
Security Brief: CICYBER Week of March 27, 2022

March 27 - 30, 2022 | Issue 1

Keanna Grelicha, Emma Hoskins, CICYBER Team

Jennifer Loy, Chief of Staff

Microsoft Exchange Logo (2013-2019)[1]

Date: March 28, 2022

Location: Global

Parties involved: Microsoft; Microsoft Exchange Server; User(s); Unknown hacker(s)

The event: Organizations running Microsoft Exchange Server, Microsoft’s mail server platform, are being targeted in a campaign that delivers the IcedID malware. IcedID is a banking trojan[2] that is also used to deploy other malware, including ransomware. Unknown hackers hijack existing email conversations on compromised Exchange servers (reply-chain hijacking): they reply to legitimate threads with messages that carry file attachments containing IcedID. Because the messages are relayed by the organization’s own server and arrive from local Internet Protocol (IP) addresses, they appear to come from a trusted internal sender, which lowers users’ suspicion of fraud and can pass mail filters that treat messages from the internal server as trusted. Microsoft has urged administrators to install the patches for the Exchange vulnerabilities exploited in earlier campaigns; an unpatched server is the likely route by which the attackers gain the internal foothold these emails require, so patching makes the mail environment less susceptible to this kind of phishing.[3]

Analysis & Implications:

  • Unpatched Exchange servers very likely allow hackers to continue IcedID attacks, as the unprotected systems very likely let them steal data and login credentials. Stolen login credentials will very likely allow hackers to sign into the users’ accounts and harvest more personal information, such as phone numbers or credit card details. Hackers will very likely commit financial fraud with that data, likely leaving victims with unrecognized payments and debts.

  • Malware campaigns continuously targeting Exchange will very likely push Microsoft to make updates and patches mandatory for its users. Mandatory updates will almost certainly strengthen the Exchange Server environment, as patched servers very likely close the vulnerabilities the IcedID campaign relies on. That added protection will very likely reduce the hackers’ ability to get inside the Exchange Server when targeting individuals, almost certainly reducing the effectiveness of the IcedID attacks.
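The filtering gap this campaign exploits is a mail rule that skips attachment scanning for anything relayed from an internal address. The following Python script is an added example written for this brief, not code from the brief, from Microsoft or from any vendor; the two sample messages, the host names, the 10.0.0.25 relay address and the list of risky attachment extensions are all constructed assumptions. It parses the messages with the standard library, shows that the weak "internal origin means trusted" rule passes a reply-chain message carrying an archive, and contrasts it with an origin-independent check that sends any risky attachment to scanning.

```python
"""Header triage for reply-chain phishing carrying a malicious attachment.

Added example (not from the CTG brief). Shows why a filter that trusts mail
relayed from an internal IP lets a hijacked-thread message through, and
what a minimal origin-independent attachment check looks like.
All messages, hosts and addresses below are constructed for this example.
"""
import ipaddress
import re
from email import message_from_string, policy

# Constructed headers: a reply in an existing thread, relayed by the
# organisation's own Exchange host at the private address 10.0.0.25.
HEADERS = """\
Received: from EXCH01.corp.example (10.0.0.25) by EXCH01.corp.example
 with Microsoft SMTP Server; Mon, 28 Mar 2022 09:14:02 +0000
From: Jane Doe <jane.doe@corp.example>
To: bob@corp.example
Subject: RE: Q1 invoice
Message-ID: <b2@corp.example>
In-Reply-To: <a1@corp.example>
References: <a1@corp.example>
MIME-Version: 1.0
"""

# Same thread, with a zip attachment (payload bytes are a placeholder).
SAMPLE_WITH_ARCHIVE = HEADERS + """\
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Hi Bob, the document you asked for is attached.
--XX
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XX--
"""

# Same thread, plain-text reply with no attachment.
SAMPLE_PLAIN_REPLY = HEADERS + """\
Content-Type: text/plain

Hi Bob, I will send the document tomorrow.
"""

# Attachment types often used as droppers; an assumed list for this
# example, not taken from the brief.
RISKY_EXTENSIONS = (".zip", ".iso", ".img", ".lnk", ".js", ".exe")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse(raw):
    return message_from_string(raw, policy=policy.default)


def originating_ip(msg):
    """IP from the earliest Received header (the last one listed), if any."""
    received = msg.get_all("Received") or []
    match = IPV4_RE.search(str(received[-1])) if received else None
    return ipaddress.ip_address(match.group(1)) if match else None


def naive_is_trusted(msg):
    """The weak rule: first hop from a private address means 'internal mail,
    skip scanning'. A phishing reply relayed through a compromised Exchange
    server passes this test exactly like a genuine internal reply."""
    ip = originating_ip(msg)
    return ip is not None and ip.is_private


def in_reply_chain(msg):
    return bool(msg["In-Reply-To"] or msg["References"])


def risky_attachments(msg):
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            names.append(name)
    return names


def triage(raw):
    """Origin-independent check: any risky attachment is routed to scanning
    whether or not the message came from an internal host."""
    msg = parse(raw)
    risky = risky_attachments(msg)
    return {
        "internal_origin": naive_is_trusted(msg),
        "in_reply_chain": in_reply_chain(msg),
        "risky_attachments": risky,
        "action": "scan_attachments" if risky else "deliver",
    }


if __name__ == "__main__":
    for label, raw in (("archive", SAMPLE_WITH_ARCHIVE), ("plain", SAMPLE_PLAIN_REPLY)):
        print(label, triage(raw))
```

Both sample messages score as trusted under `naive_is_trusted`, which is the point: the internal relay address tells a filter nothing about whether the thread was hijacked. `triage` ignores origin and routes the archive-bearing reply to scanning while delivering the plain reply, which is the behaviour a gateway should keep for internally relayed mail.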

Date: March 28, 2022

Location: Ukraine

Parties involved: Ukraine; Russia; Ukrtelecom; State Service for Special Communications and Information Protection (SSSCIP); Protesters; Victor Zhora; Russian-based cyber groups; Ukrainian banking and defense websites

The event: Ukrtelecom, a Ukrainian telephone and Internet provider, experienced a Distributed Denial-of-Service (DDoS) attack[4] that caused a widespread Internet outage across Ukraine. SSSCIP specialists neutralized the attack within hours, allowing Ukrtelecom to restore connectivity across the country. Victor Zhora, SSSCIP's deputy head, said the attack is still under investigation but accused “the enemy” (referring to Russia) of perpetrating it.[5] Russian-based cyber groups launched a series of DDoS attacks in February 2022 against Ukrainian banking and defense websites using similar methods.[6] DDoS attacks, together with other methods such as malware deployment, make up a cyber group’s Tactics, Techniques, and Procedures (TTPs), the recurring methodology it uses when conducting cyberattacks.[7]

Analysis & Implications:

  • Russian-based cyber groups are likely the authors of the DDoS attack, as the TTPs employed follow the pattern Russian-based cyber groups have used against Ukrainian cyberinfrastructure in the past. Disrupting Ukraine’s Internet and telephone networks very likely benefits Russia in the invasion for as long as those networks are inoperable. Inoperable communications will very likely hinder the Ukrainian military’s use of equipment that depends on network connectivity, such as drones and some missile systems, and Russia will likely use such windows to advance its ground troops.

  • The DDoS is unlikely to prevent Ukrainian activists from posting content online, as SSSCIP neutralized the attack and Ukrtelecom restored service within hours. Ukrainian activists’ online content very likely allows policy-makers and citizens to understand the current situation in Ukraine, very likely shaping public attitudes towards the conflict. Negative attitudes towards the Russian invasion will very likely prompt demonstrations calling for it to stop, likely pressing policy-makers to condemn the invasion and take measures such as sanctions.

________________________________________________________________________ The Counterterrorism Group (CTG)

[1] “Microsoft Exchange Logo (2013-2019)” by Microsoft, licensed under Public Domain

[2] “A banking trojan is a malicious program that disguises itself as legitimate by hiding malware in trusted files or Uniform Resource Locators (URL(s)) found in the target’s system.” Banking Trojans: A Reference Guide to the Malware Family Tree, F5 Application Threat Intelligence, August 2019

[3] Microsoft Exchange targeted for IcedID reply-chain hijacking attacks, Bleeping Computer, March 2022

[4] A Distributed Denial-of-Service (DDoS) attack floods a target server, service or network with traffic from many compromised devices (a botnet), overwhelming it so that legitimate users cannot reach it. What is a DDoS attack?, Cloudflare

[5] Ukraine says major cyberattack against telecom has been ‘neutralized’, VentureBeat, March 2022

[6] Tracking Cyber Operations and Actors in the Russia-Ukraine War, Council on Foreign Relations, March 2022

[7] Tactics, Techniques and Procedures (TTPs), NIST