Pages

21 May 2023

What Russia’s hybrid war on Ukraine has taught us about nation state tactics


It’s been over a year since Russia launched its full-scale invasion of Ukraine on February 24th, 2022. Since that day, Russia has attempted to overrun Ukrainian defenses with a combination of hybrid warfare tactics, including cyber weapons, influence operations, and military force. And while Russia’s military has wrought immense physical devastation in Ukraine, it has fallen short of achieving all its objectives due to the limitations of Moscow’s parallel cyber and influence operations.

As of early 2023, Russian threat actors had expanded the scope of their war-related espionage operations. Between January and mid-February 2023, Microsoft threat intelligence analysts found indications of Russian threat activity against organizations in at least 17 European nations, targeting primarily the government sector. While these actions are most likely intended to boost intelligence collection against organizations providing political and material support to Ukraine, they could also, if directed, inform destructive operations.

As the war in Ukraine enters its second year, we’re offering insights and trends observed during Russia’s first year of cyber and influence operations targeting Ukraine and its supporters. Read on to learn more.

The 3 phases of Russia’s hybrid war

As we’ve continued to study cyber threat trends emerging out of the Russia-Ukraine war, we have found that our analysis best fits into three periods of the war:Phase 1 - Russia’s initial invasion of Ukraine: From January 2022 to late March 2022, Russian cyber threat and influence actors focused on achieving an early victory in Ukraine.

Since January 2022, Microsoft has seen Russian threat actors employ at least nine new wiper families and two types of ransomware against more than 100 Ukrainian organizations. Hundreds of systems across the Ukrainian government, critical infrastructure, media, and commercial sectors have been affected by wipers that permanently delete files and/or render machines inoperable. Most of these attacks coincided with Russia’s initial invasion in February and March 2022.

We also saw Russian influence actors attempt to flood social media platforms with propaganda ahead of the full-scale invasion. These efforts largely fell flat among Ukrainian and Western audiences thanks to proactive intelligence release.Phase 2 - Russia’s withdrawal from advance toward Kyiv to focus on the Donbas: From late March 2022 to September 2022, Russian forces withdrew from Kyiv to focus on Donbas and other then-occupied regions. During this time, Microsoft also observed a cyber and influence operational pivot to target material and political support to Ukraine.

Russian threat actors targeted the logistics and transportation sector inside Ukraine in particular, possibly to disrupt weapons or humanitarian flow to the frontlines. Russian forces also launched simultaneous missile strikes against Ukrainian transportation infrastructure. This points towards the disruption of the flow of goods and people across Ukraine as a common objective.

Likewise, malicious threat groups leveraged a robust cyberespionage campaign against organizations that provided military or humanitarian assistance to Ukraine. Aqua Blizzard, also known as Gamaredon and formerly ACTINIUM, conducted multiple phishing campaigns targeting humanitarian aid and resettlement organizations active in Ukraine, and entities involved in war crimes investigations from April through June 2022.Phase 3 - Russia's reaction to Ukraine’s counteroffensives in eastern and southern Ukraine: Most recently, from September 2022 to March 2023, the Russian government attempted to deepen claims to Ukrainian territory. Moscow announced a partial military mobilization in late September and illegally annexed Luhansk, Donetsk, Zaporizhzhia, and Kherson regions of Ukraine by early October.

Almost immediately after claiming sovereignty over eastern Ukrainian territory, the Russian military launched a barrage of missile strikes on critical energy infrastructure throughout Ukraine’s major cities, cutting heat and power to civilians in the impacted areas as winter set in.

Russian cyber threat and influence operators have also worked to augment Moscow’s political and military actions during this time. For example, a hacker group known as Seashell Blizzard (formerly known as IRIDIUM) directed wiper malware attacks against civilian power and water infrastructure in Ukraine, just as the Russian military launched missile strikes on that same infrastructure. Outside of Ukraine, Seashell Blizzard escalated operations to disrupt supply chains to Ukraine while other GRU-linked groups targeted Western defense-related organizations, likely for intelligence collection.

Cyber operations trends

Moscow has relied heavily on cyber weapons to amplify their efforts to gain access to and conduct attacks on desired targets throughout each of the three phases of Russia’s hybrid war.

Aside from the numerous destructive wiper attacks, Microsoft has observed three core trends that are likely to shape Russian cyber operations going forward:Using ransomware as a deniable destructive weapon. Seashell Blizzard’s development and deployment of Prestige ransomware against Ukrainian and Polish transportation sector organizations in October 2022 may have been a test to see how Ukrainian allies responded to a targeted destructive attack outside Ukraine.

As of November 2022, another actor suspected to be Seashell Blizzard deployed and refined another ransomware called Sullivan ransomware, also known as RansomBoggs.

Microsoft Threat Intelligence observed at least three variants of this ransomware deployed against one Ukrainian organization over the course of three to four days, reflecting iterative development and refinement for modular functionality and improved detection evasion.

Seashell Blizzard’s ransomware attack in Poland and the testing and refinement of Sullivan suggest the actor is preparing Sullivan, or related malware, for further use—possibly against targets outside of Ukraine.Gaining initial access through diverse means. Russian threat actors have leveraged a diverse toolkit to gain initial access to their targets within and outside of Ukraine throughout the conflict. Common tactics and techniques have included the exploitation of internet-facing applications, backdoored pirated software, and ubiquitous spear phishing.

Seashell Blizzard has backdoored pirated versions of Microsoft Office to gain access to targeted organizations in Ukraine. The actor is also responsible for uploading a weaponized version of Windows 10 to Ukrainian forums, exploiting demand for low-cost versions of the software to gain access to government and other sensitive organizations in Ukraine.

Russian threat actors are also actively abusing technical trust relationships, targeting IT providers to reach more sensitive targets downstream without immediately triggering alerts. The hacker groups Forest Blizzard (formerly known as STRONTIUM) and Secret Blizzard (formerly known as KRYPTON) both attempted to access an IT provider in Poland that counts sensitive sectors among its client base. Midnight Blizzard (formerly known as NOBELIUM), the same actor behind the SolarWinds intrusion, regularly attempts to compromise diplomatic organizations worldwide and foreign policy think tanks by first compromising cloud solutions and managed services providers that serve those organizations.Integration of real and pseudo-hacktivists for power projection. An evolving landscape of real or pseudo-hacktivist groups has played active roles in expanding the reach of Moscow’s cyber presence since the outset of the war. These groups amplify Moscow’s displeasure with adversaries and exaggerate the number of pro-Russian cyber forces.

Microsoft and others in the U.S. cybersecurity community have uncovered artifacts to indicate links between Russian military intelligence threat actors and hacktivist influence campaigns on Telegram. On January 17, 2023, Seashell Blizzard used a modified CaddyWiper payload in a destructive attack against a Ukrainian media organization that CERT-UA identified as Ukrinform. The same day, Cyber Army of Russia claimed responsibility for the attack, asserting it was a response to the outlet’s war reporting. The link between the Seashell Blizzard wiper attack and Cyber Army of Russia social media posts suggests coordination between the two entities but the exact nature of the relationship remains unclear.

Influence operations trends

Besides cyber operations and brute military force, influence operations are the third key arm of Russia’s hybrid war. Links between cyber actors and hacktivist groups in the information space represent one of the influence tactics used by Russia since the start of the war.

First, Russian influence actors have sought to weaponize “fact-checking” to spread Kremlin-aligned narratives. These messengers will often attempt to gain credibility by using the language and techniques associated with fact-checking to spread false claims. Social media accounts purporting to be fact-checking entities, like the Telegram channel War on Fakes, spread claims of “Ukrainian fakes” and “debunked” reports of Russian attacks on civilian and critical infrastructure—in reality, turning truth on its head and spreading Russian propaganda.

Second, pro-Russian actors consistently spread purportedly leaked information online to target political figures and governments supportive of Kyiv. While this is not a new tactic for Russia, hack-and-leak operations have become increasingly prevalent during the war. These operations can be more effective than other types of influence operations because leaks are often difficult to authenticate—or debunk—making them an effective tool to amplify existing divisions and tensions by allegedly exposing sensitive information.

Third, the Russian government and affiliated entities regularly coordinate foreign press tours throughout occupied Ukraine to garner international media coverage from sympathetic voices and achieve broader messaging goals. These tours often result in favorable coverage of Russia’s war by the visiting reporters in their respective media outlets and websites, acting as a pathway for pro-Russian propaganda to reach audiences otherwise unlikely to engage with Russian media. Ostensibly independent reporters who publish content aligned with Kremlin propaganda narratives are frequently given honors by the government, including the Russian agency Rossotrudnichestvo’s “Honest View” media awards.

Finally, in addition to operations targeting Moldova, Russia continues to conduct multi-faceted influence operations in Ukraine’s periphery and across Europe to widen societal divisions, discredit leadership supportive of Ukraine, and promote pro-Russian networks in those countries.

What’s next?

Russia’s destructive cyberattacks and influence operations have occurred in fits and starts to amplify Russian military operations in Ukraine. While Kremlin-backed digital operations have not yet successfully deterred Ukrainian resistance or degraded foreign support to Ukraine, there are many indicators we might look for to detect Russian escalation in the digital space.

Should Russia suffer more setbacks on the battlefield, Russian actors may seek to expand their targeting of military and humanitarian supply chains by pursuing destructive attacks beyond Ukraine and Poland. These possible cyberattacks, should the last year’s pattern continue, may incorporate newer destructive malware variants as well.

The convergence of Russian cyber hacks and information leaks may soon rise given that several countries supporting Ukraine will hold elections in the next year. Since at least 2015, Russia has employed cyber and influence campaigns across Western elections to elevate candidates favorable for the Kremlin’s foreign policy objectives. Poland will hold parliamentary elections in 2023, making room for a leadership and political governance change that could alter support for Ukraine. Add to this Finland’s new NATO membership and Sweden’s bid for NATO membership, and Russia likely has a strong incentive to use cyber-enabled influence operations to interfere in European politics in attempts to undermine NATO and EU support for Ukraine.

Microsoft is proud to have supported Ukraine’s digital defense since the start of the Russian invasion. The company’s entire threat intelligence community remains committed to detecting, assessing, and protecting against Russian cyberattacks and online provocations as the war enters its second year.

For more information on the latest cyber threat insights at home and abroad, visit Microsoft Security Insider.

No comments:

Post a Comment