The Russian invasion and occupation of Ukraine is marked not only by military warfare and needless fatalities. Another feature of the campaign appears to be cyberwarfare, at least in terms of Russian activities directed towards Ukrainian services with the aim of causing additional disruption.
A phishing attack has taken place, hitting various Ukrainian government agencies and the state railway (Ukrzaliznytsia). Considering the implications of this event is Joe Gallop, Cyber Threat Intelligence Manager at Cofense.
According to Gallop, the likely origin of the incident was Russia: “Though there is no confirmation yet, it is likely that DolphinCape is a Russian operation, designed to interrupt Ukraine’s railway systems while Russia loses ground in the war.”
In terms of the form of attack, this was aimed at targeting so-called ‘human factors’, according to Gallop: “Phishing, as a threat vector, targets the habits, concerns, and interests of humans. Phishing attacks are common in Ukraine, accounting for about 70 percent of all cybercrimes. In the last year, the country has been hit with various phishing attacks from Russia, including one in April from the threat actor Armageddon that baited Ukrainian and Latvian government officials with information about the Ukraine-Russian war.”
The latest attack was relatively sophisticated, notes Gallop: “The unfortunate irony in this particular attack is that the phishing emails included warnings on how to identify a kamikaze drone while unsuspecting Ukrainians remained unassuming about the real attack that was taking place.”
In terms of how these attacks work, Gallop explains: “Lure design is one of the critical components of a phishing email. Threat actors like to play the fear factor in commonplace phishing campaigns, drawing on fears raised by unpaid invoices, account security notices, IRS inquiries, termination notices, etc.”
On the specific incident, Gallop adds: “In this campaign targeting Ukrainian government agencies, the threat actors took things a step further, getting more targeted and personal with military conflict fears. While CERT-UA hasn’t indicated how successful this campaign was in compromising Ukrainian government employees, it’s clear that very little is out of bounds for these threat actors. Users must not only be trained to recognize emails with suspicious topics and content but should have this training regularly enough to minimize emotional reactions when a real phishing email does come through.”
There are measures that governments can take to reduce the impact of further cybersecurity threats. Here Gallop advises: “To prevent future phishing attacks, organizations need to prioritize knowing how to recognize phishing emails. Indicators that an email may be a phishing attempt include an improper tone or greeting, grammar or spelling errors and inconsistencies in email addresses, links and domain names.”
He further recommends: “It is also essential that the necessary steps are taken to protect inboxes, detect threats, and respond to an attack. Adopting actionable intelligence that gives visibility into the risk factors in your network and immediately and decisively responds to phishing threats will help keep malicious actors at bay and ensure the protection of sensitive data.”