Cyberattack on Russian Strategic Bomber Maker: Implications and Analysis


Key Takeaways:

  • Ukraine’s HUR claims cyberattack on Tupolev, a Russian strategic bomber manufacturer.
  • Qilin ransomware exploits Fortinet vulnerabilities, impacting critical services.
  • PathWiper data wiper malware targets critical infrastructure in Ukraine.
  • Proactive cybersecurity measures are essential for mitigating such threats.


Ukraine’s Military Intelligence Claims Cyberattack on Russian Strategic Bomber Maker

Recent reports have emerged detailing a significant cyberattack targeting Tupolev, a major Russian state-owned aircraft manufacturer known for its strategic bombers. This incident, claimed by Ukraine’s military intelligence (HUR), together with the exploitation of Fortinet vulnerabilities by the Qilin ransomware group, underscores the increasing complexity and severity of cyber warfare and its impact on critical infrastructure. This post provides an analysis of these events, their potential consequences, and actionable advice for mitigating similar threats.

Ukraine’s military intelligence agency (HUR) has claimed responsibility for a cyberattack against Tupolev, a key player in Russia’s aerospace industry. This alleged breach occurred shortly after a series of drone strikes by Ukraine on Russian air bases, targeting aircraft manufactured by Tupolev. According to HUR, the cyberattack successfully penetrated Tupolev’s internal systems, granting access to over 4.4 gigabytes of sensitive data. This data purportedly includes internal communications, personnel files, purchase records, and notes from closed-door meetings.

HUR stated that it now possesses comprehensive information on individuals involved in servicing Russia’s fleet of strategic bombers, some of which have been used to launch missiles at Ukrainian cities. In a statement to local media, HUR asserted, “There is nothing secret left in Tupolev’s activities for Ukrainian intelligence,” further suggesting that “The result of the operation will be noticeable both on the ground and in the sky.”

Adding a layer of symbolic warfare, HUR also claimed to have replaced the homepage of Tupolev’s website with an image of an owl clutching a Russian aircraft, a symbol associated with HUR’s cyber operations. At the time of the report, the Tupolev website was inaccessible.

As of the reporting date, independent verification of these claims has been challenging. Neither Tupolev nor Russian officials have issued public statements regarding the alleged breach. However, if confirmed, this cyberattack represents a significant intelligence victory for Ukraine and a potential disruption to Russia’s military-industrial complex.

Context and Background

Tupolev, a legacy of the Soviet aerospace industry, has been under U.S. and Western sanctions since Russia’s full-scale invasion of Ukraine began in 2022. The company is responsible for designing and manufacturing strategic bombers such as the Tu-95, Tu-22M3, and Tu-160. These aircraft have been instrumental in Russia’s military operations, including launching missile strikes against Ukrainian cities.

The cyberattack on Tupolev follows a series of Ukrainian drone offensives targeting Russian air bases. These attacks reportedly damaged or destroyed more than 40 long-range bombers, including those manufactured by Tupolev. The drones were purportedly launched from mobile platforms hidden inside Russian territory, showcasing Ukraine’s evolving capabilities in asymmetric warfare.

Potential Implications

If the claims made by HUR are accurate, the cyberattack on Tupolev could have several significant implications:

  • Intelligence Gathering: Access to internal communications, personnel files, and purchase records could provide Ukraine with valuable intelligence on Russia’s military capabilities, supply chains, and strategic planning.
  • Disruption of Operations: The breach could disrupt Tupolev’s operations by compromising internal systems, delaying production, and affecting maintenance schedules.
  • Psychological Impact: The attack could have a demoralizing effect on Tupolev’s employees and undermine confidence in Russia’s ability to protect its critical infrastructure.
  • Erosion of Trust: The compromise of sensitive data could erode trust between Tupolev and its partners, potentially affecting future collaborations and contracts.


Qilin Ransomware Exploits Fortinet Vulnerabilities

In a separate but equally concerning development, the Qilin ransomware operation has been actively exploiting critical vulnerabilities in Fortinet devices. Qilin, also known as Phantom Mantis, operates under the Ransomware-as-a-Service (RaaS) model and has claimed responsibility for attacks on over 310 victims since its emergence in August 2022. The group’s targets include high-profile organizations across various sectors.

Recent reports indicate that Qilin ransomware attacks now exploit two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely.

Victims of Qilin ransomware include:

  • Yangfeng, an automotive giant.
  • Lee Enterprises, a publishing giant.
  • Australia’s Court Services Victoria.
  • Synnovis, a pathology services provider.

The attack on Synnovis had a cascading effect, impacting several major NHS hospitals in London, leading to the cancellation of hundreds of appointments and operations.

PRODAFT, a threat intelligence company, has observed that Qilin ransomware attacks are increasingly targeting organizations in Spanish-speaking countries. However, they anticipate that the campaign will expand worldwide, selecting targets opportunistically rather than following a strict geographical or sector-based pattern.

Vulnerabilities Exploited

Qilin ransomware attacks exploit the following Fortinet vulnerabilities:

  • CVE-2024-55591: This vulnerability was exploited as a zero-day by other threat groups as far back as November 2024. The Mora_001 ransomware operator has also used it to deploy the SuperBlack ransomware strain linked to the LockBit cybercrime gang.
  • CVE-2024-21762: This vulnerability was patched in February, with CISA adding it to its catalog of actively exploited security flaws.

Despite the availability of patches, a significant number of devices remain vulnerable. The Shadowserver Foundation reported that nearly 150,000 devices were still vulnerable to CVE-2024-21762 attacks almost a month after the patch was released.

Historical Context of Fortinet Exploits

Fortinet vulnerabilities are frequently exploited in cyber espionage campaigns and ransomware attacks. For example, in February, Fortinet disclosed that the Chinese Volt Typhoon hacking group used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger custom remote access trojan (RAT) malware. This malware had previously been used to backdoor a Dutch Ministry of Defence military network.

PathWiper Data Wiper Malware Hits Critical Infrastructure in Ukraine

Adding another layer of complexity to the cyber threat environment, a new data wiper malware named ‘PathWiper’ has been identified in targeted attacks against critical infrastructure in Ukraine. This malware is designed to disrupt operations by destroying data on compromised systems.

The payload is deployed through a legitimate endpoint administration tool, indicating that attackers had achieved administrative access to the system through a prior compromise.

Cisco Talos researchers have attributed this attack with high confidence to a Russia-linked advanced persistent threat (APT). They compare PathWiper to HermeticWiper, previously deployed in Ukraine by the ‘Sandworm’ threat group, noting similar functionality.

PathWiper’s Functionality

PathWiper operates by:

  • Executing via a Windows batch file that launches a malicious VBScript.
  • Identifying all connected drives (local, network, dismounted) on the system.
  • Dismounting volumes using Windows APIs to prepare them for corruption.
  • Creating threads for each volume to overwrite critical NTFS structures.

The malware targets critical system files in the root directory of the NTFS, including:

  • MBR (Master Boot Record)
  • $MFT (Master File Table)
  • $LogFile
  • $Boot

PathWiper overwrites these files with random bytes, rendering impacted systems completely inoperable. The observed attacks do not involve extortion, indicating that the sole aim is destruction and operational disruption.
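As an added illustration (not code from the original post, nor from Cisco Talos), the following Python scores constructed Sysmon-style events for two of the behaviours described above: a batch file spawning a script host, and a single process touching several raw volumes within a short window. The field names, the sample events, and the thresholds are assumptions made for this example.

```python
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed telemetry (Sysmon-like fields): a .bat -> VBScript -> payload chain
# that opens three raw volumes, plus one benign single-volume raw access.
EVENTS = [
    {"type": "process", "pid": 400, "ppid": 120, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\ProgramData\upd.bat", "ts": 0},
    {"type": "process", "pid": 412, "ppid": 400, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\ProgramData\upd.vbs", "ts": 1},
    {"type": "process", "pid": 420, "ppid": 412, "image": r"C:\ProgramData\svc.exe", "cmdline": "svc.exe", "ts": 2},
    {"type": "rawaccess", "pid": 420, "device": r"\\.\C:", "ts": 3},
    {"type": "rawaccess", "pid": 420, "device": r"\\.\D:", "ts": 3},
    {"type": "rawaccess", "pid": 420, "device": r"\\.\E:", "ts": 4},
    {"type": "rawaccess", "pid": 900, "device": r"\\.\C:", "ts": 50},  # e.g. a backup agent
]

def ancestry(procs, pid):
    # Yield pid followed by every recorded ancestor pid.
    while pid in procs:
        yield pid
        pid = procs[pid]["ppid"]

def detect(events, min_volumes=2, window=10):
    """Return (rule, pid) alerts for the wiper-like behaviours described above."""
    alerts, procs = [], {e["pid"]: e for e in events if e["type"] == "process"}
    # Rule 1: script host whose parent is cmd.exe running a batch file.
    flagged = set()
    for p in procs.values():
        parent = procs.get(p["ppid"])
        if (p["image"].lower().endswith(SCRIPT_HOSTS) and parent
                and parent["image"].lower().endswith("cmd.exe")
                and ".bat" in parent["cmdline"].lower()):
            flagged.add(p["pid"])
            alerts.append(("batch_to_vbscript", p["pid"]))
    # Rule 2: one process opening several distinct raw volumes within `window`
    # seconds, the pattern of a wiper spawning a thread per volume.
    raw = defaultdict(list)
    for e in events:
        if e["type"] == "rawaccess":
            raw[e["pid"]].append(e)
    for pid, acc in raw.items():
        acc.sort(key=lambda e: e["ts"])
        for i, first in enumerate(acc):
            vols = {e["device"] for e in acc[i:] if e["ts"] - first["ts"] <= window}
            if len(vols) >= min_volumes:
                alerts.append(("multi_volume_raw_access", pid))
                # Rule 3: raw access by a descendant of a flagged script host.
                if any(a in flagged for a in ancestry(procs, pid)):
                    alerts.append(("wiper_chain", pid))
                break
    return alerts
```

The single raw-volume access by the backup agent stays below the threshold, so only the scripted chain produces alerts; tune `min_volumes` and `window` against your own baseline before deploying such logic.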

Broader Context of Data Wipers in Ukraine

Data wipers have been a recurring tool in attacks on Ukraine since the beginning of the conflict, with Russian threat actors commonly using them to disrupt critical operations. Other wipers used in these attacks include DoubleZero, CaddyWiper, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain.

Practical Takeaways and Actionable Advice

The incidents involving Tupolev, Qilin ransomware, and PathWiper malware highlight several key areas that organizations need to address to enhance their cybersecurity posture:

  • Vulnerability Management: Implement a rigorous vulnerability management program to identify and patch security flaws in a timely manner. This includes regularly scanning for vulnerabilities, prioritizing patches based on risk, and monitoring for new threats.
  • Access Controls: Enforce strong access controls to limit the ability of attackers to move laterally within the network. This includes implementing multi-factor authentication, least privilege principles, and network segmentation.
  • Incident Response Planning: Develop and regularly test an incident response plan to ensure that the organization can effectively respond to and recover from cyberattacks. This includes identifying key stakeholders, defining roles and responsibilities, and establishing communication channels.
  • Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoints for malicious activity and provide early warning of potential attacks. EDR solutions can also help to contain and remediate incidents more effectively.
  • Data Backup and Recovery: Implement a robust data backup and recovery strategy to ensure that critical data can be restored in the event of a cyberattack or other disaster. This includes regularly backing up data, storing backups in a secure location, and testing the recovery process.
  • Security Awareness Training: Provide regular security awareness training to employees to educate them about the latest threats and how to avoid becoming victims of cyberattacks. This includes training on phishing, social engineering, and other common attack vectors.
  • Supply Chain Risk Management: Assess and manage the security risks associated with third-party vendors and suppliers. This includes conducting due diligence on vendors, establishing security requirements in contracts, and monitoring vendor compliance.

Technical readers should focus on:

  • Implementing and maintaining a cyber threat intelligence platform.
  • Deploying real-time ransomware intelligence feeds.
  • Utilizing dark web monitoring services.
  • Implementing Telegram threat monitoring.
  • Integrating live ransomware APIs for automated response.
  • Improving breach detection capabilities.
  • Strengthening supply-chain risk monitoring.
  • Leveraging underground forum intelligence.
  • Setting up brand leak alerting systems.

Non-technical readers should focus on:

  • Ensuring that cybersecurity is a priority at the executive level.
  • Allocating sufficient resources to cybersecurity.
  • Establishing clear lines of communication between IT and business units.
  • Promoting a culture of security awareness throughout the organization.

The ongoing cyber activities highlight the need for proactive and adaptive cybersecurity measures. By implementing these strategies, organizations can significantly reduce their risk of becoming victims of cyberattacks and protect their critical assets.

PurpleOps and Cyber Threat Intelligence

PurpleOps specializes in providing comprehensive cybersecurity solutions that can help organizations defend against these types of threats. Our services include:

  • Cyber Threat Intelligence Platform: Aggregates and analyzes threat data from various sources to provide actionable intelligence.
  • Real-time Ransomware Intelligence: Delivers up-to-the-minute information on ransomware threats, including new variants and attack patterns.
  • Dark Web Monitoring Service: Monitors the dark web for stolen credentials, leaked data, and other information that could be used to target your organization.
  • Breach Detection: Identifies and responds to security breaches in real-time.
  • Supply-Chain Risk Monitoring: Assesses and manages the security risks associated with third-party vendors and suppliers.
  • Underground Forum Intelligence: Provides insights into the tactics, techniques, and procedures (TTPs) used by cybercriminals.
  • Brand Leak Alerting: Notifies you when your brand or sensitive information is leaked online.

These services, combined with proactive threat monitoring and incident response capabilities, enable organizations to maintain a secure and resilient IT environment.

To learn more about how PurpleOps can help your organization protect itself from cyberattacks, please contact us for a consultation.

FAQ

Q: What is a cyberattack?

A: A cyberattack is a malicious attempt to damage or disrupt computer systems, networks, or devices.

Q: What is ransomware?

A: Ransomware is a type of malware that encrypts a victim’s files and demands a ransom payment for their decryption.

Q: What is a data wiper?

A: A data wiper is a type of malware that destroys data on a compromised system.

Q: How can I protect my organization from cyberattacks?

A: Implement a rigorous vulnerability management program, enforce strong access controls, develop and regularly test an incident response plan, deploy endpoint detection and response (EDR) solutions, and implement a robust data backup and recovery strategy.