Criminal Malware Used In Attacks On Ukraine Government

The DirtJumper malware, a tool used by digital criminals during attacks on banks, has started targeting Ukrainian government websites, amid growing tensions with neighbouring Russia.

The past few days have seen a number of epic distributed denial of service (DDoS) attacks going off in the troubled region, with both Russian and Ukrainian sites taking severe hits.

It’s unclear who is responsible, but Dell SecureWorks data handed to TechWeekEurope indicated many of DirtJumper’s command and control servers were situated in Eastern Europe, with the majority located in Russia, as seen in the map below.

[Map: Ukraine digital attacks]

DirtJumper botnets had been used in attacks on Ukrainian government sites in December, but only for a brief period. The latest attacks, which hit news outlets as well as government entities, used only one of the 34 DirtJumper botnets being tracked by SecureWorks researchers.

They said the botnet had added various pro-Ukrainian government and media sites to its list of targets for DDoS attacks.

On Monday, Arbor Networks said there were 132 reported attacks targeting Russia, with the peak size reaching 124Gbps, a massive attack in DDoS terms. There were only four reported attacks targeting Ukraine, according to Arbor’s data, with the peak size measuring 9.8Gbps, but the country saw 42 on Sunday.

Another malware type known as Drive, a variant of DirtJumper, was also seen in attacks.

It recently gained new skills, according to an Arbor report, and has been using various compromised sites for its command and control infrastructure. “Unfortunately, especially for the sites, they were indeed legitimate sites that had been compromised and used to direct an army of DDoS bots towards various targets,” said Jason Jones, security research analyst with the Arbor Networks’ ASERT team, in a blog post.

“Judging by the paths present for the PHP scripts, many of these sites were running some version of WordPress with plugins. It is not known whether they were compromised via a WordPress or plugin vulnerability as once I realised they were legitimate I stopped all probing on them. We have taken action with relevant CERTs in an attempt to get the sites cleaned up, but there are still some available.”

Growing tension

Jones, in a statement sent to TechWeek, said the Network Time Protocol (NTP) had been abused in at least one attack.

NTP can be used for massive DDoS amplification: the attacker sends small requests to an NTP server with the source IP address spoofed to that of the target, and the server sends its much larger response to the target instead. Repeated requests multiply the traffic the target receives.
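From the defender's side, the amplification pattern described above is recognisable in flow data: a host that sent no (or almost no) NTP requests suddenly receives large UDP packets from source port 123 from many distinct servers. The following detector is an added example, not code from the article or from Arbor or SecureWorks; the flow record format, the thresholds and the IP addresses are all constructed for illustration.

```python
# Added example (not from the article): flag likely NTP reflection/amplification
# traffic in simple flow records. A normal NTP time packet is 48 bytes of UDP
# payload (76 bytes on the wire with IPv4/UDP headers); amplified replies are far
# larger and arrive from many distinct servers at a host that never asked for them.
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple

NTP_PORT = 123
NORMAL_NTP_WIRE_BYTES = 76   # 48-byte NTP payload + 20 IPv4 + 8 UDP header bytes
LARGE_REPLY_THRESHOLD = 400  # bytes/packet above which a reply is suspicious (assumption)
MIN_REFLECTORS = 3           # distinct source servers before alerting (assumption)


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: src sport dst dport proto packets octets."""
    src, sport, dst, dport, proto, packets, octets = line.split()
    return Flow(src, int(sport), dst, int(dport), proto.upper(), int(packets), int(octets))


def detect_ntp_amplification(lines: Iterable[str]) -> Dict[str, dict]:
    """Return {victim_ip: report} for hosts receiving large UDP/123 replies from many sources."""
    inbound = defaultdict(lambda: {"sources": set(), "packets": 0, "octets": 0})
    sent_to_ntp = defaultdict(int)  # octets each host itself sent towards UDP/123

    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f.proto != "UDP":
            continue
        if f.sport == NTP_PORT:
            # Reply traffic coming from an NTP server towards f.dst.
            stats = inbound[f.dst]
            stats["sources"].add(f.src)
            stats["packets"] += f.packets
            stats["octets"] += f.octets
        elif f.dport == NTP_PORT:
            # Request traffic: the host is legitimately asking a server for time.
            sent_to_ntp[f.src] += f.octets

    findings = {}
    for victim, stats in inbound.items():
        avg_reply = stats["octets"] / stats["packets"]
        if avg_reply <= LARGE_REPLY_THRESHOLD or len(stats["sources"]) < MIN_REFLECTORS:
            continue  # ordinary time sync, or too few servers to call it reflection
        findings[victim] = {
            "reflectors": len(stats["sources"]),
            "avg_reply_bytes": avg_reply,
            "total_octets": stats["octets"],
            # No outbound NTP requests from the victim means the replies were
            # triggered by spoofed requests sent by someone else.
            "unsolicited": sent_to_ntp[victim] == 0,
        }
    return findings


# Constructed sample: four reflectors hammering 198.51.100.5 with ~464-byte replies,
# plus one legitimate 76-byte request/reply pair for 198.51.100.9.
SAMPLE_FLOWS = """
# src sport dst dport proto packets octets
203.0.113.10 123 198.51.100.5 47221 UDP 1200 556800
203.0.113.11 123 198.51.100.5 47221 UDP 1100 510400
203.0.113.12 123 198.51.100.5 47221 UDP 900 417600
203.0.113.13 123 198.51.100.5 47221 UDP 1500 696000
198.51.100.9 51234 203.0.113.10 123 UDP 1 76
203.0.113.10 123 198.51.100.9 51234 UDP 1 76
"""

if __name__ == "__main__":
    for victim, report in detect_ntp_amplification(SAMPLE_FLOWS.splitlines()).items():
        print(victim, report)
```

The average reply size and the number of distinct reflectors together separate normal time sync (one or a few servers, 76-byte packets) from reflection. On the server side, operators running ntpd can stop their hosts being used as reflectors with `disable monitor` and a `restrict default kod nomodify notrap nopeer noquery` line in ntp.conf, and source-address validation at network edges (BCP 38) removes the spoofing that makes the attack possible in the first place.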

Various digital attacks have been witnessed since troubles broke out in Ukraine and Crimea, which held a vote on Sunday to determine whether it would become independent. Crimea now looks set to be annexed by Russia.

The state-run news agency Ukrinform has been hit by DoS attacks, whilst there were suggestions illegally installed equipment had been found at network operator Ukrtelecom, in an apparent attempt to spy on members of the Verkhovna Rada – the Ukrainian parliament.

A handful of Nato websites were disrupted over the weekend too, with responsibility taken by a group calling itself Cyber Berkut. It appeared to sympathise with the Russian bid to annex Crimea.

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
