Change and disruption: How the Russia-Ukraine conflict is reshaping cyber crime
CyberCX Cyber Intelligence is actively monitoring the conflict in Ukraine and the cyber implications for Australian and New Zealand organisations. We issued Threat Advisories on 1 March 2022 and 24 February 2022. This Intelligence Update offers insights into how the Russia-Ukraine conflict is impacting the global cyber crime ecosystem to provide situational awareness to Australian and New Zealand organisations.
Key Points
- Australian and New Zealand organisations face a real chance of ransomware, data theft extortion or DDoS attacks by pro-Russia criminal groups and hacktivists. Regional organisations are most at risk if they are high-profile and:
- have taken a public stance in support of Ukraine or in condemnation of Russia
- are involved or perceived to be in involved in facilitating or enforcing sanctions
- operate in sectors equivalent to those in Russia that have been targeted by sanctions (e.g. energy and financial services)
- operate critical infrastructure.
- The conflict is generating significant ‘noise’ in cyber news and churn in the cyber crime ecosystem, making it harder for regional organisations to assess and monitor threats.
- Cyber criminals with no ideological link to the conflict will increasingly exploit Russia-Ukraine content in phishing and cyber-enabled fraud attacks against Australian and New Zealand organisations.
Criminal and hacktivist targeting of western organisations
- Since our Threat Advisory of March 1, cyber criminals and hacktivists have continued to take ideological stances on the conflict and have conducted cyber attacks against Russia, Ukraine and NATO countries.
| Sentiment | Approximate known actors1 | Known locations |
| Pro-Russia | 10 | Belarus, Russia |
| Pro-Ukraine | 25 | Belarus, Georgia, Turkey |
We assess that pro-Russia cyber extortion groups are targeting critical infrastructure to support Russia’s interests.
- Pro-Russia cyber crime groups have publicly threatened to retaliate against countries and organisations that support Ukraine.
- We have high confidence that three of the most significant Russia-based cyber crime groups—Conti,Hive and Alphv—have recently conducted ransomware attacks against critical infrastructure in NATO countries.
- In the weeks prior to Russia’s invasion, Conti and Alphv conducted ransomware attacks on European oil and gas distributors. Several shipping terminals in Belgium, the Netherlands and Germany were impacted, causing widespread disruption to logistics.
- In early March, Romania’s largest oil refinery, Rompetrol, was targeted by Russia-based ransomware group, Hive, weeks after providing humanitarian support to Ukraine. Based on the timing and target selection, we assess this was in retaliation to Rompetrol’s support for Ukraine.
- These attacks indicate increased risk for Australian and New Zealand organisations.
- CyberCX has observed Conti, Hive and Alphv targeting Australian and New Zealand organisations within the last six months, indicating an increased risk to critical infrastructure providers in Australia and New Zealand.
- While most cyber extortion actors likely retain their self-imposed bans on targeting critical infrastructure providers, some pro-Russia cyber extortion groups have renewed risk appetite for targeting critical infrastructure. This reverses last year’s trend of groups restricting targeting of critical infrastructure to avoid global law enforcement attention.
We assess that Australian and New Zealand organisations face a real chance of ransomware, data theft extortion and DDoS attacks by pro-Russia cyber crime groups and hacktivists
- We have moderate confidence that pro-Russia cyber extortion and hacktivist groups have conducted ransomware, data theft extortion and attacks to influence target countries’ support for sanctions.
- Ransomware and DDoS attacks have been reported against energy, logistics and IT organisations in NATO countries.2
- In the event that pro-Russia criminal groups and hacktivists target Australia or New Zealand organisations, we assess that they are likely to adopt ‘publicity focussed’ targeting to maximise their impact on the conflict. This means that regional organisations are most at risk if they have:
- have taken a public stance in support of Ukraine or in condemnation of Russia
- are involved or perceived to be in involved in facilitating or enforcing sanctions
- operate in sectors equivalent to or adjacent those that have been targeted by sanctions (e.g. energy and financial services)
- operate critical infrastructure.
We assess there is an unlikely, but plausible, risk that pro-Ukraine or pro-Russia hacktivist attacks will inadvertently spill over to Australia or New Zealand.
- There has been an increase in hacktivist activity on both sides of the conflict. The sophistication and destructiveness of hacktivist attacks against both Russia and Ukraine is increasing.
- For example, a new cyber criminal wiper malware, RURansom, reportedly encrypts the data of Russian organisations with a random key that is discarded. This severely limits the likelihood that victims can recover their data.
- We assess that Australian and New Zealand organisations with operations in Russia or Ukraine are at increased risk of hacktivist DDoS, website defacement and data leaks. This risk extends to organisations with operations in NATO countries, but is less likely.
Noise and churn in the cyber crime ecosystem
The increase in cyber threat information generated by the conflict is making it harder for Australian and New Zealand organisations to prioritise and mitigate threats.
- Intense public interest and publicity focussed activities by hacktivist groups are driving misreporting and false information. At least two significant breaches claimed by pro-Ukraine hacktivists have been overstated or proven false.
- We assess with high confidence that hacktivist groups will continue to overstate their successes to gain publicity.
- We assess with moderate confidence that nation-state, pro-Russia and pro-Ukraine actors will make false claims (or set false flags) as part of larger-scale information operations.
We assess that infighting within cyber crime groups, triggered by the conflict, will also make it harder for Australian and New Zealand organisations to track threat groups.
- Infighting within cyber crime group, Conti, is likely to cause churn in the cyber crime ecosystem, but not reduce the threat to Australian and New Zealand organisations.
- The leak of information about Conti infrastructure and personnel (reportedly by a pro-Ukraine Conti affiliate) is likely to have only temporarily and marginally disrupted the capability of pro-Russia cyber extortion groups.
- Cyber extortion infrastructure is low-cost and designed to be quickly rebuilt.
- Despite the leaks, Conti’s activity on its Dedicated Leak Site has not declined.
- Even if Conti’s operational tempo dips, we assess new or historically less prolific cyber crime groups will increase operations by attracting former Conti affiliates and capturing their ‘market share’.
We assess with low confidence that the conflict may temporarily disrupt some cyber extortion operators in the conflict zone, but will not affect more persistent and resilient groups.
- We assess with high confidence that the most frequent Big Game Hunting (BGH) cyber extortion groups targeting Australia and New Zealand operate from at least Russia and/or Ukraine.
Most frequent BGH cyber extortion groups targeting Australia and New Zealand Lockbit 2.0 Cl0p Conti Alphv / Black Cat REvil / REvilLV Hive - We assess with low confidence that the impacts of the physical conflict and instability in Ukraine, including physical displacement, military involvement, infrastructure limitations and global bans or restrictions on Russian IP addresses, may temporarily disrupt some Russian and Ukrainian cyber criminals from targeting Australia and New Zealand organisations.
- We assess this disruption will only be temporary and will not impact the operational tempo of the more persistent and resilient groups targeting Australia and New Zealand, such as those listed in the table above.
- We have observed cyber extortion Dedicated Leak Site posts increase from January 2022 onwards, which could be for a combination of reasons including an attempt to finalise existing operations before potential law enforcement or conflict-related disruption.
- We have not observed increased Initial Access Broker (IAB) activity coinciding with the conflict. This likely reflects that IABs are commercially-driven and may be more geographically diverse, relative to hacktivists and cyber extortion actors.
Exploitation of the conflict by cyber criminals and scammers
Cyber criminals, regardless of ideology, will increasingly exploit the invasion of Ukraine and the resulting humanitarian crisis.
- Cyber criminals are exploiting the Russia-Ukraine conflict and the resulting humanitarian crisis to create lures for scams, phishing and malware delivery.
- Fake donation drives have been identified on social media sites, including TikTok and Twitter, with scammers claiming to be Ukrainians in urgent need of assistance in the form of cryptocurrency.3
- In early March, a phishing scam reportedly used a legitimate Australian humanitarian organisation’s brand to exploit the crisis.4
- It has been reported that email delivery campaigns for the Agent Tesla and Remcos malware strains have used lure emails that impersonate Ukrainian businesses and draw on the conflict to entice recipients to download attachments. Australian organisations reportedly comprised 2% of these campaigns’ targets.5
- For most organisations, opportunistic exploitation of the Ukraine crisis will affect the nature of their cyber risk, but will not increase it. However, this behaviour elevates the threat profile for Australian and New Zealand organisations that:
- make charitable donations or conduct humanitarian work that concerns Ukraine.
- have business relationships with organisations in Ukraine or the surrounding region, given threat actors may impersonate these businesses or exploit their trusted relationships for social engineering.
This threat advisory has been prepared by the CyberCX Cyber Intelligence Team.
Read more about our practices and insights:
If you need assistance responding to a cyber incident, please contact our investigation and response team here.
Guide to CyberCX Cyber Intelligence reporting language
CyberCX Cyber Intelligence uses probability estimates and confidence indicators to enable readers to take appropriate action based on our intelligence and assessments.
| Probability estimates – reflect our estimate of the likelihood an event or development occurs | ||||||
| Remote chance | Highly unlikely | Unlikely | Real chance | Likely | Highly likely | Almost certain |
| Less than 5% | 5-20% | 20-40% | 40-55% | 55-80% | 80-95% | 95% or higher |
Note, if we are unable to fully assess the likelihood of an event (for example, where information does not exist or is low-quality) we may use language like “may be” or “suggest”.
| Confidence levels – reflect the validity and accuracy of our assessments | ||
| Low confidence | Moderate confidence | High confidence |
| Assessment based on information that is not from a trusted source and/or that our analysts are unable to corroborate. | Assessment based on credible information that is not sufficiently corroborated, or that could be interpreted in various ways. | Assessment based on high-quality information that our analysts can corroborate from multiple, different sources. |
1] These numbers are based on non-state sponsored actors that have made a public statement in support of Russia or Ukraine.
2] On February 24, the day of invasion, threat actors likely associated with Russian intelligence services reportedly compromised US-based satellite operator, Viasat, causing downstream impacts across Europe. This Intelligence Update only covers cyber crime activity; we will cover nation-state activities related to the conflict—and their impacts for Australia and New Zealand—in a subsequent Update.
