What Google, Amazon and Microsoft revealed about Ukraine’s cyber situation


With limited information coming out of Ukraine about cyber attacks in the country, recent findings released by tech giants Google, Amazon and Microsoft have provided a window into the cyber situation in Ukraine as Russia continues its brutal attack.

All three companies have said they are providing cyber security assistance to Ukraine, whose government said on Saturday it had been seeing “nonstop” distributed denial-of-service (DDoS) attacks by “Russian hackers” since the Russian invasion on February 24.

However, as evidenced by recent reports from Google, Amazon and Microsoft, Ukraine’s computing infrastructure has suffered more than just DDoS attacks in the midst of Russia’s unprovoked military campaign (although we are still concerned about lightning, water and anti-terrorism attacks on infrastructure).

Google, Amazon and Microsoft have a view into the security threat landscape through their giant cloud computing platforms, applications used by many governments and businesses, and a number of security solutions. AWS continues to maintain its lead in the market for cloud infrastructure services, according to Synergy Research Group, with Microsoft Azure at No. 2 and Google Cloud at No. 3.

Following are the latest details released by Google, Amazon and Microsoft about the cyber situation in Ukraine.


Google has said that over the past two weeks its Threat Analysis Group (TAG) has “observed a range of threats that we regularly monitor and are known to law enforcement.” The threat actors include FancyBear / APT28, which researchers have linked to Russia’s Intelligence Directorate (GRU), and Ghostwriter / UNC1151, which researchers have linked to the Belarusian Defense Ministry.

“The activity ranges from espionage to phishing campaigns. We’re sharing this information to help raise awareness among the security community and high-risk users,” Shane Huntley of Google’s Threat Analysis Group said in a blog post on Monday.

FancyBear has launched “some big credential phishing campaigns” targeting users with the ukr.net email address (from Ukrainian media company UkrNet). “Phishing emails are sent from a large number of compromised accounts (non-Gmail / Google), and include links to attacker-controlled domains,” Huntley said.

The two campaigns include the use of new Blogspot domains for the landing page, which then redirects users to a credential phishing site, he said.

Ghostwriter / UNC1151 has previously been blamed for recent phishing attacks targeting Ukrainian military personnel. However, according to a Google blog written by Huntley, the group is attacking not only the Ukrainian government and military institutions, but also the Polish military and government officials. Poland is a member of NATO.

Along with ukr.net, other email providers whose users have been targeted in UNC1151 phishing attacks include i.ua, meta.ua, wp.pl, yandex.ru and rambler.ru.

Meanwhile, a Chinese threat actor known as Mustang Panda (or Temp.Hex) is seeking to take advantage of the situation in Ukraine, according to the Google blog. The group has “targeted European institutions with the lure of the Ukrainian invasion,” Huntley’s blog says, using malicious attachments with file names such as “Ukraine.zip with the situation on EU borders”.

“Included in the zip file is an executable with the same name as the default downloader and when executed, downloads some additional files that load the final payload,” the blog says.

Google has also observed “DDoS efforts against numerous Ukrainian sites, including the Ministry of Foreign Affairs, the Ministry of Internal Affairs, as well as services such as Liveuamap that are designed to help people find information,” the Google blog said.

In response, Google says it has expanded its eligibility criteria for free DDoS protection under Project Shield – “so that Ukrainian government websites, embassies around the world and other governments close to the conflict can stay online, protect themselves and continue to offer their critical services and ensure access to the information needed by the public.”


In a blog post on Friday, Amazon stated that its cloud platform, Amazon Web Services (AWS), is “working closely with Ukrainian customers and partners to secure their applications.”

The work involves the use of best practices in cyber security for Ukrainian customers, as well as “building and supplying technical services and equipment to customers in Ukraine” to help move on-premises infrastructure onto AWS to protect it from any potential physical or virtual attack, Amazon staff said in a blog post.

Over the past two weeks, Amazon has also observed “new malware signatures and activity from a number of state actors we monitor.” Specifics were not provided, but Amazon said it was sharing the threat intelligence it has collected with governments and IT organizations in Europe, North America and other regions.

Significantly, Amazon said it was seeing both an “increase in the activity of malicious state actors” and a “high performance tempo by other malicious actors.”

And, Amazon reports that it has “observed some situations where malware has been specifically targeted at charities, NGOs and other aid organizations in order to spread confusion and disruption.”

“In these particularly serious cases, the malware is targeted to disrupt the relief of medical supplies, food and clothing,” Amazon staff said in a blog post.

An Amazon representative told VentureBeat that the company did not have further details to share about the cyber-attack targeting charities, NGOs and other aid organizations.


That echoes comments made last week by Microsoft President Brad Smith about cyber attacks. In a February 28 blog post, Smith cited cases of cyber attacks targeting humanitarian aid, emergency response services, agriculture and energy. Microsoft also did not provide further specifics.

Recent cyber attacks against these civilian targets in Ukraine “raise serious concerns under the Geneva Conventions,” Smith said in the blog – referring to an international treaty defining what is commonly known as “war crimes.”

In a follow-up blog post on Friday – in which Smith announced that Microsoft would suspend all new sales and services of its products in Russia – the president of Microsoft said that “one of our most effective areas of work is almost certainly the protection of Ukraine’s cyber security.”

“We continue to work actively to protect cyber security officials in Ukraine from Russian attacks, including the recent cyber attack against a major Ukrainian broadcaster,” Smith said.

Ultimately, “since the start of the war, we have taken action against the Russian position, destructive or disruptive measures against more than 20 Ukrainian government, IT and financial sector entities,” he said.

Smith’s previous blog post did not specifically mention Russia in connection with the cyber attack in Ukraine – or the number of attacks on the Ukrainian government, IT and financial institutions.

“We have also taken action against cyber attacks targeting some additional civilian sites,” Smith said. “We have publicly expressed our concern that these attacks on civilians violate the Geneva Conventions.”

Smith’s blog on Friday was Microsoft’s third post last week addressing the cyber situation in Ukraine. On March 2, Microsoft warned that the group behind the “HermeticWiper” cyber attacks – a series of data-wiping malware attacks that hit a number of Ukrainian institutions on February 23 – remained a continuing threat.

“Microsoft assesses that there is a risk of destructive activity from this group, as we have observed follow-on intrusions involving these malicious capabilities since February 23,” the company said in a blog post update.
