Last-minute paper: Battlefield Ukraine: finding patterns behind summer cyber attacks

Thursday 5 October 15:00 - 15:30, Green room

Alexander Adamov (NioGuard Security Lab)
Anders Carlsson (Blekinge Institute of Technology)

Ukraine has unwillingly found itself the battlefield between hacker group(s) with supposedly Russian roots and the anti-virus industry. This is not the first time that Ukraine has attracted the attention of cybersecurity experts: suffice it to recall the several waves of cyber attacks against Ukrainian critical infrastructure that used the BlackEnergy [1] and Industroyer [2, 3] industrial malware, supposedly created by a Russian hacker group.

This summer, we observed a supply-chain attack through M.E.Doc, an accounting software package popular in Ukraine, which culminated in the NotPetya ransomware-wiper outbreak [4]. During the M.E.Doc campaign, we found that the attacks were carried out with several pieces of specially crafted ransomware: XData (an AES-NI clone) [5], WannaCry.NET (a WannaCry clone) [6], and NotPetya (a Petya/Misha/WannaCry clone). It is worth noting that the first notable infection delivered through the trojanized M.E.Doc [7], with the XData ransomware, happened in the middle of May, more than a month before NotPetya was launched.

Now we are seeing another ongoing campaign against Ukrainian organizations that follows a similar pattern. First, the attackers compromised the web server of the Ukrainian producer of another accounting software package [8] and uploaded two payloads to it: the Chthonic (Zeus-based) backdoor, seen in June in the nation-state attack against Ukrainian government institutions [9], and PSCrypt 2, a clone of the GlobeImposter (Globe-based) ransomware [10]. Then they spear-phished their targets to lure them into downloading and installing one of the two. We are continuing to work with the victims to learn more about the attack vectors.

In our talk, we'll show the timeline and highlight the patterns behind these attacks, including:

  • The attack vectors
  • The types of malware used, in the context of previous nation-state attacks
  • Ransomware design style
  • C&C domains
  • Peculiarities of language use

Finally, we'll share our hypotheses as to who is behind the summer attacks in Ukraine.

Alexander Adamov

Alexander Adamov is the founder and CEO of NioGuard Security Lab, which designs open-source sandbox-based solutions and tests security software against targeted attacks and ransomware. As a teacher, he develops and teaches the Advanced Malware Analysis course at universities in Ukraine and Sweden within the EU project ENGENSEC. Alexander has worked for Kaspersky Lab, Lavasoft, Samsung, Mirantis and Acronis, and has spoken at various security conferences and workshops such as Virus Bulletin, Kaspersky Virus Analysts Summit, OpenStack Summit, OWASP, HackIT and BSides.

Anders Carlsson

Anders Carlsson has 30 years of experience in computer security, network security and digital forensics.

He trained and earned his degree as a computer engineer and lieutenant-commander specialist in the submarine service of the Royal Swedish Navy, where he served for 25 years.

Since 1999 he has been employed by BTH, Blekinge Institute of Technology, as a senior researcher, where he is responsible for networks, network security, computer security and digital forensics at B.Sc. and M.Sc. levels. He has also been involved in the EU ISEC project (2007-2013), developing courses and training law enforcement officers from EUROPOL and the BKA (the German Federal Criminal Police Office) in forensics.

He was project manager of BAITSE (Baltic Academic IT-Security Exchange, 2010-2013), a project aimed at exchanging knowledge and harmonizing IT security in academic institutions in Sweden, Latvia, Poland and Ukraine. He continued this work as general manager of the EU TEMPUS IV project ENGENSEC (Educating Next Generation IT Security Experts), which he founded and which will end in November 2017.
