{"id":614,"date":"2018-12-14T15:50:30","date_gmt":"2018-12-14T13:50:30","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=614"},"modified":"2026-06-08T22:32:19","modified_gmt":"2026-06-08T22:32:19","slug":"hybrid-cyber-warfare-russia-ukraine-italy","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/hybrid-cyber-warfare-russia-ukraine-italy\/","title":{"rendered":"Hybrid Cyber Warfare between Russia and Ukraine \u2014 Italy among the targets"},"content":{"rendered":"<p style=\"text-align: justify\"><span style=\"font-size: 14pt\">In November, two foreign security firms identified a new malware exploiting an <strong>Adobe Flash Player zero-day<\/strong> (<span><strong>CVE-2018-15982<\/strong>) embedded within a <strong>Word document<\/strong>. Both organizations attributed the offensive operation to a malware attack against a <strong>Russian<\/strong> clinic conducted by the <strong>Ukrainian<\/strong> government.<\/span><\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-size: 14pt\">Our telemetry permits us to <strong>extend<\/strong> the scope of <strong>offensive operations to Russian and Eastern European financial institutions<\/strong>. The hypothesis that the attack source is a state actor rather than an APT group developing proprietary tools is reinforced by the incongruence between malware sophistication levels and evident operational security failures during the offensive campaign.<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-size: 14pt\">In the recent history of conventional and non-conventional warfare between Russia and Ukraine, the cyber dimension of operations conducted by both sides warrants consideration. 
Recent cyber intrusions demonstrate the current state of <em><strong>Hybrid Cyber Warfare<\/strong><\/em> between the parties.<\/span><\/p>\n<p style=\"text-align: justify\"><span style=\"font-size: 14pt\">Although operations appear <strong>virtually confined<\/strong> to systems within both nations, <strong>our intelligence indicates the presence of an Italian financial institution among attack targets<\/strong>.<\/span><\/p>\n<table border=\"1\" style=\"border-collapse: collapse;width: 100%;height: 378px\">\n<tbody>\n<tr style=\"height: 378px\">\n<td style=\"width: 58.5333%;height: 378px\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/12\/banche.png\" alt=\"\" width=\"546\" height=\"427\" class=\"alignnone wp-image-615 zoooom\" loading=\"lazy\"><\/td>\n<td style=\"width: 41.4667%;height: 378px\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/12\/tabella.png\" alt=\"\" width=\"328\" height=\"163\" class=\"alignnone wp-image-618 zoooom\" loading=\"lazy\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: center\"><em>National attribution of targeted institutions<\/em><\/p>\n<p style=\"text-align: justify\">This significant finding underscores the necessity for all organizations\u2014whether strategically critical to national infrastructure or not\u2014to <strong>upgrade defensive capabilities against this class of attacks<\/strong> and <strong>adversarial intrusions<\/strong>.<\/p>\n<p style=\"text-align: justify\">The importance of <strong>countering targeted, persistent, and sophisticated attacks<\/strong> is evident.<\/p>\n<h1 style=\"text-align: justify\">Why Hybrid Cyber Warfare?<\/h1>\n<p style=\"text-align: justify\"><strong>Hybrid Cyber Warfare<\/strong> denotes a military strategy combining <strong>irregular<\/strong>, <strong>conventional<\/strong>, and <strong>cyber<\/strong> warfare. 
<strong>NATO<\/strong> has addressed <strong>Hybrid Warfare<\/strong>, defining it as warfare that &#8220;<em>simultaneously employ conventional and non-conventional means adaptively in pursuit of one&#8217;s objectives<\/em>&#8220;.<\/p>\n<p style=\"text-align: justify\"><strong>Hybrid Warfare<\/strong> references:<\/p>\n<ul>\n<li style=\"text-align: justify\"><span style=\"font-size: 12pt\"><strong>European Parliament<\/strong> &#8211; <a href=\"http:\/\/www.europarl.europa.eu\/RegData\/etudes\/ATAG\/2015\/564355\/EPRS_ATA(2015)564355_EN.pdf\">LINK PDF<\/a><\/span><\/li>\n<li style=\"text-align: justify\"><span style=\"font-size: 12pt\"><strong>NATO<\/strong> &#8211; <a href=\"https:\/\/www.act.nato.int\/nato-countering-the-hybrid-threat\">LINK<\/a><\/span><\/li>\n<\/ul>\n<h1 style=\"text-align: justify\">Malware Capabilities<\/h1>\n<p style=\"text-align: justify\">Our telemetry does not permit identification of systems actually compromised; however, the attack demonstrates <strong>considerable complexity and technical sophistication<\/strong>. The malware accesses <strong>system information<\/strong> and is capable of executing <strong>lateral movement within compromised infrastructure<\/strong>. Exploitation of the <strong>Adobe Flash Player<\/strong> vulnerability enables code execution without user interaction. Opening the malicious document is <strong>sufficient for system compromise<\/strong>. Through <a href=\"https:\/\/fortgale.com\/en\/cyber-threat-intelligence\/\">Cyber Threat Intelligence<\/a> collection, we have tracked the full attack chain and associated infrastructure.<\/p>\n<h1 style=\"text-align: justify\">Execution and Attack Flow<\/h1>\n<p style=\"text-align: justify\">The attack structure mirrors the operation against the Russian clinic. 
The attacker sends an <strong>email<\/strong> with an attached <strong>Word document<\/strong> and <strong>image<\/strong> compressed within a <strong>.rar archive<\/strong>.<\/p>\n<table border=\"1\" style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/12\/FlashExpl.png\" alt=\"\" width=\"1144\" height=\"921\" class=\"alignnone wp-image-647 zoooom\" loading=\"lazy\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: justify\">The <strong>Word document<\/strong> contains an <em>.swf<\/em> file (<strong>Adobe Flash<\/strong>) embedding the exploit (<strong>CVE-2018-15982<\/strong>). The vulnerability permits the attacker to execute system commands without further user interaction. In this case, the malware &#8220;<strong>NVIDIAControlPanel.exe<\/strong>&#8221; is extracted from the <em>.jpg<\/em> file and copied to &#8220;<span>%APPDATA%\\NVIDIAControlPanel\\NVIDIAControlPanel.exe<\/span>&#8221; (NVIDIA Control Panel Application).<\/p>\n<table border=\"1\" style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 50%\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/12\/backup.png\" alt=\"\" width=\"129\" height=\"127\" class=\"size-full wp-image-648 aligncenter\" loading=\"lazy\"><\/td>\n<td style=\"width: 50%\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/12\/ht1.png\" alt=\"\" width=\"509\" height=\"280\" class=\"alignnone wp-image-649 zoooom\" loading=\"lazy\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: justify\">Persistence on the compromised system is achieved through <strong>Windows Task Scheduler<\/strong> task creation.<\/p>\n<h1>Network Connections<\/h1>\n<p style=\"text-align: justify\">Following initial <strong>system compromise<\/strong>, <strong>persistence 
establishment<\/strong>, and <strong>information gathering (fingerprinting)<\/strong> activities, the malware initiates command-and-control communication via <strong>HTTP protocol<\/strong> to IP address &#8220;<strong>188.241.58.68<\/strong>&#8221;.<\/p>\n<p style=\"text-align: justify\">This infrastructure is hosted within a <strong>Romanian datacenter<\/strong>:<\/p>\n<table border=\"1\" style=\"border-collapse: collapse;width: 100%\">\n<tbody>\n<tr>\n<td style=\"width: 100%\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2018\/12\/whois.png\" alt=\"\" width=\"473\" height=\"211\" class=\"aligncenter wp-image-662 zoooom\" loading=\"lazy\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h1 style=\"text-align: justify\">Threat Hunting &amp; Incident Response<\/h1>\n<p style=\"text-align: justify\">Comprehensive <strong>threat analysis<\/strong>, <strong>attack vector details<\/strong>, <strong>malware samples<\/strong>, and complete <strong>indicators of compromise<\/strong> are available through detailed technical reporting. The full dataset includes <strong>primary threat intelligence<\/strong> and <strong>compromise indicators<\/strong> for the current quarter.<\/p>\n<h1 style=\"text-align: justify\">References<\/h1>\n<p style=\"text-align: justify\">References to malware detections:<\/p>\n<p>https:\/\/atr-blog.gigamon.com\/2018\/12\/05\/adobe-flash-zero-day-exploited-in-the-wild\/<\/p>\n<p>http:\/\/blogs.360.cn\/post\/PoisonNeedles_CVE-2018-15982_EN<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Russia-Ukraine cyber conflict: spillover operations on Italian organisations, attribution signals, defacement and DDoS waves, intelligence-driven defence priorities.<\/p>\n","protected":false},"author":1,"featured_media":615,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[22,32,47,90,3098,3160,435,3158,300,302,3157,3159,3161,365],"class_list":["post-614","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-adobe-flash","tag-apt","tag-banche","tag-cve-2018-15982","tag-ddos","tag-defacement","tag-fortgale-report","tag-hybrid-warfare","tag-romania","tag-russia","tag-russia-ukraine","tag-spillover","tag-state-aligned-actors","tag-ucraina"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/614","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=614"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/po
sts\/614\/revisions"}],"predecessor-version":[{"id":9855,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/614\/revisions\/9855"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=614"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=614"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=614"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}