With the Russian invasion of Ukraine still underway, Ukrainians face new cyber threats practically every day. There has been a constant back-and-forth between the two sides, each taking turns targeting critical organizations in the other's country.
Most recently, Russian threat actors have taken aim at a large software development company in Ukraine that is utilized by various government agencies within the country, according to a report from Cisco Talos.
Security researchers discovered what they describe as a "fairly uncommon piece of malware": a modified version of the open source backdoor named "GoMet."
The report notes that because the company does software development, the state-sponsored threat actor was likely trying to gain access in order to launch a supply chain style attack, though there is no evidence that access was obtained.
What is the GoMet backdoor?
Cisco Talos says that the history of the GoMet backdoor is "rather curious."
There are two documented cases of its use by sophisticated threat actors. Both cases start with the exploitation of a publicly known vulnerability on appliances where the threat actor drops GoMet as a backdoor. Cisco explains:
"The original GoMet author posted the code on GitHub on March 31, 2019 and had commits until April 2, 2019. The commits didn't add any features but did fix some code convention aesthetics.
The backdoor itself is a rather simple piece of software written in the Go programming language. It contains nearly all the usual functions an attacker might want in a remotely controlled agent. Agents can be deployed on a variety of operating systems (OS) or architectures (amd64, arm, etc.).
GoMet supports job scheduling (via Cron or task scheduler depending on the OS), single command execution, file download, file upload or opening a shell.
An additional notable feature of GoMet lies in its ability to daisy chain—whereby the attackers gain access to a network or machine and then use that same information to gain access to multiple networks and computers—connections from one implanted host to another. Such a feature could allow for communication out to the internet from otherwise completely 'isolated' hosts."
The threat actors made one significant modification to the backdoor: the original code executed once every hour on the hour, while the modified version executes every two seconds.
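A tight, fixed cadence like the two-second interval described above is exactly the kind of regularity a defender can look for in connection telemetry. The script below is an added illustration for this article, not code from Cisco Talos or from the GoMet project: it groups outbound connections per source/destination pair and flags pairs whose gaps are almost constant. The log format and the sample log lines are constructed for the example, and the thresholds (`min_events`, `max_cv`) are assumed starting points, not values from the report.

```python
"""Flag hosts whose outbound connections repeat at a fixed interval.

Added illustration for this article, not code from Cisco Talos or GoMet.
Assumed (constructed) log format, one connection per line:
    <ISO-8601 timestamp> <source host> <destination ip:port>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real telemetry): host-a reaches one destination
# every 2 s, like the modified implant's cadence; host-b connects irregularly.
SAMPLE_LOG = """\
2022-07-21T10:00:00 host-a 203.0.113.5:443
2022-07-21T10:00:02 host-a 203.0.113.5:443
2022-07-21T10:00:04 host-a 203.0.113.5:443
2022-07-21T10:00:06 host-a 203.0.113.5:443
2022-07-21T10:00:08 host-a 203.0.113.5:443
2022-07-21T10:00:10 host-a 203.0.113.5:443
2022-07-21T10:00:12 host-a 203.0.113.5:443
2022-07-21T10:00:01 host-b 198.51.100.7:443
2022-07-21T10:00:09 host-b 198.51.100.7:443
2022-07-21T10:00:10 host-b 198.51.100.7:443
2022-07-21T10:00:31 host-b 198.51.100.7:443
2022-07-21T10:00:33 host-b 198.51.100.7:443
2022-07-21T10:00:58 host-b 198.51.100.7:443
2022-07-21T10:01:14 host-b 198.51.100.7:443
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination), sorted in time."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for stamps in flows.values():
        stamps.sort()
    return flows


def interval_stats(stamps):
    """Return (mean gap in seconds, coefficient of variation) for sorted timestamps.

    A coefficient of variation near 0 means the gaps are nearly identical,
    which is typical of an automated check-in rather than a human user.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else float("inf")
    return m, cv


def find_beacons(text, min_events=6, max_cv=0.1):
    """Return {(src, dst): mean interval} for flows with near-constant gaps."""
    hits = {}
    for key, stamps in parse_log(text).items():
        if len(stamps) < min_events:  # too few events to judge regularity
            continue
        m, cv = interval_stats(stamps)
        if cv <= max_cv:
            hits[key] = m
    return hits


if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: fixed {gap:.1f}s interval")
```

Two caveats when applying this to real data: legitimate software (monitoring agents, NTP, health checks) also beacons on a fixed schedule, so the output is a triage list rather than a verdict, and an implant that adds random jitter will raise the coefficient of variation, so the `max_cv` threshold has to be tuned against your own baseline rather than copied from here.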
Cisco Talos says it expects to see continued deployment of cyber weapons targeting Ukraine as the war goes on.
For more technical information and a flow of the GoMet code, see the full report.
FBI trains Ukrainian cyber officials
It feels as though the whole world has Ukraine's back while it tries to fight off Russia, particularly on the cyber front of the war.
SecureWorld News previously reported on how the cybersecurity community has stepped up to help defend Ukraine, and companies such as Microsoft have done their part by blocking cyberattacks targeting organizations in the country.
The FBI also recently flew a delegation of cybersecurity officials from five different government agencies in Ukraine to New York to attend a bureau-hosted conference and meetings in Washington, D.C. with America's top cyber officials, according to CyberScoop.
The Ukrainian officials have also been invited to meet with CISA Director Jen Easterly, who plans to discuss how CISA "can deepen collaboration with our Ukrainian partners," according to a CISA spokesperson.
This is just one of many examples of how the world is coming to Ukraine's aid during this incredibly difficult time for the country.