
Cybersecurity Picture Inside Russia Grows More Complicated

As Russia Launches Its Own Root Certificate, Country Targeted by Wiper Malware
Translated note dropped by RURansom wiper malware, which only targets systems in Russia (Source: Trend Micro)

Cybersecurity in Russia right now is complicated, owing to reprisals organized in response to President Vladimir Putin's decision to invade Ukraine and the Russian military's indiscriminate targeting of civilians.


For starters, Ukraine has crowdsourced a multinational "IT Army" that is using distributed denial-of-service attacks to target organizations and services inside Russia.

In response to widespread, ongoing disruptions, the Russian government is allegedly weighing a move to disconnect the country from the internet and switch to its own "runet." While government officials have denied any such plans, they have announced the launch of a domestic, trusted TLS certificate authority to allow Russia to issue its own digital certificates, in the event that existing certificates get revoked.

Separately, someone is hunting Russian systems with wiper malware set to only execute on PCs inside the country.

Meanwhile, the challenge of keeping Russian systems protected against such attacks continues to get more difficult. On Thursday, one of the world's biggest anti-malware software developers, Avast, announced that it has suspended operations in Russia.

"We are horrified at Russia's aggression against Ukraine, where the lives and livelihoods of innocent people are at severe risk, and where all freedoms have come under attack," says Ondřej Vlček, CEO of Avast, which was launched in 1988 in what was then Czechoslovakia, which at the time was part of the Warsaw Pact, a defensive alliance composed of the Soviet Union and seven satellite states, until it was dissolved in 1991.

"Avast has employees in both Ukraine and Russia and is actively working to protect and sustain them as a priority," he says. "We continue to pay their full salaries and have aided the temporary relocation, at their request, of some families who were in high-risk areas. We've been in constant communication with the affected employees, and the challenges and very real dangers they face are an ongoing source of deep concern."

The company says it is making all of its products, including paid products, available for free to anyone in Ukraine. "With disinformation rife, supporting Ukrainians' access to a secure, unrestricted internet connection to obtain and share accurate information about the conflict is critically important," Vlček says.

Avast's free and paid anti-malware products are used by one-third of all Russian consumers, market researcher Statista reported in mid-2021.

Leading antivirus brands on personal devices in Russia 2021 (Source: Statista)

Avast tells Information Security Media Group that existing product licenses will remain valid in Russia until they expire. "Avast Free Antivirus and any other products will no longer be available for download on the Avast website," a spokeswoman says. "Russian users who have purchased licenses will be able to use their products fully until the license expiry date. Users who already have the free version installed are still protected and can continue using the product safely. The products are updated as usual with the latest signature updates."

Other software firms, such as Microsoft, have also announced that they are suspending sales in Russia and working to help protect Ukraine. Microsoft has made no mention of blocking updates or security fixes for any existing product owners in Russia. It didn't immediately respond to a request for comment about whether it would do so.

RURansom Wiper Malware Hunts Russians

Malware remains a global concern, including in Russia. Cybersecurity firm Trend Micro reports that it has seen a new type of alleged ransomware, dubbed RURansom, which appears to target only Russia. That would be a reversal of the norm, given that almost every strain of ransomware wielded by criminal syndicates includes checks to see if a victim is located in Russia or a fellow member of the Commonwealth of Independent States. If so, the ransomware will typically be set to delete itself instead of infecting such a system (see: Russia's Cybercrime Rule Reminder: Never Hack Russians).

RURansom isn't actually ransomware, however, but a wiper written in .NET that spreads via a file "to all removable disks and mapped network shares," Trend Micro says. It says the Russian filename, translated into English, is "Russia-Ukraine_War-Update.doc.exe."

It says the malware drops a note on wiped systems that reads in part: "On February 24, President Vladimir Putin declared war on Ukraine … To counter this, I, the creator of RU_Ransom, created this malware to harm Russia. You bought this for yourself, Mr. President. … There is no way to decrypt your files. No payment, only damage. And yes, this is 'peacekeeping' like Papa Vladi does, killing innocent civilians."

Trend Micro says it hasn't yet identified any victims of the malware and that there are multiple versions of RURansom in circulation. "Some of these versions check if the IP address where the software is launched is in Russia. In cases where the software is launched outside of Russia, these versions will stop execution, showing a conscious effort to target only Russian-based computers," it says.

Russia Releases Its Own Root Certificate

Meanwhile, there are persistent rumors that Russia might seek to create its own internet. The Ukrainian government has called for Russia's top-level domain to be cut off by the Internet Corporation for Assigned Names and Numbers. But numerous experts have decried the proposal, warning that it might affect civilians, including Russian hospitals and schools.

On Sunday, letters leaked by Anonymous purported to reveal instructions from the Russian government to domestic internet users about how they'd be able to connect to a replacement "runet," as Bleeping Computer reported.

On Tuesday, Russia's Ministry of Digital Development, Communications and Mass Media denied any such plans being considered.

"There are nonstop cyberattacks on Russian sites from abroad," the ministry told Russian news service Interfax. "We are getting prepared for various scenarios in order to ensure the accessibility of Russian [online] resources. There are no plans to switch off the internet from inside [the country]."

As Russia loses access to some core internet services due to sanctions and businesses declining to support the country, however, the government has launched its own trusted TLS certificate authority.

Russia's own TLS certificate authority

Digital certificates are a crucial trust component online. In particular, a digital certificate is meant to verify that a site is who it claims to be, so that the encrypted traffic between a user and that site is actually going to the intended party. But if the Russian government controlled the certificate authority, it could issue certificates for any site, easily eavesdrop on such connections and conduct man-in-the-middle attacks, cybersecurity experts warn.

For now, the only products set to accept Russian-issued certificates are the domestically developed Yandex browser and Atom products, Bleeping Computer reports. Users of more popular browsers - such as Chrome, Firefox or Edge - could manually add the new Russian root certificate, but if Russia were found to be abusing its root certificate - for example, for traffic interception - then that root certificate could be added to browsers' block lists and would no longer function.
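The two mechanisms the experts describe above, a client trusting an extra root and a vendor block list revoking that trust, can be shown end to end with the Go standard library. The following is an added example written for this page; it is not code from the article, from Trend Micro, from Bleeping Computer, or from any browser vendor. All certificate authorities, keys and the hostname `bank.example` are generated in memory and are placeholders, not real CAs. It builds a "public" root that a client already trusts and a second root the user is told to import, then shows that the imported root can issue a certificate for a hostname it does not own that the client accepts, and that distrusting the root's public-key fingerprint (the way browser block lists such as Mozilla's OneCRL and Chrome's CRLSet pin distrusted keys) makes the client reject it again while genuine certificates keep working.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// signCert creates a certificate from tmpl signed by parent/parentKey, or self-signed when
// parent is nil. Everything is generated in memory: none of these are real CAs (assumption).
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// rootTemplate describes a self-signed CA; serverTemplate a leaf valid for TLS server auth on host.
func rootTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// spkiFingerprint hashes the SubjectPublicKeyInfo. Block lists pin the key rather than one
// certificate, so a re-issued root carrying the same key stays distrusted.
func spkiFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyServerCert runs normal path validation for host against roots, then accepts only a
// chain in which no member's key appears on the block list.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, blocked map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		clean := true
		for _, c := range chain {
			if blocked[spkiFingerprint(c)] {
				clean = false
			}
		}
		if clean {
			return nil
		}
	}
	return fmt.Errorf("every chain for %s passes through a distrusted root key", host)
}

// outcome records the four checks that the article's scenario implies.
type outcome struct {
	LegitAccepted, RogueRejectedByDefault, RogueAcceptedAfterImport, RogueBlockedByList bool
}

// runScenario: a trusted public root, a second root the user is told to import, and the
// effect of a block list once that root is caught issuing certificates for other sites' hosts.
func runScenario() outcome {
	const host = "bank.example" // constructed hostname
	publicRoot, publicKey := signCert(rootTemplate("Example Public Root CA"), nil, nil)
	importedRoot, importedKey := signCert(rootTemplate("Example Imported National Root"), nil, nil)
	genuine, _ := signCert(serverTemplate(host), publicRoot, publicKey)
	interceptor, _ := signCert(serverTemplate(host), importedRoot, importedKey) // same hostname, other issuer

	var o outcome
	defaultStore := x509.NewCertPool()
	defaultStore.AddCert(publicRoot)
	o.LegitAccepted = verifyServerCert(genuine, defaultStore, host, nil) == nil
	o.RogueRejectedByDefault = verifyServerCert(interceptor, defaultStore, host, nil) != nil

	// The user imports the extra root as instructed: the interception certificate now validates.
	expandedStore := x509.NewCertPool()
	expandedStore.AddCert(publicRoot)
	expandedStore.AddCert(importedRoot)
	o.RogueAcceptedAfterImport = verifyServerCert(interceptor, expandedStore, host, nil) == nil

	// Vendors publish the root's key fingerprint on a block list: rejected again, genuine still fine.
	blocked := map[string]bool{spkiFingerprint(importedRoot): true}
	o.RogueBlockedByList = verifyServerCert(interceptor, expandedStore, host, blocked) != nil &&
		verifyServerCert(genuine, expandedStore, host, blocked) == nil
	return o
}

func main() {
	fmt.Printf("%+v\n", runScenario())
}
```

Run it with `go run .`; all four fields print as `true`. The point for defenders is in the middle step: once a root is in the trust store, path validation alone cannot tell an interception certificate from a genuine one, because both are "valid" by construction. That is why the only remedy the article's experts describe is out-of-band distrust, keyed on the root's public key, pushed by the browser vendor.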


This story has been updated with comments from Avast.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
