The use of cyber weapons in Russia’s war with Ukraine has so far been limited. Within 6 months of Russia’s invasion of Ukraine, cyber warfare has become an important tool for supporting hostilities in physical space. As of the beginning of September 2022, at least 76 cyber groups participated in the cyber war in Ukraine. There are constant Russian cyber attacks targeting Ukrainian citizens, businesses and critical infrastructure. At the same time, there is an unprecedented number of attacks targeting Russian corporations and the government. The cyber threat landscape is dynamic and rapidly changing, but there are also some common tactics, techniques and procedures used by Russian cyber threat actors.
Before the invasion, Russia was hardly on ransomware target lists. Now the situation has changed, and today cybercriminals are focusing their efforts more on Russia than on other countries of the world. Reasons for this include the rise of ransomware activists protesting the war and a general lack of international will to stop cyberattacks targeting Russia. At the same time, increased international sanctions are making it more difficult for companies in the US and Europe to pay Russian-speaking ransomware cyber groups, which has led to a slight decrease in the number of ransomware attacks in the US and Europe. While there were a few high-profile attacks, overall ransomware detections decreased by 4% from July 2021 to March 2022. To date, Russia’s only significant sophisticated cyber operations have been cyber attacks on the Viasat satellite network, a Ukrainian government system (attempts to install malware to destroy data), and attacks on Ukrainian telecommunications companies.
Notable attacks include those by the Conti cyber group (53% of daily detections) and LockBit (quickly taking its place as one of the most experienced ransomware cyber groups). Other attacks include a series of criminal and Russian-sponsored state attacks on Ukrainian organizations. There are large cyber ransomware groups that maintain allegiance to the Russian government and target businesses and governments around the world.
There is a noticeable increase in the activity of Russian cyber actors targeting governments outside of Ukraine, particularly in cyber espionage campaigns. Cyber operations are aimed at gathering intelligence about Western allies that help Ukraine in military operations. Since the beginning of the war, Russian hackers have attempted to penetrate the network of 128 different targets in 42 countries outside of Ukraine. Over the past 6 months, there has been a constant number of attacks by Russian-language ransomware cybergroups, with attackers openly pledging allegiance to Russia. These attacks are mostly directed against companies in the US and Europe, with private enterprises being the main targets. In the US, attacks tend to focus on large multi-billion dollar companies that are not considered critical infrastructure. This shows that Russian cybercriminals are careful to disrupt important targets without provoking a response that could lead to open war. European renewable and alternative energy companies are under attack for making it difficult for these countries to transition from Russian oil to cleaner energy sources.
Germany, the second largest importer of Russian oil after China, has become a particular target for Russian cyber activities. At the start of the war, the German company Enercon watched as the 5,800 wind turbines it controls via a SATCOM link in Central Europe lost contact with its SCADA server. In the past 6 months, there have been at least 2 more notable cyber attacks against German wind energy companies. There were also attacks on wind turbine manufacturer Nordex and wind farm maintenance company Deutsche Windtechnik.
One notable trend has been the sharp increase in the use of Wiper malware by Russian threat actors. Unlike ransomware, the tool has no financial component, but is specifically designed to destroy data and systems. This type of attack is clearly resurgent now, as the Russian Federation has taken a more targeted approach to malware over the past 6 months.
Russia has used Wiper software before, most recently in the 2017 NotPetya attack. In December 2016, Ukrainians became victims of the first ever cyber attack using software specially designed to attack power grids. The malware has been identified as being linked to the Russian Sandworm APT group and is called Industroyer. The researchers noted that the malware was “second only to Stuxnet” in its sophistication. Industroyer lay dormant until April 2022.
In addition to using malware, Russia is separately focused on deploying its “sovereign” Internet — a completely independent, isolated, totalitarian network. Nation-states are increasingly united along ideological lines, inventing new ways to isolate their internet space. This, in turn, defines sharper battle lines than have ever existed before in cyberspace. This has several potential implications for cyber activity:
1. It will be more difficult to obtain intelligence on Russia. Taking more drastic measures to achieve this goal can potentially cause collateral damage.
2. Russian cybercriminals can do more damage by feeling safe behind the wall of an isolated Internet.
3. There is potential for future Russian, North Korean, and Chinese Internet “cooperation” that will increase the number of threats and the ability to carry out attacks.
Russia’s fully independent technology infrastructure will enable even more devastating single point of failure (SpoF) attacks.
Russia’s advanced persistent APT threat actors use a preferred set of technologies as initial network entry vectors. At least 12 technologies commonly used by Russian APTs to gain initial access are installed: CISCO ROUTER, ORACLE WEBLOGIC SERVER, FORTIGATE VPNS, KIBANA, ZIMBRA SOFTWARE, EXIM MAIL PROTOCOL, PULSE SECURE, CITRIX, MICROSOFT EXCHANGE, VMWARE, ORACLE WEBLOGIC, BIG-IP . An analysis of the leading Russian-language cyber ransomware groups also shows the use of certain tactics, techniques and procedures that they currently prefer.
Intelligence sharing and cyber situational awareness proved vital before and during the war in Ukraine, but the future effectiveness of cyber deterrence and mitigation strategies will depend on the willingness of Ukraine’s partner countries to provide timely and actionable intelligence.
To the extent that cyberattacks have harmed Ukraine, the following lessons can be identified:
1. The so-called Russian “information troops”, which some experts considered to be roughly equivalent to the US cyber command in terms of training and equipment, actually turned out to be optimized and more suitable for conducting information and psychological operations (propaganda) than for conducting successful and large-scale offensive or defensive actions .
2. Cyberspace, as the fifth dimension (sphere) of armed conflict, is a sphere artificially formed by human activity. Means of both cyber and radio-electronic warfare require constant adjustment during the conduct of hostilities, depending on the development of the situation. Cyber weapons require constant testing, verification, adjustment and optimization for their successful deployment and further warfare in cyberspace.
3. Radio-electronic warfare (signal suppression) and radio direction finding are increasingly important as armed conflict has turned into conventional protracted warfare. It is essential that cyber operations, along with electronic warfare, are integrated into common arms operations to ensure the military’s speed and relevance on the battlefield. At present, both EW, REP, and conducting attacks in cyberspace play an important role in hostilities in Ukraine.
4. Cyber and electronic attacks are more visible in the zone without active hostilities. When a zone moves into an active combat domain, they remain useful, but no longer play a central role. The effective combination of EW, REP and cyber weapons with long-range precision fire is the most effective application of the capabilities of the armed forces.
Russia’s cyber operations in Ukraine failed to achieve their goals. Preparation, planning and integration of cyber operations with other methods of attacks allows to achieve the maximum effect. Cyber ransomware groups loyal to Russia will continue to attack businesses, while state-sponsored cybercriminals will focus on government institutions. In the event of a cease-fire, Russia’s cyber and disinformation operations will be one of the few avenues available to Russia to harm Ukraine beyond direct confrontation.