Key security officials in Ukraine have accused hackers aligned with the Russian government of targeting its critical infrastructure, including the power grid and the financial systems, using a strain of malware previously linked to a major state-sponsored cyberattack.
Ukraine's security chief, Oleksandr Tkachuk, said on 15 February the attacks were linked to a gang that uses a type of computer malware dubbed BlackEnergy. In an unprecedented attack, the attackers allegedly used it to cause a widespread electricity blackout in Kiev two years ago.
"Russian hackers [have] become an important tool of the aggression against our country," Tkachuk said, as reported by Reuters.
He said the latest round of cyberattacks used a type of malicious software called Telebots with the aim of infecting its national infrastructure.
In late 2016, Slovakian cybersecurity firm Eset, which has previously tracked the BlackEnergy gang, said Telebots malware was used in "targeted cyberattacks against high-value targets in the Ukrainian financial sector." Its main aim was simple: cyber-sabotage.
"It's important to say that these attackers, and the toolset used, share a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December 2015 and January 2016," Eset experts wrote in a blog post. "In fact, we think that the BlackEnergy group has evolved into the Telebots group."
The BlackEnergy and Telebots groups are known to use the same tactics, usually spear phishing emails with malicious Microsoft Excel documents attached. As with many nation-state backed cybercrime groups, the victims of these campaigns are usually highly targeted.
This week, a separate US-based cybersecurity firm called CyberX, which specialises in critical infrastructure research, found another espionage campaign in Ukraine that had successfully compromised over 70 victims. It named the scheme Operation BugDrop.
The firm described it as a "large-scale cyber-reconnaissance operation" designed to eavesdrop on sensitive conversations by remotely controlling the microphones of infected PCs. The hackers used Dropbox to store the exfiltrated data.
Targets – while unnamed – included a firm that makes remote monitoring systems for oil and gas pipelines, a company that designs electrical substations and an international organisation that monitors human rights, counter-terrorism and cyberattacks in Ukraine.
"The operation seeks to capture a range of sensitive information from its targets including audio recordings of conversations, screen shots, documents and passwords," the team said.
"Unlike video recordings, which are often blocked by users simply placing tape over the camera lens, it is virtually impossible to block your computer's microphone without physically accessing and disabling the PC hardware."
Chief Technology Officer Nir Giller told Reuters he was unsure who exactly was behind the attack, but suspected it was part of a reconnaissance mission.
"Its goal was to gather intelligence about targets in various domains including critical infrastructure, media, and scientific research," the CyberX team said.
"We have no evidence that any damage or harm has occurred from this operation, however identifying, locating and performing reconnaissance on targets is usually the first phase of operations with broader objectives."