Unknown actors deploy malware to steal data in occupied regions of Ukraine

A cyber espionage campaign targeting organizations in Russian-occupied regions of Ukraine is using novel malware to steal data, according to Russia-based infosec software vendor Kaspersky. In a report published Tuesday, Kaspersky researchers detailed the infections, which use a PowerShell-based backdoor they've named " …

  1. Peter2 Silver badge

    However, the victims – administrative, agricultural and transportation organizations located in the Donetsk, Luhansk and Crimea regions – and the phishing lures suggest that this campaign is related to the illegal Russian invasion of Ukraine.

    Well, quite.

    OK, so transportation organisations I completely understand wanting to spy on; saying where cargo [especially military cargo, i.e. Russian ammunition] is being picked up and delivered to has very obvious military applications: helping Russian ammo stockpiles explode in the warehouse rather than after being delivered to and fired by the Russians.

    Administrative makes general sense as there might be usable information [We are going to use building X for R&R for Russian troops between X and Y dates = legitimate military target], however I'm not seeing any particularly obvious reason as to why they would care much about agricultural organisations.

    Can anybody see what I'm missing? Perhaps X food amount is being delivered to Y location gives Russian troop strengths?

    1. MiguelC Silver badge

      Don't you know of any other uses for fertilisers? If you don't, Timothy McVeigh might enlighten you

      1. Peter2 Silver badge

        The Beirut explosion is a better example of a lot of ANFO going up.

        I would say that the Russians are hardly likely to be resorting to the use of ANFO given how bulky, unstable and low-yield it is compared to "proper" military explosives, but to be fair I'd have had similar comments on the Russians rolling out museum pieces like T-62s as frontline equipment a year ago.

      2. Anonymous Coward
        Anonymous Coward

        MacGyver showed us how to make those as kids in the '80s.

    2. moonhaus

      "however i'm not seeing any particularly obvious reason as to why they would care much about agricultural organisations."

      Russia has been stealing Ukraine's grain and moving it to and from those areas.

    3. Jellied Eel Silver badge

      Can anybody see what i'm missing? Perhaps X food amount is being delivered to Y location gives Russian troop strengths?

      There's an assumption that it's being done by a state actor, not ad-hoc hackers. Ukraine has/had a thriving IT sector with a lot of software developers, including a lot of indie game devs. Or GSC Game World, who gave us S.T.A.L.K.E.R. But it also has/had a fair number of cybercriminals doing their own thing. Often those ended up lumped into generic 'Russian hackers' because the western media has never really understood the cultural ties, differences, or the way organised crime tends to work in that part of the world.

      So it could just be opportunistic, and the targets just the ones they managed to spear. If it's state-backed, it could make sense given logistics wins wars, or special military operations. Our media keeps telling us that Bakhmut is insignificant, yet a quick look at a map shows it's logistically important for that part of Ukraine given the road and rail links. So it could be intelligence gathering with a view to disrupting logistics and administration. Mostly that's likely to be a civilian target given Russia's military is probably using its own logistics. It could be an effort to obtain lists of 'collaborators'. Or it could be something that will be followed up with a demand to pay BTC.

      1. Peter2 Silver badge

        In a war, I'd assume that ad-hoc hackers will be de facto working for the state and would be going for information with some form of useful application just based on "what would I do?".

        1. Jellied Eel Silver badge

          In a war, I'd assume that ad-hoc hackers will be de facto working for the state and would be going for information with some form of useful application just based on "what would I do?".

          I think it's one of those things where the law probably hasn't caught up with war. If I was to sneak into a critical water pumping installation, place charges and blow it up, that would probably be considered an act of war, if I was acting for a state. If instead I sit at my desk, mess with the SCADA systems and make it water-hammer itself to bits... same result, different consequences? So at what point does cyberwarfare become real warfare?

          There are also potential issues wrt volunteers, no matter how well intentioned, creating political or practical problems for their governments. So maybe I hack a pumping station in Russia, and Russia retaliates by destroying 10 in Ukraine. Governments generally like to co-ordinate and control this sort of stuff, so freelancing might do more harm than help. Plus if you're hacking without official authorisation, it's still a crime. Ukraine may choose not to prosecute, or it may not, or you might just find yourself considered an unlawful enemy combatant without any of the rights or protections offered to lawful combatants.

          1. Claptrap314 Silver badge

            A few years ago, there was an article in these pages about an update to the Geneva Conventions such that hacking a SCADA to effect infrastructure damage is the same as planting charges.

            And, so far as I can tell, Ukrainian civilians aren't being afforded any rights in the first place, so there's not much worry about being an unlawful combatant, sadly.

            But it will be interesting to see how comprehensive the peace treaty will be.

        2. Claptrap314 Silver badge

          After 9/11, there were a number of American hackers that took down various Al Qaeda websites--including ones that the CIA had been using to track activity.

          So no, you really cannot make that assumption based on relevant history.

          One of the many, many differences between the physical and electronic worlds...

        3. doublelayer Silver badge

          "In a war, I'd assume that ad-hoc hackers will be de facto working for the state and would be going for information with some form of useful application just based on "what would I do?"."

          I had to think about what I would do, but assuming I turned to hacking systems as a way of helping out, I would not do it this way because, having obtained useful information, I wouldn't know who I could give that information to. If I've discovered useful information about Russian troop movements but I don't know someone high enough in military command that can use it, then what good is it that I know it? If I already had some, I'd try passing things around in the hopes that it gets somewhere useful, but if I had to pick a target, I would pick one that can be affected without having to have connections. The alternative is making the information public in the hope that the Ukrainian military will find and act on it before the Russian military found it and changed their plan, but the risk is that someone else would impersonate me and post false information, so that method has risks too.

          1. Jellied Eel Silver badge

            The alternative is making the information public in the hope that the Ukrainian military will find and act on it before the Russian military found it and changed their plan, but the risk is that someone else would impersonate me and post false information, so that method has risks too.

            Luckily, it's not that difficult... sort of. Ukraine has had tip lines for reporting this kind of thing to its SBU since the conflict started. Most intelligence services have websites with contact info. If you're wanting to share what you've found out of a sense of duty, just contact them. If you want to try and do that anonymously, and you're a hacker, you could probably figure out a dropbox to leave it on a server somewhere and just let them know where to find the data. But they'd probably be naturally suspicious because they're institutionally paranoid, and check that what you're trying to feed them isn't disinformation. Any decent media organisation would probably want to do the same thing, but then James Vasquez has just blown up in another Ghost of Kiev kinda way.

        4. Old Used Programmer

          What's old is new again?

          Hackers as 21st century privateers? If you have a Letter of Marque from your government, you needn't fear your government's policing authorities...

  2. Potemkine! Silver badge

    What is interesting here is to have the IoC and the means used to infect the devices.

    About the threat actors, no one can be excluded; Putin Khuylo is paranoid enough to spy on his own puppets.

  3. Anonymous Coward

    Powershell ?

    Once again, a very good reason not to run Windows. Unless there are reports of Linux machines being pwned ?

    1. Anonymous Coward

      Re: Powershell ?

      There probably wouldn't be reports of Linux machines being "pwned" because most people running *nix don't run anti virus.

    2. Potemkine! Silver badge
      1. Claptrap314 Silver badge

        Re: Powershell ?

        Well, don't you remember--Windows 95 got rated, I think, for Orange level, "As long as it is not connected to another computer".

    3. JassMan

      Re: Powershell ?

      The Russchists are running western software after Pootler has told his people not to use anything from the west? I am absolutely shocked.

      Or I would be if I hadn't seen videos released on official Russchist TV of the glorious leader driving his (Western) Merc while wearing a (Western) Patek Philippe watch on his way to Crimea across a bridge, which earned him 20+ times his official salary.

      The invaders deserve everything they suffer.

    4. doublelayer Silver badge

      Re: Powershell ?

      They target Windows because the people they want to get information about are using Windows. If the people were all using Linux, they would target Linux. Malware that does target Linux has been successfully written and deployed against Linux systems, including many strains of ransomware. Did you also think that Macs don't get viruses a while ago? Do you think that now?

  4. Mike 137 Silver badge

    Common sense?

    I find a .lnk file in a zip archive received from the outside world and I'm going to open it? "Not bloody likely - I'm going in a taxi"[1].

    But of course with all this URL shortening and cryptic hash ridden links, you don't usually know where the hell you'll land up anyway, so I guess falling for this is psychologically not too unexpected.

    [1] with apologies to "My fair Lady"
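
Added example, not from the article, the Kaspersky report or any commenter: a Python triage script for the situation Mike 137 describes, a .lnk file inside a zip archive received from the outside world. It parses the ShellLinkHeader and the StringData fields of each .lnk entry as laid out in MS-SHLLINK (skipping the optional LinkTargetIDList and LinkInfo structures by their declared sizes), reports the embedded target path and command-line arguments, and flags command lines that launch PowerShell or other script hosts with hidden-window or policy-bypass switches. The archive, the file names, the relative path and the command line are constructed fixtures for this example; they are not indicators taken from the report.

```python
import io
import struct
import zipfile

# LinkFlags bits (MS-SHLLINK 2.1.1) that change how the rest of the file is laid out
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Shell Link CLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# Tokens a triage analyst would want highlighted in a shortcut's target/arguments
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript",
                     "rundll32", "regsvr32", "-enc", "hidden", "bypass",
                     "downloadstring", "iex", "invoke-expression", "http://", "https://")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a Windows Shell Link as {field: text}.

    Raises ValueError when the bytes do not start with a valid ShellLinkHeader."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("missing ShellLinkHeader magic/CLSID")
    pos = HEADER_SIZE
    # Optional structures that sit between the header and StringData; skip by size.
    if flags & HAS_LINK_TARGET_ID_LIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    encoding = "utf-16-le" if flags & IS_UNICODE else "cp1252"
    width = 2 if flags & IS_UNICODE else 1
    fields = {}
    # StringData entries appear in this fixed order, each as CountCharacters + chars
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(encoding)
            pos += count * width
    return fields


def scan_zip(zip_bytes: bytes) -> list:
    """Produce one finding per .lnk entry in the archive; other entries are ignored."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            finding = {"entry": info.filename,
                       # e.g. Invoice.pdf.lnk: a document-looking name hiding a shortcut
                       "double_extension": info.filename.lower().count(".") >= 2}
            try:
                fields = parse_lnk(zf.read(info))
            except ValueError as exc:
                finding.update(valid=False, reason=str(exc), indicators=[])
            else:
                text = " ".join(fields.values()).lower()
                finding.update(valid=True, fields=fields,
                               indicators=[t for t in SUSPICIOUS_TOKENS if t in text])
            findings.append(finding)
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed fixture: a minimal Unicode .lnk carrying RELATIVE_PATH and
    COMMAND_LINE_ARGUMENTS only (no IDList/LinkInfo). Not a real-world sample."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, sizes
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def sample_archive() -> bytes:
    """Constructed archive: a lure shortcut, a benign text file, and a file with a
    .lnk name that is not actually a shell link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.lnk", build_lnk(
            r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            '-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "Start-Process notepad"'))
        zf.writestr("readme.txt", "plain text, skipped by the scanner")
        zf.writestr("notes.lnk", b"this is not a shell link")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(sample_archive()):
        print(finding)
```

Run as `python scan_lnk_zip.py` (file name assumed) to see the two findings: the lure is reported with its PowerShell relative path, the `hidden`/`bypass` switches and the double extension, while `notes.lnk` is reported as not being a shell link at all. The parser deliberately stops after StringData; the ExtraData blocks that follow can carry further indicators (environment variable targets, console properties) but are not needed to decide whether to open the file.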

  5. Winkypop Silver badge

    Give the Russians enough rope

    …something about incompetence…disorganisation…corruption…and one’s own petard…
