Ukraine calls on underground hacker network to defend cyberattacks

The Ukrainian government is asking for volunteers from the country's underground hacker network to help protect critical infrastructure and conduct cyber spying missions.
25 February 2022

Activists hold placards as they gather in Lafayette Square to protest Russia’s invasion of Ukraine in Washington, DC. (Photo by MANDEL NGAN / AFP)

As Russia’s military actions continue in Ukraine, both in physical and virtual arenas, the country is now hoping to get support from the underground hacker network to deal with a barrage of cyber intrusions of alleged Russian origin. Ukraine has already been hit by numerous cyberattacks this year, with many government websites and several banking websites affected.

According to a report from Reuters, the Ukrainian government is asking for volunteers from the country’s underground hacker network to help protect critical infrastructure and conduct cyber spying missions against Russian troops. The requests for volunteers have appeared on hacker forums, as Russian forces continued their military actions across the nation.

“Ukrainian cybercommunity! It’s time to get involved in the cyber defense of our country,” the post read, asking hackers and cybersecurity experts to apply via Google Docs, listing their specialties, such as malware development, and professional references.

While Russia is known for its hacker network, the Ukranian underground hacker community is also known for its work on the dark web. The hacker network in Ukraine is also well connected to other hackers around the world who may just end up coming to aid the Ukrainians.

Speaking to Reuters, Yegor Aushev, the co-founder of a cybersecurity company in Kyiv, wrote the post at the request of a senior Defense Ministry official who contacted him. Aushev’s firm Cyber Unit Technologies is known for working with Ukraine’s government on the defense of critical infrastructure.

Over in the US, the White House has denied a media report suggesting the US President was presented with options to carry out cyberattacks on Russia. The attacks were supposedly aimed to disrupt Russia’s ability to sustain its military operations in Ukraine.

Meanwhile, the Cyber Peace Institute which has been tracking the cyber espionage operations has reported a spike in cyberattacks in the country. But what they found more concerning was the targeting of critical infrastructure.

Attacks on infrastructure such as energy, water, healthcare, financial institutions, transport and communication services can have devastating consequences on the civilian population. Beyond the risk to critical infrastructure and civilian objects, cyberattacks sow destruction and limit access to accurate information or spread false information,” said the institute.

HermeticWiper malware a major cyberthreat in Ukraine

Ukraine has already faced numerous DDOS attacks and reports showed that the country is also facing malware attacks. The attack involved new data-wiping malware dubbed HermeticWiper, a destructive piece of code that can delete or corrupt data on a targeted computer or network. Technical analysis indicates the mechanism of the attack was built at least six weeks prior to the Russian ground invasion.

Lavi Lazarovitz, Head of Security Research at CyberArk Labs who continues to monitor the HermeticWiper malware in real-time, told TechHQ that their team has identified a few specific characteristics that make this malware unique. “The attacks so far have been very targeted in nature and the infections seen to date leverage compromised identities to move laterally, all leading to the potential for a strong initial foothold based on their nature.

Specifically, Lazarovitz pointed out that the distribution of the Wiper doesn’t seem to be leveraging supply chain vulnerabilities or other “super-spreader” techniques, which means that infection will not quickly spill to other geographics. In one reported case, he said the ransomware deployed using Active-Directory group policy, which means the threat actors had privileged access to the directory. This scenario is more commonly used in targeted, human-operated incidents.

“It’s important to note that the Wiper leverages high privileges on the compromised host to make the host “unbootable” by overriding the boot records and configurations, erasing device configurations, and deleting shadow copies (backups),” elaborated Lazarovitz. “It appears that the Wiper is configured to not encrypt domain controllers – that is to keep the domain running and allow the ransomware to use valid credentials to authenticate to servers and encrypt those. This further highlights that the threat actors use compromised identities to access the network and/or move laterally.”