Ukraine has been a major target of international cyber warfare for a long time. To be clear, cyber warfare is just what it sounds like, violent action against others conducted through digital-based attacks. As we get further into the 21st century, bombs and guns and nukes and drones aren’t the only instruments of war. Militaries and rogue cyber warfare units are using their computers to attack other computers and make life difficult for the people, governments, and companies who are targeted.
Now, The Computer Emergency Response Team of Ukraine and the Foreign Intelligence Service of Ukraine are warning, they’ve found new malware which indicates that a new series of destructive military cyber attacks will soon commence.
Cyber attackers love to victimize Ukraine.
According to President Petro Poroshenko, Ukrainian state institutions were hit by cyber warfare attacks at least 6,500 times in last quarter of 2016 alone. Kenneth Geers, a NATO ambassador who specializes in cybersecurity explains, “You can’t really find a space in Ukraine where there hasn’t been an attack.”
One of the biggest cyber attacks in 2017 was NotPetya, a form of ransomware was designed to be a weapon for cyberwarfare. Real ransomware is designed to lock your computer’s files through cryptography, and then display a ransom note that demands money from you in order to get your files back. Cybercriminals who use ransomware generally just want to get your money. Computers infected by NotPetya looked like they had ransomware. A note would say, “Oops, your important files are encrypted.” And $300 worth of Bitcoin was requested, to be sent to a specific digital address.
NotPetya didn’t merely encrypt targets’ files, it wiped the files out completely, with no decryption possible. Its victims were Ukrainian banks and energy firms. After an in-depth investigation, the CIA concluded that NotPetya came from Russia’s GRU military spy agency. The ransom note was just designed to make targets think that it’s ransomware and to distract them from the malware’s true purpose, which was to permanently destroy important data on Ukrainian business computers.
It appears multiple Russian agencies are behind the many thousands of cyber warfare attacks in Ukraine each year. It seems to be the main way that Russia likes to harm Ukraine with military tactics.
Pterodo is back and it’s worse than ever.
The recently discovered malware in Ukraine is called “Pterodo,” a new version of something older through Windows backdoors, malware that gives cyber attackers illicit access to computer systems—like a backdoor to conduct further attacks.
The Computer Emergency Response Team of Ukraine wrote (in translation), “CERT-UA together with the Foreign Intelligence Service of Ukraine found new modifications of Pterodo- type malware on computers of state authorities of Ukraine, which is likely to be the preparatory stage for cyber attacking. This virus collects system data, regularly sends it to command-control servers and expects further commands. The main difference between modifications from previous versions is the possibility of infecting the system through flash drives and other removable media, as well as infecting flash drives that connect to the affected machine for further distribution.”
He added, “Documents (.doc, .docx), images (.jpg) and text files (.txt) are copied to a hidden MacOS folder named FILE <arbitrary>. <Extensions> (for example, FILE3462.docx), and the flash drives are created shortcuts with original filenames that ensure the simultaneous opening of the original file copied to the MacOS folder and execution of the created malicious file usb.ini.”
Okay, now it’s time to translate from tech nerd English to plain English.
This newly discovered Pterodo is a modified version of the previously discovered Pterodo. It gets information about how the computer systems are set up, sends the information to the cyber attacker’s own computers, and then waits for them to send instructions how to turn malicious. Unlike the old Pterodo, the new one can infect computers through USB flash drives and other removable media such as DVDs. It can also infect a USB drive that’s inside the once malware-free computer. The idea is that someone will put the newly Pterodo-infected USB drive into another computer and spread it about.
The malware hides inside document and graphics files, which get copied into a hidden folder designed for Mac computers. The malware works through the USB drive, so it will automatically launch through a Windows file. It’s also designed to attack Windows computers, a macOS folder created not for the use of Macs, but simply to hide what it’s doing from Windows computers.
This Pterodo malware can only attack Windows when it’s configured to use languages like Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek, and Tatar. Those are languages used predominantly in Ukraine and other Eastern European countries, so those are the only countries that the cyber attackers want to target. With Pterodo-infected computers, cyber attackers gain control and can therefore send many tons of nasty attacks.
The Gamaredon Group is the likely culprit.
As mentioned, there are many different Russian agencies and cyber warfare groups with a history of cyber attacking Ukraine specifically. Cyber warfare experts linked previous versions of the Pterodo malware to Russia’s Gamaredon Group, so this new version of Pterodo is likely from them as well.
Palo Alto’s Unit 42 researchers have been following Gamaredon’s activities for years. According to Unit 42, Gamaredon has been engaging in cyber warfare activities since at least 2013. They’ve gone from “off-the-shelf” tools—meaning malware developed by other people—to now using malware they’ve created themselves. Such as Pterodo!
Unit 42 wrote: “The Gamaredon Group primarily makes use of compromised domains, dynamic DNS providers, Russian and Ukrainian country code top-level domains (ccTLDs), and Russian hosting providers to distribute their custom-built malware. Antimalware technologies have a poor record of detecting the malware this group has developed. We believe this is likely due to the modular nature of the malware, the malware’s heavy use of batch scripts, and the abuse of legitimate applications and tools (such as wget) for malicious purposes.”
So, the Gamaredon Group uses compromised domains with addresses like “website.com” that were used legitimately and are now under their malicious control. DNS providers run the servers that translate domains like “google.com” to IP addresses like “184.108.40.206.” So when Gamaredon Group controls DNS servers, they can make domain names go to the wrong websites… their own malicious websites instead of the legitimate one. And the malware that Gamaredon Group can be easily changed by them, so it’s difficult for antivirus software to stop their actions.
Unfortunately, Ukraine will probably continue to be a target for cruel cyber warfare for years to come.