Criminal Malware Used In Attacks On Ukraine Government


Ukraine government sites hit by criminal malware normally used in attacks on financial institutions, as epic DDoS attacks are launched

The DirtJumper malware, a tool used by digital criminals during attacks on banks, has started targeting Ukrainian government websites, amid growing tensions with neighbouring Russia.

The past few days have seen a number of epic distributed denial of service (DDoS) attacks going off in the troubled region, with both Russian and Ukrainian sites taking severe hits.

It’s unclear who is responsible, but Dell SecureWorks data handed to TechWeekEurope indicated many of DirtJumper’s command and control servers were situated in Eastern Europe, with the majority located in Russia, as seen in the map below.

[Map: locations of DirtJumper command and control servers (Dell SecureWorks, 18 March 2014)]

Ukraine digital attacks

DirtJumper botnets had been used in attacks on Ukrainian government sites in December, but only for a brief period. The latest attacks, which hit news outlets as well as government entities, used only one of the 34 DirtJumper botnets being tracked by SecureWorks researchers.

They said the botnet had added various pro-Ukrainian government and media sites to its list of DDoS targets.

On Monday, Arbor Networks said there were 132 reported attacks targeting Russia, with the peak size reaching 124Gbps, a massive attack in DDoS terms. There were only four reported attacks targeting Ukraine, according to Arbor’s data, with the peak size measuring 9.8Gbps, but the country saw 42 on Sunday.

Another malware type known as Drive, a variant of DirtJumper, was also seen in attacks.

It recently gained new capabilities, according to an Arbor report, and has been using various compromised sites for its command and control infrastructure. “Unfortunately, especially for the sites, they were indeed legitimate sites that had been compromised and used to direct an army of DDoS bots towards various targets,” said Jason Jones, security research analyst with Arbor Networks’ ASERT team, in a blog post.

“Judging by the paths present for the PHP scripts, many of these sites were running some version of WordPress with plugins. It is not known whether they were compromised via a WordPress or plugin vulnerability, as once I realised they were legitimate I stopped all probing on them. We have taken action with relevant CERTs in an attempt to get the sites cleaned up, but there are still some available.”

Growing tension

Jones, in a statement sent to TechWeek, said the Network Time Protocol (NTP) had been abused in at least one attack.

NTP can be used for massive DDoS amplification: the attacker sends small requests to an NTP server with the source IP address spoofed to that of the target, and the server returns a much larger response to the target. Repeating the requests, and spreading them across many servers, multiplies the volume of traffic aimed at the victim.
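The amplification pattern described above shows up clearly in network flow data: a handful of tiny UDP packets to port 123 "from" a host, answered by far larger responses "to" that host. The following script is an added example (not code from the article, Arbor Networks or Dell SecureWorks) that scans constructed flow records, computes the response-to-request byte ratio per NTP server and client pair, and flags pairs whose ratio suggests a misconfigured server being abused and a spoofed victim receiving the flood. The flow format, thresholds and IP addresses are assumptions made for the example.

```python
"""Detect NTP amplification patterns in flow records (constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
# Thresholds are assumptions for this example, not values from the article.
MIN_AMPLIFICATION = 10.0   # response bytes / request bytes
MIN_REQUESTS = 3           # ignore one-off lookups


@dataclass(frozen=True)
class Flow:
    """A minimal NetFlow-style record (assumed format for this example)."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    bytes: int
    packets: int


# Constructed sample flows. 203.0.113.10 is the apparent source of tiny
# requests to two NTP servers (its address has been spoofed), and each server
# answers with large responses; 192.0.2.20 is an ordinary NTP client.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "198.51.100.5", 40123, NTP_PORT, 50, 1),
    Flow("203.0.113.10", "198.51.100.5", 40123, NTP_PORT, 50, 1),
    Flow("203.0.113.10", "198.51.100.5", 40123, NTP_PORT, 50, 1),
    Flow("198.51.100.5", "203.0.113.10", NTP_PORT, 40123, 24000, 50),
    Flow("198.51.100.5", "203.0.113.10", NTP_PORT, 40123, 24000, 50),
    Flow("198.51.100.5", "203.0.113.10", NTP_PORT, 40123, 24000, 50),
    Flow("203.0.113.10", "198.51.100.6", 40123, NTP_PORT, 50, 1),
    Flow("203.0.113.10", "198.51.100.6", 40123, NTP_PORT, 50, 1),
    Flow("203.0.113.10", "198.51.100.6", 40123, NTP_PORT, 50, 1),
    Flow("198.51.100.6", "203.0.113.10", NTP_PORT, 40123, 24000, 50),
    Flow("198.51.100.6", "203.0.113.10", NTP_PORT, 40123, 24000, 50),
    Flow("198.51.100.6", "203.0.113.10", NTP_PORT, 40123, 24000, 50),
    Flow("192.0.2.20", "198.51.100.7", 51234, NTP_PORT, 76, 1),
    Flow("198.51.100.7", "192.0.2.20", NTP_PORT, 51234, 76, 1),
]


def ntp_amplification_report(flows, min_amp=MIN_AMPLIFICATION,
                             min_requests=MIN_REQUESTS):
    """Return flagged (server, client) pairs, largest response volume first.

    Requests are flows to port 123 from a non-123 port; responses are flows
    from port 123 to a non-123 port. Symmetric 123/123 peering is ambiguous
    and is skipped.
    """
    stats = defaultdict(lambda: {"req_bytes": 0, "req_pkts": 0,
                                 "resp_bytes": 0, "resp_pkts": 0})
    for f in flows:
        if f.dst_port == NTP_PORT and f.src_port != NTP_PORT:
            s = stats[(f.dst, f.src)]          # key is (server, client)
            s["req_bytes"] += f.bytes
            s["req_pkts"] += f.packets
        elif f.src_port == NTP_PORT and f.dst_port != NTP_PORT:
            s = stats[(f.src, f.dst)]
            s["resp_bytes"] += f.bytes
            s["resp_pkts"] += f.packets

    findings = []
    for (server, client), s in stats.items():
        if s["req_pkts"] < min_requests or s["req_bytes"] == 0:
            continue
        amp = s["resp_bytes"] / s["req_bytes"]
        if amp >= min_amp:
            findings.append({"server": server, "client": client,
                             "amplification": round(amp, 1),
                             "resp_bytes": s["resp_bytes"]})
    findings.sort(key=lambda r: r["resp_bytes"], reverse=True)
    return findings


def bytes_per_victim(findings):
    """Total amplified bytes aimed at each client across all abused servers."""
    totals = defaultdict(int)
    for r in findings:
        totals[r["client"]] += r["resp_bytes"]
    return dict(totals)


if __name__ == "__main__":
    report = ntp_amplification_report(SAMPLE_FLOWS)
    for r in report:
        print(f"server {r['server']} -> {r['client']}: "
              f"x{r['amplification']} ({r['resp_bytes']} bytes)")
    print("per-victim totals:", bytes_per_victim(report))
```

Read from the network edge, the flagged servers are candidates for the cleanup Jones describes (the NTP server operator closes the query type that produces the oversized reply; in the ntpd configuration of the period that meant `disable monitor` together with a `restrict default ... noquery` line), and the flagged clients are the hosts actually under attack, since they never sent the requests that carry their address.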

Various digital attacks have been witnessed since troubles broke out in Ukraine and Crimea, which held a vote on Sunday to determine whether it would become independent. Crimea now looks set to be annexed by Russia.

The state-run news agency Ukrinform has been hit by DoS attacks, whilst there were suggestions illegally installed equipment had been found at network operator Ukrtelecom, in an apparent attempt to spy on members of the Verkhovna Rada – the Ukrainian parliament.

A handful of Nato websites were disrupted over the weekend too, with responsibility taken by a group calling itself Cyber Berkut. It appeared to sympathise with the Russian bid to annex Crimea.
