Technical Analysis of the DDoS Attacks against Ukrainian Websites

Ukrainian banks and government websites were targeted by a moderate DDoS campaign attributed to the Katana botnet, a Mirai variant used to flood services. Preparation for the attack appears to have begun as early as February 13, with delivery through exploited IoT cameras and a broader effort including panic-inducing SMS messages; sites recovered within hours. #Katana #Mirai #OschadBank #PrivatBank

Keypoints

  • The attack impacted Ukrainian banks, government, and military websites, with the scale described as moderate and sites recovering within hours.
  • UK and US attribution pointed to Katana, a Mirai-based botnet with enhanced DDoS capabilities.
  • Katana’s code and related samples tie the activity to a Mirai variant; the reporting names one C2 IP address and specific malware filenames.
  • Delivery leveraged publicly accessible Avtech network cameras; a rip.sh installer was part of Katana’s deployment.
  • Fraudulent SMS messages circulated to Ukrainian phones to amplify panic and hinder response efforts.
  • High-level intent appeared aimed at destabilization, panic, and chaos, per statements from Ukraine’s minister and US officials, signaling a strategic interest beyond mere disruption.

MITRE Techniques

  • [T1499] Endpoint Denial of Service – Bank and government websites in Ukraine were flooded with traffic from the botnet. “the websites for several banks and government organisations in Ukraine were hit with a Distributed Denial-of-Service attack.”
  • [T1190] Exploit Public-Facing Application – Publicly accessible, vulnerable Avtech network cameras were compromised and used as DDoS sources. “A number of vulnerable Avtech network cameras are publicly accessible and were exploited by the attacker to perform the DDoS.”
  • [T1059.004] Unix Shell – rip.sh is part of Katana’s standard deployment and served as a simple installer for the bot. “Whilst the file rip.sh is no longer available to download, it’s part of the standard deployment for Katana and would have been a simple installer for Katana such as this:”
  • [T1566] Phishing – Fraudulent SMS messages were sent to Ukrainian phones in an attempt to create a panic. “The text message says: ‘Due to technical circumstances, Privatbank ATMs do not work on February 15. We apologize.’”

Indicators of Compromise

  • [IP Address] – 5.182.211[.]5 – Katana command-and-control (C2) endpoint.
  • [URL] – http://5.182.211[.]5/rip.sh – installer script fetched from the C2 during Katana deployment.
  • [Hash] – 82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf
  • [Hash] – 978672b911f0b1e529c9cf0bca824d3d3908606d0545a5ebbeb6c4726489a2ed
  • [File name] – KKveTTgaAAsecNNaaaa.mips – one of the malware samples linked to Katana
  • [File name] – a2b1d5g2e5t8vc.elf – another sample name associated with Katana
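As an added example (not part of the Cado report), the script below turns the indicators above into a small log matcher: it refangs the defanged IP and URL, then scans log lines for the C2 address, the rip.sh download URL, the two SHA-256 hashes and the two sample filenames. The three log lines, the internal addresses and the host name are constructed for the demonstration and do not come from the report.

```python
"""Match the Katana IoCs from the report against sample log lines (added example)."""
import re
from dataclasses import dataclass

# Indicators as published in the report (defanged where the report defangs them).
IOC_IPS = {"5.182.211[.]5"}
IOC_URLS = {"http://5.182.211[.]5/rip.sh"}
IOC_SHA256 = {
    "82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf",
    "978672b911f0b1e529c9cf0bca824d3d3908606d0545a5ebbeb6c4726489a2ed",
}
IOC_FILENAMES = {"KKveTTgaAAsecNNaaaa.mips", "a2b1d5g2e5t8vc.elf"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (5.182.211[.]5, hxxp://...) back into its live form
    so it can be compared with what appears in real logs."""
    live = indicator.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", live, flags=re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index of the matching log line
    ioc_type: str  # "ip", "url", "sha256" or "filename"
    value: str     # the indicator as it appeared in the log


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
TOKEN_RE = re.compile(r"[\w.-]+")  # splits paths on "/" so bare filenames surface


def scan_lines(lines):
    """Return one Hit per (line, indicator type, value); duplicates within a line
    (e.g. the C2 IP appearing both as dst= and inside the URL) are reported once."""
    live_ips = {refang(i) for i in IOC_IPS}
    live_urls = {refang(u) for u in IOC_URLS}
    hits = []
    for line_no, line in enumerate(lines, start=1):
        found = set()
        for url in URL_RE.findall(line):
            if url in live_urls:
                found.add(("url", url))
        for ip in IP_RE.findall(line):
            if ip in live_ips:
                found.add(("ip", ip))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in IOC_SHA256:
                found.add(("sha256", digest.lower()))
        for token in TOKEN_RE.findall(line):
            if token in IOC_FILENAMES:
                found.add(("filename", token))
        hits.extend(Hit(line_no, kind, value) for kind, value in sorted(found))
    return hits


# Constructed sample lines: an egress proxy record of a camera fetching the installer,
# an EDR record of a dropped binary, and a benign request. None of these are real logs.
SAMPLE_LOGS = [
    "Feb 15 10:01:02 proxy src=10.0.0.23 dst=5.182.211.5 GET http://5.182.211.5/rip.sh 200",
    "Feb 15 10:01:05 edr host=cam-23 file=/tmp/KKveTTgaAAsecNNaaaa.mips "
    "sha256=82c426d9b8843f279ab9d5d2613ae874d0c359c483658d01e92cc5ac68f6ebcf",
    "Feb 15 10:02:00 proxy src=10.0.0.24 dst=203.0.113.10 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
```

Run as-is it reports four hits: the URL and the C2 IP on the first line, the hash and the filename on the second, nothing on the benign third line. Feeding real proxy or EDR exports through `scan_lines` line by line is the intended use; the refang step is what lets the defanged indicators from the report match live traffic.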

Read more: https://www.cadosecurity.com/technical-analysis-of-the-ddos-attacks-against-ukrainian-websites/