Malware Attacks and Disinformation Campaigns Target Ukraine

Latest Targets: Ukraine's Largest Radio Broadcaster, Government Software Provider
Malware Attacks and Disinformation Campaigns Target Ukraine

Hacked radio stations made to broadcast disinformation and unique malware targeted at a tech company whose software is used by state agencies are just the latest examples of the barrage of malware facing Ukrainian network defenders.

See Also: OnDemand | Combatting Rogue URL Tricks: How You Can Quickly Identify and Investigate the Latest Phishing Attacks

It's not quite cyberwar, but as the Russian incursion into Ukraine grinds onward, so does the a barrage of malware attacks targeting organizations in Ukraine.

The second quarter of this year saw a "significant ramp up" of malware intended to steal and destroy data, says the State Service of Special Communications and Information Protection of Ukraine. It estimates malware incidents are up by 38%, compared to first three months of the year.

The White House this afternoon announced a new $270 million tranche of security assistance to Ukraine that includes four more High Mobility Artillery Rocket Systems, a weapon described as a potential game changer. Security experts warn that even with cyber operations in Ukraine falling short of all out war, Russian escalation remains a risk (see: Major Takeaways: Cyber Operations During Russia-Ukraine War).

Cyberattack on Ukrainian Radio Stations

One recent incident for the books was a cyberattack against TAVR Media, which owns a string of stations ranging from pop to dance and classical. It has a station dedicated to "Music of Ukrainian victory." TAVR Media identifies itself as the "largest radio group in Ukraine."

During the incident, attackers compromised TAVR Media servers to broadcast a fake message about Ukrainian President Volodymyr Zelenskyy's health, claiming he was in intensive care. A YouTube user who posted an apparent video of the incident described the message as "robotic."

Zelenskyy on Thursday took to Instagram to refute the matter, broadcasting in a green khaki t-shirt. "So, here I am in my office, and I have never felt as good as now," he said, according to a translation by Reuters. He fingered Russia as responsible for the attack.

In June, a similar incident took place when the Football World Cup 2022 qualifier game between Wales and Ukraine was interrupted in Ukraine by a cyberattack that targeted OLL.TV, a Ukrainian online broadcaster. The traffic was rerouted to a Russian propaganda-based channel to spread disinformation (see: Russian Cyberattack Hits Wales-Ukraine Football Broadcast).

Attack on Software Development Company

Security researchers at Cisco Talos say they identified a "fairly uncommon piece of malware" targeting an unidentified large software development company in Ukraine among whose customers number government agencies.

The malware appears to be a modified version of the open source backdoor called "GoMet."

The researchers attribute "with moderate to high confidence" the attack to Russian state-sponsored actors or someone acting in the Kremlin's interests.

Given the company's cliental, Talos said it's possible hackers attempted to initiate a supply chain-style attack.

The history of the GoMet backdoor a "rather curious," Talos says, because there are only a handful of documented cases of its use. The persistence malware is written in Go programming language and contains all necessary functions required to remotely control an agent that can be deployed on a variety of operating systems or processor architectures.

A significant modification to this version of GoMet is that it aggressively checks for connections to its command and control server, executing a check once every two seconds. If it determines that the command and control server is unreachable, it'll try again in a random interval of between five and ten minutes. The changes make the malware more noisy than the original, notes Talos.

It also hit itself by replacing an existing an auto-start command from legitimate software with itself, rather than creating a new autorun configuration.


About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.