Wapack Labs, under a project named "8-ball", maintains watch over cyber activities between Russia and the Ukraine in an effort to warn Red Sky Alliance and the FS-ISAC members of impending threats to their businesses and interests in the area. We've authored reports of Telephony Denial of Service (TDoS) attacks and details involving the CyberBerkut group and their tools.
This week we published a priority intelligence report that demonstrated the ability of the Russian and Ukrainian governments to develop and deploy cyber operations (on the Russian side, aimed at interfering with the election of the next Ukrainian president; on the Ukrainian side, the ability to identify, defend, and arrest). We believe the actions taken by the Russian attackers may be indicative of actions that could be used against other organizations, and identifying lessons learned may help them better understand new threats and defend against future attacks.
The abbreviated version of the story goes like this...
We all know how television stations broadcast election results throughout the evening, tallying votes, predicting winners. The presidential election in the Ukraine was no different. Russian television (Channel One) broadcast updates through the evening. Unfortunately, the updates were being taken from a feed from a compromised Ukrainian election commission system.
On May 25, 2014, Russian state TV Channel One reported that a controversial Ukrainian nationalist and leader of the Right Sector, Dmytro Yarosh, was leading in the elections with 37 percent of the vote, when all other sources were showing another moderate candidate’s clear victory and Dmytro Yarosh's results under 1 percent (see Figure 1).
Figure 1: Russian Channel One television coverage of fake election results
Ukrainian media sources stated that 40 minutes before the Russian media reported the fake results, Ukrainian cyber security forces neutralized a virus in the Ukrainian Central Election Commission system. The virus was supposedly placed to influence the system that reported election results. This resulted in a reporting of 37% of the vote for Dmytro Yarosh. Channel One was thought to be reporting on activity received from a legitimate Ukrainian Central Election Commission system, a possible (but unconfirmed) unwitting participant in an attempt to discredit the Ukrainian election.
The Security Service of Ukraine reported that it had arrested a group of hackers in Kiev who were working to compromise the electoral system. As reported by the Kyiv Post, according to Victor Yagun, Deputy Head of the Security Service of Ukraine (also known as the SBU), “A group of hackers has been arrested in Kiev with specialized equipment intended to rig the results of Ukraine’s presidential election.” This article [in Russian] offered deeper details on the arrest and hacking attacks during the elections.
Additional reporting suggests multiple coordinated tactics used to sway the election. Telephone Denial of Service (TDoS) attacks were used in an attempt to block phones of the electoral commissions. Another report suggested redirection of traffic from the electoral commission to a different IP address. A DDoS was run from Ukrainian servers operated by a Russian citizen. And Russian botnets were believed to be used to deny access to results other than those being shown on Russian Channel One.
We provide intelligence and analysis to a lot of companies and organizations. Much of it is retrospective in nature, but some of it is also forward-looking. One of the best ways to understand possible future actions is to understand how cyber is used during conflict. And there is no better time to learn how government-sponsored cyber actions will unfold than by watching the activities between Russia and Ukraine.
Did Russia attempt to sway the Ukrainian presidential election? You make the call. Certainly the increase in cyber activity suggests an attempt to influence. Regardless, at the strategic level Wapack Labs "Project 8-ball" is offering continued Russia/Ukraine situational awareness to Red Sky Alliance members and others. At a tactical level, we've published detailed workings of tools used and indicators/rules that may be placed in intrusion detection systems and other layers of their defense in depth to help protect our members and customers who are operating in the area.
Rick will be posting next week. I'm taking a week off, flyfishing with an old friend in what we're calling "Advanced Persistent Trout". I'm placing my email on 'Out of Office' today. If you need to contact us, please contact Jim McKee or Rick Gamache for membership questions.
Have a great week!
Jeff