Curated Intelligence Stands With Ukraine


The Curated Intelligence community is working with analysts from around the world to provide useful information to organisations in Ukraine looking for additional free threat intelligence. Slava Ukraini. Glory to Ukraine. 

Curated Intel has prepared a Repository on GitHub to assist cybersecurity teams still working tirelessly in Ukraine to defend their networks from Russian cyber operations. 

Curated Intelligence analysts worldwide are continuously monitoring the situation and updating the Repository (see above) with attacks on Ukraine as close to real-time as possible for a group of volunteers.

Equinix Threat Analysis Center (ETAC)™ Vetted IOCs (see here)

KPMG-Egyde IOC Threat Hunt Feeds (see here):

  • Added loosely-vetted IOC Threat Hunt Feeds by KPMG-Egyde CTI (h/t @0xDISREL)
  • IOCs shared by these feeds are LOW-TO-MEDIUM CONFIDENCE; we strongly recommend NOT adding them to a blocklist
  • These could potentially be used for THREAT HUNTING and could be added to a WATCHLIST
  • IOCs are generated in MISP COMPATIBLE CSV format
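As an added illustration of how a defender would consume a feed like this (example code written for this post, not Curated Intelligence's or KPMG-Egyde's own tooling): the script below loads a MISP-compatible CSV into a watchlist tagged with the feed's confidence, then hunts for exact matches in a handful of proxy, DNS and anti-virus log lines. It never emits a blocklist; the `to_ids` flag is carried along only as an analyst hint. The CSV column names are assumed from MISP's CSV export format, and every indicator value and log line is constructed for the example rather than taken from the real feed.

```python
import csv
import io

# Constructed sample in the layout of a MISP CSV export. The column names follow
# MISP's CSV export (an assumption); every row is invented for this example and
# none of the values are real indicators.
SAMPLE_FEED = """\
uuid,event_id,category,type,value,comment,to_ids,date
a1,1,Network activity,ip-dst,192.0.2.10,candidate C2 address,0,2022-03-01
a2,1,Network activity,domain,update-check.example,candidate phishing host,1,2022-03-01
a3,1,Payload delivery,md5,0123456789abcdef0123456789abcdef,candidate dropper,0,2022-03-02
a4,1,Network activity,ip-dst,198.51.100.7,candidate scanner,0,2022-03-02
"""

# Constructed log lines (proxy, DNS, AV) in a simple key=value style.
SAMPLE_LOGS = [
    "2022-03-02T10:00:01Z proxy src=10.0.0.5 dst=192.0.2.10 host=update-check.example",
    "2022-03-02T10:00:05Z dns client=10.0.0.9 query=UPDATE-CHECK.example",
    "2022-03-02T10:01:00Z av host=ws12 md5=0123456789ABCDEF0123456789abcdef",
    "2022-03-02T10:02:00Z proxy src=10.0.0.7 dst=203.0.113.5 host=example.org",
]

# Confidence the feed itself assigns; stored on every entry so downstream
# tooling can see these indicators are for hunting, not blocking.
FEED_CONFIDENCE = "low-to-medium"


def load_watchlist(csv_text, source="kpmg-egyde-feed"):
    """Parse a MISP-compatible CSV into {type: {value: metadata}}.

    The to_ids flag is kept only as an analyst hint; nothing here produces
    a blocklist, in line with the feed's own guidance.
    """
    watchlist = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row.get("value", "").strip()
        ioc_type = row.get("type", "").strip()
        if not value or not ioc_type:
            continue  # skip malformed rows rather than loading empty indicators
        watchlist.setdefault(ioc_type, {})[value.lower()] = {
            "comment": row.get("comment", ""),
            "to_ids": row.get("to_ids", "0").strip() == "1",
            "date": row.get("date", ""),
            "confidence": FEED_CONFIDENCE,
            "source": source,
        }
    return watchlist


def hunt(watchlist, log_lines):
    """Return one hit per (log line, indicator) match.

    Matching is a case-insensitive exact comparison of each key=value token
    against the watchlist, which covers IPs, domains and hashes as they
    appear in proxy, DNS and AV logs.
    """
    lookup = {}
    for ioc_type, entries in watchlist.items():
        for value, meta in entries.items():
            lookup[value] = (ioc_type, meta)

    hits = []
    for line_no, line in enumerate(log_lines):
        for token in line.split():
            key, sep, val = token.partition("=")
            if not sep:
                continue  # timestamp and log-source fields carry no indicator
            match = lookup.get(val.strip().lower())
            if match:
                ioc_type, meta = match
                hits.append({
                    "line": line_no,
                    "field": key,
                    "type": ioc_type,
                    "value": val.strip().lower(),
                    "to_ids": meta["to_ids"],
                    "confidence": meta["confidence"],
                })
    return hits


if __name__ == "__main__":
    wl = load_watchlist(SAMPLE_FEED)
    for h in hunt(wl, SAMPLE_LOGS):
        print(f"line {h['line']}: {h['type']}={h['value']} via {h['field']} "
              f"(confidence={h['confidence']}, to_ids={h['to_ids']})")
```

Each hit carries the feed confidence, so an analyst triaging the output sees that a match is a lead to investigate rather than a confirmed compromise; the three matching lines in the sample above would be queued for review, not fed into a firewall.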

Overview of Russian-aligned campaigns against Ukraine (up to 2 March 2022):

The Russian state is currently launching cyberattacks to degrade and disrupt computer networks in Ukraine. The key types of attacks Curated Intelligence has observed so far are as follows:
  • Two types of destructive malware designed to wipe the Master Boot Record (MBR) of Ukrainian government institutions known as WhisperGate and HermeticWiper
  • Distributed Denial of Service (DDoS) attacks to overwhelm and incapacitate the websites of Ukrainian government institutions and Ukrainian banks; false SMS messages and emails were also pushed at the same time to create panic
  • Website defacements against Ukrainian government institutions to spread disinformation
  • Ukrainian troops are receiving threatening SMS messages from Russian psychological operations
  • Phishing emails with malicious attachments containing malware, sent by the Crimea-based Russian FSB group known as Gamaredon (aka Shuckworm or PrimitiveBear)
  • Phishing emails with malicious attachments or URLs to credential harvesting pages, sent by the Belarusian Ministry of Defense (supported by the Russian GRU) group known as GhostWriter (aka UNC1151)
  • The Sandworm group (aka VoodooBear) has been attributed by the UK NCSC to a new Internet-of-Things (IoT) malware dubbed CyclopsBlink; the malware is a replacement for its VPNfilter botnet, which targeted Ukrainian ICS/OT devices since 2017
Russian cybercriminals, some pledging allegiance to the Russian state, have also targeted Ukraine. The key types of attacks Curated Intelligence has observed so far from cybercriminals are as follows:
  • Data brokers offering stolen databases from Ukrainian government institutions, private businesses, and critical infrastructure organisations
  • "Patriotic" Russian threat actors launching DDoS attacks against Ukrainian government institutions; DDoS botnets involved include Mirai, Gafgyt, IRCbot, Ripprbot, and Moobot according to China's 360 NetLab
  • Access brokers offering an initial foothold into Ukrainian government institutions and private sector organisations
  • The Conti ransomware group (aka WizardSpider) has pledged its allegiance to the Russian state and has claimed it will "strike back at the critical infrastructures" if Russia is targeted by cyberwarfare; Conti did, however, release a secondary statement walking back some of their claims
  • Following Conti, the CoomingProject data hostage group (steals data and does not deploy ransomware) also pledged allegiance to the Russian state
  • Scammers have created numerous websites looking to steal donations from those looking to support Ukraine; one cryptocurrency address used to collect donations via these scamming sites has been tied to a known ransomware variant according to TRMLabs