Security researchers have found a new piece of information-stealing malware targeting Ukrainian organizations, as the Eastern European country braces itself for a fresh wave of attacks ahead of a predicted new Russian offensive.
Dubbed “Graphiron,” the info-stealer was linked by Symantec to the Russian Nodaria (UAC-0056) group, which has been active since at least March 2021 and first sprang to prominence during the destructive WhisperGate attacks in the early part of the war.
Like earlier info-stealing tools used by the group, such as GraphSteel and GrimPlant, Graphiron is written in Go, communicates with a C&C server using port 443, and is likely deployed via spear-phishing emails, Symantec said.
It consists of a downloader and payload and is designed to steal a variety of data including system information, credentials, screenshots and files.
The news comes as threat intelligence experts today warned of more cyber-attacks on Ukrainian critical national infrastructure (CNI) ahead of a much-anticipated new Russian offensive in Donbas.
Citing Ukrainian sources, Recorded Future said wiper attacks had been a feature of the winter so far, echoing activity seen before the start of the war.
“Russian state-sponsored cyber threat actors, as well as pro-Russian cybercriminals and hacktivists, will almost certainly support this campaign through continued targeting of Ukrainian critical infrastructure, at least in part in an attempt to further degrade Ukraine’s morale and will to fight,” it said in a new report.
Russia will continue not only to draw upon hacktivists and cybercrime groups to attack allied countries with plausible deniability, but also on pro-Russia influence networks such as the Telegram troll farm Cyber Front Z, in a bid to win the information war, the report claimed.
However, much as in the kinetic war, Russia has failed to make the progress it intended in its cyber operations, Recorded Future argued.
This is due in part to Western support, but also to the cyber-defense skills Ukraine has developed following attacks on its critical infrastructure in previous years, it said.
“In the buildup to Russia’s invasion of Ukraine, and in the first few months of the war, there were multiple cyber-attacks that aligned with Moscow’s strategic objectives. These included DDoS attacks, wipers, website defacements and scam emails targeting Ukrainian government organizations, media organizations, e-services used by citizens and other private sector organizations including an American satellite communications company,” the report explained.
“But as the war drew on for longer than Russia originally intended, and as conventional military forces struggled to hold ground, the mass cyber-attacks launched by Russia failed to significantly bolster Russia’s conventional military progress.”