Threat actors loyal to the Kremlin have stepped up their attacks in support of its invasion of Ukraine, with denial of service attacks hitting German banks and other organizations and the unleashing of a destructive new data wiper on the ‘Ukraine.
German agency BSI, which monitors cybersecurity in that country, said the attacks caused small outages but ultimately caused little damage.
“Currently, some websites are not accessible,” the BSI said in a statement to news agencies. “There are currently no indications of direct effects on the respective service and, in the assessment of the BSI, these are not to be expected if the usual protective measures are taken.”
The distributed denial of service attacks, commonly referred to as DDoS, appeared to come in retaliation for the German government’s decision to allow delivery of its advanced Leopard 2 tanks to Ukraine. Researchers at security firm Cado Labs said on Wednesday that Russian-language hacktivist groups, including one calling itself Killnet, had appealed to its members to launch DDoS against targets in Germany. The campaign, which began on Tuesday as the Leopard 2 tank decision seemed imminent, used the hashtag #ГерманияRIP, which translates to “#GermanyRIP”.
Messages soon followed from other Russian-speaking groups claiming attacks on the websites of major German airports, including Hamburg, Dortmund, Dresden and Düsseldorf; the German development agency GIZ; the site of the German national police; German Bank; and the Giropay online payment system. It was unclear whether any of the attacks succeeded in shutting down the sites.
Another group calling itself Sudan Anonymous also claimed responsibility for DDoS attacks against the websites of German foreign intelligence and the German Cabinet, in support of Killnet.
“As we saw throughout the Russian-Ukrainian war, cyber threat actors react quickly to geopolitical events and successfully unite and mobilize like-minded groups,” the Cado Labs researchers wrote. . “The involvement of a group claiming to be the Sudanese version of Anonymous is interesting to note, as it demonstrates the ability of Russian-speaking hacktivist groups to lead this mobilization and collaboration internationally.”
Killnet appeared shortly after Russia invaded Ukraine. Last June, he took credit for what the Lithuanian government called “intense” DDoS attacks on the country’s critical infrastructure, including parts of the national secure data transfer network, which helps run the Lithuania’s strategy for ensuring national security in cyberspace. Discussions on a Killnet Telegram channel at the time said the attacks were in retaliation for the Baltic government’s closure of transit routes to Russia earlier this month.
In September, security firm Mandiant said it uncovered evidence that Killnet had indirect ties to the Kremlin. Specifically, Mandiant researchers said that Killnet coordinated some of its activities with a group called Xaknet and that Xaknet, in turn, coordinated some activities with threat actors from the Russian Main Intelligence Directorate, or GRU.
In addition, on Friday, researchers from the security company Eset reported that another Kremlin-backed threat actor known as Sandworm has unleashed a never-before-seen data eraser on Ukrainian targets. The destructive malware, dubbed SwiftSlicer, is written in the Go programming language and uses randomly generated 4096-byte blocks to overwrite data.
