This blog is the latest in a series dedicated to Zhadnost, a Russia-aligned botnet first discovered by SecurityScorecard in March. Previous Zhadnost related blog posts can be found here.
Executive Summary: Zhadnost’s DDoS Attack on Ukrposhta
SecurityScorecard (SSC) identified a Zhadnost DDoS attack that targeted the website of the Ukrainian postal service, Ukrposhta.
The attack lasted just over 16 hours and was launched by nearly 1,000 bots, which are now considered to be part of the Zhadnost botnet.
The majority of the bots were MikroTik routers located in Indonesia, Thailand, and the Philippines.
The DDoS attack used DNS amplification, similar to previous Zhadnost attacks on Ukrainian government and financial websites in February.
The attack coincides with the release of a new Ukrainian postage stamp depicting a Ukrainian soldier making a crude gesture towards the sunken Russian warship, “Moskva”.
SSC observes the first time use of Russia-based bots and the re-use of Zhadnost infrastructure, a possible indication Zhadnost is starting to exhaust its inventory of unique infrastructure.
Outlook on the DDoS Attack
The DDoS attack against Ukrposhta’s website was successful in temporarily disrupting the online sales of the stamp. However, Ukrposhta was able to establish a different online store and ultimately sell over 86,000 stamps. SSC continues to assess with moderate confidence that Zhadnost is aware of the limited and temporary impact of its DDoS attacks, yet conducts them anyway to harass its victims and serve warning that further, more destructive attacks could be next.
Recommendations for Data Security
It is critical to put DDoS mitigations in place, via a service like Cloudflare, Akamai, or AWS Cloudfront. Having only a firewall will not stop the volume of traffic we have observed during a Zhadnost DDoS attack.
Furthermore, blocking Russian IPs will not stop DDoS attacks. The attacks are coming from across the world leveraging open proxies and DNS resolvers located all over the world.
It’s important that DNS resolvers and proxy servers are configured to only accept requests from internal IP addresses and authorized users, unless there is a practical reason not to do so. Zhadnost relies on open proxies and DNS resolvers for its bot infrastructure. If all of these services were properly configured, it would be a crippling blow to Zhadnost.
Background of Ukrposhta and Zhadnost
“Russian warship, go f$ck yourself.” These were the final words boldly communicated to the Moskva, the flagship of Russia’s Black Sea fleet, after it called for the surrender of 13 Ukrainian border guards defending Snake Island. Although the defense of the island ultimately failed, these now famous words of defiance became a rallying cry for Ukrainian resistance, and the Moskva no doubt became an important and symbolic target for the Ukrainian military.
Fast forward nearly two months to April 13. The Russian invasion of Ukraine continues, millions have been displaced, thousands have been killed. The Moskva is patrolling 65 miles off the coast of Odessa with a ship’s complement of nearly 400 sailors. What happened next is subject to debate. According to Russian sources, a fire broke out, which caused munitions to explode. The crew tried to save the ship but their efforts failed, and the ship sank in stormy seas. According to Ukrainian and Western sources, the Moskva was struck by two R-360 Neptune anti-ship missiles, fired from a land-based launcher near Odessa. The missiles caused a massive explosion that led to the abandonment and sinking of the ship several hours later. Regardless of how the Moskva was sunk, it represents a massive operational and emblematic loss to Russia, and another extremely valuable “go f$ck yourself” moment to improve the morale of Ukrainian defenders.
Image 1: A purported image of Moskva on fire and listing following the event that led to its loss. (Source: Unknown)
It didn’t take long for Ukraine’s National Postal Service, Ukrposhta, to seize the opportunity to issue a stamp honoring the defiance of the Snake Island border guards. The stamp, shown below, depicts a Ukrainian defender “flipping the bird” to the Moskva.
Image 2: Ukrainian postage stamp. (Source: Ukrposhta)
Zhadnost DDoS Attack
The stamp was released on April 10, and 2 days later, the Moskva was sunk, further increasing the already huge demand for the stamp. On April 22, Ukrposhta opened online sales for the stamp, and was quickly bombarded with orders from legitimate customers. However, after a few hours, Ukrposhta’s CEO Igor Smelyansky announced on his Facebook profile that online sales of the stamp would be suspended due to an ongoing DDoS attack on Ukrposhta’s systems.
SSC resolved the IP address Ukrposhta’s website and conducted netflow analysis for the period corresponding with the DDoS attack. Our data shows a sustained DNS Amplification attack, lasting approximately 16 hours, launched by nearly 1,000 unique IP addresses, spanning multiple countries and continents. The most active bots were located in Indonesia, Thailand, and the Philippines. As is typical with Zhadnost, the majority of the bots are MikroTik routers, with DNS incursion enabled on port 53. 16 of the bots were located in Russia, of note since this is the first attack in which we have observed Zhadnost using Russia-based bots. SSC probed these IPs and it appears that they are all open DNS resolvers, no different than the bots located in other countries.
Image 3: Distribution of Zhadnost bots by country code. (Source: SSC)
Additionally, SSC discovered 34 Zhadnost bots which were also previously used in attacks on Ukrainian Government and Financial websites. This is the first time we have observed the same bot being used in two different attacks, a possible indication that Zhadnost is starting to exhaust its unique infrastructure and is beginning to reuse bots to maintain the desired effect of the attack. (Or it could have just been an oversight on Zhadnost’s part.)
Attribution to Zhadnost
Attributing Zhadnost to any one threat actor continues to prove difficult, given that many botnets rely on compromised and misconfigured MikroTik devices, and that individual bots can be used by more than one botnet. Furthermore, it is difficult to identify the botnet’s command and control infrastructure since the router’s traffic is combined with the legitimate traffic of the devices behind them. However, taking into account that this attack coincided with the sale of a stamp depicting a Ukrainian soldier “flipping off” the now sunk Russian flagship, SSC continues to assess with moderate confidence that Russia-or Russian-aligned actors–are likely behind this Zhadnost DDoS attack.
Indicators of Compromise
Please contact [email protected] for IoCs associated with the Zhadnost botnet, or with any questions or comments.
Threat Intelligence with SecurityScorecard
SecurityScorecard’s threat intelligence could be the competitive advantage your company needs to stay ahead of today’s fast-moving threat actors. If your company would like to access the expertise of SecurityScorecard’s Threat Research and Intelligence team, please contact [email protected].