Hackers Target Russian Federal Air Transport Agency
65 Terabytes of Data Wiped Out, According to Reports
Hackers have allegedly breached the infrastructure of Russia's Federal Air Transport Agency, or Rosaviatsiya, and wiped its entire database and file store, about 65TB of data, including documents, aircraft registration data and emails, from the servers. The agency oversees the civil aviation industry in Russia.
The agency's official website, favt.ru, has remained offline since Monday morning, and the agency has not issued an update, according to specialist publication The Aviation Herald. The publication also released an alleged agency statement saying that Rosaviatsiya is switching to paper-based document handling because of a lack of internet access and a malfunction of its electronic document flow system.
"The document flow procedure is being determined by the current records management instructions. Information exchange will be carried out via AFTN channel (for urgent short message) and postal mail. Please make this information available to all Civil Aviation Organizations," the statement says.
Various Russian media reports claim that the aviation agency's website is undergoing a major restructuring, The Aviation Herald says.
But there are also reports claiming that the mass loss of data may be irretrievable, and sources say that, because of a lack of government funds, many files at Rosaviatsiya were never backed up.
Hacktivist Responsible?
On Tuesday, Ukraine-based Kyiv Post tweeted, attributing the attack to the international hacking collective Anonymous. But the group quickly responded to the post, calling it a "false flag."
Anonymous hacked the servers of the Federal Air Transport Agency.
— KyivPost (@KyivPost) March 29, 2022
Ken Westin, director of security strategy at Cybereason, says he is not surprised by the reported attack, given that all Russian agencies, networks and websites are being targeted by hacktivist groups.
"It looks like they were hit with data-destroying malware and databases were deleted," Westin says. "Many more breaches of various agencies in Russia have taken place since its invasion of Ukraine, but they haven’t been in the news headlines. However, when a major business disruption occurs, Russia is forced to disclose to the public the damage caused because systems aren't operating."
Anonymous declared a full cyberwar on Russia late last month. Almost immediately, the group claimed to have hacked websites connected to the Russian government, state media and banks (see: Anonymous Extends Its Russian Cyberwar to State-Run Media).
The decentralized collective also reportedly hit the government website for Chechnya, a Russian republic that has vowed military support for Russia.
Anonymous also targeted several Russian state-run media outlets, including Tass, Izvestia, Fontanka, RBC and Kommersant, leaving antiwar messages on their websites. The group also reportedly leaked more than 200GB of emails from the Belarusian weapons manufacturer Tetraedr and claimed credit for hacking Russian ISPs.
"The main challenge in such attacks is attribution. Unlike physical conflicts, attacks in the cyber domain are very challenging when attempting to prove that an attack was carried out by a specific person, entity, or even nation," says Avishai Avivi, CISO at SafeBreach, a breach and attack simulation platform.
Avivi says this destructive attack does not appear to be the work of a nation-state, much less of the U.S., and that the claim that it wiped out 65TB of data points to a hacktivist operation.
"There is no real tactical or strategic value to this type of operation," Avivi says. "Even if the attack can be traced back to an IP address that belongs to a host physically located in the U.S., it will still not be conclusive evidence that the attack originated there. Malicious actors will often compromise a random machine, then use that machine to pivot and attack the real target. This method is referred to as using a jump host. The more sophisticated hackers will use several jump hosts before executing the actual attack. This is why attribution is so difficult and why it is unlikely the U.S. is behind this attack."
Russia Blames West
On Tuesday, Russia's Ministry of Foreign Affairs accused the U.S. of attacking the country's critical infrastructure and network systems in a massive cyberattack.
"At the suggestion of the Kiev regime, an 'international call' has been announced for anti-Russian computer specialists, who, in fact, form 'offensive cyber forces.' The bill for malicious attacks against us is hundreds of thousands per day," the ministry says.
Sam Curry, chief security officer at Cybereason, tells Information Security Media Group that Russia's recent allegations against the U.S. for attacking the country's critical infrastructure and network systems are possibly true, but Russia is always looking to manufacture pretexts.
"Ukrainian President Zelenskyy put it best when he was falsely accused of using chemical weapons against Russia and said it was frightening because Russia always accuses others of what they are about to do," says Curry.
The Ministry of Foreign Affairs says that fake information is being disseminated "with the aim of disorienting and demoralizing Russian society, discrediting the actions of the Armed Forces of the Russian Federation and government agencies, stimulating illegal activity among the population, hindering the work of various sectors of the economy and sowing fear and instability."
Petko Stoyanov, CTO at Forcepoint, says the confrontation now playing out across physical, cyber and information front lines is extremely complex and constantly changing. He says Russia has a history of combining disinformation with physical attacks, and of working with criminal groups or copying their tactics.
"Continued and escalating cyberattacks are a key facet of modern military conflict - not only on military systems and networks, but also on critical infrastructure targets as the Russian Foreign Ministry is claiming here. What's difficult to tell in the cyber world is who is responsible for a particular attack," Stoyanov says.
"An army of cyber mercenaries is waging war against us, facing specific combat missions, often bordering on open terrorism. Our specialized structures are effectively resisting these attacks, giving them a powerful rebuff," the Ministry of Foreign Affairs says.
The ministry statement was devoid of details, sources or evidence around these alleged attacks, says Adam Seamons, systems and security engineer at GRC International Group.
"However, there was plenty of rhetoric, unfounded accusations and the usual amount of saber rattling, which we've come to expect from the Putin regime. It is well known Russia's actions in Ukraine have drawn scorn by many cyber hacktivist groups such as Anonymous. Suffice to say, invading countries and killing civilians has consequences, some of which can be realized in cyber vigilantism," Seamons says.
A spokesperson for the National Security Agency was not immediately available to comment.