Russia-Ukraine CyberWar: One Year Later
One year ago today, Russia launched a massive combined arms ground, air, and sea assault against Ukraine, including a large cyber component designed to sow confusion among Ukrainian authorities. At the first anniversary, the initial takeaway is the role played by cyber has not been as prominent as predicted for what has turned into the largest European land war since 1945.
Russia and Ukraine are still actively using their cyber troops to conduct a variety of attacks against their foe. Still, the impact these incidents have had taken a distant backseat to the kinetic warfare that has pulverized countless Ukrainian towns and cities.
The Trustwave SpiderLabs team has been at the forefront tracking and reporting on this activity.
- Trustwave’s Action Response: Russia-Ukraine Crisis
- Russia-Ukraine War Raising the Awareness of Nation-State Attacks
- An Inside Look at Russian Cyber Weapons Used Against Ukraine
- Development of the Ukrainian Cyber Counter-Offensive
When the war kicked off, concerns ran high that any cyberattacks launched in conjunction with the war might spill out and affect others. This concern resulted in Trustwave security and engineering teams immediately going on heightened alert and actively monitoring for malicious cyber activity associated with and adjacent to the escalating military conflict between Russia and Ukraine. This work continues, and Trustwave is still working closely with its clients worldwide to enhance cyber preparedness as the war continues.
Over the first several weeks of the conflict, Trustwave SpiderLabs uncovered several attack schemes. These included spearphishing attacks from Russian APTs against Ukraine's government offices designed to deliver the CobaltStrike and GraphSteel backdoors.
However, as the year progressed, Trustwave learned a tremendous amount about Russia and Ukraine's cyber capabilities. The primary takeaway is that cyberattacks don't seem to have played a decisive role in the conflict but likely helped supply each side with a tremendous amount of intelligence. While not as obvious as the results of shelling or rolling tanks, the intel gathered likely created opportunities for psyops to support one side or the other, as well as attacks on critical infrastructure and even one of the primary methods of communication in the modern era, the Internet.
With that said, there have been a few examples of cyberattacks having a physical impact. For example, a Russian attack on Ukraine's access to the bricked tens of thousands of satellite modems in Ukraine and across Europe with the likely intention of harming Ukraine’s military ability to function in the first hours and days of the. Additionally, malware targeting Ukraine's power grid was customized specifically for their targets that used reconnaissance likely done in an unobserved cyberattack.
Cybers Impact on the War
The concern that one side or the other would initiate devastating cyberattacks at the start of the war did not come to fruition, particularly from the Russian side. Still, the lack of such a knock-out blow does not mean Russia's capabilities are lacking.
In fact, underestimating Russian cyber offensive capabilities is a mistake. While Ukraine has been Russia's cyber playground to try out various attack types over the years, one should not assume that the current cyber offensive and physical war against Ukraine is indicative of any weakness on Russia's part. Russia is also learning quite a lot from this incursion, so it may come out on the other side with skills practiced in the real world.
The type of attacks launched by both sides has ranged from phishing and misinformation campaigns to the HermeticWiper and IsaacWiper data wipers and Distributed Denial of Services (DDoS) attacks. For example, during the early phase of the war Ukraine launched multiple DDoS attacks against multiple Russian government and official sites while at the same time other hackers who communicated primarily on Telegram targeted Ukrainian government and military officials and spreading misinformation about what is truly taking place in Ukraine.
One might categorize KillNet, which uses DDoS attacks, and the IT Army of Ukraine's cyberattacks as low to mid-level and a nuisance, but repeated DDoS attacks on varying organizations and government agencies add another layer of problems to solve while simultaneously fending off and dealing with repercussions from Russia's kinetic attacks. While traditional "central command and control" may be loose or entirely missing in these cases, often these groups are leaned on for their chaos factor, which is a very low investment for an excellent return.
Russian Response to Outside Support for Ukraine
The amount of Western military hardware that has poured into Ukraine along with political support for Ukraine has been key to that nation's ability to not only fend off the initial onslaught but claw back vast tracks of land initially occupied by Russian forces. This very public support, however, has angered not only the Russian government but also native Russian cyber groups resulting in several launching attacks against the countries providing arms to Ukraine.
Some infamous cyber threat actors have been connected to Russian activity against Ukraine. As can be seen in an earlier SpiderLabs report, they include the following:
- APT29 - also known as Cozy Bear or The Dukes to the Russian Foreign Intelligence Service (SVR)
- APT28 - also known as Fancy Bear or Sofacy was traced to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Former GRU) Unit 26165
- SANDWORM - also known as Black Energy, was tied to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Former GRU) Unit 74455
- DRAGONFLY - also known as Energetic Bear or Crouching Yeti was identified as the Russian Federal Security Service (FSB) Unit 71330
- GAMAREDON - also known as Primitive Bear or Armageddon, traced to the Russian Federal Security Service (FSB) in November 2021. The Security Service of Ukraine (SSU) successfully identified individuals behind Gamaredon confirming their ties with FSB
- NoName057(16) – a hacktivist group that has been targeting NATO and Czech presidential election candidates’ websites recently
- KILLNET - is a pro-Russian hacktivist group active since at least January 2022 known for its DDoS campaigns against countries supporting Ukraine, especially NATO countries since the Russia-Ukraine war broke out last year.
During the last few months SpiderLabs has found hacktivist groups expanding their attacks to other countries including Poland, Slovakia, Czech Republic and Denmark targeting government ministries, power plants, banks, transportation, and NATO.
Belarus, which is allied with Russia, has increased its cyberactivity. On Jan. 17, 2023, the groups Infinity and Killnet, the former associated with Belarus, both claimed to have targeted the U.S. Internal Revenue Service last fall. The U.S. Treasury reported at the time that it had thwarted a DDoS attack by Killnet.
One of the earliest attacks, AcidRain, was timed for Russia's physical invasion of Ukraine in February. AcidRain was a targeted attack against modems accessing the Internet through Viasat's satellite network. Viasat is a satellite-based broadband service provider. The attackers gained access to Viasat's management network. They then used it to push the AcidRain malware to satellite modems and wipe those modems of essential software needed to operate and connect to the Internet properly.
Cyber Rules of Engagement
It seems counterintuitive, but the war has written and unwritten rules. For example, Geneva Convention signatories promise to treat prisoners must be treated properly, with no torture, and caring for the wounded. As the war and tactics have evolved over the past year, the conversation turned to what type of cyberattack constitutes an attack that goes too far.
For cyberwar, there is the Tallinn Manual. Tallinn is an academic, non-binding study on how international law applies to cyber conflicts and cyber warfare.
How cyber activities now taking place in the Ukraine war will be viewed is still in flux.
As we know, crimes usually come before the laws that govern it. Threat actors innovate, and law enforcement has to draft and enact laws that mete out justice for the crime or cybercrimes committed.
Hybrid warfare – cyber and kinetic attacks being waged simultaneously – is new to the warfare arena and will require organizations worldwide to be on guard to defend against attacks launched in support of either side of the conflict. These attacks may intentionally target non-belligerent entities, but the other possibility is being victimized by an attack that gets out of control and essentially becoming collateral damage.
The best way to stay safe is to ensure your organization is buttoned-down, that “all the doors and windows are locked” and to have a plan and security partner in place to respond if and when an attack occurs.
ABOUT TRUSTWAVE
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.