The Russia-Ukraine conflict has galvanized the hacktivist community, drawing in groups such as Anonymous, which regularly launches cyberattacks in support of its causes. Cloud native technologies are now part of that attack toolkit, according to Aqua, a cloud native security company.
Aqua said it gathered data from public repositories hosting code and tools aimed at targets on both sides of the conflict. It then analyzed container images on Docker Hub and packages in popular registries (PyPI, npm and Ruby gems), searching for names and text labels that called for action against either side.
This was first reported by ZDNet.
“As part of our research efforts, we regularly deploy honeypots, i.e., misconfigured cloud native applications based on Docker and Kubernetes or other widely used applications such as databases,” according to Aqua.
Of the public sources, about 40% of the packages were tools for denial-of-service (DoS) attacks on online services. Aqua also found sources that pointed to doxing of high-ranking individuals.
Of the targets, 84% resolved to IP addresses in Russia and only 16% to addresses in Ukraine.
Network and media organizations were attacked most often, Aqua said.
Aqua described how container images were used in the attacks:
“These container images have published instructions and source code on GitHub, including a list of targets with Russian website addresses. Among other things, the guidelines explained how to initiate an attack and what tools to download, allowing non-professionals to launch an attack on their own.
“As we see, the repositories have played a major role in the ongoing virtual conflict, making cloud native tools widely available to a less technical audience. This once again shows that today you don’t have to be a skilled hacker to take part in cyber war.”
--Cloud Native Technologies Used in Russia-Ukraine Cyber Attacks, Aqua, March 15, 2022
Other findings in the report include:
- A container image containing a DoS attack tool that targets financial data and service providers in Russia.
- A container image carrying a DDoS tool that floods its targets with TCP connection requests, aimed at multiple service providers in Russia.
- Both container images also included tools for DNS floods aimed at Russian banks.
The findings underscore the outsized role individuals can play in a geopolitical conflict by distributing simple automated tools that let less skilled actors take part in a cyber war, Aqua concluded.
As cloud native development gains momentum in large organizations everywhere, containers will continue to be used in new and interesting ways. Sometimes for good. Sometimes for bad. As such, it is critical that you know exactly which images your organization pulls and runs, where they come from, and who can push or pull them.
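One practical starting point for that inventory is to walk every container in the cluster and normalize its image reference the way the runtime does, so that a bare name like `busybox` is recognized as `docker.io/library/busybox:latest` and flagged. The script below is an added example written for this article, not tooling from Aqua or from the report; it consumes the JSON shape produced by `kubectl get pods -A -o json` (a real, stable format) but runs here against a constructed sample document with hypothetical namespaces, pod names and images. The allowlist of approved registries is an assumption for the example; replace it with your own.

```python
"""Inventory container images referenced by Kubernetes pods and flag risky references.

Added example (not from Aqua's report). Reads a `kubectl get pods -A -o json`
document, normalizes every image reference, and reports images that come from
a registry outside the organization's allowlist, are not pinned by digest, or
ride on the mutable `latest` tag.
"""
import json
import sys

# Assumption for the example: the registries this organization has approved.
ALLOWED_REGISTRIES = {"registry.internal.example", "ghcr.io"}

# Constructed sample: a trimmed `kubectl get pods -A -o json` document with
# hypothetical pods and images (nothing here is taken from the report).
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "web", "name": "frontend-1"},
         "spec": {"containers": [{"name": "app",
                                  "image": "registry.internal.example/web/frontend:2.3.1"}],
                  "initContainers": [{"name": "init", "image": "busybox"}]}},
        {"metadata": {"namespace": "ops", "name": "loadtest-7"},
         "spec": {"containers": [{"name": "tool", "image": "someuser/stress-tool:latest"}]}},
        {"metadata": {"namespace": "ci", "name": "runner-2"},
         "spec": {"containers": [{"name": "runner",
                                  "image": "ghcr.io/example/runner@sha256:" + "a" * 64}]}},
    ]
})


def parse_image_ref(ref):
    """Normalize an image reference using the same rules as Docker/containerd.

    The first path component is a registry only if it contains '.' or ':' or is
    'localhost'; otherwise the reference is a Docker Hub image, and a single
    component (e.g. 'busybox') lives under the 'library/' namespace. A missing
    tag and digest means the runtime pulls ':latest'.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/", 1)
    if len(parts) == 2 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, remainder = parts
    else:
        registry, remainder = "docker.io", ref
    if registry == "index.docker.io":
        registry = "docker.io"
    tag = None
    if ":" in remainder:  # registry already split off, so this colon is the tag
        remainder, tag = remainder.rsplit(":", 1)
    if registry == "docker.io" and "/" not in remainder:
        remainder = "library/" + remainder
    if tag is None and digest is None:
        tag = "latest"
    return {"registry": registry, "repository": remainder, "tag": tag, "digest": digest}


def audit_image(ref):
    """Return (normalized info, list of human-readable findings) for one reference."""
    info = parse_image_ref(ref)
    findings = []
    if info["registry"] not in ALLOWED_REGISTRIES:
        findings.append("registry not on allowlist (%s)" % info["registry"])
    if info["digest"] is None:
        findings.append("not pinned by digest")
    if info["tag"] == "latest":
        findings.append("mutable 'latest' tag")
    return info, findings


def audit_pods(pods_json):
    """Walk regular, init and ephemeral containers of every pod; collect findings."""
    doc = json.loads(pods_json)
    report = []
    for pod in doc.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        containers = (spec.get("containers", []) + spec.get("initContainers", [])
                      + spec.get("ephemeralContainers", []))
        for c in containers:
            info, findings = audit_image(c["image"])
            if findings:
                report.append({"pod": "%s/%s" % (meta["namespace"], meta["name"]),
                               "container": c["name"], "image": c["image"],
                               "normalized": "%s/%s" % (info["registry"], info["repository"]),
                               "findings": findings})
    return report


if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json | python3 audit_images.py -
    data = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_PODS_JSON
    for entry in audit_pods(data):
        print("%(pod)s [%(container)s] %(image)s -> %(normalized)s" % entry)
        for f in entry["findings"]:
            print("    -", f)
```

Against the sample, the digest-pinned `ghcr.io` runner passes cleanly, the internal frontend is flagged only for lacking a digest, and both Docker Hub images (the bare `busybox` init container and `someuser/stress-tool:latest`) collect all three findings. The same parsing logic is what you would put behind an admission controller policy so that such images are refused rather than merely reported.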