
Industroyer2: how Ukraine stopped the Russian cyberattack that tried to leave the country without electricity

The war between Russia and Ukraine marked a new era in cybersecurity: more cyber attacks, better targeted, and with a particular preference for bringing down critical infrastructure. Power plants, public transportation, health systems, and even nuclear power plants became the focus of a hybrid battlefield.

Among the repertoire of attacks are the well-known DDoS (saturation of networks to deny access to legitimate users), ransomware, where data is encrypted and a ransom in cryptocurrency is demanded in exchange, and a growing trend: wipers, programs that delete information in order to do harm.

Microsoft’s latest report on digital defense found that these incidents have increased from 20% in 2021 to 40% this year. And within these attacks there is a specific category of cyberwarfare that is among the most worrying to experts: the groups known as APTs (“Advanced Persistent Threats”).

“Advanced persistent threats” are rather silent types of attacks, in which intruders install themselves on other people’s computers and can extract information for months or even years without being detected. They are also among the most typical state-sponsored attacks.

Robert Lipovsky, Principal Threat Intelligence Researcher at ESET, took an in-depth look at the cyber attacks from Russia against Ukraine, their impact, and how Ukrainian forces managed to stop them.

During his visit to Buenos Aires for Ekoparty 2022, one of the largest hacker and cybersecurity conventions in Latin America, Lipovsky told all about “Industroyer2”: a piece of malicious code designed to attack critical infrastructure, which had already been used in 2016 but returned in a reloaded version in April of this year, after the invasion of Ukraine.

The expert is in a privileged position to analyze cyber warfare: ESET, based in Slovakia, is the best-selling antivirus in Ukraine, which makes it a gold mine when it comes to gathering and analyzing information to understand threats. He spoke with Clarín.

Industroyer2, a reloaded malware

─How has the landscape of cyber attacks changed in Ukraine and Russia after the war?

─There has been an increase and a shift towards more aggressive cyber attacks since February. But one thing needs to be clarified: the cyber war in the Ukraine-Russia zone has been going on for a long time, over the past eight years or so, and this also coincides with the geopolitical situation that has occurred since then, such as when Russia occupied Crimea in 2014 or the war in Donbas in eastern Ukraine.

─Are there any other state sponsored attacks?

─Yes, although they existed before in the area, we have begun to see an increase in attacks by the Russian state against various Ukrainian targets. And among the targets there were both public-sector government organizations and private companies, and means of transportation, that is, critical infrastructure. Most notable were the attacks on the Ukrainian electricity grid: we saw three attempts in which Russian hackers tried to stop the flow of electricity, with partial success (they didn’t get exactly what they wanted).

─Here comes “Industroyer2”, the virus that aims to bring down industrial plants. What is known about it?

─I would say that the most interesting thing was the discovery of the malware [malicious program] itself. It was December 2016, and for about five years no one had heard of it. Since then, the entire industry has wondered when it might appear, and in the end it did, in April.

─What was it created for?

─It was designed to de-energize power plants, but there was also other malware deployed in that campaign, and those were wipers, programs designed to erase information (like a windscreen wiper). There were wipers for Windows systems and there were also other wipers for Linux and Solaris, basically to cover their tracks and make recovery more difficult.

─And how much did Industroyer2 affect Ukraine? What did it try to do?

─It tried to shut down the country’s electricity grid. The good news is that the Ukrainians have a lot of experience in fighting these Russian cyber attacks, and we have also worked very closely with them. That’s why the last attack was unsuccessful and was averted, and there was no power outage.

─Is it very different from the first version?

─It was interesting because it has modifications of the first Industroyer, but also similarities. It’s clearly made up of the same code base, so it’s definitely a new version of the same thing, basically, with a lot of architectural differences.

─ Speaking of wipers, which erase information, were they used more after the war?

─Yes. Let’s see, there are several categories of threats. While they may look similar at first glance, wipers are the favorite attacks of these nation-state-sponsored groups we’ve seen. Sometimes they pretend to be ransomware and display a ransom message, corrupt your system and sometimes even encrypt your files, but in reality the ransom note is only a decoy. They actually aim to destroy everything.

Ransomware: Fewer attacks, more hits

─Ransomware has gained prominence over the years. What have you detected in these types of attacks?

─Ransomware groups have become very professional over the years: they pursue very big targets, companies and states that have money, do their prior reconnaissance, examine their income and really calculate the amounts of money they can ask for. It’s not like 10 years ago, when ransomware attacked regular users and demanded $300.

─And what about the infection mechanisms?

─One trend we have seen in our telemetry is that there has been a huge increase in RDP brute-force attempts (Remote Desktop Protocol, i.e., the ability to remotely access another computer).

─ And what was it due to?

─It was largely fueled by the shift to remote work introduced by the pandemic, in which many employees accessed their company’s resources from home, with misconfigured VPN (virtual private network) access and the like. The attackers took advantage of this and tried to use this vector to break in, and it was also one of the main methods of installing ransomware on corporate networks.

─ Are there more or less ransomware attacks?

─This year we have seen a reduction in attacks, similar to that reported by Fortinet. There has been a decrease in these ransomware brute-force attacks, but even though there has been a significant reduction, it is still an important vector we are seeing and one of the main methods by which ransomware gets into computer systems.

─ The systems used by industries are generally old and obsolete. Is it an entry vector for ransomware?

─On the one hand, yes, all these old systems typical of Industrial Control Systems (ICS) environments are a potential vector of infection. These systems are very difficult, if not impossible, to patch because they are out of date. We saw this with the industrial malware attacks on the power grid, which used industrial communication protocols to send commands to circuit breakers to de-energize power plants. There they weren’t using any exploits at all. They were simply using the protocols the way they were designed to be used.

─ That is, they don’t have a username, password or security checks.

─ Exactly, they were designed decades ago, without thinking about security. No authentication, none of that. So it’s definitely like a system-wide weakness. It is not only a weakness of a particular utility; it is a vastly vulnerable system. On the other hand, sometimes doing things the old way and having manual mechanisms is also an advantage, as in Ukraine.
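A defender-side illustration of the point Lipovsky makes above, added here and not taken from the interview or from ESET: when the protocol itself cannot refuse a breaker command, the check has to live in network monitoring instead. The log format, the IP addresses and the list of authorized SCADA masters below are all constructed assumptions; the script flags control commands from any host that is not a known master and bursts of OPEN commands from a single source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records from a hypothetical protocol-aware sensor in a
# substation network: one line per breaker control command seen on the wire.
# Format: ISO timestamp, source IP, destination RTU, command, breaker id
SAMPLE_LOG = """\
2022-04-08T14:58:01 10.1.1.10 rtu-01 OPEN BRK-101
2022-04-08T14:58:02 10.1.1.10 rtu-01 CLOSE BRK-101
2022-04-08T15:00:00 10.1.1.77 rtu-01 OPEN BRK-101
2022-04-08T15:00:00 10.1.1.77 rtu-01 OPEN BRK-102
2022-04-08T15:00:01 10.1.1.77 rtu-02 OPEN BRK-201
2022-04-08T15:00:01 10.1.1.77 rtu-02 OPEN BRK-202
2022-04-08T15:00:02 10.1.1.77 rtu-03 OPEN BRK-301
"""

# Hosts allowed to issue control commands (the real SCADA masters); assumed.
AUTHORIZED_MASTERS = {"10.1.1.10"}
BURST_WINDOW = timedelta(seconds=10)
BURST_THRESHOLD = 4  # OPEN commands from one source within the window

def parse(log: str):
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, rtu, cmd, brk = line.split()
        records.append((datetime.fromisoformat(ts), src, rtu, cmd, brk))
    return records

def detect(log: str):
    """Return alerts: commands from unauthorized sources and OPEN bursts."""
    alerts = []
    opens = defaultdict(list)
    for ts, src, rtu, cmd, brk in parse(log):
        if src not in AUTHORIZED_MASTERS:
            alerts.append(("unauthorized_source", src, rtu, cmd, brk))
        if cmd == "OPEN":
            opens[src].append(ts)
    for src, times in opens.items():
        times.sort()
        for i in range(len(times)):
            window = [t for t in times[i:] if t - times[i] <= BURST_WINDOW]
            if len(window) >= BURST_THRESHOLD:
                alerts.append(("open_burst", src, len(window)))
                break
    return alerts
```

Both checks compensate for what the protocol lacks: the allowlist stands in for authentication, and the burst rule catches the mass de-energizing pattern even if an attacker sends from a compromised master.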

─ In what sense?

─We have seen that during some of these cyber attacks the electrical substation operators were able to restore power faster by going into manual mode, a capability that many Western power grids do not have. So yes, it is a weakness, but it can also have some advantages like this one: analog sometimes allows for more efficient protection.

Ekoparty took place on 2, 3 and 4 November in Buenos Aires. For 3 days, cybersecurity and hacking experts and attendees with various interests attended conferences and workshops. It was held at the Buenos Aires Convention Center and had around 10,000 attendees.

Source: Clarin
