Russia/ Ukraine Conflict Cyberaspect: Report OSINT
Version: 1.0
Classification: Confidential Essential
TLP: WHITE
Disclosure is not limited
Sources may use TLP:WHITE when information
carries minimal or no foreseeable risk of misuse, in
accordance with applicable rules and procedures
for public release. Subject to standard copyright
rules, TLP:WHITE information may be distributed
without restriction.
Fokkerstraat 4
3833 LD Leusden
The Netherlands
www.tesorion.com
Tesorion – Russia/ Ukraine Conflict Cyberaspect
Preface
Following the recent attacks affecting mainly Ukraine and the Baltic States, this
document provides an OSINT scan of the cyber aspects of the Russia-Ukraine conflict.
For example, last month large numbers of infections were observed related to the
WhisperGate and HermeticWiper destructive malware, intended to make infected systems
unusable, as well as to the Cyclops Blink malware. The threat actor most commonly
named behind these attacks is the Sandworm APT group. This group was also responsible
for previous large-scale malware attacks on Ukraine, such as NotPetya, which also
caused a lot of damage in Western Europe.
With regard to the threat posed by the malware families and threat actors mentioned in
this report, Tesorion assumes both that infections will spill over unintentionally
into other countries, for example in Western Europe, and that the threat actors
involved will also be active in this region.
There is also a risk of further escalation in which the Netherlands and other EU countries,
possibly as a result of sanctions or other punitive measures, become the deliberate target
of the threat actors behind these malware families, for example if the EU decides to
exclude Russia from the SWIFT payment system.
The information in this report is derived from OSINT sources and public information
published during the past month. The technical indicators, such as IP addresses, malware
hashes and YARA signatures, can be used to detect and block malicious traffic.
The remainder of this report provides more information on the following topics:
• Malware Families & Threat Actors
• Indicators of Compromise
• News Articles & Security Advisories
Tesorion does not own the copyright for the technical information provided. This
information originates from various IT Security companies and National CERTs.
Our Security Monitoring Service is closely monitoring the geopolitical conflict. The
current situation is followed through various threat intelligence feeds that are
continuously updated, and we make every effort to process this rapidly changing data.
Clients we serve with Immunity Services, Managed Firewall and other services should note
that the IOCs (Indicators of Compromise) in this report are added to those services.
Threat Actors
• Sandworm APT
Indicators of Compromise
Malware Hashes
IP Addresses
Katana Botnet Indicators of Compromise
• 100.43.220[.]234
• 96.80.68[.]193
• 188.152.254[.]170
• 208.81.37[.]50
• 70.62.153[.]174
• 2.230.110[.]137
• 90.63.245[.]175
• 212.103.208[.]182
• 50.255.126[.]65
• 78.134.89[.]167
• 81.4.177[.]118
• 24.199.247[.]222
• 37.99.163[.]162
• 37.71.147[.]186
• 105.159.248[.]137
• 80.155.38[.]210
• 217.57.80[.]18
• 151.0.169[.]250
• 212.202.147[.]10
• 212.234.179[.]113
• 185.82.169[.]99
• 93.51.177[.]66
• 80.15.113[.]188
• 80.153.75[.]103
• 109.192.30[.]125
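The preface states that the IP indicators can be used to detect and block malicious traffic. The following Python script is added here as a worked example; it is not part of the Tesorion report or of its monitoring services. It parses the defanged Katana list above (a subset of the entries, all in the same form), validates every entry as an IPv4 address, matches the set against firewall connection logs and renders it as iptables drop rules. The log lines, the host name fw01 and the chain name FORWARD are constructed assumptions, not data from the report.

```python
import ipaddress
import re

# Katana botnet indicators as published in the list above, kept in defanged
# form so the feed cannot be clicked or auto-resolved by tooling.
# Subset of the report's list; the remaining entries follow the same form.
KATANA_IOCS_DEFANGED = """
• 100.43.220[.]234
• 96.80.68[.]193
• 188.152.254[.]170
• 208.81.37[.]50
• 2.230.110[.]137
• 81.4.177[.]118
• 109.192.30[.]125
"""

# Constructed firewall connection log (not from the report) used as sample input.
# The last line carries 12.230.110.137, a near-miss for the indicator 2.230.110.137.
SAMPLE_LOG = """\
2022-02-28T10:12:01Z fw01 conn src=10.0.0.5 dst=188.152.254.170 dport=23 action=allow
2022-02-28T10:12:07Z fw01 conn src=10.0.0.7 dst=198.51.100.20 dport=443 action=allow
2022-02-28T10:13:44Z fw01 conn src=81.4.177.118 dst=203.0.113.9 dport=22 action=drop
2022-02-28T10:14:02Z fw01 conn src=10.0.0.9 dst=12.230.110.137 dport=80 action=allow
"""

# Whole dotted-quad tokens only: no digit or dot directly before or after.
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")


def refang(indicator: str) -> str:
    """Strip list bullets and undo the common defanging conventions [.] and [:]."""
    return indicator.strip().lstrip("•-* ").replace("[.]", ".").replace("[:]", ":")


def load_iocs(text: str) -> set:
    """Parse a defanged indicator list into a set of normalised IPv4 strings.

    Entries that do not parse as an address are dropped rather than matched
    loosely, so a typo in the feed cannot turn into a blanket match.
    """
    iocs = set()
    for line in text.splitlines():
        candidate = refang(line)
        if not candidate:
            continue
        try:
            iocs.add(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            continue
    return iocs


def scan_log(lines, iocs: set) -> list:
    """Return (line number, matched ip, line) for each log line carrying an indicator.

    Addresses are extracted as whole tokens and compared exactly, so the near-miss
    12.230.110.137 is not reported for 2.230.110.137, which a plain substring
    test ("2.230.110.137" in line) would do.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for token in IPV4_RE.findall(line):
            try:
                ip = str(ipaddress.IPv4Address(token))
            except ipaddress.AddressValueError:
                continue  # e.g. 999.1.1.1 looks like an address but is not one
            if ip in iocs:
                hits.append((number, ip, line))
    return hits


def blocklist_rules(iocs: set, chain: str = "FORWARD") -> list:
    """Render the indicators as iptables drop rules for both directions (chain name assumed)."""
    rules = []
    for ip in sorted(iocs, key=ipaddress.IPv4Address):
        rules.append(f"iptables -I {chain} -s {ip} -j DROP")
        rules.append(f"iptables -I {chain} -d {ip} -j DROP")
    return rules


if __name__ == "__main__":
    iocs = load_iocs(KATANA_IOCS_DEFANGED)
    for number, ip, line in scan_log(SAMPLE_LOG.splitlines(), iocs):
        print(f"line {number}: {ip} -> {line}")
    print("\n".join(blocklist_rules(iocs)))
```

Indicators for a Mirai-style botnet such as Katana are largely infected consumer devices on dynamic addresses, so a list like this ages quickly; check the publication date of the feed before turning matches into long-lived firewall rules.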
YARA Signatures
YARA Rule: Katana DDoS Botnet
rule Ddos_Linux_Katana {
    meta:
        description = "Detects Mirai variant named Katana"
        date = "2022-02-19"
        license = "Apache License 2.0"
        hash = "82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf"
    strings:
        $ = "[http flood] fd%d started connect"
        $ = "Failed to set IP_HDRINCL. Aborting"
        $ = "[OVH] DDoS Started"
        $ = "[vega/table] tried to access table.%d but it is locked"
        $ = "Cannot send DNS flood without a domain"
    condition:
        all of them
}
YARA Rules: Cyclops Blink
rule CyclopsBlink_notable_strings
{
    meta:
        author = "NCSC"
        description = "Detects notable strings identified within the Cyclops Blink executable"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
    strings:
        // Process names masqueraded by implant
        $proc_name1 = "[kworker/0:1]"
        $proc_name2 = "[kworker/1:1]"
        // DNS query over SSL, used to resolve C2 server address
        $dns_query = "POST /dns-query HTTP/1.1\x0d\x0aHost: dns.google\x0d\x0a"
        // iptables commands
        $iptables1 = "iptables -I %s -p tcp --dport %d -j ACCEPT &>/dev/null"
        $iptables2 = "iptables -D %s -p tcp --dport %d -j ACCEPT &>/dev/null"
        // Format strings used for system recon
        $sys_recon1 = "{\"ver\":\"%x\",\"mods\";["
        $sys_recon2 = "uptime: %lu mem_size: %lu mem_free: %lu"
        $sys_recon3 = "disk_size: %lu disk_free: %lu"
    condition:
        (uint32(0) == 0x464c457f) and (6 of them)
}
rule CyclopsBlink_core_command_check
{
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to test the command ID being sent to the core component of Cyclops Blink"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
    strings:
        // Check for command ID equals 0x7, 0xa, 0xb, 0xc or 0xd
        $cmd_check = {81 3F 00 18 88 09 00 05 54 00 06 3E 2F 80 00 (07|0A|0B|0C|0D)}
    condition:
        (uint32(0) == 0x464c457f) and (#cmd_check == 5)
}
rule CyclopsBlink_config_identifiers
{
    meta:
        author = "NCSC"
        description = "Detects the initial characters used to identify Cyclops Blink configuration data"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
    strings:
        // Main config parameter data starts with the string "<p: "
        $ = "<p: " fullword
        // RSA public key data starts with the string "<k: "
        $ = {3C 00 3C 6B 60 00 3A 20 90 09 00 00}
        // X.509 certificate data starts with the string "<c: "
        $ = {3C 00 3C 63 60 00 3A 20 90 09 00 00}
        // RSA private key data starts with the string "<s: "
        $ = {3C 00 3C 73 60 00 3A 20 90 09 00 00}
    condition:
        (uint32(0) == 0x464c457f) and (all of them)
}
rule CyclopsBlink_handle_mod_0xf_command
{
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to check module ID 0xf control flags and a format string used for file content upload"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
    strings:
        // Tests execute flag (bit 0)
        $ = {54 00 06 3E 54 00 07 FE 54 00 06 3E 2F 80 00 00}
        // Tests add module flag (bit 1)
        $ = {54 00 06 3E 54 00 07 BC 2F 80 00 00}
        // Tests run as shellcode flag (bit 2)
        $ = {54 00 06 3E 54 00 07 7A 2F 80 00 00}
        // Tests upload flag (bit 4)
        $ = {54 00 06 3E 54 00 06 F6 2F 80 00 00}
        // Upload format string
        $ = "file:%s\n" fullword
    condition:
        (uint32(0) == 0x464c457f) and (all of them)
}
rule CyclopsBlink_default_config_values
{
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to set default Cyclops Blink configuration values"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
    strings:
        // Unknown config value set to 0x19
        $ = {38 00 00 19 90 09 01 A4}
        // Unknown config value set to 0x18000
        $ = {3C 00 00 01 60 00 80 00 90 09 01 A8}
        // Unknown config value set to 0x4000
        $ = {38 00 40 00 90 09 01 AC}
        // Unknown config value set to 0x10b
        $ = {38 00 01 0B 90 09 01 B0}
        // Unknown config value set to 0x2711
        $ = {38 00 27 11 90 09 01 C0}
    condition:
        (uint32(0) == 0x464c457f) and (3 of them)
}
rule CyclopsBlink_handle_mod_0x51_command
{
    meta:
        author = "NCSC"
        description = "Detects the code bytes used to check commands sent to module ID 0x51 and notable strings relating to the Cyclops Blink update process"
        hash1 = "3adf9a59743bc5d8399f67cab5eb2daf28b9b863"
        hash2 = "c59bc17659daca1b1ce65b6af077f86a648ad8a8"
    strings:
        // Check for module command ID equals 0x1, 0x2 or 0x3
        $cmd_check = {88 1F [2] 54 00 06 3E 2F 80 00 (01|02|03)}
        // Legitimate WatchGuard filepaths relating to device configuration
        $path1 = "/etc/wg/configd-hash.xml"
        $path2 = "/etc/wg/config.xml"
        // Mount arguments used to remount root filesystem as RW or RO
        $mnt_arg1 = "ext2"
        $mnt_arg2 = "errors=continue"
        $mnt_arg3 = {38 C0 0C 20}
        $mnt_arg4 = {38 C0 0C 21}
    condition:
        (uint32(0) == 0x464c457f) and (#cmd_check == 3) and
        ((@cmd_check[3] - @cmd_check[1]) < 0x200) and
        (all of ($path*)) and (all of ($mnt_arg*))
}
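The conditions in the NCSC rules above lean on YARA operators that are easy to misread when tuning or porting a rule: uint32(0) is read little-endian, so the ELF magic 7F 45 4C 46 compares equal to 0x464c457f; #str counts every occurrence of a string, overlapping ones included; @str[i] is the 1-based file offset of the i-th occurrence; and a hex string may contain [n] jumps and (aa|bb) alternatives. The following Python is added here as an example and is not code from NCSC or Tesorion. It renders the condition of CyclopsBlink_handle_mod_0x51_command clause by clause and runs it over a constructed byte buffer (not a real sample), which is a cheap way to confirm what a rule will and will not fire on before deploying it; production scanning should of course use yara itself.

```python
import re

# YARA reads uint32(0) little-endian, so b"\x7fELF" (7F 45 4C 46) compares as 0x464c457f.
ELF_MAGIC_LE = 0x464C457F


def is_elf(buf: bytes) -> bool:
    """Equivalent of the YARA clause `uint32(0) == 0x464c457f`."""
    return len(buf) >= 4 and int.from_bytes(buf[:4], "little") == ELF_MAGIC_LE


def hex_pattern(spec: str) -> re.Pattern:
    """Translate a YARA hex string into a bytes regex.

    Supports the syntax the Cyclops Blink rules use: fixed bytes, `??` wildcards,
    `[n]` jumps and `(aa|bb)` alternatives. The body is wrapped in a lookahead so
    overlapping occurrences are all reported, as YARA's #str and @str do.
    """
    parts = []
    for tok in re.findall(r"\[\d+\]|\([0-9A-Fa-f|]+\)|\?\?|[0-9A-Fa-f]{2}", spec):
        if tok.startswith("["):
            parts.append(b".{%d}" % int(tok[1:-1]))
        elif tok.startswith("("):
            alts = [re.escape(bytes.fromhex(a)) for a in tok[1:-1].split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        elif tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"(?=(" + b"".join(parts) + b"))", re.DOTALL)


def offsets(pattern: re.Pattern, buf: bytes) -> list:
    """All match offsets: len() is YARA's `#str`, element i-1 is `@str[i]`."""
    return [m.start() for m in pattern.finditer(buf)]


# Strings taken from rule CyclopsBlink_handle_mod_0x51_command above.
CMD_CHECK = hex_pattern("88 1F [2] 54 00 06 3E 2F 80 00 (01|02|03)")
PATHS = [b"/etc/wg/configd-hash.xml", b"/etc/wg/config.xml"]
MNT_ARGS = [b"ext2", b"errors=continue", bytes.fromhex("38C00C20"), bytes.fromhex("38C00C21")]


def cyclopsblink_handle_mod_0x51_command(buf: bytes) -> bool:
    """Python rendering of the rule's condition, one clause per check."""
    if not is_elf(buf):                   # uint32(0) == 0x464c457f
        return False
    at = offsets(CMD_CHECK, buf)
    if len(at) != 3:                      # #cmd_check == 3
        return False
    if at[2] - at[0] >= 0x200:            # (@cmd_check[3] - @cmd_check[1]) < 0x200
        return False
    return all(p in buf for p in PATHS) and all(a in buf for a in MNT_ARGS)


def build_sample(spread: int = 0x40) -> bytes:
    """Constructed test image, not real malware: an ELF magic, then the three
    command-ID checks `spread` bytes apart, then the strings the rule expects."""
    buf = bytearray(b"\x7fELF" + b"\x00" * 60)
    for cmd in (b"\x01", b"\x02", b"\x03"):
        # 88 1F, two bytes covered by the [2] jump, 54 00 06 3E 2F 80 00, command ID
        buf += bytes.fromhex("881F0028") + bytes.fromhex("5400063E2F8000") + cmd
        buf += b"\x00" * spread
    for s in PATHS + MNT_ARGS:
        buf += s + b"\x00"
    return bytes(buf)


if __name__ == "__main__":
    print("checks close together:", cyclopsblink_handle_mod_0x51_command(build_sample()))
    print("checks 0x200 bytes apart:", cyclopsblink_handle_mod_0x51_command(build_sample(0x200)))
```

The second run shows why the offset clause is there: the same three byte sequences are present, but spread further apart than the real command dispatcher, so the rule does not fire. That distance bound is also the clause most likely to need adjustment if the implant is recompiled, which is worth knowing before relying on this rule alone.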
About Tesorion
Tesorion is a 100% Dutch company whose primary focus is on cybersecurity and on helping our
customers combat all kinds of cybercrime and minimize their operational risks. The company’s
objective is to make the Netherlands more secure, with a particular focus on Managed Cybersecurity
services. It achieves this using, among other things, SOC services, Behavior & Security Awareness, Digital
Risk Protection and Offensive Security. Tesorion also offers specialist 24/7 support in the event of cyber
incidents. When, for example, an organization is affected by a cybersecurity incident, Tesorion’s digital
forensics specialists can offer support. Every day more than four million devices are protected on behalf
of customers in healthcare, education, transport and logistics, corporate services, the financial
sector, and industry.
In case of emergency
+31 88 27 47 800
Fokkerstraat 4
3833 LD Leusden
The Netherlands
www.tesorion.com
Report OSINT – TLP:WHITE