By Staff Writer.
Amid escalating tensions on the Ukrainian border, cybersecurity analysts are seeing a sharp uptick in data leaks as threat actors attempt to exploit the precarious security situation there. With threat actors capitalising on the upheaval, analysts expect the number of data leaks to keep rising.
More than 100,000 Russian troops have gathered on the Belarusian side of the Ukraine-Belarus border, which runs for more than 1,000 kilometres. Ostensibly, the troops are there for military exercises, but the US and NATO say a full-scale invasion is likely.
Previously, Russia-backed threat actors have launched well-publicised cyberattacks on Ukrainian interests, including a recent large-scale attack that forced several Ukrainian Government websites offline.
Now, cybersecurity consultancies are seeing profit-driven threat actors enter the field, leaking data and repackaging older data leaks. However, these leaks threaten Russian as well as Ukrainian interests.
“Threat actors across various illicit communities are attempting to use increased attention to the situation around Ukraine for financial gain,” says Andras Toth-Czifra, a global intelligence senior analyst at cybersecurity consultancy Flashpoint.
“Therefore, in the upcoming days and/or weeks, there will likely be several previously published databases resurfacing in various communities.”
Flashpoint highlights a January 24 ransomware attack on the Belarusian state railway company. Russia relies heavily on the railway network to move its troops around, and a successful cyberattack could disrupt that.
The ransomware attack reportedly impacted the railway’s servers, databases, and workstations. The threat actors behind the attack wanted Ukrainian political prisoners released and Russian troops out of Belarus.
A known hacktivist group called “Belarusian Cyber Partisans” claimed responsibility for the attack. The group has form for assisting an effort to discredit Belarusian President Alexander Lukashenko.
Flashpoint says this is not the first sign over the past week that Russia and its allies may face cyber backlash amidst escalating tensions in and around Ukraine.
Data stolen from Almaz Antey, a Russian state-owned weapons manufacturer, was released online in mid-January. Data from other Russian defence businesses has also become available online.
The hacktivist claiming responsibility for the Almaz Antey leak said they were “returning the favour” for recent attacks on Ukrainian companies and government databases, the proceeds of which were later posted on illicit forums frequented by Russian-speaking cybercriminals.
While the Almaz-Antey company confirmed the cyberattack, it also said the bad actors stole no important data.
“The uploads are potentially being used to heighten interest in Ukrainian targets among threat actors,” says Andras Toth-Czifra. “But the timing of the uploads does not mean that these companies were breached in the recent past. Such databases have been constantly traded on illicit forums, even before the present crisis.”
The threat actors aren’t only targeting enterprises assisting the Russian troop build-up. Flashpoint confirms seeing several Ukrainian databases advertised online in recent days. These include user data from shipping company Ukrferry, a database of Privatebank employees, and data from defence contractor DTEK.
The cybersecurity consultancy says it has moderate to high confidence that most of the data leaks are for-profit, and that the threat actors are exploiting the uncertainty and tensions around the Russian troop activity to sell the data and disrupt activity on both sides.