The cybersecurity company Trellix says pro-Russia hackers had infiltrated the networks of numerous Ukrainian government agencies long before Russia’s ground invasion started in late February. In fact, hackers had planted malicious code in the networks even before Russian troops began assembling at the Ukrainian border in 2021.
These findings were part of a broader report on the global cyberthreat environment from San Jose, California-based Trellix, which was created last year via a merger between cybersecurity firms FireEye and McAfee Enterprise. The firm bases its findings on an analysis of data collected from organizations using McAfee Enterprise software.
The Trellix analysts found evidence of “wiper” malware that was later activated remotely to delete all content on the hard drives of Ukrainian government computers. The malware matched the signature of malware used in the past by actors known to be associated with the Russian government, says Christiaan Beek, lead scientist and principal engineer at Trellix’s Threat Labs division. The malware also originated from the same time zone as Moscow’s, Beek says, adding that some instances of the malware may have come from others acting on Russia’s behalf.
In any case, the malware had been there a while. “Somebody had longtime access,” Beek tells Fast Company. “They set up multiple entry points to target systems. They do every trick out of the book.”
Trellix analysts believe the hackers used WhisperGate and HermeticWiper malware before and during the invasion to destabilize Ukrainian IT systems by destroying communications within the country.
“They would try the first version of a wiper, and if that didn’t work they would try a second version,” Beek says.
The actors and techniques involved in the Ukraine attacks aren’t new. The report says a hacker group called APT29 (also known as Cozy Bear), believed to conduct operations for Russian government entities, ranked most active among nation-state actors in the fourth quarter of 2021. It also notes that a plurality (46%) of total cyber incidents in Q4 2021 involved planting malware.
Trellix, which examined cybercriminal behavior globally over the last six months, found that among its enterprise clients the transportation industry saw the most cyberattacks by a wide margin, followed by the shipping, manufacturing, and information technology industries. Looking at cyber activity in both the commercial and private realms, individuals remain the number-one target of cybercriminals, followed closely by healthcare institutions.
“We’re at a critical juncture in cybersecurity and observing increasingly hostile behavior across an ever-expanding attack surface,” Beek says.
The Trellix threat report contains recommendations for organizations on how to proactively protect their environment from tactics these actors use, including enabling multifactor authentication and disabling any nonessential ports or protocols related to remote services.