By Chester Wisniewski
When Russia invaded Ukraine on February 24, 2022, none of us knew what role cyberattacks might play in a full-scale invasion. Russia had been conducting cyberattacks against Ukraine since it had occupied Crimea back in 2014 and it seemed inevitable that these tools would play a role, especially after the attacks on Ukraine’s power grid and unleashing the NotPetya worm on the world.
According to the Ukrainian State Service of Special Communications and Information Protection (SSSCIP), Ukraine was attacked 1,123 times since the war’s inception. 36.9% of the targets were Government/Defense related and the attacks were 23.7% malicious code and 27.2% information gathering.
The cyber component of the war began nearly 24 hours before the land invasion. Let’s break these down into a few categories and then analyze their intensity, effectiveness and goals. I see them falling into four broad categories: destruction, disinformation, hacktivism, and espionage.
The first and most obvious was the destructive malware phase.
Beginning in January 2022, according to SSSCIP Russian and pro-Russian attackers began unleashing wiper and boot sector altering malware, designed to erase the contents of a system or make it inoperable. They primarily targeted Ukrainian service providers, critical infrastructure, and government agencies. A few days before these attacks, the Ukrainian government moved many of their official online functions to cloud infrastructure, avoiding disruption and allowing Ukraine to maintain services and communicate with the world.
Another destructive attack was on the Viasat satellite communications modems, in use throughout central and eastern Europe. This attack also imposed collateral damage on NATO members, disrupting the operation of more than 5,800 wind turbines in Germany. Due to the assistance of tech companies such as Microsoft and ESET, as well as US intelligence agencies, Ukraine’s success in stopping destructive attacks has been impressive.
One of the most sophisticated malware threats targeting critical infrastructure detected and neutralized by Ukraine was the Industroyer2, the malware was a combination of traditional wipers targeting Windows, Linux, and Solaris and ICS specific malware targeting the operational technology (OT) used to control and monitor the power grid.
Russia is no stranger to using disinformation as a weapon to achieve political outcomes. Their original mission appears to have envisioned a quick victory by storming in and installing a puppet government. Russians seem to have tried numerous influence operations over SMS and traditional social media networks, there didn’t seem to be much appetite for it in an increasingly patriotic Ukraine.
Russia has largely banned foreign and independent media, blocked access to social media, and criminalized calling the invasion a war.
Moreover, the third target of Russian disinformation, as the war has dragged on, is the rest of the world. Russia tried to influence non-aligned states like India, Egypt, and Indonesia may help keep them from voting against Russia in United Nations votes, as well as potentially sway them to support Russia. US intelligence agencies seemed to play a critical role in debunking many of these claims leading up to the war, often preempting Russian plans to disseminate disinformation.
Would the well-known, very skilled hackers throughout Russia and Ukraine take up cyberarms and unleash damaging waves of attacks supporting each of their sides? It certainly looked like that might be the case at the outset.
We observed a marked decline in ransomware attacks for about six weeks after the initial invasion. Hacktivists on both sides kicked into high gear in the early days of the war. Web defacements, DDoS attacks and other trivial hacks were targeting just about anything that was vulnerable and clearly identifiable as Russian or Ukrainian.
Unlike destructive attacks, the secretive nature of espionage attacks, and the difficulty of attributing them, make them more useful against all adversarial targets, not just Ukraine. It is nothing new that Russia targets the United States, European Union and NATO member states with malware, phishing attacks, and data theft.
In March 2022, Google’s Threat Analysis Group (TAG) published a report noting Russian and Belarusian phishing attacks targeting US-based non-governmental organizations (NGOs) and think tanks, the military of a Balkan country, and a Ukrainian defense contractor.
Proofpoint also published research showing EU officials working on assisting refugees were targeted in phishing campaigns originating from a Ukrainian email account allegedly previously compromised by Russian intelligence.
The war in Ukraine will be taught and talked about for a long time and is teaching us a lot about the role cybersecurity and cyberattacks can play in wartime.
The early stages of the war appeared to focus on destabilization, destruction, and disruption. That seems to have lessened in importance as the resolve of the Ukrainian people has allowed them to take the war into a prolonged state necessitating a migration to focusing on espionage and disinformation.
It remains to be seen how the situation will evolve with Russia controlling much of the energy supply in Europe as we head into winter. Disinformation will come into action to pressure European leaders to
European leaders to soften sanctions? Will criminal groups focus on attacks on European energy suppliers, as we have already seen on a small scale?
The war is not over, and the role of cyberattacks could evolve in new and unforeseen ways. What is unlikely is that they will play a decisive role. At least in this conflict, it is another tool to be used alongside other weapons and tools of war-and as with any other aspect of war, a strong defense is often the best solution.
(Chester Wisniewski is the Field CTO for Applied Research at Sophos).