{
	"id": "be122097-1231-444c-bf5a-b3dae2eef13f",
	"created_at": "2026-04-06T00:09:31.278689Z",
	"updated_at": "2026-04-10T13:12:34.765428Z",
	"deleted_at": null,
	"sha1_hash": "9a457a7f5978e8077b628ab30249cc2f017f094e",
	"title": "Webinar on cyberattacks in Ukraine - summary and Q\u0026A",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 104884,
	"plain_text": "Webinar on cyberattacks in Ukraine - summary and Q\u0026A\r\nBy GReAT\r\nPublished: 2022-03-14 · Archived: 2026-04-05 19:41:32 UTC\r\nAbout the webinar\r\nOn March 10, 2022 Kaspersky’s Global Research and Analysis Team (GReAT) shared their insights into the\r\ncurrent (and past) cyberattacks in Ukraine. In this post we address the questions that we did not have the time to\r\nanswer and provide the Indicators of Compromise (IoCs) that can help you defend against the identified threats.\r\nYou can watch the full recording of the webinar here: ‘A look at current cyberattacks in Ukraine‘\r\nThe webinar included a historical overview of attacks on Ukraine and an overview of current cyber-activity in\r\nthe country, which comprises known APT activity, unknown parties carrying out DDoS attacks and leveraging\r\ncommodity RATs, hacktivism, activities by cybercriminals and unattributed attacks.\r\nIn the webcast, we also provided an analysis of attacks identified using Kaspersky’s honeypot network in Ukraine,\r\nas well as an analysis of the APT attacks by Gamaredon, Cyclops Blink, Hades/Sandworm and unknown groups\r\nusing commodity malware such as PandoraBlade. We also looked into the different wipers and related destructive malware used\r\nagainst organizations in Ukraine, including HermeticWiper, WhisperGate, IsaacWiper and HermeticRansom, and\r\ncovered unknown and unattributed attacks and hacktivist activity taking place in the same timeframe.\r\nWe assess that the number of cyberattacks in Ukraine will increase during the next six months. While most of the\r\ncurrent attacks are of low complexity – such as DDoS or attacks using commodity and low-quality tools – more\r\nsophisticated attacks also exist, and more are expected. 
Current complex activities include the\r\nemployment of HermeticWiper, which stands out due to its sophistication, as well as the Viasat ‘cyber event’ – the\r\npartial network outage that impacted internet service for fixed broadband customers in Ukraine and elsewhere on\r\nthe European KA-SAT network and affected over 30,000 terminals in Europe.\r\nhttps://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/\r\nPage 1 of 5\n\nCurrently, we assess that the risk of the cyber component of this conflict spilling over to Europe is medium-high.\r\nWe advise organizations to:\r\nTake typical measures against DDoS attacks, ransomware and destructive malware, phishing, targeted\r\nattacks, supply-chain attacks and firmware attacks\r\nMake sure that any and all internet-facing systems are up-to-date with all the latest patches installed\r\nInstall security software on endpoints\r\nSet up extensive logging that will allow defenders to be alerted about suspicious events\r\nEstablish strict application whitelisting on all machines\r\nActively hunt for attackers inside the company’s internal network\r\nIntegrate threat intelligence into the SOC and EDR, and leverage IoCs, YARA, Suricata and Sigma rules. We\r\nwould also refer you to Kaspersky’s Threat Intelligence Resource Hub, which currently provides free\r\naccess to independent, continuously updated and globally-sourced information on ongoing cyberattacks\r\nand threats.\r\nQ\u0026A\r\nDue to time limitations, we could not address all questions during the webinar, so here are our answers to the\r\nremaining questions we received in the live session:\r\nQ: What are the chances that we’ll see attacks using enterprise resources to launch attacks?\r\nA: Depending on the nature of the attack, actors may not differentiate between home, SMB and enterprise\r\nsystems. 
For example, infected IoT and network devices such as IP-cameras may be used by anyone, and may be\r\ninfected and abused by attackers to launch attacks such as DDoS attacks. Attackers will use and abuse any\r\nresources they require in order to conduct their attack. If this includes enterprise resources then they will be\r\nincluded in the attackers’ scope.\r\nQ: Currently we have seen massive connection outbreaks in many different services over TOR-exits located\r\nin the German region. Does this provide a “true” picture of the threat landscape, since many attackers seem\r\nto be from – in this instance – Germany but might originate from regions that are very interested in causing\r\ndamage to Europe or Ukraine specifically right now?\r\nA: We commonly take TOR and other anonymizing services into account when it comes to the origin of attacks.\r\nNot all attacks, for example on our honeypot infrastructure, are easily possible through TOR due to enforced\r\npolicies on exit-nodes.\r\nQ: I’m wondering what you can say about the attacks on Russian targets, both from “hacktivists” and\r\nothers? Can you help us separate the hype and exaggerations from attacks that are having a real impact?\r\nA: We have seen several public “hack” announcements. Most of them don’t include enough evidence to confirm a\r\nreal hack; nor do we have the abilities or resources to verify most of them as they are very specific and “targeted”.\r\nThe most important suggestion is to not blindly trust all messages, reports and claims – especially unverified\r\ncontent or if it’s from unverified channels/accounts.\r\nQ: We all know of REvil group activity and the Kaseya case. REvil members were arrested by the Russian\r\nFSB a few months ago. Do you believe that these people might be “employed” by the Kremlin to organize\r\nan attack against Ukraine? Or do you think it might be possible to determine if any attackers are former REvil\r\nmembers?\r\nA: We don’t have any insights into the employment of criminals or other threat actors; nor into plans and\r\nstrategies of any government or related organizations. Our focus is on the technical aspects only, which is where\r\nour expertise and focus lies. The real-world identity of criminals and other threat actors is the focus area of law\r\nenforcement and related agencies.\r\nQ: How may this conflict between Russia and Ukraine affect financial operations? Are firewalls and\r\nantivirus tools enough to defend against a cyberattack that comes from Europe?\r\nA: Financial transactions and other operations are handled through the networks of financial institutions. These are\r\nusually secured using many different methods. The origin (that is, region or country) is usually not the first\r\nquestion in regards to defense, but rather technical aspects and targets. Depending on that, particular methods and\r\npolicies should be applied to protect against attacks.\r\nQ: Do you have any current readings on attacks on NGOs?\r\nA: Several investigations reveal that targets include NGOs – these are accessible through our Threat Intelligence\r\nReporting Service.\r\nQ: How can we use the Kaspersky honeypot and sandbox?\r\nA: Our honeypots are not part of any Kaspersky products. They are dedicated systems where specific sensors are\r\ninstalled in order to monitor attacks. However, you may join our honeypot initiative (for details, email us at\r\nhoneypots@kaspersky.com).\r\nYou may access and use the Kaspersky Sandbox within our Product \u0026 Service offerings: Kaspersky Sandbox and\r\nKaspersky Threat Intelligence. File analysis can also be conducted through OpenTIP.\r\nWhat follows is the list of IoCs we derived from our honeypot-sensors in Ukraine. 
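The IoC list below is plain text with defanged addresses and unlabelled 32-hex digests, which is how it is usually handed to a SOC. As an added example (not part of the original post and not a Kaspersky tool), the Python below shows one way to turn such a list into something an EDR or log pipeline can match: it refangs the IPs, validates each token as either an IP address or an MD5 digest, reports anything it cannot classify, and then checks a few sample telemetry records. The indicators in RAW_IOCS are an excerpt of the post’s own list; the log records, their key=value layout and field names (src, dst, md5, host) are constructed for the demonstration and do not come from any real product. Scanner addresses seen by honeypots rotate quickly, so the IP portion is best treated as a hunting and alerting input rather than a permanent blocklist.

```python
import ipaddress
import re

# Excerpt of the defanged indicators published in the post (IPs are written
# with [.] so they are not clickable); the last line is a deliberately
# malformed entry to show how rejects are reported.
RAW_IOCS = '''
185[.]252[.]232[.]67
133[.]242[.]129[.]39
192[.]241[.]220[.]251
ecce8845921a91854ab34bff2623151e IsaacWiper
3f4a16b29f2f0532b7ce3e7656799125 HermeticWiper
033fa3ae260e465da3d541bc138d2e1d WhiteBlackCrypt x32
not-an-indicator
'''

MD5_RE = re.compile(r'^[0-9a-f]{32}$')


def refang(token):
    # Reverse the [.] defanging so the value can be compared with telemetry.
    return token.replace('[.]', '.')


def parse_iocs(text):
    '''Split the plain-text IoC list into (ip_set, {md5: label}, rejected).

    Each line is either a defanged IP or a 32-hex MD5 followed by a label.
    Anything else is returned in the rejected list rather than silently
    dropped, so a typo in the feed is visible to the analyst.'''
    ips = set()
    hashes = {}
    rejected = []
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line:
            continue
        token, _, label = line.partition(' ')
        candidate = refang(token).lower()
        try:
            ips.add(str(ipaddress.ip_address(candidate)))
            continue
        except ValueError:
            pass
        if MD5_RE.match(candidate):
            hashes[candidate] = label.strip()
            continue
        rejected.append(line)
    return ips, hashes, rejected


# Constructed sample telemetry (not from the post): space-separated key=value
# records, one firewall or EDR event per line. Field names are invented.
SAMPLE_LOGS = [
    'ts=2022-03-10T09:12:01Z type=fw action=allow src=185.252.232.67 dst=10.0.0.5 dport=22',
    'ts=2022-03-10T09:12:07Z type=fw action=allow src=10.0.0.9 dst=10.0.0.5 dport=445',
    'ts=2022-03-10T09:13:44Z type=edr action=file_create host=WS01 md5=3F4A16B29F2F0532B7CE3E7656799125',
    'ts=2022-03-10T09:14:02Z type=edr action=file_create host=WS02 md5=0123456789abcdef0123456789abcdef',
]


def parse_kv(line):
    # Fields without an '=' are ignored rather than breaking the parse.
    return dict(field.split('=', 1) for field in line.split() if '=' in field)


def match_logs(lines, ips, hashes):
    '''Return (line, reason) pairs for every record touching a known indicator.

    IPs are checked in both directions (inbound scanner or outbound callback);
    digests are compared case-insensitively because EDRs differ in casing.'''
    hits = []
    for line in lines:
        kv = parse_kv(line)
        for key in ('src', 'dst'):
            if kv.get(key) in ips:
                hits.append((line, 'ip:' + kv[key]))
        digest = kv.get('md5', '').lower()
        if digest in hashes:
            hits.append((line, 'md5:' + digest + ' (' + hashes[digest] + ')'))
    return hits


if __name__ == '__main__':
    known_ips, known_hashes, bad = parse_iocs(RAW_IOCS)
    print(len(known_ips), 'IPs,', len(known_hashes), 'hashes, rejected:', bad)
    for record, reason in match_logs(SAMPLE_LOGS, known_ips, known_hashes):
        print(reason, '<-', record)
```

Run as a script it reports two hits: the inbound connection from 185.252.232.67 and the HermeticWiper digest on WS01, while the malformed feed line is surfaced in the rejected list instead of being discarded.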
The addresses listed below are the observed, most\r\nprominent and relevant attacking IP addresses.\r\nIndicators of Compromise (IoCs)\r\nIPs found attacking Ukraine honeypot assets\r\n185[.]252[.]232[.]67\r\n133[.]242[.]129[.]39\r\n120[.]48[.]3[.]144\r\n178[.]62[.]81[.]147\r\n159[.]203[.]71[.]145\r\n116[.]105[.]72[.]113\r\n182[.]59[.]88[.]117\r\n27[.]6[.]204[.]233\r\n115[.]48[.]212[.]167\r\n42[.]227[.]250[.]181\r\n219[.]157[.]145[.]211\r\n182[.]119[.]167[.]53\r\n42[.]224[.]124[.]173\r\n125[.]40[.]19[.]101\r\n196[.]70[.]116[.]243\r\n125[.]41[.]141[.]113\r\n219[.]157[.]59[.]51\r\n14[.]106[.]231[.]203\r\n87[.]150[.]3[.]191\r\n152[.]32[.]180[.]171\r\n192[.]241[.]221[.]199\r\n121[.]229[.]44[.]136\r\n192[.]241[.]220[.]251\r\n192[.]241[.]220[.]48\r\n192[.]241[.]220[.]47\r\n192[.]241[.]218[.]100\r\n62[.]16[.]2[.]14\r\n152[.]32[.]135[.]202\r\n139[.]162[.]8[.]54\r\nHashes (MD5)\r\necce8845921a91854ab34bff2623151e IsaacWiper\r\nd5d2c4ac6c724cd63b69ca054713e278 HermeticRansom\r\n3f4a16b29f2f0532b7ce3e7656799125 HermeticWiper\r\n84ba0197920fd3e2b7dfa719fee09d2f HermeticWiper\r\n517d2b385b846d6ea13b75b8adceb061 HermeticWizard\r\n5d5c99a08a7d927346ca2dafa7973fc1 WhisperGate\r\n14c8482f302b5e81e3fa1b18a509289d WhisperGate\r\ne61518ae9454a563b8f842286bbdb87b WhisperGate\r\n3907c7fbd4148395284d8e6e3c1dba5d WhisperGate\r\ne5071ccd626ad4ef8b0be7561c50f1ac WhisperGate\r\n238bf5d26e338ca205b269ca4a9f57a8 WhisperGate\r\n033fa3ae260e465da3d541bc138d2e1d WhiteBlackCrypt x32\r\n4a6bec571521881b387b9de3d7b06aa0 WhiteBlackCrypt x32\r\n072da4148add1d8ee1e691cb94b31737 WhiteBlackCrypt x32\r\n99bd77ae4a287904c813960727046d80 WhiteBlackCrypt x32\r\nb36e5c508efea796731d444c189b413c WhiteBlackCrypt x64\r\n490d8cdaf68619f23a2e03f55fd9e33e Pandora hVNC\r\n6942546805623a1648960ffdc91d1cff Pandora hVNC\r\nc2cbd5caa9012e4878ff35c31cb2122f Pandora hVNC\r\n02190c8c52bfafe4fa69b2972f867c1b Pandora hVNC\r\ne34d6387d3ab063b0d926ac1fca8c4c4 MicroBackdoor spearphishing ZIP archive\r\n2556a9e1d5e9874171f51620e5c5e09a MicroBackdoor CHM dropper\r\nbc6932a0479045b2e60896567a37a36c MicroBackdoor JS dropper\r\nMore IoCs are available to customers of the Kaspersky Intelligence Reporting service. Contact:\r\nintelreports@kaspersky.com\r\nSource: https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/webinar-on-cyberattacks-in-ukraine-summary-and-qa/106075/"
	],
	"report_names": [
		"106075"
	],
	"threat_actors": [
		{
			"id": "8670f370-1865-4264-9a1b-0dfe7617c329",
			"created_at": "2022-10-25T16:07:23.69953Z",
			"updated_at": "2026-04-10T02:00:04.716126Z",
			"deleted_at": null,
			"main_name": "Hades",
			"aliases": [
				"Operation TrickyMouse"
			],
			"source_name": "ETDA:Hades",
			"tools": [
				"Brave Prince",
				"Gold Dragon",
				"GoldDragon",
				"Lovexxx",
				"Olympic Destroyer",
				"Running RAT",
				"RunningRAT",
				"SOURGRAPE",
				"running_rat"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434171,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a457a7f5978e8077b628ab30249cc2f017f094e.pdf",
		"text": "https://archive.orkl.eu/9a457a7f5978e8077b628ab30249cc2f017f094e.txt",
		"img": "https://archive.orkl.eu/9a457a7f5978e8077b628ab30249cc2f017f094e.jpg"
	}
}