The operations map maintained for the public by the British Ministry of Defence (MoD) shows more Russian airstrikes but continued sluggish progress of ground forces. The Telegraph's map shows fighting concentrated around Kyiv, Kharkiv, Donetsk, Mariupol, and Mykolaiv. There are reports that in some areas, notably around Kyiv, Russian forces have halted their advance and turned to constructing field fortifications. That is, they're now digging in, not moving forward.
A new wiper is discovered in Ukrainian systems.
ESET researchers have found a new wiper they're calling "CaddyWiper," the third one Russian operators have used to hit Ukrainian targets during Russia's war against Ukraine. "This new malware erases user data and partition information from attached drives," ESET tweeted. "ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations." First observed yesterday morning at 0938 UTC (that's 1138 Kyiv time, or 0538 US Eastern Time), the malware seems to have been compiled the same day it was deployed. CaddyWiper has little in common with its two predecessors. As ESET put it, "CaddyWiper does not share any significant code similarity with #HermeticWiper, #IsaacWiper or any other malware known to us. The sample we analyzed was not digitally signed." It did share one tactic with HermeticWiper: deployment via Group Policy Object (GPO), which suggests to ESET that "the attackers had prior control of the target's network beforehand." The wiper's operators are apparently interested in maintaining persistence in the targets' networks. "Interestingly, CaddyWiper avoids destroying data on domain controllers. This is probably a way for the attackers to keep their access inside the organization while still disturbing operations." The Verge reports that the effect of the attack seems so far to have been small. One organization appears to have been affected, but the consequences of that attack (and the organization's identity) remain publicly unknown.
CERT-UA warns of bogus security warnings.
Ukraine's CERT has warned that emails misrepresenting themselves as government advice on improving security are in fact malware vectors, carrying Cobalt Strike and other malicious packages. BleepingComputer characterizes the emails as fake anti-virus updates.
Cyber criminals look for letters of marque from both sides (and some of them are looking like hacktivists).
Researchers at Aqua Security review the techniques, many involving commodity malware and cloud-native services, being used in the cyber phases of Russia's hybrid war against Ukraine.
Help Net Security reports that "financially motivated" (that is, criminal) cyber groups are choosing sides in Russia's war against Ukraine. In a rough-and-ready way, the criminals have tended to side with Russia (for whom many of them have historically served as privateers) and the hacktivists (like Anonymous) have tended to side with Ukraine. But this may be changing, as some Russophone gangs are expressing a willingness to hack Russian targets if there's a good prospect of making it pay. There also appear to be personal and ideological rifts in the underworld that are leading some gangs toward one side rather than the other. Thus privateering is converging with hacktivism. Accenture reports that this is something new: "previously coexisting, financially motivated threat actors divided along ideological factions."
Despite no major Russian cyberattacks against Western targets, warnings continue to circulate.
US Senator Mark Warner (Democrat of Virginia) who chairs the Senate Intelligence Committee says he's surprised by Russia's apparent failure to mount cyberattacks against the US and other Western targets. TheHill quotes him as saying, “I am still relatively amazed that they have not really launched the level of maliciousness that their cyber arsenal includes.”
Twenty-two US Senators have sent a letter to Homeland Security Secretary Majorkas asking for a briefing on the Russian cyber threat. They want to know, specifically, what the Cybersecurity and Infrastructure Security Agency (CISA) is doing to protect the US against that threat, which specific US "entities or sectors" are likely to be targets, how is Shields Up Technical Guidance being disseminated, what the Department of Homeland Security is doing against Russian disinformation, and, finally, how is CISA coordinating with international partners.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.
About the Author
