Malware and DDoS attack prior to the invasion

Prior to the invasion, researchers had also already discovered a malware named WhisperGate circulating on Ukrainian systems, including on the network of the government and of organisations that work in partnership with it. The malware was disguised as a ransomware being used for financial gain, but it was actually designed to be destructive and render the infected devices inoperable.

In the week leading up to the invasion, DDoS attacks were launched to hit the websites of Ukraine’s Ministry of Defence and of two of the country's largest banks, Privatbank and Oschadbank. While assigning responsibility for these types of attacks typically takes months, the US publicly attributed the blame to the GRU, Russia’s military intelligence service.

A second wave of DDoS attacks targeted Ukrainian government sites the day prior to the invasion, including the website of the Ministry of Defence, Ministry of Foreign Affairs, and the Parliament. On the same day, a new data-wiping malware, called HermeticWiper, was found targeting specifically government contractors, in addition to Ukrainian financial, IT and energy organisations.

Russian threat actors were not the only ones attempting to hack into Ukrainian systems, as it is suspected that the day prior to the invasion, the Chinese government launched coordinated hacking attempts on over 600 Ukrainian websites.

The day of the invasion

On 24 February 2022, while Russian military forces launched the large-scale invasion of Ukraine via kinetic warfare, Russian threat actors supported the military’s strategic and tactical objectives by launching cyber attacks in the digital environment. On the day of the invasion, a major cyberattack targeted Viasat, the American commercial satellite internet company, resulting in disruptions and outages that impacted several thousand Ukrainian customers, and tens of thousands of customers across Europe. Disruptions to this service, which is used also by the Ukrainian military, resulted in a huge loss of communication in Ukraine, right when Russian military forces were starting to invade the country.

This attack also had effects in Germany, where an energy company was unable to control and monitor over 5,800 of its wind turbines.

Hacktivists join the war

As war broke out, civilian hacktivists and vigilante groups took sides and started launching attacks, worsening the pre-existing “fog of war”. The hacktivist collective Anonymous declared cyber war against Russia, and in the following weeks took credit for hacking several Russian TV stations and streaming services to display pro-Ukraine messages. The collective also took responsibility for launching DDoS attacks on over 2,500 websites, including government websites, in Russia and Belarus. On 10 March, Anonymous announced it had hacked into the systems of Roskomnadzor, the Russian agency that deals with censoring and monitoring media, and claimed to have leaked over 360,000 of the agency’s files. The ransomware group Conti instead, took a stance in support of the Russian government, threatening to retaliate against anyone who launched cyber attacks against Russia. The Ukrainian government also tried to coordinate the actions of hacktivists, by asking volunteers with cyber skills to join a virtual IT army, in order to help Ukraine launch attacks against Russian targets.

A hybrid war between Russia and Ukraine

Both the US and the EU have publicly blamed Russia for releasing data-wiping malware, with the aim of infecting the networks of the Ukrainian government and private sector. According to Microsoft, at least 8 destructive malware families were deployed in Ukraine, including WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper and Industoyer2. The report by Microsoft informs that at least 6 Russian Advanced Persistent Threat actors were responsible for launching destructive attacks on Ukraine. Out of the attacks, over 40% targeted organisations in critical infrastructure sectors, and 23% affected Ukrainian government organisations, at the national, regional and city level. Similarly, Avast’s Q1/2022 report suggests that there was a significant increase in the number of attacks in Ukraine, Russia and Belarus, with a 50% increase in the number of Remote Access Trojan attacks, and a 20% increase in the amount of information stealer malware attacks. Since before the invasion, DDoS attacks were also used as a common attack technique, with Ukraine being targeted by more than 3,000 DDoS attacks by mid-March, according to Ukraine’s State Service of Special Communication and Information Protection.

The cyber-attacks launched against Ukraine as part of the Russian operation, have aimed to degrade and disrupt the Ukrainian government, military and economic functions, and to generate distrust in the government among citizens, according to Microsoft. Since the onset of the invasion, Russian threat actors, have attempted to control the information environment and to compromise the communication infrastructure in Ukraine. In early March, the websites of the municipal and regional governments of the Ukrainian territories seized by Russia, were hacked to display fake news suggesting that Ukraine had surrendered to Russian forces. The Ukrainian internet provider Triolan instead, suffered a number of attacks since the invasion, which caused some routers and other infrastructure in Ukraine to remain offline for some period of time. Similarly, at the end of March, Ukraine’s largest internet and telephone provider Urketelecom, which is extensively used by the Ukrainian military and government, was hit by a DDoS attack which led to near-total loss of connectivity. According to the Ukrainian State Service of Special Communication and Information Protection, Russian hackers launched continuous attacks on Ukrainian information resources, such as the websites of the presidency, ministries, parliament, and cabinet.

Russia was on the receiving end of cyberattacks as well that, however, did not cause significant damage. Russian government agencies and state-owned companies suffered outages and disruptions, including the websites of the Kremlin, the flagship carrier Aeroflot and Russia’s largest lender, Sberbank. According to Rostelecom-Solar, the cybersecurity section of the telecom company Rostelecom, Russian businesses were heavily targeted, with the commercial sector being hit by more than 1,100 DDoS attacks from the 1 to 10 March. Russia’s largest bank, Sberbank, also advised its customers to not update their software in fear of the so-called “protestware” threat, in which activist programmers and code authors insert malicious content into a library of open-source code to make a political statement. The Russian oil pipeline Transneft was also hit, this time by a data leak through which, unknown attackers obtained 79GB of the company’s emails. The leak, published on Distributed Denial of Secrets, was dedicated to Hillary Clinton, just days after an interview in which she encouraged Anonymous to launch cyberattacks against Russia. On 22 March, a cyberattacks launched against the Moscow-based meat producer and distributor Miratorg Agribusiness Holding, resulted in the company’s IT systems being encrypted. While the attack initially seemed like a ransomware attack, it later appeared that the aim was to sabotage the company instead.

The war between Russia and Ukraine is currently being fought in a hybrid way, with cyberattacks being used in support of kinetic traditional warfare. It is known however, that Russia in particular has the capability to launch attacks that could paralyse Ukrainian systems, by targeting power grids and critical infrastructure. It is still unclear why these cyber capabilities have been underused as of now. However, there still remains a risk that, as the military invasion and traditional warfare reaches a stalemate, the focus might shift even more on launching attacks in the cyber domain. For this reason, Ukraine and its neighbours remain on high alert. Western countries have also issued alerts for the possibility of destructive cyber attacks, both as part of retaliation efforts by Russia following the sanctions imposed on the country, and because of the fear of a spillover effect of cyber attacks. Considering the interconnectedness of global networks, there is a realistic risk that attacks aimed at Ukraine could spread, and accidentally affect other countries. As of now, Western countries like the US and the UK are helping Ukraine to improve its defenses, with the aim of helping the country protect its network infrastructure from threats.

The information contained in this article is provided by White Blue Ocean, part of CRIF Group, a global company specializing in credit & business information systems, analytics, outsourcing and processing services, as well as advanced digital solutions for business development and open banking.

Reference List

https://www.bbc.co.uk/news/technology-61396331

https://www.bleepingcomputer.com/news/security/top-russian-meat-producer-hit-with-windows-bitlocker-encryption-attack/

https://www.bleepingcomputer.com/news/security/multiple-ukrainian-government-websites-hacked-and-defaced/

https://blogs.microsoft.com/on-the-issues/2022/04/27/hybrid-war-ukraine-russia-cyberattacks/

https://www.computerweekly.com/news/252513946/Ukraine-cyber-attacks-seen-spiking-but-no-destructive-cyber-war-yet

https://www.csoonline.com/article/3647072/a-timeline-of-russian-linked-cyberattacks-on-ukraine.html

https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks

https://decoded.avast.io/threatresearch/avast-q1-2022-threat-report/

https://fortune.com/2022/03/22/what-is-protestware-russia-ukraine-sberbank-software-open-source/

https://krebsonsecurity.com/2022/03/report-recent-10x-increase-in-cyberattacks-on-ukraine/

https://www.lawfareblog.com/cyber-realism-time-war

https://news.sophos.com/en-us/2022/03/21/russia-ukraine-war-related-cyberattack-developments/

https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/

https://press.avast.com/en-gb/avast-q1/2022-threat-report-cyber-warfare-in-ukraine-and-russia-dominates-the-threat-landscape

https://www.reuters.com/world/europe/factbox-the-cyber-war-between-ukraine-russia-2022-05-10/

https://www.theguardian.com/technology/2022/feb/23/uk-firms-warned-russia-cyberwar-spillover-ukraine-critical-infrastructure

https://thehackernews.com/2022/04/chinese-hackers-targeting-russian.html

https://www.theregister.com/2022/05/10/us_eu_russia/?

utm_source=daily&utm_medium=newsletter&utm_content=article

https://www.theguardian.com/world/2022/feb/27/anonymous-the-hacker-collective-that-has-declared-cyberwar-on-russia

https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.