Botnets, Trojans, DDoS From Ukraine and Russia Have Increased Since Invasion

Activity from IP addresses in Ukraine and Russia has shown a substantial spike in malware traffic since February 2022, helping botnets spread.

The data comes from security researchers at Top10VPN, who shared a report about the findings with Infosecurity ahead of publication.

In particular, the Trojan families with the most significant increases in activity from Ukrainian and Russian IP addresses since February 2022 included the Citadel, CoreBOT, Wauchos and Nivdort Trojans.

“Some of the biggest sustained increases in malware activity since the war began were in Ukraine [and] have related to trojans, several of which can be used to create botnets,” wrote Simon Migliano, head of research at Top10VPN.

“This suggests that bad actors may have been targeting Ukraine, where cybersecurity has naturally been a lower priority for much of the population, in order to expand their botnets.”

Further, the report noted an increase in activity from the Avalanche malware families using Russian and Ukrainian IP addresses, despite the takedown of that crime syndicate in 2016. Here, Top10VPN observed individual daily surges of as much as 1500% compared with the period before February.

“Despite the dismantling of major botnets Avalanche and Andromeda/Gamarue several years ago, some of the key malware families that were hosted on the now-defunct networks have been particularly resurgent in Ukraine and Russia in recent months,” Migliano added.

“While this is not to suggest that these networks have somehow been resurrected, it’s concerning to observe increases in the threat posed by this malware localized to countries directly involved in a major conflict.”

The report also noted that distributed denial-of-service (DDoS) attacks originating from Ukraine increased 363% in March compared to the average before February.

“These distributed denial-of-service (DDoS) attacks became relentless once Russia’s military invaded Ukraine on February 24, as the Kremlin sought to weaken its enemy by knocking offline critical networked infrastructure,” Migliano explained.

Further, while the most significant increases in malware activity have come from Ukrainian IP addresses, Top10VPN noted that there have also been notable localized increases in Trojan activity from Russian IP addresses that outstrip global trends.

“One potential reason for this trend could be efforts to target Russia by Ukraine-based hacktivists and their supporters around the world, who have also been involved in retaliatory DDoS attacks,” Migliano added.

The company’s investigation is based on data from sinkholes and honeypots operated by The Shadowserver Foundation, an internet security non-governmental organization (NGO). Migliano wrote the report with additional research by Top10VPN data analyst Agata Michalak.
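The figures quoted above (a monthly increase against a pre-February average, and individual daily surges of several hundred percent) are the kind of metric a defender would derive from sinkhole or honeypot hit counts aggregated by country and malware family. The following Python script is an added example of that computation; it is not Top10VPN's or The Shadowserver Foundation's code, and the records it processes are constructed sample values in a hypothetical (day, country, family, hit_count) format, not real sinkhole data.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample sinkhole records: (day, country, malware family, hits).
# Values are invented for illustration and do not reflect any real report.
SAMPLE_HITS = [
    (date(2022, 2, 1),  "UA", "citadel", 100),
    (date(2022, 2, 8),  "UA", "citadel", 70),
    (date(2022, 2, 8),  "UA", "citadel", 50),   # same day, second sinkhole
    (date(2022, 2, 15), "UA", "citadel", 80),
    (date(2022, 3, 1),  "UA", "citadel", 300),
    (date(2022, 3, 8),  "UA", "citadel", 1600),  # a one-day spike
    (date(2022, 3, 15), "UA", "citadel", 200),
    (date(2022, 2, 1),  "RU", "citadel", 50),
    (date(2022, 2, 8),  "RU", "citadel", 50),
    (date(2022, 3, 1),  "RU", "citadel", 75),
    (date(2022, 3, 8),  "RU", "citadel", 125),
]

# The article's comparison point: activity before the 24 February invasion.
CUTOFF = date(2022, 2, 24)


def daily_totals(records, country, family):
    """Sum hits per day for one (country, family) pair."""
    totals = defaultdict(int)
    for day, c, f, hits in records:
        if c == country and f == family:
            totals[day] += hits
    return dict(totals)


def baseline(totals, cutoff):
    """Average daily hits on days strictly before the cutoff; None if no data."""
    pre = [hits for day, hits in totals.items() if day < cutoff]
    return mean(pre) if pre else None


def pct_change(value, base):
    """Percentage change of value relative to base (base must be non-zero)."""
    return (value - base) / base * 100.0


def monthly_change(totals, cutoff, year, month):
    """Rounded % change of a month's mean daily hits versus the pre-cutoff baseline."""
    base = baseline(totals, cutoff)
    in_month = [hits for day, hits in totals.items()
                if day.year == year and day.month == month]
    if not base or not in_month:
        return None  # no baseline (or a zero one) makes the ratio meaningless
    return round(pct_change(mean(in_month), base))


def surge_days(totals, cutoff, threshold_pct):
    """Days on/after the cutoff whose hits exceed the baseline by >= threshold_pct."""
    base = baseline(totals, cutoff)
    if not base:
        return []
    return sorted((day, round(pct_change(hits, base)))
                  for day, hits in totals.items()
                  if day >= cutoff and pct_change(hits, base) >= threshold_pct)


def summarize(records, cutoff, year, month, threshold_pct):
    """Per (country, family): monthly change and flagged surge days."""
    pairs = sorted({(c, f) for _, c, f, _ in records})
    report = {}
    for country, family in pairs:
        totals = daily_totals(records, country, family)
        report[(country, family)] = {
            "baseline": baseline(totals, cutoff),
            "monthly_change_pct": monthly_change(totals, cutoff, year, month),
            "surges": surge_days(totals, cutoff, threshold_pct),
        }
    return report


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_HITS, CUTOFF, 2022, 3, 1000).items():
        print(key, stats)
```

The baseline is deliberately a mean of daily totals rather than a sum, so that a month with more reporting days than the baseline window is not inflated by count alone; a zero or missing baseline returns `None` or an empty list rather than dividing by zero. With real sinkhole feeds the same per-day, per-family aggregation is what lets a team separate a sustained rise from a single noisy day.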

Its publication comes weeks after the Ukrainian government announced plans to strengthen cooperation with the European Union Agency for Cybersecurity (ENISA).
