Botnet Malware On The Rise
Before a single Russian soldier had set foot on Ukrainian soil, Russian cyber attacks hit military, financial and government targets in Ukraine on February 15-16.
These distributed denial-of-service (DDoS) attacks became relentless once Russia’s military invaded Ukraine on February 24, as the Kremlin sought to weaken its enemy by knocking critical networked infrastructure offline.
These waves of Russian DDoS attacks are, however, only one facet of how the cyber threat landscape in both Ukraine and Russia has changed since then.
Our analysis of data collected from sinkholes and honeypots operated by The Shadowserver Foundation, an internet security NGO, shows major surges in activity from a number of notorious malware families originating from IP addresses in Ukraine and Russia compared to the period prior to February 24, 2022. These surges run counter to trends in the rest of the world.
Of particular concern is increased activity from Ukrainian IP addresses by several strains of malware that enable the spread of botnets.
We also discovered that despite the dismantling of major botnets Avalanche and Andromeda/Gamarue several years ago, some of the key malware families that were hosted on the now-defunct networks have been particularly resurgent in Ukraine and Russia in recent months.
While this is not to suggest that these networks have somehow been resurrected, it’s concerning to observe increases to the threat posed by this malware localized to countries directly involved in a major conflict.
Some of the biggest sustained increases in malware activity in Ukraine since the war began have related to trojans, several of which can be used to create botnets. This suggests that bad actors may have been targeting Ukraine, where cybersecurity has naturally been a lower priority for much of the population, in order to expand their botnets.
This theory is lent further weight by our discovery of a massive localized surge in activity from Ukrainian IPs by a notorious worm that forms a botnet as it spreads.
This has repercussions not only for Ukrainians with infected zombie devices but also for the rest of the world, due to the increased threat posed by botnet expansion.
FURTHER READING: We are monitoring the destruction of internet infrastructure as part of our Ukraine digital rights violations tracker.
While the biggest relative increases in malware activity have come from Ukrainian IP addresses, there have also been notable localized increases in trojan malware activity in Russia that outstrip global trends.
One potential reason for this trend could be efforts to target Russia by Ukraine-based hacktivists and their supporters around the world, who have also been involved in retaliatory DDoS attacks.
As well as looking at localized increases in malware with the potential to accelerate the spread of dangerous botnets, we also analyzed botnet activity and found that DDoS attacks from Ukrainian IP addresses skyrocketed by over 360% in March compared to before February.
It’s likely that at least some of these IP addresses were used to attack local targets in Ukraine and over the border in Russia, as the spike correlates with reported DDoS attacks in the region. However, most of the impact was likely felt elsewhere, on traditional targets such as the U.S.
The map below shows how, during October, application layer attacks from Ukrainian IPs were heavily concentrated on the U.S. and the UK, with only a small fraction of the total focused on Ukraine and Russia.
Use the links below to read detailed analysis of localized increases in activity by individual malware families since February:
Unless noted otherwise, our method for calculating increases in malware activity is to compare the relevant period with the average over the 90 days prior to February 24. See our methodology for more detail on our approach.
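One way to implement the comparison described above, as an added example that is not the authors' or Shadowserver's own code: daily per-country hit counts (constructed here, with "ROW" standing for the rest of the world) are averaged over the 90 days before February 24, compared with the period of interest, and countries whose change diverges from the global trend are flagged as localized surges.

```python
from collections import defaultdict
from datetime import date, timedelta

INVASION = date(2022, 2, 24)          # end of the 90-day baseline window
MARCH = (date(2022, 3, 1), date(2022, 4, 1))

def build_sample():
    """Constructed daily sinkhole hit counts: (day, country, hits).
    Values are invented for illustration; 'ROW' stands for rest of world."""
    rows, d = [], INVASION - timedelta(days=90)
    while d < MARCH[1]:
        ua = 100 if d < MARCH[0] else 460   # flat before, 4.6x from 1 March
        rows.append((d, "UA", ua))
        rows.append((d, "ROW", 1000))       # no change globally
        d += timedelta(days=1)
    return rows

def daily_means(rows, start, end):
    """Mean hits per observed day, per country, over [start, end)."""
    totals, days = defaultdict(int), defaultdict(set)
    for day, country, hits in rows:
        if start <= day < end:
            totals[country] += hits
            days[country].add(day)
    return {c: totals[c] / len(days[c]) for c in totals}

def relative_increase(rows, period_start, period_end, baseline_days=90):
    """Percent change of a period's mean daily hits against the mean over
    the `baseline_days` days before the invasion (the post's method)."""
    base = daily_means(rows, INVASION - timedelta(days=baseline_days), INVASION)
    period = daily_means(rows, period_start, period_end)
    return {c: (period.get(c, 0.0) / base[c] - 1.0) * 100.0
            for c in base if base[c] > 0}

def localized_surges(rows, period_start, period_end, margin=50.0):
    """Countries whose increase exceeds the rest-of-world increase by at
    least `margin` percentage points, i.e. runs counter to the global trend."""
    change = relative_increase(rows, period_start, period_end)
    global_change = change.get("ROW", 0.0)
    return {c: pct for c, pct in change.items()
            if c != "ROW" and pct - global_change >= margin}

def analyze_march():
    rows = build_sample()
    return relative_increase(rows, *MARCH), localized_surges(rows, *MARCH)

if __name__ == "__main__":
    increase, surges = analyze_march()
    for country, pct in increase.items():
        print(f"{country}: {pct:+.0f}% vs 90-day pre-invasion baseline")
    print("localized surges:", surges)
```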
Why did we do this research? The invasion of Ukraine is the first major conflict that has also had an impact in cyberspace. Large-scale cyber attacks are carried out by huge botnets, which are largely made up of unsecured consumer devices that have been infected by malware.
By bringing attention to this cybersecurity issue and its real-world consequences that reach way beyond the owner of an infected device, we hope to improve consumer cybersecurity standards overall.