
A10 NETWORKS SECURITY RESEARCH: HOW NOT TO BECOME AN "UNCONSCIOUS ACCOMPLICE" TO RUSSIAN CYBERATTACKS ON UKRAINIAN SYSTEMS

News

A10 Networks research monitors attacks on Ukrainian systems.

A10 Networks is one of the vendors actively supporting Ukraine during this very difficult time, condemning in every way Russia's crimes against the Ukrainian nation. The Russian-Ukrainian war is shocking in the scale of its bloodshed. Russian terrorists are focusing not only on territorial offensives but also on destabilizing, state-sponsored cyberattacks on Ukrainian systems. Immediate action is required to stop this destructive activity and its potential harmful effects on other countries. We need to act now. In this series of articles, we will explain in detail the characteristics and specifics of the new cyberattacks detected by A10 Networks' security research group. Learn what actions you can take to reduce the impact of Russian cyberattacks and how to make sure you are not an "unconscious accomplice" of the aggressor.


Threat Vectors Reports and Recommendations

State-sponsored attacks are not a novelty. The world has seen occasions in which a number of major enterprises in fields such as banking and healthcare, as well as government agencies, were subjected to massive DDoS attacks that made headlines. The current cyber conflict, however, is being waged on multiple fronts. Recent reports have included malware, DDoS attacks and defacement of Ukrainian websites. Executives at the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, are warning of a new threat:

«Further disruptive cyberattacks against Ukrainian organizations are likely and could unintentionally affect organizations in other countries. Companies should increase their vigilance and re-evaluate their capabilities to plan, prepare, detect and respond to such threats».


Today, we can observe the results of preparations for the current cyber conflict. For example, in 2020 it was revealed that the Russian FSB was aiming to create a massive IoT botnet. We have also seen reports of malware with multiple variants, such as Wiper, causing damage by destroying sensitive data on target computer systems. In addition, state-sponsored DDoS attacks target government, banking and educational services, in other words, organizations that serve ordinary people. We are also seeing reports of retaliatory attacks by hacktivists. For example, the Anonymous group has hacked into prominent Russian websites to post the group's anti-war messages. This clearly demonstrates that both offensive and defensive measures and countermeasures are actively being pursued.


DDoS amplification and reflection attacks were and still are targeting Ukraine

The systems of A10's security research group recorded powerful and sustained attacks on Ukrainian state networks and, as a result, on commercial Internet resources. A massive spike was observed on the first day of the military conflict.

Studying one of our research honeypots and focusing on the first-day spike, we can see that attackers are trying to enlist legitimate systems in a coordinated DDoS amplification/reflection attack. The first attempt to abuse the honeypot node was made several hours after the initial territorial attacks on Ukraine started on February 24. Judging by the Ukrainian addresses to which the honeypot's responses to these requests were directed, two main targets can be identified:


1) Private company "Infoservice-Link", with more than two million requested responses via Apple Remote Desktop (ARD).

2) Secretariat of the Cabinet of Ministers of Ukraine, with more than 600,000 requests to Network Time Protocol (NTP).


The first target is slightly unclear at first because of its name, which we found through an automated lookup. Looking more closely at "Infoservice-Link", we see that it refers to the IP address block 194.79.8.0. Checking where it is located, one source geolocates it to Kharkiv, one of the largest cities in Ukraine, while the whois information lists it in Severodonetsk, Lugansk region, Ukraine. Flooding a block rather than a specific host still constitutes a DDoS attack, which network equipment should in theory be able to handle unless it has been weakened. We can therefore conclude that the goal of the attack is to damage the multiple applications, servers and core infrastructure served by that block and its equipment.


The second target, a government department, looks like an obvious target of opportunity for attackers:

"The main task of the Secretariat is organizational, expert-analytical, legal, informational and logistical support of the Cabinet of Ministers of Ukraine, government committees, the Prime Minister of Ukraine, the First Deputy Prime Minister, Deputy Prime Ministers and the Minister of the Cabinet of Ministers of Ukraine." – Wikipedia.
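As an added illustration (this is not A10's code or data), the following Python script shows the reflector-side view of the attacks described above: an open UDP service such as NTP or ARD receives a burst of requests whose forged source addresses all belong to one victim host or netblock, and every reply it sends lands on that victim. The script aggregates a constructed request log per claimed source host and per /24 block; the block view matters because, as with the 194.79.8.0 block above, a flood spread across a block may not stand out on any single host. The log format, the port-to-service map, the sample records and the thresholds are assumptions made for the example.

```python
"""
Detecting when your own UDP services are being abused as reflectors.

In a DDoS amplification/reflection attack the attacker sends small
requests to an open UDP service (NTP on 123/udp, Apple Remote Desktop
on 3283/udp, ...) with the victim's address forged as the source, so the
service's larger reply is "reflected" onto the victim.  From the
reflector's side this looks like a burst of requests that all claim to
come from one host or one netblock.  This script scans a request log
for such bursts.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed map of UDP services commonly abused for amplification.
AMPLIFIER_PORTS = {123: "NTP", 3283: "ARD", 53: "DNS", 1900: "SSDP"}


def parse_line(line):
    """Parse one constructed log record: '<ISO timestamp> <src_ip> <dst_port> <proto>'."""
    ts, src, dport, proto = line.split()
    return datetime.fromisoformat(ts), ip_address(src), int(dport), proto


def detect_reflection(lines, window=timedelta(minutes=15), threshold=1000):
    """Return {(claimed_source, service): peak_count} for every claimed
    source host or /24 block whose request count to one amplifier
    service reached `threshold` inside some `window`-long interval.

    Counting per /24 as well as per host matters because a flood aimed
    at a whole block may never cross the threshold on any single host.
    """
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r[0])
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    peak = {}                     # key -> highest in-window count observed
    for ts, src, dport, proto in records:
        if proto != "UDP" or dport not in AMPLIFIER_PORTS:
            continue              # only UDP amplifier services are relevant
        service = AMPLIFIER_PORTS[dport]
        block = ip_network(f"{src}/24", strict=False)
        for key in ((str(src), service), (str(block), service)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:   # drop timestamps that fell out of the window
                q.popleft()
            if len(q) > peak.get(key, 0):
                peak[key] = len(q)
    return {k: n for k, n in peak.items() if n >= threshold}


def constructed_sample():
    """Build a small constructed honeypot log (not real A10 data)."""
    base = datetime(2022, 2, 24, 9, 0, 0)
    lines = []
    # 8 NTP requests claiming to come from one host within two minutes
    for i in range(8):
        lines.append(f"{(base + timedelta(seconds=15 * i)).isoformat()} 203.0.113.7 123 UDP")
    # 6 ARD requests spread over three hosts of one /24 block (two each)
    for i in range(6):
        lines.append(f"{(base + timedelta(seconds=20 * i)).isoformat()} 198.51.100.{10 + i % 3} 3283 UDP")
    # benign noise: TCP traffic and UDP to a non-amplifier port
    lines.append(f"{base.isoformat()} 192.0.2.1 22 TCP")
    lines.append(f"{base.isoformat()} 192.0.2.2 5000 UDP")
    # NTP requests from one host spaced an hour apart: never a burst
    for i in range(4):
        lines.append(f"{(base + timedelta(hours=i)).isoformat()} 192.0.2.9 123 UDP")
    return lines


if __name__ == "__main__":
    # A low threshold so the tiny sample produces output; real logs need far higher values.
    for (target, service), n in sorted(detect_reflection(constructed_sample(), threshold=5).items()):
        print(f"{target:18} {service:4} {n} requests in 15 min")
```

With the sample data and a threshold of 5, the single host flooding NTP is reported both as a host and as its /24, while the ARD flood is reported only at the block level, since no individual host in 198.51.100.0/24 reaches the threshold. In production the threshold should be set from a baseline of legitimate query rates, and a hit is the cue to rate-limit or disable the amplifier function (for NTP, the monlist query) rather than the whole service.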


Figure 1: Location information from ipinfo.io


Figure 2: 645,248 amplification request attempts against one honeypot in 15 minutes


To be continued. Stay tuned for more updates!

iIT Distribution is the official distributor of A10 Networks products in Ukraine, Kazakhstan, Georgia and Uzbekistan. We are sincerely grateful to A10 for taking a public stance against the aggression and implementing measures to counter Russian attacks on Ukrainian systems! For our part, iITD will continue to help our partners select and implement the most effective cyber-security solutions from this vendor.
