IT infrastructure used to launch DDoS attack on Russian targets

CrowdStrike Intelligence warns organisations that their IT infrastructure could be used to launch cyber attacks without their knowledge, after a Docker Engine honeypot was compromised to execute distributed denial of service (DDoS) attacks on Russian and Belarusian websites.

CrowdStrike said that between 27 February and 1 March 2022, a Docker honeypot it had set up to identify container-based cyber attacks was compromised via an exposed Docker Engine API, a technique commonly used by “opportunistic” attackers to infect misconfigured container engines.

It added the honeypots were compromised to execute two different Docker images targeting Russian and Belarusian websites for DDoS attacks, and that these websites overlap with domains already identified and shared as targets by the state-sanctioned Ukraine IT Army (UIA).

The list of targets included Russian websites from a variety of sectors, including government, military, media, finance, energy, retail, mining, manufacturing, chemicals, production, technology, advertisements, agriculture and transportation, as well as those of political parties.

Belarusian websites from the media, retail, government and military sectors were also targeted, as well as three Lithuanian media websites.

“CrowdStrike Intelligence assesses these actors almost certainly compromised the honeypots to support pro-Ukrainian DDoS attacks. This assessment is made with high confidence based on the targeted websites,” it said in a blog post on 4 May 2022, adding the UIA has previously called on its volunteer members to launch DDoS attacks against Russian targets.

“There may be a risk of retaliatory activity by threat actors supporting the Russian Federation, against organisations being leveraged to unwittingly conduct disruptive attacks against government, military and civilian websites.”

Speaking to Container Journal, Adam Meyers, senior vice-president of intelligence at CrowdStrike, said either Russia or Belarus (or groups acting on their behalf) could launch counterstrikes to disable the IT infrastructure used to attack them, leaving organisations as collateral damage in the escalating conflict.

According to the CrowdStrike blog, the first docker image – called abagayev/stop-russia – was hosted on Docker Hub and downloaded more than 100,000 times. “The Docker image contains a Go-based HTTP benchmarking tool named bombardier with SHA256 hash 6d38fda9cf27fddd45111d80c237b86f87cf9d350c795363ee016bb030bb3453 that uses HTTP-based requests to stress-test a website,” the blog said.

In this case, it added, the tool was abused to launch a DDoS that automatically started when a new container based on the Docker image was created, with the target-selection routine then picking a random entry from a hard-coded list to attack.  

The second Docker image – named erikmnkl/stoppropaganda – was downloaded more than 50,000 times from Docker Hub, and contained a custom Go-based DDoS programme that used a hash which sends HTTP GET requests to a list of target websites, overloading them with requests.

While the two images were downloaded over 150,000 times, CrowdStrike said it was unable to assess how many of these downloads originated from the compromised infrastructure.

Data released by Check Point Research on 28 February 2022 showed a 196% increase in cyber attacks on Ukraine’s government and military sector, as well as a 4% increase in attacks directed at Russian organisations more generally.

On 24 March, for example, hackers operating under the Anonymous banner claimed to have stolen more than 35,000 sensitive files from the Central Bank of Russia as part of its cyber war against the Russian state, which it declared shortly after Vladimir Putin illegally invaded Ukraine.