18 July 2023

Ukraine’s ground counteroffensive ushers in a new phase of the conflict in cyberspace


Cyberattacks against Ukraine have surged and are increasingly timed to strikes on the ground, but their effectiveness has been blunted, according to observers including the deputy chairman of Ukraine's state cybersecurity agency.

As its campaign against Ukraine grinds on well into its second year, Russia appears to be making greater use of hacktivists, "patriotic" cybercriminals, and mercenaries in its attacks on the smaller nation. Meanwhile, Western countries neighboring Russia, including recent NATO entrant Finland, have seen an upsurge in hostile attacks that pose a threat to both businesses and government institutions.

Attacks by Russia against Ukraine's government, media outlets and utilities predate the full-scale invasion by Russian forces in February 2022, stretching back to the annexation of the Crimean Peninsula in 2014. Notable attacks include the NotPetya wiper malware in June 2017 and the attack on Ukraine's power grid in December 2015 that temporarily left about 225,000 customers without power. Both were subsequently attributed to Sandworm, a unit of Russian military intelligence (GRU).

With the full-scale invasion of Ukraine, the feared attacks degrading critical infrastructure services failed to materialize, thanks to the experience, preparation and expertise of Ukrainian cyber-defenders. Assistance from Ukraine's Western allies also helped to build resilience in the face of determined assaults.

Russia's cyberattacks against Ukraine have surged

Cyberattacks have nonetheless continued throughout the conflict, with an upsurge in activity since the start of 2023. The Computer Emergency Response Team of Ukraine (CERT-UA) handled 701 incidents between January and April of 2023, with utilities at the sharp end of the attacks. About a quarter of the attacks were aimed at government agencies and the military, with many of the remainder targeting the power grid, finance, transport, telecoms, and other elements of Ukraine's critical infrastructure. This compares to 2,194 attacks logged by CERT-UA throughout the whole of 2022.

The aims of Russian cyber attackers include reconnaissance (gaining information about government and public infrastructure as well as citizens), destroying infrastructure, spreading panic and distrust in local authorities, and attacking the morale of the population through disinformation and propaganda.

Russian cyberattacks against Ukraine often coincide with physical strikes by rockets, missiles and drones, according to Victor Zhora, deputy chairman and chief digital transformation officer of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP). "In some cases, we observe the coordination between cyberattacks and kinetic attacks," Zhora says. "For instance, some cyberattacks can be disruptive to [elements of the] critical infrastructure, such as telecoms. In some cases, these attacks can amplify the psychological effect of kinetic attacks."

International support has helped Ukraine fend off cyberattacks

Information harvested through hacking can be used as intelligence to direct conventional (kinetic) attacks. "There are many forms of how these attacks can be really harmful and can be useful in conventional warfare," Zhora says. "Of course, the impact of these attacks cannot be compared to the disruptions provided by conventional warfare."

Early in the full-scale war, Ukraine's minister of digital transformation famously called for international support from hackers in targeting Russian entities, leading to the creation of the "IT Army of Ukraine", a band of Ukrainian and foreign volunteers. This group has had a significant impact in disrupting Russian entities, including conducting DDoS attacks, doxing Russian military members and senior officials, defacing websites, and breaching data.

The IT Army of Ukraine has also played a significant role in PsyOps (psychological operations) and in raising awareness of the reality of the conflict among Russian citizens, many of whom have had their access to real-time information censored by the Russian state.

Russia's Killnet community has caused increased disruption

Russia, meanwhile, has established a hacktivist community under the name Killnet, which has had some success in conducting disruptive attacks against institutions in Ukraine and NATO countries. This has mostly involved DDoS attacks which, while successful in causing disruption, have not had a lasting impact.

Other groups supporting Russia include Cyber Front Z, a pro-Russian troll operation, and NoName057(16), a group largely associated with running DDoS attacks against the websites of utilities and telecoms firms in pro-Ukrainian countries. On 24 February 2022, the day of the invasion, a wiper called AcidRain bricked satellite modems on Viasat's KA-SAT network across Europe; among the collateral effects, remote monitoring of about 5,800 wind turbines in Germany was knocked out.

Cybersecurity experts tell CSO that the Russian state influences hacktivist and cybercriminal operations to some degree, but the extent of that involvement is unclear. Security experts suspect that many pro-Russian hacktivist groups claiming to carry out attacks on Russia's enemies are in fact fronts for various Russian government agencies.

For example, the FreeCivilian data extortion group has conducted several attacks that deliberately breached data held on Ukrainian government websites. While those running the operation have claimed to be an independent cybercriminal (or group), there are several similarities with defacement activity attributed to advanced persistent threat (APT) groups associated with Russian military intelligence (GRU). "It is realistically possible that FreeCivilian is instead operated by GRU members," according to Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest.

A member of the "Yanluowang" ransomware group was also doxxed as a member of the Russian Armed Forces. "With threat actors deliberately attempting to obfuscate their identity and motivations -- often by masquerading as a separate entity -- determining where activity sits on the spectrum of attribution is incredibly difficult," Morgan says.

Russian tactics have been shifting

Broadly speaking, Russian military intelligence (GRU) is the agency most involved in targeting Ukraine with destructive attacks. The FSB, Russia's domestic security agency, is by contrast focused on intelligence collection worldwide. Tactics, targets and the cadence of attacks are all shifting.

"Russian cyber operations have also taken a dramatic change, with reporting suggesting that Russian state-aligned groups – notably those associated with Russia's military intelligence, the GRU – have been changing pace to conduct quick, destructive attacks," Morgan says. "This change involves a tactic of 'living on the edge' by targeting edge devices like firewalls and routers and deploying data-wiping malware in a matter of weeks after initial access. Often, victims were targeted multiple times, with motivations balanced between conducting espionage operations and conducting disruption."

Even financially motivated groups are sometimes encouraged to attack Ukrainian targets, with reassurance from the Russian government that they will not be prosecuted. A recent espionage campaign by the hacking group Winter Vivern (a group with links to the Russian and Belarusian governments) targeted government agencies and telecom operators in Europe, Ukraine, and India.

Among the targets it is suspected of attacking are Ukrainian government websites that offer guidance to Russian and Belarusian troops seeking to surrender during the war in Ukraine. "Russia's tactics have had to change because in the past their reliance on many APT groups who were based in Russia changed," Philip Ingram MBE, a former senior British military intelligence officer and content lead at International Cyber Expo, tells CSO. "Those APTs franchised a lot of their activities out to hackers outside Russia and their access to these individuals dried up almost completely when Russia re-invaded Ukraine in February 2022."

Russia appears to be tolerating more hacktivist groups

Russian hacktivists continue to play a nuisance role both inside Ukraine and across the rest of the world, according to Ingram. The Russian government has probably tolerated cybercriminal ransomware gangs such as REvil and Conti, but in January 2022, just before the invasion of Ukraine, the FSB cracked down on REvil and arrested several of its members.

It seems that some of the cybercriminals arrested by Russia during that short-lived crackdown on ransomware operations prior to February 2022 have since been released, according to Mikko Hyppönen, chief research officer at WithSecure. Over recent months, the Finland-based cybersecurity vendor has tracked an increase in the activity of pro-Russian hacktivist groups.

Tim West, head of threat intelligence at WithSecure, says there has long appeared to be a relationship between Russian hacktivists and the country's government. This month some of these hacktivists have come out as self-proclaimed "private military contractors" (mercenaries), openly declaring themselves more involved than simple self-motivated "patriotic hackers," he tells CSO. At present, these hacktivists are primarily involved in disruptive attacks such as distributed denial of service (DDoS) attacks, ransomware and wiper malware. Most of this is fairly low level, according to West.

Finland has seen a spike in attacks since joining NATO

Finland joined NATO on April 4, 2023, in a decision spurred on by Russia's full-scale invasion of Ukraine. Russian jets have carried out incursions into Finnish airspace since Finland first applied to join the Western defence alliance. The country's accession to NATO has been accompanied by a ramp-up in DDoS attacks against Finnish government organizations, according to West. "We also detected a small spike in malware activity in Finland in the days around Finland's membership being made official."

Technical measures, such as applying software updates, building in redundancy and keeping remote backups, need to be combined with processes and policies to make countries more resilient to attacks. "The Ukraine is not alone. Unfortunately, it is not the only target," Zhora says. "We see a lot of our friends and partners being attacked by Russia."

"I think there are a lot of areas of cooperation, exchanging information on threats, sharing experience and techniques of protection," Zhora says. "Our recommendations for all of our partners are basically the same: sharing cyber rules, building capacities, enhancing collaboration and cooperation between agencies, improving international cooperation, and strengthening existing infrastructures. I think one of the major contributions to our resilience was achieved through international technical assistance projects prior to this full-scale war."