Threat Actor Update: Opportunistic and Strategic Information Gain Will Likely Drive Further APT Cyber Conflict Outside the Russia-Ukraine War
Since the beginning of April, EclecticIQ analysts have noted increased open-source reporting of APT groups using Ukraine war themes in phishing attacks targeting countries not directly participating in the conflict (1, 2, 3). In addition to Russian-linked groups, APT groups with alleged links to China, Iran and North Korea, as well as an unidentified Spanish-speaking APT, have been identified carrying out these attacks.
EclecticIQ analysts evaluate this behavior as typical of APT groups, which continually adjust their operations to remain effective and breach new targets. As the war continues, its progression provides attention-grabbing themes that are used to direct cyberattacks at the users most likely to engage with that material. Judging by the malware used in these campaigns, which leans heavily toward remote access and information gathering, and by the initial access vectors observed, the majority of these APT attacks are aimed at information theft.
Less common attacks are possibly aimed at strategic service disruption as part of more complex State-on-State conflict (4, 5, 6, 7). The April 12 attack targeting a Bremen-based German wind power company represents the third attack on a German wind power company since the start of the war. This third attack is alleged to be linked to the war in Ukraine based on initial comments from “experts” connected to the matter. It is possible that ransomware attacks will also serve as an extension of strategic activities of APT groups connected to State interests, providing both disruption and strategic information gain.
New and Noteworthy: Law Enforcement Operations Chip Away at Illicit Markets With Little Effect
On February 27th RaidForums’ primary command and control infrastructure was taken down and US law enforcement placed an announcement on the landing page (8). RaidForums was a very popular marketplace that often advertised illicit cyber-related activities. A separate law enforcement operation recently took down the Hydra marketplace (9). Many, many more dark marketplaces remain available through the internet and Tor.
These sanctioned operations demonstrate a degree of prioritization of official resources aimed at combating these prevalent websites. Targeted takedowns are very unlikely to have a significant effect on the larger landscape for the exchange of illicit goods and data. The primary administrator of RaidForums started the service when he was about 14 years old, a very clear indication of how easily these markets are set up and maintained. Much like a literal hydra, dark marketplaces will continue to spring up in different forms, hosted in various countries and offering the same services, and end users will migrate to new sites with ease. A 2020 study of almost 40 million users’ activity across dark markets found that the ecosystem is resilient and largely aided by fluid user migration (https://www.nature.com/articles/s41598-020-74416-y). Narrowing the time between identification and takedown of dark marketplaces is likely to provide a further, more effective deterrent for threat actors involved in creating and maintaining this infrastructure.
References:
- https://www.sentinelone.com/labs/chinese-threat-actor-scarab-targeting-ukraine/
- https://thehackernews.com/2022/04/multiple-hacker-groups-capitalizing-on.html
- https://securityaffairs.co/wordpress/129982/apt/microsoft-court-order-apt28-attacks-ukraine.html
- https://www.butenunbinnen.de/nachrichten/cyberangriff-auf-deutsche-windtechnik-ag-bremen-102.html
- https://thehackernews.com/2022/04/russian-hackers-tried-attacking.html
- https://www.energate-messenger.com/news/221449/hackers-attack-nordex
- https://www-techtimes-com.cdn.ampproject.org/c/s/www.techtimes.com/amp/articles/272624/20220305/europe-cyberattack-results-massive-internet-outage-5-800-wind-turbines.htm
- https://www.bleepingcomputer.com/news/security/raidforums-hacking-forum-seized-by-police-owner-arrested/
- https://www.cyberscoop.com/hydra-market-sting-germany-bka/
Structured Data
Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack.
TAXII v1 Discovery services: https://cti.eclecticiq.com/taxii/discovery
You may also download the content as eiq_json, stix1_2, stix2_1.
Please refer to our support page for guidance on how to access the feeds.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.