© 2023 Cybernews - Latest tech news, product reviews, and analyses.


Russian hackers use western networks to attack Ukraine


A Fortune 500 company, a dam monitoring system, and organizations in the UK and France had their networks used by malicious Russian actors to launch cyberattacks on Ukraine.

Russian threat actors use networks of organizations in countries that support Ukraine to launch cyberattacks, a recent report from Lupovis, a cybersecurity firm, claims.

Researchers planted various decoys imitating Ukrainian documents or websites to bait Russian hackers. Unaware of the decoys' true nature, the threat actors took the bait and used it to launch attacks against Ukraine.

According to Xavier Bellekens, the CEO of Lupovis, pro-Russian hackers reacted quickly to newly posted information on Ukraine: up to 60 human attackers converged on a piece of data within a minute of its appearing online.

“As we shared the breadcrumb data directly on Russian forums, Telegram groups, and on the dark web, the response was almost immediate,” Bellekens told Cybernews.

Worryingly, threat actors later used the data obtained via decoys to launch attacks against Ukraine, rerouting them via IT networks of organizations in the US, the UK, France, Brazil, and other nations.

“We collected a couple of scripts that contained Russian language, pointed to Russian websites, and targeted Ukrainian government websites. While these could still be false flag operations, it is highly unlikely given the fact that we scattered and shared information about the decoys on Russian forums, Telegram channels, etc.,” Bellekens explained.

Planting the bait

Researchers planted various decoys named after Ukrainian government departments or critical national infrastructure (CNI) objects all around the web to lure potential threat actors.

For example, fake documents that send a beacon once opened were ‘leaked’ on Russian forums and among pro-Russian groups. Researchers also set up decoy websites masquerading as Ukrainian political or government sites.

“They were also configured to insecurely attempt to authenticate into an API. The way in which the authentication was purposely created could allow for a credential to the next decoy type to be found,” claims the report.

The final decoys, SSH services, were configured to accept the counterfeit credentials harvested from the fake websites and to report a critical attack whenever one was used.
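The three-stage chain described above (beaconing document, decoy website that leaks a credential, SSH decoy that accepts it) can be sketched as code. The following is an added example written for this article, not Lupovis's tooling: the decoy identifiers, the HMAC key, and the IP addresses in the timeline are all constructed. It derives a unique credential per decoy so that any login with it maps back to the site that leaked it, and it records whether the source IP walked the bait path or landed on the SSH decoy directly, which is the distinction the report draws in the next section.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Constructed HMAC key for this example; a real deployment loads it from a secrets store.
SECRET = b"constructed-deception-key"

# Hypothetical decoy identifiers, not the ones Lupovis used.
DECOYS = {
    "gov-portal": "fake ministry web portal",
    "dam-telemetry": "fake dam monitoring API",
}


def honey_credential(decoy_id: str):
    """Derive a unique username/password pair for one decoy from the key.

    Deriving rather than storing means the SSH decoy can recompute the pair on
    demand, and a credential seen in the wild maps back to exactly one decoy.
    """
    mac = hmac.new(SECRET, decoy_id.encode(), hashlib.sha256).hexdigest()
    return f"svc_{mac[:8]}", mac[8:32]


def identify_decoy(user: str, password: str) -> Optional[str]:
    """Return the decoy that leaked this credential, or None for unrelated noise."""
    for decoy_id in DECOYS:
        u, p = honey_credential(decoy_id)
        if hmac.compare_digest(u, user) and hmac.compare_digest(p, password):
            return decoy_id
    return None


@dataclass
class DeceptionTracker:
    """Correlates events from the three decoy stages by source IP."""
    events: list = field(default_factory=list)

    def record(self, src_ip: str, stage: str, detail: str) -> None:
        self.events.append((src_ip, stage, detail))

    def document_opened(self, src_ip: str, doc_id: str) -> None:
        # Stage 1: the 'leaked' document phoned home when opened.
        self.record(src_ip, "document", doc_id)

    def api_auth_attempt(self, src_ip: str, decoy_id: str) -> None:
        # Stage 2: the decoy site 'insecurely' authenticates to an API, exposing
        # the honey credential to anyone inspecting the page or the traffic.
        self.record(src_ip, "website", decoy_id)

    def stages_for(self, src_ip: str):
        return [stage for ip, stage, _ in self.events if ip == src_ip]

    def ssh_login(self, src_ip: str, user: str, password: str) -> Optional[dict]:
        """Stage 3: called by the SSH decoy for every login attempt.

        Any use of a honey credential is a critical alert, since nobody
        legitimate has it. The alert also states whether the attacker followed
        the bait path or arrived after their own reconnaissance.
        """
        decoy_id = identify_decoy(user, password)
        if decoy_id is None:
            self.record(src_ip, "ssh-noise", user)
            return None
        earlier = self.stages_for(src_ip)
        self.record(src_ip, "ssh", decoy_id)
        return {
            "severity": "critical",
            "src_ip": src_ip,
            "leaked_by": decoy_id,
            "followed_bait": "website" in earlier,
            "opened_document": "document" in earlier,
        }


def demo():
    """Constructed timeline: one actor walks the chain, one skips the bait."""
    t = DeceptionTracker()
    user, pw = honey_credential("dam-telemetry")
    # Actor A opens the leaked document, hits the decoy site, then reuses the credential.
    t.document_opened("203.0.113.7", "leaked-memo.docx")
    t.api_auth_attempt("203.0.113.7", "dam-telemetry")
    alerts = [t.ssh_login("203.0.113.7", user, pw)]
    # Actor B found the SSH decoy without touching the earlier stages.
    alerts.append(t.ssh_login("198.51.100.9", user, pw))
    # Ordinary brute-force noise never triggers an alert.
    alerts.append(t.ssh_login("192.0.2.5", "root", "123456"))
    return [a for a in alerts if a is not None]
```

Because the credentials are derived from a key rather than chosen by hand, each decoy website can be given its own pair, and a single login attempt on the SSH decoy tells you which lure the attacker picked up and, by correlating on source IP, whether the earlier stages fired too.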


Hunting the hunters

The decoys also allowed the researchers to discover that some Russian adversaries landed on the decoy websites without following the bait, most likely because they had done their own reconnaissance. Others, however, followed the predetermined attack path.

According to the report, adversaries carried out a variety of attacks on the decoys, from intelligence gathering to turning them into bots for DDoS attacks. Attackers tried SQL injection, remote code execution (RCE), Docker exploitation, and exploits for known CVEs against the decoys.

Since researchers also set up non-Ukrainian decoys, they were able to deduce that threat actors were significantly more aggressive towards lures imitating Ukrainian organizations. For example, threat actors were prone to using scripts to attack Ukrainian websites, institutions, and websites supporting Kyiv in the war against Russian occupation.

“The most concerning finding from our study is that Russian cybercriminals have compromised the networks of multiple global organizations, including a Fortune 500 business, over 15 healthcare organizations, and a Dam Monitoring System,” reads the report.

The organizations in the US, UK, France, Brazil, South Africa, and elsewhere were used to reroute Russian attacks on fake targets in Ukraine.

Not only does this suggest that using foreign networks for attacks is a common practice for Russian cybercriminals, but it also shows that Russian hackers have a significant presence in foreign networks.

“There are 13 different critical national infrastructures in the UK and 16 in the USA. Some CNIs are well protected. However, we also know that a wide range of sectors, such as maritime and healthcare, and smaller entities, have difficulties implementing and increasing their cybersecurity […]. These are likely prime targets,” Bellekens said.

