In a recent report, Kaspersky’s experts analyse cyberspace activities relating to the Ukrainian crisis, observing their meaning in relation to the current conflict, and their impact on the cybersecurity field. The report is part of Kaspersky Security Bulletin (KSB), an annual series of predictions and analytical reports on key shifts within the cybersecurity world.
2022 was marked by a 20th century-style military conflict – that definitely brought uncertainty and some serious risks. A number of cyber-events took place during the conflict turned to be very significant.
The story of the year, prepared by Kaspersky researchers within the annual Kaspersky Security Bulletin, tracks every stage of the armed conflict in Ukraine, the events that have taken place in the cyberspace and how they correlated with on-the-ground operations.
Significant signs and spikes in cyberwarfare in the days and weeks pre-dating military conflict were seen. February 24, 2022 saw a massive wave of pseudo-ransomware and wiper attacks indiscriminately affecting Ukrainian entities. Some were highly sophisticated, but the volume of wiper and ransomware attacks quickly subsided after the initial wave, with a limited number of notable incidents subsequently reported. Ideologically-motivated groups that presented themselves in the original wave of attacks appear to be inactive now.
On February 24, Europeans relying on the ViaSat-owned satellite faced major Internet access disruptions. This “cyber-event” started around 4h UTC, less than two hours after the Russian Federation publicly announced the beginning of a “special military operation” in Ukraine. The ViaSat sabotage once again demonstrates cyberattacks are a basic building block for modern armed conflicts and may directly support key milestones in military operations.
As the conflict has evolved, there is no evidence that the cyberattacks were part of coordinated military actions on either side. However, there are some main characteristics that defined the 2022 cyber confrontation:
- Hacktivists and DDoS attacks. The conflict in Ukraine has created a breeding ground for new cyberwarfare activity from various groups including cybercriminals and hacktivists, rushing to support their favourite side. Some groups such as the IT Army of Ukraine or Killnet have been officially supported by governments and their Telegram channels include hundreds of thousands of subscribers. While the attacks performed by hacktivists had relatively low complexity, the experts witnessed a spike in DDoS activity during the European summer period – both in number of attacks and their duration: in 2022, an average DDoS attack lasted 18.5 hours – almost 40 times longer compared to 2021 (approx. 28 minutes).
- Hack and leak. The more sophisticated attacks attempted to hijack media attention with hack-and-leak operations, and have been on the rise since the beginning of the conflict. Such attacks involve breaching an organisation and publishing its internal data online, often via a dedicated website. This is significantly more difficult than a simple defacing operation, since not all machines contain internal data worth releasing.
- Poisoned open source repositories, weaponising open source software. As the conflict drags on, popular open source packages can be used as a protest or attack platform by developers or hackers alike. The impact from such attacks can extend wider than the open source software itself, propagating in other packages that automatically rely on the trojanised code.
- Balkanization. Following the start of the Ukraine conflict in February 2022, many western companies are exiting the Russian market and leaving their users in a delicate position when it comes to receiving security updates or support – and the security updates are probably the top issue when vendors end support for products or leave the market.
“From February 24 onwards, we’ve been puzzled with a question, if cyberspace is a true reflection of the conflict in Ukraine, it represents the pinnacle of a real, modern “cyberwar”. By going through all the events that followed military operations in cyberspace, we witnessed an absence of coordination between cyber and kinetic means, and in many ways downgraded cyber-offense to a subordinate role. Ransomware attacks observed in the first weeks of the conflict qualify as distractions at best. Kinetic attacks using missiles and unmanned aerial vehicles have once again proven to be a more effective method of targeting infrastructure than cyberattacks. Nevertheless, collateral damage and cyber risks have grown for organisations in nearby countries due to the conflict, requiring advanced defensive measures more than ever,” comments Costin Raiu, the Director of Global Research and Analysis Team at Kaspersky.
The report is part of Kaspersky Security Bulletin (KSB), an annual series of predictions and analytical reports on key shifts within the cybersecurity world.