COMMENTARY. Ukrainian cyber forces have attacked Russian infrastructure and assets almost since the first day of the Russian invasion of Ukraine on Feb. 24, 2022.
While their mainstay is denial-of-service attacks that have knocked out the Russian customs system and grounded flights at Russian airports, among other things, they don't shy away from breaching Russian assets and making off with huge amounts of data.
Other hacktivist groups have also planted their flag firmly on the Ukrainian side.
Smaller groups have also supported Ukraine, such as Network Battalion 65 and Nebula, a newer player on the scene that became active in May 2023.
Regardless of their origin, they share one thing in common: attacking only Russian or Belarusian assets.
Nebula Hits an Unexpected Target
On Oct. 28, Nebula posted screenshots of its breach of Raykasoft, an Iranian company specializing in medical software.
Attacks against non-Russian owned assets by Ukrainian hackers have happened during the conflict, but they are rare.
The IT Army of Ukraine has made it a point to target only Russian and Belarusian assets, no doubt to avoid upsetting Western backers that are providing significant military aid.
Some Western companies still doing business in Russia are anecdotally targeted, but this has been attributed more often to Anonymous than to official Ukrainian cyber forces, whose official stance is to focus on Russia.
In an almost nightmarish scenario for any infosec professional, the screenshots show a half-dozen Meterpreter shells Nebula has open in Insoft's infrastructure.
[Image: Meterpreter sessions connecting to the Insoft infrastructure, with partially blacked-out source IPs.]
Looking at the evidence, it's unlikely that Nebula, while effectively being pro-Ukrainian, is controlled by the SSSCIP or the IT Army of Ukraine.
That it would go after a medical target isn't aligned with the IT Army of Ukraine's philosophy.
In October, the International Committee of the Red Cross released its rules for cyberwarfare during a conflict, which effectively amount to avoiding or minimizing harm to civilian targets, sticking to military targets, and avoiding medical-related targets.
Since the Raykasoft hack, Nebula has returned to Russian targets.
In the first two weeks of November, it took down Refactor-ICS and Insoft, both Russian IT companies.
Looking at the overall picture, it seems that Nebula, being a pro-Ukrainian splinter entity, has merely been opportunistic in its targeting.
It's taken advantage of weak infrastructure to fire a warning shot to Iran - counter to the IT Army of Ukraine's current targeting philosophy.
While Iranian support of Russia is well known, for now cyber activity against Iranian assets remains a one-off.
We'll have to keep an eye on this development to see if it mutates into a more sustained trend against wider Iranian infrastructure.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 10 Jan 2024 15:10:16 +0000