Written by Ferhat Dikbiyik
Additional Contributor Yavuz Han
Edited by Haley Williams

In the last 24-36 hours, state-sponsored hacker groups publicly disclosed which flag they’re representing in cyber battle. The notorious Conti ransomware gang declared their support for Russia and intentions to execute cyber-attacks within their full power against countries supporting Ukraine. Additional volunteer underground hacker groups, including Anonymous, asserted their counter shortly after, supporting Ukraine and stance against Russian institutions.

These bold escalations have increased concerns significantly for many companies worldwide about the safety of their digital supply chain. Black Kite’s platform provides visibility to its customers around the overall cyber risk of any vendor, including ransomware susceptibility and DDoS resiliency in relation to Ukrainian and Russian-based assets.

Identify Possible Targets in Your Vendor Ecosystem

With multiple attack vectors and malware used in the Russian – Ukrainian cyberattacks, such as HermeticWiper and Cyclops Blink (replacement of VPNFilter malware), there is no single way of protecting your vendor ecosystem against escalating cyber threats.

Some countries publicly stated their support for either side of the crisis, likely ranking themselves higher on threat actors’ hit lists. Vendors from these countries might be more subject to cyberattacks, especially vendors residing and owning IT assets in Ukraine and Russia.

Black Kite can determine vendor risk by identifying the location of IT assets of the companies and also their vendors (4th parties). With smart tags, Black Kite alerts customers to the impact of cyber incidents related to the Russia-Ukraine war on their vendor ecosystems.

Understand the Cybersecurity Posture of Your Third and Fourth Parties

Threat actors might advance their way upwards in the supply chain by initially attacking a fourth party vendor (vendor of a vendor). Even if a vendor is not directly related to targeted countries, your company might still be impacted due to a targeted fourth party.

In addition to smart tags, Black Kite follows and applies commonly-used frameworks developed by the MITRE Corporation to score software weaknesses consistently and transparently, converting highly technical terms into simple letter grades. The vendors with lower grades can appear as easy opportunities to threat actors, and in turn, quickly be targeted. Organizations can also share technical details with their vendors with one click, alerting business partners to vulnerabilities and allowing them to improve accordingly.

Understand the Ransomware Susceptibility of Your Vendors

The Conti ransomware group is not alone in attacking organizations they perceive as “enemies.” Methods such as weaponizing data-wiper malware to extort companies, or simply hinder their operations, emphasize the need to monitor vendor ransomware risk and the anomalies in their ecosystems.

IoC lists are available in open sources. Playbooks of infamous gangs analyzed by research groups can also help understand their TTPs. For instance, Black Kite Research recently published three different analyses of Conti’s methods, playbook, and victims. CISA also published an alert about the destructive malware targeting organizations in Ukraine, including technical details.

Black Kite’s Ransomware Susceptibility Index™ (RSI™) follows a process of inspecting, transforming, and modeling collected from various OSINT sources (internet-wide scanners, hacker forums, the deep/dark web, and more). Using the data and machine learning, the correlation between control items is identified to provide approximations.

With the RSI™, organizations can understand which vendors are most prone to ransomware and develop a practical course of action for remediation by cross-correlating findings with Black Kite’s Cyber Risk Assessment.

Monitor the DDoS Resiliency of Your Vendors

Threat actors exploit Distributed Denial of Service (DDoS) attacks to block services and interrupt business. This method has become a primary weapon used by state-sponsored hackers to paralyze the target systems.

Russian hackers used this DDoS cyber weapon to attack Ukrainian state banks and public institutions on both February 15 and 23, 2022. The attacks resulted in service disruptions for hours, creating a ripple effect throughout the government institutions as a whole.

It’s possible adversaries might use the same weapon for companies to target your vendor ecosystem. Therefore, monitoring DDoS resiliency is imperative. Begin asking vendors to block suspicious IP addresses, such as IP addresses in the blacklists due to botnet infection and IP addresses originating from Russia and other wary countries. Threat actors are suspected of using VPN and ToR services to hide their tracks, so blocking IP ranges of Free VPN and ToR services is meaningful.

One of the 20 Black Kite Cyber Risk Assessment categories is DDoS Resiliency, which results from 15 different potential DDoS checks and detects any potential DDoS amplification endpoints. The data is collected from non-intrusive scanners and other internet-wide scanners.

Organizations can filter vendors with respect to their DDoS ratings and inform vendors rating lower about the misconfiguration.

In Conclusion

  • Monitor your third and fourth parties’ cyber security posture
  • Identify possible targets in your vendor ecosystem (IT asset locations might help)
  • Confirm vendors have the IoC list of possible malware in use by state-sponsored hackers
  • Monitor the ransomware susceptibility of your vendors. Ensure they patch recent critical vulnerabilities, use up-to-date services, do not have critical open ports such as RDP or SMB, and correct email configuration to mitigate phishing attacks
  • Monitor the DDoS resiliency of your vendors and make sure they block suspicious IP addresses

Get a Free Vendor Risk Assessment Today

Black Kite offers a free vendor assessment for up to five vendors here. Act now and request your free vendor assessment to see the possible impacts of the Ukraine-Russia war in cyberspace on your vendor ecosystem.

Cyber Attack Timeline

Our research team has compiled a list of cyber attacks and events that have occurred during the Russian invasion of Ukraine – this will be updated as more intelligence comes in.

DateSubjectThreat ActorSupportingSource
01.11.2022CISA: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical InfrastructureLink
01.13-14.2022The cyber-attack against the Ukrainian government websitesLink
01.14.2022Russia takes down REvil ransomware groupLink
01.15.2021Microsoft: Destructive malware targeting Ukrainian organizationsLink
01.16.2022Ukraine blames Russia for cyberattack against government websitesLink
01.18.2021Data of several Ukrainian government agencies is wiped in cyberattack
01.23.2022DHS warns of potential Russia cyberattacks amid tensions
02.15.2022Russian presence in critical Ukrainian networks, according to newly declassified U.S. intelligenceLink
02.15.2022Ukraine’s defense ministry hit by DDoS attackLink
02.16.2022CISA has released a new announcement: Russian State-Sponsored Actors Target Cleared Defense Contractor NetworksLink
02.18.2022CISA releases guidance regarding the Russia-Ukraine conflictLink
02.18.2022White House press briefing: We believe that the Russian government is responsible for wide-scale cyberattacks on Ukrainian banks this weekLink
02.22.2022TheRedBanditsRU announced their support for RussiaTheRedBanditsRURussiaLink
02.22.2022Senior FBI cyber official asked US businesses and local governments to be mindful of the potential for ransomware attacks as the crisis between the Kremlin and Ukraine deepensLink
02.23.2022The US and UK agencies said the malware was developed by SandWorm, a cyber-unit of the GRU Russian military intelligence serviceSandWormRussiaLink
02.23.2022ESET and Broadcom’s Symantec — have reported that computer networks in the country have been hit with a new data-wiping attackLink
02.23.2022Ukrainian banking and government websites hit by DDoS attack againLink
02.24.2022Remarks by President Biden on Russia’s Unprovoked and Unjustified Attack on UkraineLink
02.24.2022Russian websites, critical information infrastructure hit by cyberattacksLink 1
Link 2
02.24.2022Belarusian Cyber-Partisans (hacking group) announced supporting UkraineBelarusian Cyber-PartisansUkraine
02.24.2022Freecivilian group announced that it has data from 50 official Ukrainian websitesFreecivilianRussiaLink
02.25.2022CERT-UA: We continue monitoring activities of the ‘UNC1151’ group (its members are officers of the Ministry of Defence of the Republic of Belarus)UNC1151RussiaLink
02.25.2022Conti announced their support for RussiaContiRussiaLink
02.25.2022The Anonymous declared officially in cyber war against the Russian governmentAnonymousUkraineLink
02.25.2022Anonymous announced that the website of the Russian Ministry of Defense was downAnonymousUkraineLink
02.25.2022Anonymous announced that the website of the RT News was downAnonymousUkraineLink
02.25.2022Belarusian defense contractor Tetraedr was hacked: 200 GB data leakAnonymous Liberland & Pwn-BarUkraineLink
02.25.2022GhostSec announced their support for UkraineGhostSecLink
02.25.2022CoomingProject (Ransomware group) announced their support for RussiaCoomingProjectRussiaLink
02.26.2022Ukraine government officially declared the #itarmyofukraine as their official IT armyIT army of UkraineUkraineLink
02.26.2022The ‘IT Army’ announced by by Minister for Digital Transformation of Ukraine Mykhaylo Fedorov has released its target listIT army of UkraineUkraineLink
02.26.2022Black Hawk announces an operation in RussiaBlack HawkUkraineLink
02.27.2022AgainstTheWest announced their support for UkraineAgainstTheWest (ATW)UkraineLink
02.27.2022GNG, a hacking group affiliated with Anonymous, has gained access to SberBANK database and leaked hundreds of data filesGNGUkraineLink
02.27.2022NB65 has officially declared cyber war on RussiaNB65UkraineLink
02.27.2022Russian government and 1,500 other websites have been taken down1LevelCrewUkraineLink
02.27.2022Belarusian Cyber-Partisans accessed the computers that control the Belarusian train systemBelarusian Cyber-PartisansUkraineLink
02.27.2022Announced they stand with UkrainekelvinsecurityUkraineLink
02.27.2022Announced they stand with UkraineRaidforums Admin (popular dark web forum)UkraineLink
02.27.2022They released some IOCS about Ukraine targetsGamaredonRussiaLink
02.27.2022LockBit ransomware group announced official statement on the cyber threat to RussiaLockBitNoneLink
02.28.2022The Russian Ministry of Labour and Social Protection website is down1LevelCrewUkraineLink
02.28.2022SHDWSec joins the movement to support UkraineSHDWSecUkraineLink
03.01.2022HydraUG made a clear statement via Twitter: Already 5804 websites attackedHydra UGUkraineLink
03.01.2022Stormous announced their support for RussiaStormousRussiaLink
03.01.2022DigitalCobraGang announced their support for RussiaDigitalCobraGangRussia
03.01.2022Zatoichi announced their support for RussiaZatoichiRussiaLink
03.02.2022Xaknet announced their support for RussiaXaknetRussiaLink
03.03.2022Targeting Russian government websitesv0g3lSecUkraineLink