Two Docker images which have been downloaded by thousands of users have been used to conduct distributed denial-of-service (DDoS) attacks against Russian and Belarusian websites run by organizations in various sectors, including government, military, and news organizations.
It appears that the campaign has been orchestrated by pro-Ukraine hacktivists likely supported by the Ukraine government-backed Ukraine IT Army (UIA).
“Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army (UIA). The two images have been downloaded over 150,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originate from compromised infrastructure,” said researchers at cybersecurity firm CrowdStrike who spotted the attacks.
The Docker images were observed being deployed between February 27 and March 1, 2022. The first image (abagayev/stop-russia) is hosted on Docker Hub and has a download count of over 100,000. It contains a Go-based HTTP benchmarking tool named 'bombardier' with SHA256 hash that uses HTTP-based requests to stress-test a website. The researchers say that the image was updated on March 1 with an expanded target list, which included Russian and Belarusian websites from the government, military, media, finance, energy, retail, mining, manufacturing, chemicals, production, technology, advertisements, agriculture, and transportation sectors.
The other image (erikmnkl/stoppropaganda) was downloaded over 50,000 times from Docker Hub. The image contains a custom Go-based DoS program named 'stoppropaganda' that has the SHA256 hash that sends HTTP GET requests to a list of target websites, overloading them with requests. The attack targets Russian and Belarusian websites in the government, military, energy, mining, retail, media and finance sectors.
“Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed UIA that called its members to perform DDoS attacks against Russian targets. CrowdStrike Intelligence assesses these actors almost certainly compromised the honeypots to support pro-Ukrainian DDoS attacks. This assessment is made with high confidence based on the targeted websites,” CrowdStrike concluded.
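For defenders who want to check their own Docker hosts for the two images named above, the following added example (not code from CrowdStrike or from the original article) normalizes image references before matching, so that tags, digests and explicit Docker Hub hostnames do not hide a match. The sample `docker ps --format '{{.ID}} {{.Image}}'` output, the container IDs and the `registry.example.internal` host are constructed for illustration.

```python
# Repositories named in the article (Docker Hub namespace/name).
FLAGGED_REPOS = {"abagayev/stop-russia", "erikmnkl/stoppropaganda"}

# Hostnames that all refer to Docker Hub.
DOCKER_HUB_HOSTS = {"docker.io", "index.docker.io", "registry-1.docker.io"}


def normalize_image_ref(ref):
    """Reduce an image reference to (registry, repository), dropping tag and digest."""
    ref = ref.strip().lower()
    ref = ref.split("@", 1)[0]            # drop an @sha256:... digest
    if ref.rfind(":") > ref.rfind("/"):   # a colon after the last slash is a tag
        ref = ref[:ref.rfind(":")]
    first, _, rest = ref.partition("/")
    # The first component is a registry host only if it looks like one.
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", ref  # no host given: Docker Hub is implied
    if registry in DOCKER_HUB_HOSTS:
        registry = "docker.io"
    return registry, repo


def find_flagged(ps_output):
    """Return (container_id, repository) for containers running a flagged Docker Hub image."""
    hits = []
    for line in ps_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                       # skip blank or malformed lines
        container_id, image = parts
        registry, repo = normalize_image_ref(image)
        # Only Docker Hub references are matched; a same-named repo on another
        # registry is not proof of the same image.
        if registry == "docker.io" and repo in FLAGGED_REPOS:
            hits.append((container_id, repo))
    return hits


# Constructed sample of `docker ps --format '{{.ID}} {{.Image}}'` output.
SAMPLE_PS_OUTPUT = """\
3f2a9c1b7d10 nginx:1.21
a41c0e77b2f9 abagayev/stop-russia:latest
9be03d5514aa docker.io/erikmnkl/stoppropaganda
c7d2e1f00b36 registry.example.internal:5000/team/stop-russia:2
e5a8b3c2d4f1 index.docker.io/abagayev/stop-russia@sha256:<digest>
"""

if __name__ == "__main__":
    for container_id, repo in find_flagged(SAMPLE_PS_OUTPUT):
        print(f"container {container_id} runs flagged image {repo}")
```

A container started by image ID shows that ID instead of a repository name in `docker ps`, so the local image list should be checked as well.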