Cyberattacks in the Russia–Ukraine war
WARNING: This article discusses war and violence. It may be distressing for some readers. For ways to help people in Ukraine, please see Checklist 269: Ukraine, Your Loved Ones, and You.
The ongoing Russia–Ukraine war shows why cybersecurity is now an issue of national security. In this overview, we’ll look at some of the ways in which Russia and Ukraine have used offensive cyber capabilities in the conflict thus far.
Preparing for war
Even ahead of the February 24 Russian invasion, cybersecurity experts noted a rise in cyberattacks on Ukraine.
In January, Microsoft researchers announced the discovery of a destructive wiper malware targeting organizations in Ukraine. They did not attribute the threat to a specific actor, but many analysts believed that Russia was behind the attacks. Hackers also defaced dozens of Ukrainian government websites, and even knocked some of them offline.
In February, in the week or so leading up to the invasion, a group of security researchers detected a significant spike in phishing attacks targeting Ukrainian businesses.
Hours before the invasion, “someone” attacked Ukraine with a new wiper malware variant: HermeticWiper. Researchers at ESET say that yet another wiper malware variant was seen immediately after the start of hostilities. This malware, called IsaacWiper, targeted Ukrainian government networks.
In a separate incident, a cyberattack knocked thousands of satellite modems offline throughout Europe on the morning of February 24. A top Ukrainian cybersecurity official, Victor Zhora, told reporters that the attack caused “a huge loss in communications” in the opening hours of the war. The attack was also responsible for cutting off remote control and monitoring for over 5,800 wind turbines in Europe.
As the war drags on, the cyberattacks have continued. Security blog Krebs on Security reports that attacks on Ukraine have increased tenfold in recent weeks. According to one analyst, the pattern of malicious activity is an indication of what’s really going on:
They’re being targeted by a huge amount of phishing, and a lot of malware that is getting onto machines is trying to contact malicious command-and-control infrastructure.
In a recent press conference, Zhora pointed out how remarkable all of this is. “This is happening for the first time in history,” he said, characterizing the Russia–Ukraine war as a “hybrid war.”
Despite the cyberattacks, as well as the physical destruction of infrastructure, Ukraine has managed to keep itself online. In fact, it has even been able to mount a digital counter-offensive.
A Forbes report says that Ukraine’s IT technicians deserve a great deal of the credit for this:
Despite obliterated terrain and internet wires, fire-blackened data centers, curfews, lack of light, and the danger of death from above, the fixers go out and turn the internet back on … Their government calls them the “invisible heroes” of the war, entering dangerous places to replace and upgrade equipment.
On the offensive side, Ukraine appears to have taken advantage of Russian missteps to hack into the enemy’s communications. One report suggests that Russian forces destroyed so many of the 3G cell towers required by their encrypted military phone system that soldiers were forced to rely on ordinary local SIM cards to communicate. Ukrainian intelligence services intercepted their calls, revealing, among other things, the death of a high-ranking Russian officer.
In the early days of the war, Ukraine called on volunteers to join “The IT Army of Ukraine”. Over 300,000 people have joined the group, which focuses on “disrupting Russian websites, preventing disinformation, and getting accurate information to Russian citizens”.
Anonymous, a decentralized hacktivist movement, has declared cyberwar on Russia as well. In the past weeks, Anonymous has claimed credit for a number of high-profile hacks, breaches, and leaks. According to a recent CNBC article, these include:
…disabling prominent Russian government, news and corporate websites and leaking data from entities such as Roskomnadzor, the federal agency responsible for censoring Russian media.
CNBC reports that an independent security analyst who reviewed the claims says that they appear to be accurate, and that he couldn’t find any case of Anonymous overstating its successes.
Not as bad as feared? Not exactly.
Before the war, the security community speculated about the possible scope and reach of a Russian cyberwar in Ukraine. So far, the worst-case scenario — catastrophic cyberattacks on Ukraine and a massive global cyberwar — has not come to pass.
As for why Russia has not attacked outside of Ukraine, some experts believe that Moscow is trying to avoid potential retaliation and is unwilling to risk an overwhelming cyber-response from the West.
As for what’s happening (or not happening) in Ukraine, there may be a somewhat grimmer explanation. In an interview with CNN, one Ukrainian cybersecurity leader remarked:
They bomb critical infrastructure. They don’t need to hack it.
But while Russia’s cyberwarfare activities have been limited — at least so far — cyberattacks are actually on the rise. As one cybersecurity executive, CrowdStrike CEO George Kurtz, explained:
E-crime is actually up since the war in Ukraine started. Everyone is looking at nation-state actors, everyone is talking about Ukraine and Russia, as they should be. It’s a terrible situation. But the e-crime actors are looking at that as a distraction and ramping up their activities and stealing more money as the days go on.
For this reason, it’s important for cybersecurity professionals and everyday computer users alike to remain vigilant in the days and weeks to come.