Notes on Russia- Ukraine Cyberwarfare

Russia has shown how not to use cyber operations to gain advantage in armed conflict, but its efforts highlight best practices. The most obvious lesson is the need for adequate preparation to generate coordinated, simultaneous strikes on critical targets. The second is to achieve cyber superiority by crippling cyber defenders. The third is to prepare the battlefield politically and psychologically and to control the public narrative of the campaign as much as possible. Some call Vladimir Putin’s Ukraine invasion as the world’s 1st full-scale cyberwar.

Timeline 2005-2013:

1st attacks on information systems of private enterprises and state institutions of ukraine were recorded during mass protests in 2013.  Russian cyberweapon Uroburos has been around since 2005. Turla or Uroboros is a Trojan package that is suspected by computer security researchers and Western intelligence officers to be the product of a Russian government agency of the same name. In December 2014 there was evidence of it targeting operating systems running Linux.

Telegram App, created by Russians was launched in 2013, The Kremlin has propagandised Russian state media, and is trying to control the narrative online too. There was a bombardment of “imposter content” circulating – including fake news reports and deepfake videos.

Timeline 2013-2022:

In 2021, groups aligned with Russian security services began laying the groundwork for a military incursion, according to Microsoft. The digital onslaught, which Microsoft said began one year prior to Russia’s Feb. 24 invasion, may have laid the groundwork for different military missions in the war-torn territory, researchers found. Between Feb. 23 and April 8, Microsoft said, it observed a total of 37 Russian destructive cyberattacks inside Ukraine. Microsoft said Russia’s hacking and military operations worked in “tandem against a shared target set.” For example, a timeline published by Microsoft showed that on March 1 – the same day a Russian missile was fired at Kyiv’s TV tower – media companies in the capital were hit by destructive hacks and cyberespionage.

In another case, the company’s cybersecurity research team recorded “suspected Russian actors” lurking on Ukrainian critical infrastructure in the northeast city of Sumy, two weeks before widespread electricity shortages were reported in the area on March 3. The next day, Microsoft said, Russian hackers broke into a government network in the central Ukrainian city of Vinnytsia. Two days later, missiles leveled the city’s airport.

Two weeks ago the U.S. government publicly exposed a cyberweapon, known as Pipedream, that was designed to damage industrial control systems. While the tool hasn’t been attributed to Russia, it is viewed as highly dangerous and its discovery coincides with the Ukraine conflict.

Individuals are also targets. Every Ukrainian citizen is potentially at risk of cyber-attack, with hacked personal data providing the Russian security services with opportunities to gain backdoor access to Ukrainian organizations and identify potential opponents or prepare tailored propaganda campaigns.

The Microsoft report says:

Russia not surprisingly targeted Ukraine’s governmental data center in an early cruise missile attack, and other “on premise” servers similarly were vulnerable to attacks by conventional weapons. Russia also targeted its destructive “wiper” attacks at on-premises computer networks. Microsoft has seen the Russian military launch multiple waves of destructive cyberattacks against 48 distinct Ukrainian agencies and enterprises.

Russian cyber tactics in the war have differed from those deployed in the NotPetya attack against Ukraine in 2017. That attack used “wormable” destructive malware that could jump from one computer domain to another and hence cross borders into other countries. Russia has been careful in 2022 to confine destructive “wiper software” to specific network domains inside Ukraine itself. But the recent and ongoing destructive attacks themselves have been sophisticated and more widespread than many reports recognize. And the Russian army is continuing to adapt these destructive attacks to changing war needs, including by coupling cyberattacks with the use of conventional weapons.  

Microsoft detected Russian network intrusion efforts on 128 organizations in 42 countries outside Ukraine. While the United States has been Russia’s number one target, this activity has also prioritized Poland, where much of the logistical delivery of military and humanitarian assistance is being coordinated. Russian activities have also targeted Baltic countries, and during the past two months there has been an increase in similar activity targeting computer networks in Denmark, Norway, Finland, Sweden, and Turkey.

Most vulnerable are government computers that are running “on premise” rather than in the cloud. This reflects the current and global state of offensive cyber espionage and defensive cyber protection. As the SolarWinds incident demonstrated 18 months ago, Russia’s intelligence agencies have extremely sophisticated capabilities to implant code and operate as an Advanced Persistent Threat (APT) that can obtain and exfiltrate sensitive information from a network on an ongoing basis. 

Russian cyber-influence operations are building on and are connected to tactics developed for other cyber activities. Like the APT teams that work within Russian intelligence services, Advance Persistent Manipulator (APM) teams associated with Russian government agencies act through social media and digital platforms. They are pre-positioning false narratives in ways that are similar to the pre-positioning of malware and other software code. They are then launching broad-based and simultaneous “reporting” of these narratives from government-managed and influenced websites and amplifying their narratives through technology tools designed to exploit social media services. Recent examples include narratives around biolabs in Ukraine and multiple efforts to obfuscate military attacks against Ukrainian civilian targets.  During the last six months, similar Russian cyber influence operations sought to help inflame public opposition to COVID-19 policies in New Zealand and Canada

5 conclusions that come from the war’s first four months: 

  1. First, defense against a military invasion now requires for most countries the ability to disburse and distribute digital operations and data assets across borders and into other countries.
  2. Second, recent advances in cyber threat intelligence and end-point protection have helped Ukraine withstand a high percentage of destructive Russian cyberattacks. 
  3. Third, as a coalition of countries has come together to defend Ukraine, Russian intelligence agencies have stepped up network penetration and espionage activities targeting allied governments outside Ukraine.
  4. Fourth, in coordination with these other cyber activities, Russian agencies are conducting global cyber-influence operations to support their war efforts.
  5. Finally, the lessons from Ukraine call for a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations. reports: Russia had previously used cyberattacks against Ukraine to destroy or damage infrastructure and data. It attempted to do so again in 2022. Based on publicly available information, Russia launched a broad cyber campaign shortly before the invasion in January. The intent appears to have been to create disorder and overwhelm Ukrainian defenses. Russia sought to disrupt services and install destructive malware on Ukrainian networks included phishing, denial of service, and taking advantage of software vulnerabilities. One company identified eight different families of destructive software used by Russia in these attacks. The primary targets were Ukrainian government websites, energy and telecom service providers, financial institutions, and media outlets, but the cyberattacks encompassed most critical sectors. This was a wide-ranging attack using the full suite of Russian cyber capabilities to disrupt Ukraine.

Most of these attacks have been attributed by Ukrainian and Western sources to Russian government entities—chiefly the GRU, Russia’s military intelligence service, which has a history of using disruptive cyberattacks. In a few cases, proxy groups (such as the leading ransomware group Conti) were also involved, and in one reported instance, a Brazilian hacker group supportive of Russia attacked Ukrainian universities.

There was reportedly a surge of Russian action to penetrate North Atlantic Treaty Organization (NATO) networks at the onset of the conflict, a sensible precaution from the Russian perspective, given its fear of the possibility of a NATO intervention.

While celebrated in the media, the various cyber actions against Russian websites by private actors had no effect on Russian military operations, its military capabilities, or, as far as anyone can tell, Putin’s strategic calculations. The results of the activities of “hacktivists” and their efforts against Russia are exaggerated. Russia did not change course or alter plans as a result of these hacktivist efforts, nor was the Russian capability to engage in offensive operations, spotty as it may have been, degraded by hacktivist action. 

Estonia’s Cyber Defense Unit is an example of how such groups can be organized to be effective. Estonia assisted Ukraine before the invasion, and it is possible that some of the volunteer cyber defenders were organized in ways that assigned them to priority targets, avoided both duplication of effort and gaps, and made them a more reliable source of auxiliary cyber capability.

The lesson for other countries– is that volunteers can provide valuable assistance in defense if their efforts are coordinated and a framework for coordination and partnership with government agencies is developed in advance of conflict. Ukrainian civilian efforts to provide intelligence on Russian forces, while dependent on networks, are not exactly “cyber” efforts, but they provided real benefit to defenders. 

Leave a Reply