Russia-Ukraine: One year of war
Date : February 07, 2023
Several organisations have published reports on the cyber aspects of the Russia-Ukraine war. What follows is a summary of what we learned from three such publications.
Podcast "Le Comptoir Sécu" of 25-Dec-2022
This episode (in French) on the Russia-Ukraine war brings up the following points:
- Cyber is a new weapon, which complements conventional weapons (aviation, artillery, infantry, etc.), but does not replace them.
- It was mainly used for reconnaissance, destabilisation and propaganda operations.
- Performing an advanced cyber-attack is complex. Finding 0-day vulnerabilities is not enough: a complete mission has to be designed, which is time-consuming and expensive.
- Destroying a target with a cyber-attack is complex, often uncertain and usually not definitive, since the adversary can often bring it back online fairly quickly. For destructive actions, conventional weapons (missiles) therefore seem simpler to employ and more effective.
- Ukraine has stood up well to cyber-attacks, perhaps because it has become used to them through the Russian cyber-attacks it has suffered since 2013.
- As far as is known, the attacks were mainly wipers. A few attacks aimed at cutting off communications were also seen at the beginning of the conflict (the attack on the KA-SAT satellite modems, attacks on about 50 core routers).
- The hacktivist movement is a prominent phenomenon, with a large number of groups mobilised either in defence of Ukraine (36 pro-Ukrainian groups were identified, e.g. the IT Army of Ukraine) or in defence of Russia (42 pro-Russian groups were identified, e.g. the Killnet group). Hacktivist groups with unclear motivations were also seen (6 groups in this category, which appear to be Chinese groups).
- The hacktivist movement has caused some victims trouble, but overall the effect of these attacks has been rather marginal.
- It is worth noting the important role played by private actors such as Microsoft (which helped the Ukrainian administration) and Amazon (which helped the central bank). Civilians were also involved (for example, by reporting drone overflights), and there were OSINT (open source intelligence) actions by civilians (for example, to identify Russian fighters). This involvement of companies and individuals from around the world is a somewhat new phenomenon compared with traditional conflicts.
- The war has raised questions that had not been asked until now: migrating data to the cloud protects it from physical attacks, but what about sovereignty if the data goes abroad? Are datacentres safe places if they can be bombed? How do we deal with the fact that some of the software in use is potentially controlled by the enemy (Kaspersky, Nginx and Veeam are of Russian origin)?
Sekoia: One year after - the cyber implications of the Russo-Ukrainian war
In this article dated 21-Feb-2023, Sekoia makes the following observations:
- There have been a significant number of attacks using wipers (Sekoia counts 12 distinct wipers, while Google counts 6 and treats the others as variants) and some destructive actions (such as the attack on the KA-SAT satellite modems), but there have been no large-scale cyber-attacks of the kind that had been feared.
- Destructive actions (e.g. wipers) were carried out by the GRU (Russian military intelligence), while the FSB (domestic security) and the SVR (foreign intelligence) carried out reconnaissance and espionage attacks (phishing and intrusion campaigns).
- The wipers were technically rather simple, with no automatic propagation capability, probably to avoid the mass-spread effects seen in 2017 with NotPetya.
- Influence operations (Info Ops) were conducted by Russia and Belarus, in particular to develop anti-NATO sentiment in Eastern European countries (Ukraine, Poland, Lithuania and Latvia). Google's view on this topic differs (see below): it mainly describes Info Ops aimed at Russian citizens.
- The pro-Russian (such as Killnet) and pro-Ukrainian (such as the IT Army of Ukraine) hacktivist movements have been very active. Their actions have been numerous and widely reported. They have carried out DDoS attacks, some ransomware attacks (to block organisations rather than to demand money) and hack-and-leak operations (theft of data with the aim of making it public). These are mainly destabilisation and image-damage operations.
- Cyber-criminals have remained rather aloof from the conflict. Some groups have been disorganised or disbanded (e.g. Conti), some have carried out isolated actions, but most have continued their activities, without interacting with the conflict.
Google: Fog of war - how the Ukraine conflict transformed the cyber threat landscape
Google published its report on 16-Feb-2023. A 30-minute webcast is also available. Google's analysis is split into 3 chapters:
- State sponsored attacks
- Information Operations (Influence Operations)
- Cybercrime
State sponsored attacks
Preparatory cyber-operations began well before the invasion. Google gives a timeline of phishing attacks (often the first step of an intrusion) that shows massive campaigns in April 2021 (targeting Ukraine) and in late September 2021 (possibly targeting NATO countries, although Google is not very clear on this point).
A large number of wiper attacks were carried out throughout 2022. These attacks were conducted almost exclusively by the GRU (Russian military intelligence, as opposed to the FSB or SVR). A break in activity was noted in August and September, which probably corresponds to a period when Russia prioritised espionage and information-gathering operations (running a wiper and an espionage operation against the same organisation at the same time is generally not compatible, since the wiper destroys the access the espionage depends on).
Information Operations
Russia's actions in this area have mainly targeted Russian citizens.
Note: we did not read this section in detail because it is not related to the protection of IT systems.
Cybercrime
The war has caused disruptions in cybercriminal activities, in particular for ransomware groups. Some groups (such as Conti) have split in two according to their convictions (pro-Russian or pro-Ukrainian). Some actors have stopped their activities (the developer of the Raccoon infostealer was arrested after leaving Ukraine). The rule of non-aggression between countries of the former USSR that used to apply (most ransomware refuses to run on hosts whose locale or keyboard layout indicates one of these countries) is now less strictly observed. There have been cases of ransomware attacks targeting Russia and of attacks by cybercriminal groups against Ukraine. However, there has been no increase in attacks on critical infrastructure in the US and NATO countries.
The overall impression from this Google report is that there have been a significant number of Russian attacks, but with rather mixed results (both for state attacks and for information operations). Google expects attacks against Ukraine and NATO countries to continue.
Note: the Google report mentions that the Russian group Sandworm (named FROZENBARENTS by Google) attacked the Turkish company Baykar in March 2022. Baykar manufactures the Bayraktar TB2 military drones that Ukraine used at the beginning of the war. To our knowledge, this attack was not previously known.
Other analysis reports
Here are some other resources that provide an overview of the cyber aspects of the Russia-Ukraine war.
- Check Point: https://blog.checkpoint.com/2023/02/21/the-russian-ukrainian-war-one-year-later/
- CERT-EU: https://cert.europa.eu/blog/1yua-cyberops
- Microsoft : https://www.microsoft.com/en-us/security/business/security-insider/wp-content/uploads/2023/03/A-year-of-Russian-hybrid-warfare-in-Ukraine_MS-Threat-Intelligence-1.pdf
- L'Usine Digitale (French magazine): https://www.usine-digitale.fr/article/les-cinq-points-cles-de-la-cyberguerre-russe-en-ukraine.N2102156
- NoLimitSecu (French podcast): https://www.nolimitsecu.fr/cyber-guerre/