Q1/2022 Threat Report, which reveals cyber threats revolving around the physical war between Russia and Ukraine.

user iconReporter
Tue, 10 May 2022
Cyber warfare in Ukraine and Russia dominates threat landscape
expand image

The latest Avast report shines light on a Russia-attributed APT group attacking users in Ukraine and DDoS tools being used against targeting Russian sites, and ransomware attacks targeting companies in Ukraine.

Additionally, findings show that cyber gangs have been affected by the physical war, causing a slight decline in ransomware and the temporary discontinuation of the information stealer, Racoon Stealer.

Cyber warfare: Ukraine and Russia

According to Jakub Kroustek, Avast malware research director, the Avast Threat Labs researchers team often sees parallels between what’s happening in the real world and the threat landscape when it comes to how threats are being spread and their targets.

“In Q1/2022, we saw a significant increase in attacks of particular malware types in countries involved in the war.

“We also blocked 30 per cent more attempts to infect new devices to join botnets in Russia, and a 15 per cent increase in Ukraine, with the goal to build armies of devices that can carry out DDoS attacks on media and other critical websites and infrastructures.

“Compared to Q4/2021, we saw a more than 50 per cent increase in the amount of remote access trojan (RAT) attacks and more than 20 per cent increase in information stealer malware attacks we blocked in Ukraine, Russia, and Belarus, which could be used for information gathering or espionage,” Kroustek said.

Just before the war in Ukraine began, the Avast researchers tracked several cyber attacks, believed to be carried out by Russian APT groups.

Gamaredon, a known and active APT group, increased activity rapidly at the end of February, spreading their malware to a wide target pool, including consumers, searching for victims of interest in order to carry out espionage. A ransomware called HermeticRansom, for which Avast released a decryptor tool for, was spread, presumably also by an APT group.

Avast researchers tracked tools promoted by hacktivist communities to carry out DDoS attacks on Russian websites. The researchers spotted webpages, including a weather forecast site, incorporating the code used to carry out these attacks via the visitors’ browsers without their consent.

These types of attacks declined towards the end of the quarter. A botnet sold as a service was used for a DDoS campaign in March in connection with the Sodinokibi (REvil) ransomware group. Additionally, malware authors have used the war to spread malware, like RATs by spreading emails with malicious attachments claiming to contain important information about the war.

Ukraine war impacting cyber crime operations

Malware authors and operators have been directly affected by the war, such as the alleged death of the Raccoon Stealer leading developer, which resulted in the temporary discontinuation of the information stealer malware.

The Avast Threat Labs also continued to observe a slight decline of 7 per cent in ransomware attacks worldwide in Q1/2022, compared to Q4/2021, which is believed to have been caused by the war in Ukraine, where many ransomware operators and affiliates operate from.

With this, ransomware attacks have decreased for the second quarter in a row. In Q4/2021, the decline was caused by a cooperation of nations, government agencies, and security vendors hunting down ransomware authors and operators. Further causes for the decline could be one of the most active and successful ransomware groups, Maze, shutting down their operations in February, and the continued trend of ransomware gangs focusing more on targeted attacks on large targets (big game hunting) rather than on regular users via spray and pray techniques.

The war caused a rift within the Conti ransomware gang, with a Ukrainian researcher leaking internal files from the gang’s business and source code of the Conti ransomware, after the group declared allegiance to Russia, promising ransomware retaliation for cyber attacks against Russia. The leaks temporarily resulted in a decline of Conti ransomware.

Mexico, Japan and India are exceptions, where the chance of a user encountering ransomware increased by 120 per cent, 37 per cent and 34 per cent, respectively, in Q1/2022 compared to Q4/2021.

Emotet market share doubled, TDS spreading malicious campaigns

In addition, the report reveals Emotet doubled its market share since last quarter. In particular, Avast researchers observed a significant increase in Emotet botnet infection attempts in March. Moreover, a traffic direction system (TDS), called Parrot TDS was found spreading malicious campaigns via 16,500 infected sites.

The report also includes a summary of how Avast researchers pieced together clues to uncover how Meris, one of the largest botnet-as-a-service networks, mainly made up of more than 230,000 vulnerable MikroTik devices, facilitated multiple large-scale attacks in the past years.

On the mobile side, bad actors are changing tactics when it comes to spreading adware and premium SMS subscriptions, which continue to be prevalent. While the Google Play Store has previously been used to distribute these threats, bad actors are now using browser pop-up windows and notifications to spread malicious apps among consumers.

[Related: Aussie employers struggle to find talent to bolster digital future]

cd intro podcast

Introducing Cyber Daily, the new name for Cyber Security Connect

Click here to learn all about it
newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.