Ukraine War: Were Russian Cyber ​​Attacks Effective? 


A look back at six months of the Ukraine war: what strategy did the Russian cyber attacks pursue, and how effective have they been so far? Cyber warfare was carried out according to four strategies: destruction, disinformation, hacktivism and e-espionage. A comment by Chester Wisniewski, Principal Research Scientist at Sophos.

When Russia invaded Ukraine on February 24, 2022, despite many attempts at assessment, none of us knew what role cyberattacks could play in a full-scale invasion. Russia had been conducting cyberattacks on Ukraine since occupying Crimea in 2014, and it seemed inevitable that these tools would continue to play a role, especially after the attacks on the Ukrainian power grid and the worldwide spread of the NotPetya worm.

One of the challenges in evaluating the effectiveness or impact of cyberattacks is seeing how they fit into the "big picture". When we are in the midst of a conflict, the "information fog" of war often obscures and distorts our view of the effectiveness of a particular action. Now, more than six months into the war, let's look back and try to determine the role of cyberweapons up to that point.

Over 1,100 cyber attacks on Ukraine

According to the Ukrainian State Service for Special Communications and Information Protection (SSSCIP), Ukraine was attacked 1,123 times since the beginning of the war. 36.9% of the targets were government/defense, and the attacks consisted of 23.7% malicious code and 27.2% intelligence gathering.

The cyber component of the war began almost 24 hours before the land invasion. In my diary of the conflict, I noted that DDoS attacks and wiper attacks began around 16:00 local time on February 23. Immediately afterwards the picture became very confusing, as a large number of attacks and techniques were used in parallel. To better analyze the intensity, effectiveness and targets, I have divided these attacks into four categories: destruction, disinformation, hacktivism and espionage.

Strategy 1: Destruction

Since the war was not progressing according to plan for Russia, some of these techniques have been used differently at different stages of the war. The first and most obvious was the destructive malware phase. Starting in January 2022, according to SSSCIP, Russian and pro-Russian attackers began releasing wiper and boot-sector-altering malware aimed at wiping a system's contents or rendering it inoperable. They primarily targeted Ukrainian service providers, critical infrastructure and government agencies.

These attacks continued for the first six weeks of the conflict and then weakened. Most of this activity was concentrated between February 22 and 24, i.e. in the immediate run-up to and during the invasion. These activities did have an impact on various systems in Ukraine, but ultimately do not appear to have contributed to the success of the Russian land invasion.

One reason may be that a few days before these attacks, the Ukrainian government moved many of its official online functions to a cloud infrastructure managed and controlled by third parties not involved in the fighting. This avoided interference and allowed Ukraine to maintain many services and communicate with the world. This is reminiscent of a similar move when Georgia moved key government websites to third countries during Russia's DDoS attacks on the country in 2008.

The Viasat attack was very effective and also affected German wind turbines

Another destructive attack was the one on the Viasat satellite communications modems deployed across Central and Eastern Europe just as the invasion was beginning. According to Reuters' Raphael Satter, a senior Ukrainian cybersecurity official explained that this resulted in "a really huge loss of communications right at the start of the war." This attack also inflicted collateral damage on NATO members and disrupted, among other things, the operation of more than 5,800 wind turbines in Germany.

This is probably the most effective of all attacks carried out so far during the war. Given that most pundits have speculated that Russia was planning a 72-hour war, a disruption of military communications could have had a significant negative impact on Ukraine had that strategy worked. However, Ukrainian commanders were able to regroup and establish alternative connections to minimize the disruption. Over the long term, Russia has proven to struggle far more with its chain of command than Ukraine. Perhaps partly due to support from tech companies like Microsoft and ESET, as well as US intelligence agencies, Ukraine's success in repelling destructive attacks has been impressive.

Industroyer2 malware attacked Ukrainian energy company

One of the most sophisticated malware threats targeting critical infrastructure was recognized and neutralized when it was detected on a Ukrainian utility's network. The malware known as Industroyer2 was a combination of traditional wipers targeting Windows, Linux, and Solaris, and ICS-specific malware targeting the operational technology (OT) used to control and monitor the power grid.

Microsoft has pointed out in a recent report that many Russian cyberattacks appear to have been coordinated with conventional attacks in Dnipro, Kyiv and Vinnytsia Airport. But there is still no evidence that the cyber component contributed to apparent advances in the Russian offensive. In my estimation, destructive cyber operations have so far had almost no impact on the outcome of real war events. They've given a lot of people extra work and made a lot of headlines, but what they haven't done is make a real difference to the war.

Strategy 2: Disinformation

The disinformation strategy targeted three groups: the Ukrainian people, Russia itself and the rest of the world. Russia is no stranger to using disinformation as a weapon to achieve political results. The original mission appears to have envisaged a quick victory and the installation of a puppet government. Under this plan, disinformation would initially be critical in two spheres of influence, expanding to three as the war progressed.

The most obvious target is the Ukrainian people: they were supposed to be convinced that Russia is a liberator and eventually accept a pro-Kremlin leader. Although the Russians appear to have attempted numerous forms of influence via SMS and traditional social media, Ukraine's growing patriotism made this attempt unlikely to succeed from the start.

Disinformation inside Russia

Russia has had far more success with disinformation at home, its second most important target. It has largely banned foreign and independent media, blocked access to social media and criminalized the use of the word "war" in connection with the invasion of Ukraine. It is difficult to gauge the actual impact of these actions on the general population, although polls suggest the propaganda is working, or at least that the only opinion that can be publicly expressed is support for the "special military operation".

The third target of disinformation as the war drags on is the rest of the world. Attempting to influence non-aligned countries like India, Egypt and Indonesia can help discourage them from voting against Russia in United Nations votes and potentially persuade them to support Russia.

Propaganda for the worldwide media

Propagated stories about US bioweapons laboratories, denazification and alleged genocide by the Ukrainian army are intended to challenge Western media's portrayal of the conflict. Much of this activity seems to come from pre-existing disinformation actors rather than from compromised accounts or any type of malware.

Disinformation clearly has an impact, but much like the destructive attacks, it does not directly affect the outcome of the war in any way. Civilians do not welcome Russian troops as liberators, and Ukrainian forces do not lay down their arms or surrender. The US and Europe still support Ukraine, and the Russian people appear cautious but not rebellious. Most notably, in recent days Ukrainian forces have retaken areas under Russian control and have even been welcomed as liberators by some civilians near Kharkiv.

Strategy 3: Hacktivism

Would the well-known, highly experienced hackers across Russia and Ukraine take up cyber weapons and unleash waves of malicious attacks, each supporting their own side? Early in the war it looked as if that might be the case. Some well-known cybercrime groups like Conti and LockBit immediately declared for one side or the other, but most of them said they did not care and would carry on as usual. Still, we saw a significant drop in ransomware attacks for about six weeks after the initial invasion. The normal volume of attacks resumed in early May, suggesting that the criminals, like the rest of us, were experiencing supply chain disruptions.

One of the most notorious groups, Conti, made threatening statements against the West on its leak site, which led to a Ukrainian researcher revealing its identity and practices, eventually leading to its dissolution.

Internal conflict at Conti led to its dissolution

On the other hand, hacktivists on both sides went into overdrive in the early days of the war. Web defacements, DDoS attacks and other trivial hacks targeted just about anything vulnerable and clearly identifiable as Russian or Ukrainian. However, this phase did not last long and does not seem to have had any lasting effect. Research shows that these groups quickly got bored and moved on to the next distraction. Here, too, the activities did not lead to material effects on the war, but to pranks that the respective hacktivists may have celebrated. For example, a group recently claimed to have hacked Yandex Taxi and ordered all taxis to central Moscow, causing a traffic jam.

Strategy 4: E-espionage

The last category is the most difficult to quantify, since assessing the impact of something that is inherently hidden is intrinsically complicated. The most promising way of estimating how extensively espionage was carried out in this war is to look at the occasions on which attempts were discovered. From there, one can begin to extrapolate how often attempts may have succeeded, given how often they did not.

Unlike destructive attacks, e-espionage attacks are useful against all enemy targets, not just Ukraine, because of their covert nature and the associated difficulty in identifying them. As with disinformation, far more activity in this area is directed at Ukraine's supporters than is the case for the other attack types, given the intelligence that US and NATO allies could inject into the ground war.

More war-motivated cyberattacks

Allegations of attacks against non-Ukrainian companies must be considered carefully. It is nothing new that Russia targets the United States, the European Union and other NATO member states with malware, phishing attacks and data theft, but in some cases there is compelling evidence that attacks are specifically motivated by the war in Ukraine.

In March 2022, Google's Threat Analysis Group (TAG) published a report highlighting Russian and Belarusian phishing attacks targeting US-based NGOs and think tanks, a Balkan country's military and a Ukrainian defense contractor. Proofpoint also published research showing that EU officials working in support of refugees were the target of phishing campaigns launched from a Ukrainian email account allegedly previously compromised by Russian intelligence.

Russian attacks on Ukrainian targets have not abated over the past six months, consistently taking advantage of the latest vulnerabilities as soon as they are publicly disclosed. For example, in July 2022 a Russia-based cybercrime group was among the key players extensively exploiting a new vulnerability in Microsoft Office called "Follina". It appears that one of the targets of the malicious documents in this campaign was media organizations, an important tool during a war.


