Cyber threats before the start of war: what can be learned from them?


Prior to the Russian attack on Ukraine, there were a number of cyber threats: Distributed Denial of Service (DDoS) attacks that sporadically disrupted Ukrainian government websites and financial services providers. What can we learn from history to be prepared? A timeline from 2007 to 2022. A commentary by Chester Wisniewski, Principal Research Scientist at Sophos.

“All companies should always be prepared for attacks from all directions. But it can be helpful to know what to look for when the risk of an attack increases. I have decided to review the history of the Russian state's known or suspected activities in the cyber environment and assess what types of activities to expect and how organizations can be prepared.” Chester Wisniewski, Sophos.

Destabilizing denial of service attacks

The earliest known activity dates back to April 26, 2007, when the Estonian government moved a statue commemorating the Soviet Union's liberation of Estonia from the Nazis to a less prominent location. This action enraged the Russian-speaking population of Estonia and destabilized relations with Moscow. Shortly thereafter, there were riots in the streets, protests in front of the Estonian embassy in Moscow, and a wave of DDoS attacks on Estonian government and financial services websites.

Ready-made tools and instructions on how to participate in DDoS attacks appeared on Russian forums almost immediately after the statue was relocated. These attacks targeted websites belonging to the President, Parliament, the police, political parties and the main media outlets.

While other "Russian patriots" were called upon to help punish Estonia, this was hardly a grassroots movement that came out of nowhere complete with tools and a list of targets. The same tactic was later used by Anonymous to defend Wikileaks using a tool called the Low Orbit Ion Cannon (LOIC).

Actions since 2007

On May 4, 2007, the attacks intensified and also targeted banks. Exactly seven days later, at midnight, the attacks ended as abruptly as they had begun. Everyone immediately blamed Russia, yet attributing distributed denial-of-service attacks is nearly impossible. It is now widely believed that these DDoS attacks were the work of the Russian Business Network (RBN), a notorious organized crime group in Russia with ties to spamming, botnets, and pharmaceutical affiliate programs. Their services were apparently "engaged" for exactly one week to carry out these attacks.

On July 19, 2008, a new wave of DDoS attacks began, targeting news and government websites in Georgia. These attacks mysteriously intensified on August 8, 2008, when Russian troops invaded the separatist province of South Ossetia. The attacks were initially directed against Georgian news and government sites, and later also against financial institutions, companies, educational institutions, Western media and a Georgian hacking website.

As with the previous attacks on Estonia, a website appeared with a list of targets and a set of tools with instructions on how to use them. Here, too, attempts were made to attribute the attacks to “patriots” resisting Georgian aggression. However, most of the actual attack traffic came from a known large botnet that was believed to be controlled by RBN.

Digital Defacement and Spam

Attacks on Georgia also included defacing websites and massive spam campaigns designed to clog Georgian inboxes. All of this apparently served to shake confidence in Georgia's ability to defend and govern itself, and to prevent the government from communicating effectively with its citizens and the outside world.

Less than a year later, in January 2009, another series of DDoS attacks began in Kyrgyzstan. This happened at the same time that the Kyrgyz government decided to extend the lease of a US air force base in the country. A coincidence? It looked like RBN was at work again, but this time there was no pretense of "patriots" voicing their digital opinions.

This brings us to the most recent kinetic conflict, the 2014 invasion of Crimea.

Disinformation and isolation

A low-level information war has been waged against Ukraine since 2009, with many attacks coinciding with events that could be interpreted as a threat to Russian interests, such as a NATO summit and Ukraine-EU negotiations on an association agreement.

In March 2014, The New York Times reported that the Snake malware had infiltrated the office of Ukraine's prime minister and several embassies abroad as anti-government protests began in Ukraine. In late 2013 and early 2014, ESET also published research documenting attacks on military targets and media, dubbed Operation Potao Express.

As before, a local cyber group called "Cyber Berkut" carried out DDoS attacks and web defacements, but without causing major damage. However, it created a great deal of confusion, and that alone has implications in times of conflict.

At the beginning of the conflict, soldiers without insignia took control of Crimea's telecommunications networks and the only internet hub in the region, causing an information freeze. The attackers misused their cellular network access to identify anti-Russian protesters and send them text messages that read: "Dear subscriber, you are registered as a participant in a mass riot."

After isolating Crimea's ability to communicate, the attackers also spoofed the mobile phones of members of Ukraine's parliament, preventing them from responding effectively to the invasion. As noted in Military Cyber Affairs, the disinformation campaigns were in full swing:

“In one case, Russia paid a single person to have multiple different web identities. One actor in St. Petersburg stated that they acted as three different bloggers with ten blogs and commented on other websites at the same time. Another person was hired to comment on news and social media 126 times every XNUMX hours.”

Crippling power supply

On December 23, 2015, around half of the residents of Ivano-Frankivsk (Ukraine) suddenly had their electricity cut off. It is widely believed that this was the work of Russian state-sponsored hackers. The first attacks began more than six months before the blackout, when workers at three power distribution centers opened an infected Microsoft Office document containing a macro designed to install malware called BlackEnergy.

The attackers managed to gain remote access to the SCADA (Supervisory Control and Data Acquisition) network and take control of the substation controls to open the circuit breakers. They then compromised the remote control systems to prevent the breakers from being closed again to restore power. In addition, the attackers used a "wiper" to destroy the computers used to control the network, while simultaneously conducting a telephone denial-of-service (TDoS) attack that flooded customer service numbers, so that customers trying to report the outages could not get through.

Almost a year later, on December 17, 2016, the lights went out again in Kyiv. A coincidence? Probably not.

This time the malware responsible was called Industroyer/CrashOverride and was far more sophisticated. It was equipped with modular components that could scan the network to find SCADA controllers and speak their protocols. It also had a wiper component to erase the system. The attack appeared unrelated to BlackEnergy or the well-known wiper tool KillDisk, but there was no doubt who was behind it.

Email Disclosure

In June 2016, during the close presidential campaign between Hillary Clinton and Donald Trump, a new figure calling itself Guccifer 2.0 emerged and claimed to have hacked the Democratic National Committee and forwarded its emails to Wikileaks. While not officially attributed to Russia, it surfaced alongside other disinformation campaigns during the 2016 election and is widely believed to be the hand of the Kremlin.

Supply Chain Attacks: NotPetya

Russia's persistent attacks on Ukraine were not over yet, and on June 27, 2017, the situation escalated with the release of a new malware called NotPetya. Disguised as new ransomware, NotPetya was distributed via the hacked supply chain of a Ukrainian accounting software provider. In fact, it was not ransomware at all. It encrypted the computer, but the data could not be decrypted, effectively wiping the device and rendering it unusable.

The victims were not limited to Ukrainian companies. The malware spread worldwide in a matter of hours, mostly affecting organizations operating in Ukraine, where the booby-trapped accounting software was deployed. It is estimated that NotPetya caused at least $10 billion in damage worldwide.

Under a false flag

As the PyeongChang Winter Olympics opened on February 9, 2018, another attack unfolded that kept the world in suspense. The malware attack disabled all domain controllers across the Olympic network, preventing everything from WiFi to ticket offices from working properly. Remarkably, the IT team was able to isolate the network, restore the systems and remove the malware, and by the next morning everything was working again.

Then it was time to analyze the malware to find out who had tried to attack and shut down the entire Olympic network. Attribution of malware is difficult, and some clues were left that might have been helpful or might have been false leads intended to point to an uninvolved third party. The "evidence" appeared to point to North Korea and China, but it was almost too obvious to blame North Korea. In the end, Kaspersky Lab's Igor Soumenkov, with brilliant detective work, found a hot lead that pointed directly to Moscow.

A few years later, just before the 2020 year-end holidays, a supply chain attack became known that targeted the SolarWinds Orion software used to manage the network infrastructure of large and medium-sized enterprises around the world, including many US federal agencies. The software's update mechanism had been hijacked and used to install a backdoor.

The prominence of the victims combined with the access provided by the stealthily installed backdoor makes this attack possibly one of the largest and most damaging cyber espionage attacks in modern history.

The US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued a joint statement saying that their investigations indicate that:

“…an advanced persistent threat actor, likely of Russian origin, is responsible for most or all of the recently discovered ongoing cyberattacks on governmental and non-governmental networks. At this point, we believe this is an intelligence action and will continue to be so.”

Russian cyber conflict in 2022

In 2022, cyber-political tensions are increasing again and are about to be critically tested. On January 13-14, 2022, numerous Ukrainian government websites were defaced and systems were infected with malware disguised as ransomware.

Several components of these attacks are reminiscent of the past. The malware was not ransomware but a sophisticated wiper, as in the NotPetya attacks. In addition, many false leads were left, suggesting that it could be the work of Ukrainian dissidents or Polish partisans. Distracting, confusing, denying and trying to divide now seem to be the standard repertoire.

On Tuesday, February 15, 2022, a series of DDoS attacks was launched against Ukrainian government and military sites, as well as three of Ukraine's largest banks. In an unprecedented move, the White House quickly declassified some intelligence information, attributing the attacks to the Russian GRU.

The Russian Cyber Warfare Playbook

What now? Regardless of whether the situation escalates further, cyber operations will certainly continue. Since the ouster of Viktor Yanukovych in 2014, Ukraine has faced a constant barrage of attacks that has ebbed and flowed in intensity.

Russia's official 2010 "Military Doctrine of the Russian Federation" describes “the prior conduct of information warfare operations to achieve political goals without the use of military force, and subsequently in the interests of a positive response by the world community to the use of military force.”

This suggests a continuation of previous pre-conflict behaviors and makes DDoS attacks a potential sign of an imminent kinetic response. With information warfare, the Kremlin can attempt to direct the reaction of the rest of the world to actions in Ukraine or other targets.

Misdirection, misattribution, disrupted communications, and social media manipulation are all important components of Russia's information warfare concept. They do not need to provide permanent cover for activities on the ground or elsewhere, but simply enough delay, confusion, and contradiction to allow other concurrent operations to achieve their goals.

Prepare and protect

Interestingly, the United States and United Kingdom are trying to pre-empt some of the misinformation campaigns, which could limit their effectiveness. However, we should not assume that the attackers will stop trying, so we must remain prepared and vigilant.

For example, organizations in Ukraine's neighboring countries should be prepared to be drawn into online scams even if they do not operate directly in Ukraine. Previous attacks and misinformation have spilled over into Estonia, Poland and other bordering states, albeit only as collateral damage. From a global perspective, we should expect that a number of “patriotic” freelancers in Russia, i.e. ransomware criminals, phishers and botnet operators, will act with even greater zeal than usual against targets perceived as anti-motherland.

Russia is unlikely to attack NATO members directly and risk triggering Article V. However, recent gestures by Russia to rein in criminals operating out of the Russian Federation and its partners in the Commonwealth of Independent States (CIS) are likely to end, and threats will instead multiply.

While defense in depth should be the most normal thing in the world, it is especially important when we face an increase in the frequency and severity of attacks. The misinformation and propaganda will soon peak, but we must stay on guard, batten down the hatches and monitor our networks for anything unusual as the cycles of conflict ebb, even if they end soon. Because, as we all know, it can take months before evidence of a digital intrusion related to the Russian-Ukrainian conflict emerges.

Chester Wisniewski, Principal Research Scientist at Sophos (Image: Sophos).

About the Author Chester Wisniewski

Chester Wisniewski is a Principal Research Scientist at Sophos, a leading provider of next-generation security solutions. He has more than 20 years of professional experience.

Chester analyzes the vast amounts of attack data collected by SophosLabs to distill and share relevant information to give the industry a better understanding of evolving threats, attacker behavior and effective security measures. He has helped companies develop enterprise-scale defense strategies, served as technical lead on the development of Sophos' first email security appliance, and has advised on security planning for some of the largest global brands.

Chester is based in Vancouver and is a regular speaker at industry events including the RSA Conference, Virus Bulletin, Security BSides (Vancouver, London, Wales, Perth, Austin, Detroit, Los Angeles, Boston and Calgary) and others. Recognized as one of the industry's top security researchers, he is regularly consulted by the press including BBC News, ABC, NBC, Bloomberg, CNBC, CBC and NPR.

When he's not fighting cybercrime, Chester spends his free time cooking, biking, and mentoring newcomers to security through his volunteer work at InfoSec BC. Chester is on Twitter (@chetwisniewski).


More at Sophos.com



About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.

