Malware Callbacks Point to Heavy Cyber Attack Barrage During Crimea Crisis

Malware Callbacks Point to Heavy Cyber Attack Barrage During Crimea Crisis
Malware Callbacks Point to Heavy Cyber Attack Barrage During Crimea Crisis
Malware attacks on Russia and Ukraine have rocketed in recent months, hinting that cyber operatives on both sides may be actively engaged in online campaigns, according to new data from FireEye.
 
The targeted attack specialist analyzed malware callbacks within both countries over the past 16 months.
 
Callbacks are the communications from compromised machines to “first stage” command and control (C&C) servers, which can be a good indication of attack activity.
 
“As we track the evolution of callbacks during this period, we see a likely correlation between the overall number of callbacks both to Russia and to Ukraine, and the intensification of the crisis between the two nations,” wrote FireEye senior global threat analyst, Kenneth Geers, in a blog post.
 
In fact, Russia was number 7 on the global list of nations by number of callbacks, but has risen to fifth so far this year. Ukraine has jumped from 12th to 9th.
 
Geers said that, tellingly, the biggest jump was in March this year, when Russia jumped from 7th to 3rd place.
 
March was the same month the Russian military gathered along the Ukrainian border, the Duma authorized use of force in Ukraine, and Vladimir Putin signed a bill recognizing Crimea as part of Russia.
 
On March 4, the head of Ukraine's SBU security service, Valentyn Nalivaichenko, told reporters that “an IP-telephonic attack is under way on mobile phones of members of Ukrainian parliament for the second day in row”.
 
FireEye spotted a rise in callbacks to Russia from compromised computers in a range of countries across the globe including South Korea, Italy, Japan and the US.
 
“It is important to note that nearly half of the world’s countries experienced a decrease in callbacks during this same time frame,” Geers clarified.
 
Ukraine and Russia both increased the number of source countries sending callbacks to C&C servers within their borders; Ukraine recorded an increase in source countries from 29 to 39 and Russia from 45 to 53.
 
Finally, Geers highlighted an increase in the volume of malware signatures associated with the callbacks to each country for February and March 2014.

While Ukraine was outside the top ten in 15th place, Russia came in fourth, with an increase of 33 between February and March. Again, by comparison half of the world’s countries saw either no increase or a decrease.
 
“Within such a large volume of malware activity, there are likely to be lone hackers, ‘patriotic hackers’, cyber criminals, Russian and Ukrainian government operations, and cyber operations initiated by other nations,” Geers said.
 
“The rise in callbacks to Russia and Ukraine (or to any other country or region of the world) during high levels of geopolitical tension suggests strongly that computer network operations are being used as one way to gain competitive advantage in the conflict.”
 
The findings certainly confirm what has already been suspected. In March, BAE Systems released a major analysis of a long term cyber espionage campaign dubbed “Snake”, which showed a significant increase in activity during the Crimea crisis.
 
The malware used in the campaign was tied back to Russia.

What’s hot on Infosecurity Magazine?