4 May 2022

Pro-Ukraine hacktivists use Docker images to conduct DDoS attacks on Russian, Belarusian websites



Two Docker images which have been downloaded by thousands of users have been used to conduct distributed denial-of-service (DDoS) attacks against Russian and Belarusian websites run by organizations in various sectors, including government, military, and news organizations.

It appears that the campaign has been orchestrated by pro-Ukraine hacktivists likely supported by the Ukraine government-backed Ukraine IT Army (UIA).

“Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army (UIA). The two images have been downloaded over 150,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originate from compromised infrastructure,” said researchers at cybersecurity firm CrowdStrike who spotted the attacks.

The Docker images were observed being deployed between February 27 and March 1, 2022. The first image (abagayev/stop-russia) is hosted on Docker Hub and has a download count of over 100,000. It contains a Go-based HTTP benchmarking tool named 'bombardier' with SHA256 hash that uses HTTP-based requests to stress-test a website. The researchers say that the image was updated on March 1 with an expanded target list, which included Russian and Belarusian websites from the government, military, media, finance, energy, retail, mining, manufacturing, chemicals, production, technology, advertisements, agriculture, and transportation sectors.

The other image (erikmnkl/stoppropaganda) was downloaded over 50,000 times from Docker Hub. The image contains a custom Go-based DoS program named 'stoppropaganda' that has the SHA256 hash that sends HTTP GET requests to a list of target websites, overloading them with requests. The attack targets Russian and Belarusian websites in the government, military, energy, mining, retail, media and finance sectors.

“Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed UIA that called its members to perform DDoS attacks against Russian targets. CrowdStrike Intelligence assesses these actors almost certainly compromised the honeypots to support pro-Ukrainian DDoS attacks. This assessment is made with high confidence based on the targeted websites,” CrowdStrike concluded.
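For operators who want to check whether either image named above is running on their own Docker hosts, the following added example (not CrowdStrike's or this site's code) normalizes image references and flags matches in `docker ps --format '{{.ID}} {{.Image}}'` output. The container IDs, the internal registry hostname and the sample lines are constructed; only the two repository names come from the article.

```python
# Added example: flag containers started from the two images named in the article.

# Repository names taken from the article; the page lists no usable hashes.
FLAGGED_REPOS = {"abagayev/stop-russia", "erikmnkl/stoppropaganda"}

# Docker Hub hostnames that may prefix an otherwise identical reference.
HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}


def repo_of(image_ref: str) -> str:
    """Reduce an image reference to its lower-cased repository path."""
    ref = image_ref.strip().lower().split("@", 1)[0]  # drop @sha256:<digest>
    first, _, rest = ref.partition("/")
    # A first component containing '.' or ':' (or 'localhost') is a registry
    # host. It is stripped so mirrors and pull-through caches still match.
    is_host = first in HUB_HOSTS or first == "localhost" or "." in first or ":" in first
    if rest and is_host:
        ref = rest
    # Only a ':' after the last '/' separates a tag from the repository.
    head, sep, tail = ref.rpartition("/")
    return f"{head}{sep}{tail.split(':', 1)[0]}"


def find_flagged(ps_output: str) -> list[tuple[str, str]]:
    """Return (container_id, image) pairs whose repository is flagged."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        container_id, image = parts
        if repo_of(image) in FLAGGED_REPOS:
            hits.append((container_id, image))
    return hits


# Constructed sample of `docker ps --format '{{.ID}} {{.Image}}'` output.
SAMPLE_PS = """\
aaaaaaaaaa01 nginx:1.21
aaaaaaaaaa02 abagayev/stop-russia:latest
aaaaaaaaaa03 docker.io/erikmnkl/stoppropaganda@sha256:0000
aaaaaaaaaa04 registry.example.internal:5000/abagayev/stop-russia:v2
aaaaaaaaaa05 myorg/stop-russia-dashboard:1
"""

if __name__ == "__main__":
    for container_id, image in find_flagged(SAMPLE_PS):
        print(f"flagged container {container_id}: {image}")
```

Matching on repository name only catches images pulled or mirrored under their published names; a retagged copy will not match, so treat a clean result as one signal alongside outbound-traffic monitoring.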

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren’t worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Glory to Ukraine!

