Full Report
In the first part of Trustwave SpiderLabs’ Russia-Ukraine war blog series, we gave a brief look at our major findings as well as the main differences between how Russia and Ukraine wage attacks in the digital frontlines. In this part of our series, we shed light on how both countries target government entities, defense organizations, and even human targets as part of their overall strategy to win the war.
Analysis Summary
# Incident Report: Russian State and Hacktivist Cyber Operations Against Ukraine and Associated Targets (2024)
## Executive Summary
Throughout 2024, Russian state-sponsored threat actors (APT29, APT28) and affiliated hacktivist groups (XakNet, KillNet) conducted cyber operations against Ukrainian government infrastructure, defense organizations, and foreign supporters of Ukraine. Key incidents included the December 2024 destructive attack on the state registries administered by Ukraine's Ministry of Justice, claimed by XakNet, and a watering hole campaign, attributed by Google TAG with moderate confidence to APT29, that chained two already-patched Chrome vulnerabilities (n-days rather than zero-days) against Android users of compromised Mongolian government websites. The overall impact was multi-day disruption of critical government services alongside surveillance and influence operations.
## Incident Details
- **Discovery Date:** Varies; the incidents described span February to December 2024.
- **Incident Date:** Various. Specific dates: December 19, 2024 (XakNet/Ministry of Justice); July 2024 (APT29 watering hole); April 6, 2024; late February 2024 (APT28 phishing).
- **Affected Organization:** Ukrainian government entities (Ministry of Justice, National Information Systems), Mongolian government entities.
- **Sector:** Government, Defense, Critical Infrastructure.
- **Geography:** Ukraine, Russia (actor origin), Mongolia, Argentina, Georgia, Belarus, Kazakhstan, Poland, US (targets/operations areas).
## Timeline of Events
### Initial Access
- **Date/Time:** December 19, 2024
- **Vector:** Compromise of the state enterprise National Information Systems (nais.gov.ua), which administers Ukraine's state registries.
- **Details:** XakNet claimed the initial compromise of NAIS and used that access for a secondary intrusion into Ministry of Justice (minjust.gov.ua) infrastructure.
- **Date/Time:** July 2024
- **Vector:** Watering hole attack on Android users via compromised Mongolian government websites.
- **Details:** The campaign, attributed by Google TAG with moderate confidence to APT29, chained two Chrome/Chromium vulnerabilities: CVE-2024-5274 (a V8 type confusion bug giving code execution in the renderer) and CVE-2024-4671 (a use-after-free in Visuals used to escape the renderer sandbox). Both had been fixed in Chrome stable in May 2024, so by July the chain was an n-day exploit effective only against devices that had not updated; TAG noted the same exploits had earlier been used as zero-days by commercial surveillance vendors.
- **Date/Time:** Late February 2024
- **Vector:** Phishing campaigns.
- **Details:** APT28 targeted entities across multiple countries with lures built from internal and public documents. The lure links used the Windows _search-ms:_ protocol handler: clicking one opens a Windows Explorer search view whose `crumb=location:` parameter points at an attacker-controlled WebDAV server, so the remote payload is presented to the victim as if it were a local file.
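As an added detection example (not code from Trustwave, CERT-UA or the campaign itself), the Python below parses `search-ms:` links of the kind just described and flags those whose `crumb=location:` parameter points at a remote share, with extra weight when the share uses the Windows WebDAV Mini-Redirector form (`\\host@SSL@443\DavWWWRoot\...`), the host is a bare IP address, or the query narrows results to directly executable file types such as `*.lnk`. The HTML sample, the 203.0.113.10 host and the share path are constructed for illustration and are not indicators from the campaign.

```python
# Added example (not Trustwave's, CERT-UA's or APT28's code): flag search-ms:
# lures that point Windows Explorer at a remote WebDAV share. All hosts, paths
# and the HTML snippet below are constructed for illustration.
from __future__ import annotations

import html
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Markers of the Windows WebDAV Mini-Redirector UNC form \\host@SSL@443\DavWWWRoot\...
# (a plain \\host\share is SMB; WebDAV lets an attacker serve files from any Internet host).
WEBDAV_MARKERS = ("davwwwroot", "@ssl", "@80", "@443")
# Extensions Explorer launches directly when a search result is double-clicked.
RISKY_EXTENSIONS = {"lnk", "cmd", "bat", "js", "vbs", "hta", "exe", "scr", "url"}
SEARCH_MS_RE = re.compile(r"""search-ms:[^\s"'<>]+""", re.IGNORECASE)


@dataclass
class SearchMsFinding:
    uri: str
    location: str
    remote: bool
    webdav: bool
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_search_ms(uri: str) -> dict[str, str] | None:
    """Split a search-ms: URI into percent-decoded key=value parameters; a
    crumb=location:<path> parameter is exposed under the key "location"."""
    if not re.match(r"\s*search-ms:", uri, re.IGNORECASE):
        return None
    params: dict[str, str] = {}
    for part in uri.split(":", 1)[1].split("&"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), unquote(value)
        if key == "crumb" and value.lower().startswith("location:"):
            params["location"] = value.split(":", 1)[1]
        else:
            params[key] = value
    return params


def unc_host(location: str) -> str:
    """Host part of \\\\host[@SSL][@port]\\share\\..., or "" if not a UNC path."""
    path = location.replace("/", "\\")
    if not path.startswith("\\\\"):
        return ""
    return path.lstrip("\\").split("\\", 1)[0].split("@", 1)[0]


def is_bare_ip(host: str) -> bool:
    """Internal file servers are normally named; a literal IP is a lure signal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess(uri: str) -> SearchMsFinding | None:
    """Parse one search-ms: URI and collect the reasons it looks like a lure."""
    params = parse_search_ms(uri)
    if params is None:
        return None
    location, query = params.get("location", ""), params.get("query", "")
    host = unc_host(location)
    remote = host != ""
    webdav = remote and any(m in location.lower() for m in WEBDAV_MARKERS)
    f = SearchMsFinding(uri, location, remote, webdav)
    if remote:
        f.reasons.append("crumb=location points at a remote UNC share")
    if webdav:
        f.reasons.append("share uses WebDAV Mini-Redirector syntax")
    if remote and is_bare_ip(host):
        f.reasons.append("share host is a bare IP address, not a name")
    ext = query.rsplit(".", 1)[-1].lower() if "." in query else ""
    if ext in RISKY_EXTENSIONS:
        f.reasons.append(f"query narrows results to *.{ext} files")
    return f


def scan_text(blob: str) -> list[SearchMsFinding]:
    """Find every search-ms: URI in an HTML/email body; keep the suspicious ones."""
    found = (assess(m.group(0)) for m in SEARCH_MS_RE.finditer(html.unescape(blob)))
    return [f for f in found if f is not None and f.suspicious]


# Constructed sample: one lure (TEST-NET-3 address, WebDAV on port 80, *.lnk
# query) and one benign search of a local folder.
SAMPLE_HTML = r"""
<a href="search-ms:query=*.lnk&amp;crumb=location:%5C%5C203.0.113.10@80%5CDavWWWRoot%5Cdocs&amp;displayname=Downloads">Open document</a>
<a href="search-ms:query=report&crumb=location:C:\Users\Public\Documents&displayname=Search">Local search</a>
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_HTML):
        print(finding.uri, *finding.reasons, sep="\n  - ")
```

Run over quarantined mail bodies, attachments rendered to HTML, or proxy logs, the lure is reported with four reasons while the local search link is ignored. The heuristics are deliberately narrow: a `search-ms:` link to a named internal file server with a benign query is surfaced only as "remote UNC share" and can be allow-listed. On the host side the same technique is visible as the WebClient service making outbound HTTP/HTTPS connections to hosts it has never contacted before, which is the complementary network signal.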
### Lateral Movement
- **Date/Time:** December 2024 (XakNet)
- The claimed compromise of NAIS, the national registry operator, gave the attackers a path into Ministry of Justice infrastructure.
### Data Exfiltration/Impact
- **Date/Time:** December 2024 (XakNet)
- The attackers claimed to have erased all records, including backup copies held on servers located in Poland.
- Approximately 60 Ministry of Justice databases were affected, leaving key registries, including property ownership records and personal identification data, inaccessible for days.
- **Date/Time:** July 2024 (APT29)
- The objective was surveillance: the chain gave code execution in the Chrome renderer and an escape from its sandbox on unpatched Android devices that visited the compromised sites.
### Detection & Response
- **Detection:**
- The APT29 Android campaign was identified and published by Google's Threat Analysis Group (TAG).
- The XakNet operation became known through the group's own public claims.
- **Response actions taken:** Not explicitly detailed for the XakNet/Ministry of Justice incident. For the mobile exploits, the Chrome fixes for both CVEs predated the campaign, so the response amounted to applying updates that were already available.
## Attack Methodology
| Category | Method Details |
| :--- | :--- |
| **Initial Access** | Compromise of the NAIS registry operator (XakNet); watering hole delivering an n-day Chrome exploit chain (APT29); phishing with _search-ms_ protocol links to attacker-controlled WebDAV servers (APT28). |
| **Persistence** | Not detailed in depth; APT28's malware chain (the MASEPIE first-stage backdoor, followed by OCEANMAP and STEELHOOK) establishes persistent remote access. |
| **Privilege Escalation** | Not explicitly detailed for the server compromise; the mobile exploit chain included a renderer sandbox escape (CVE-2024-4671). |
| **Defense Evasion** | Use of existing cybercriminal infrastructure to blur attribution; n-day browser exploits against devices that had not applied available Chrome updates (mobile); messaging apps (Signal/Telegram) as delivery channels that sit outside email security controls. |
| **Credential Access** | Not explicitly detailed, though the claimed destruction of registries and their backups implies high-level access was achieved. |
| **Discovery** | Not explicitly detailed; the APT28 lures built from targets' internal documents indicate prior reconnaissance of the target organizations. |
| **Lateral Movement** | Movement from compromised NAIS infrastructure to Ministry of Justice systems. |
| **Collection** | Access to approximately 60 Ministry of Justice databases. |
| **Exfiltration** | Data erasure claimed; theft of data before erasure was not confirmed but cannot be excluded. |
| **Impact** | Destruction of critical data (property records, PII); multi-day inaccessibility of key governmental systems; surveillance of mobile users. |
## Impact Assessment
- **Financial:** Not estimated, but significant given the multi-day unavailability of state registries.
- **Data Breach:** No confirmed exfiltration; the attackers claimed destruction of roughly 60 Ministry of Justice databases, including property ownership records and personal identification data, and theft prior to deletion cannot be excluded.
- **Operational:** Key Ministry of Justice systems were inaccessible for days, halting administrative functions that depend on the registries.
- **Reputational:** Exposed weaknesses in the resilience of Ukraine's state registries; the attackers' claim to have erased backup copies in Poland as well points to backups that were reachable from the compromised environment rather than kept offline.
## Indicators of Compromise
- **Network indicators:** Attacker-operated WebDAV servers reached via _search-ms_ links (APT28); Telegram channels used by KillNet and the Deanon Club.
- **File indicators:** MASEPIE backdoor, OCEANMAP, STEELHOOK (APT28).
- **Behavioral indicators:** _search-ms_ protocol links whose `crumb=location:` parameter points at a remote share, used for payload delivery; exploitation of CVE-2024-5274 chained with CVE-2024-4671 to achieve renderer code execution and sandbox escape in Chrome on Android.
## Response Actions
- **Containment:** Not detailed for the destruction incident. For the mobile chain, fixes for CVE-2024-5274 and CVE-2024-4671 had shipped in Chrome stable in May 2024, so containment consisted of updating affected devices.
- **Eradication:** Not detailed.
- **Recovery:** Restoring access to Ministry of Justice systems that had been inaccessible for days following the XakNet attack.
## Lessons Learned
- APT threat actors efficiently leverage existing cybercriminal infrastructure to conceal their identities and increase operational speed.
- Delivery through non-email channels such as messaging apps (Signal, Telegram) sidesteps email-centric security controls and is increasingly used for initial access.
- The proliferation/potential sale of advanced spyware like Pegasus, even if claims are unverified, indicates high-value tools are circulating in non-state actor ecosystems.
## Recommendations
- Implement multi-layered security strategies for critical sectors combining advanced threat detection integrated with proactive threat hunting capabilities.
- Enhance monitoring and policy enforcement around emerging initial access vectors, including messaging applications, non-standard protocol handlers such as _search-ms_, and outbound WebDAV connections from workstations.
- Foster stronger, formalized collaboration channels between private cybersecurity firms and government/defense agencies to share threat intelligence rapidly.