While organizations throughout eastern Europe and Russia were being hit by the ransomware campaign known as Bad Rabbit, a more insidious attack was taking place in Ukraine under its cover, Reuters reported.

According to Serhiy Demedyuk, the head of the Ukrainian state cyber police, a number of Ukrainian entities were targeted by phishing campaigns at the same time as Bad Rabbit spread. Those campaigns intended to compromise financial information and other sensitive data.

“During these attacks, we repeatedly detected more powerful, quiet attacks that were aimed at obtaining financial and confidential information,” Demedyuk told the Reuters Cyber Security Summit in Kiev earlier this week.

Demedyuk described the campaign as a hybrid attack, with the Bad Rabbit ransomware serving as an obvious and intrusive attack while a second, hidden attack is carried out without as much attention—but with just as devastating results, if not more so.

Bad Rabbit began spreading late last month and quickly infected a number of major organizations including Russian media companies and critical infrastructure including Kiev Metro—the main mode of public transport in Ukraine’s capital city—and the Odessa International Airport.

The attack was believed to have spread through what are known as drive-by attacks. Such attacks occur when threat actors plan malicious scripts or code into an insecure web page. That script can often download the malicious software directly to the computer of a person who visits the site or redirect the visitor to a site that serves up the ransomware.

In the case of Bad Rabbit, the drive-by attacks appear to have been set up on a number of Russian news and media websites and were used to drop a malicious download disguised as an Adobe Flash installer. When users clicked to install the update, their machine was compromised by Bad Rabbit. The attack then encrypted a victim’s files and made them inaccessible until the person agreed to pay 0.05 Bitcoin, or about $280, in order to regain access to their files.

The revelation made by Ukrainian cyber police suggest the ransom was not the ultimate goal for Bad Rabbit. Investigators currently believe that the perpetrator of Bad Rabbit and of the secondary phishing campaign are one in the same, with the goal of the secondary attack to gain undetected access well after the ransomware campaign stopped spreading.

In that way, it bears resemblance to the Petya attack that spread earlier this year and also heavily targeted organizations in Ukraine. That attack, in which users appeared to have been infected with ransomware, was actually known as a wiper—a destructive virus that deletes files and corrodes an infected system beyond the point of recovery.

Hackers have continued to use backdoors that allow for ongoing access into an affected system to carry out attacks long after the spread of Petya ended.

“As cyber criminals get smarter and more sophisticated, it is important to remember that attacks are not always what they seem on the surface," Ben Johnson, co-founder and chief technology officer of Obsidian Security, told International Business Times. "Everything a hacker does is built with an objective in mind, so sometimes the objective is to deceive or confuse defenders. For example, it may seem the goal of ransomware is to be detected in order to make money. But this shows that often times, the hidden motive is simply to distract cyber defenders while criminals launch quieter, more targeted attacks to accomplish their real goals.”

The former computer scientist for the United States National Security Agency said, "This may take the form of a phishing campaign, or deploying some other nastier payload, but sophisticated actors are initially after one thing—access. High profile attacks like this can be the perfect cover for obtaining access, and maintaining it long term.”

It may not be a coincidence that Bad Rabbit and Petya both used ransomware as a cover for a secondary attack. Both used a similar propagation method and some security experts have suggested the attacks could have been carried out by the same group as they share similar code.

According to Demedyuk, the Ukrainian authorities have already prevented a number of attacks on financial institutions and organizations in charge of strategic infrastructure since Petya spread in June of this year. In one of those attacks, law enforcement was able to block the transfer of 10 million hryvnia (about $371,000) from being taken out of a company’s account.

RELATED STORIES
Security Ransomware Cybercrime Security