Since the Russian invasion of Ukraine on February 24th, 2022, a wave of cyber attacks has struck Ukrainian government institutions, military facilities, and critical infrastructure, as well as Ukrainian citizens. Russian hackers use a large array of tactics to carry out these attacks, ranging from pesky denial-of-service and defacement attacks to more severe attacks involving espionage and data destruction with wiper malware. As the prolonged conflict shows no signs of resolution, it is certain to keep up its pressure and pose further difficulties in cyberspace. By examining the key patterns identified in 2022, we can prepare ourselves to face the upcoming challenges.
As the war continues, Russia is likely to maintain its pressure in cyberspace to synchronize with kinetic strikes, facilitate strategic Russian objectives, and obtain wartime advantages. Even during the early days of the war, Mandiant described Russian attacks as "controlled escalation" or "escalation management/dominance," meant to apply pressure progressively using kinetic or non-kinetic techniques. Russian retaliation has also escalated due to the economic pressures generated by sanctions issued by over 30 countries, including the United States, Australia, Canada, France, Germany, Italy, Japan, South Korea, Singapore, Switzerland, the United Kingdom, and the European Commission.
Russia has led many attacks against critical infrastructure organizations in Ukraine, damaging telecommunications capabilities and attempting to cripple energy supplies. Attacks against Ukraine’s energy facilities are of grave concern, as the country could be left at the mercy of harsh winter temperatures. No sector is spared from attacks, as each is critical to Ukraine and the global economy. Cisco Talos and CISA warned in August 2022 of increased threats to agricultural services. Ukraine is known as the “Ukraine bread basket” due to its significant contributions to the production of grains, including wheat, barley, corn, and sunflower oil.
The most prominent trends from Russia’s cyber attacks include:
1) Data Wipers
Threat Actors: APT28, APT29, Ember Bear, Dragonfly, IRIDIUM, Magic Hound, Sandworm
One of the earliest data wipers, reported in January 2022, is WhisperGate (aka PayWipe), which, along with its affiliate WhisperKill (aka ShadyLook), was used to target Ukrainian organizations. Russian threat actors tied to deploying data wipers include APT28, TEMP.Isotope, and Sandworm, the groups most likely to engage in espionage and disruptive or destructive attacks. APT29 is not known to be participating in destructive attacks, as the group is not known to have a "destructive mandate"; however, with the Russian offensive, the group's objectives can change.
Since the war began, Ukraine has endured multiple power and communication outages. Progressively through the year, new wipers were unleashed in an attempt to weaken Ukraine. The country has relied on backup generators and Elon Musk’s satellite internet service, Starlink. Further damage in cyberspace will likely follow: Ukraine’s Defense Intelligence predicts that Russia will leverage past experience to attack Ukraine's energy systems.
In the early stages of the war, several wipers were used, including WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero. Subsequently, more notable wipers were deployed, such as AcidRain, which targeted a Ukrainian satellite service provider, Viasat, and caused spillover damages to the German wind energy supplier, Enercon, and NikoWiper, which was used in an attempted attack on a Ukrainian energy company. Recently, on January 17th, 2023, five data wipers, namely CaddyWiper, ZeroWipe, SDelete, AwfulShred, and BidSwipe, were used in an attempted cyber attack on Ukrinform, as reported by the Ukrainian Computer Emergency Response Team (CERT-UA). Mandiant's "Five Phases of Russia Cyber Operations During the 2022 War in Ukraine" diagram below illustrates the progression of wipers deployed.
2) Distributed Denial-of-Service (DDoS) & Web Defacements
Threat Actors: Killnet, NoName057(16)
Lower-severity Russian threat actors and hacktivists launched DDoS and web defacement campaigns to disrupt their targets. The Killnet and NoName057(16) hacking groups are the main contributors to these attacks and have been very active since the start of the war between Russia and Ukraine. Both groups are very vocal and boastful about their attacks, both through public defacements and on their Telegram channels. Verticals they’ve targeted include critical infrastructure organizations, government agencies, healthcare institutions, and financial institutions. In late January 2023, a series of DDoS attacks initiated by pro-Russian hacking groups against financial, hospital, and government websites raised alarms in Denmark and the United States. A notice was released by the United States Health Sector Cybersecurity Coordination Center (HC3), identifying the hacktivist group "KillNet" as a leading instigator of DDoS attacks against the U.S. healthcare industry.
Killnet and NoName057(16) are also aided by followers on their social media channels, where they’ve coordinated and organized their campaigns. They have even organized competitions to encourage contributors to their campaigns, offering monetary contributions to the highest performers. Various DDoS tools are available that lower the bar for entry and lure interest from prospective and curious low-level hackers. Although many easily accessible DDoS tools are available, the most prominent are the "DDOSIA" DDoS platform, created through a pro-Russian crowdsourcing project, and the Passion DDoS botnet, a subscription-based platform that allows users to customize attacks based on the attack vector, duration, and intensity.
3) Phishing
Threat Actors: APT28, APT29, Cuba Ransomware, Ember Bear, Gamaredon, IRIDIUM, Sandworm, SEABORGIUM, TA445/UNC1151, Turla, WinterVivern, UAC-0050
Last but certainly not least are the tried and tested phishing attacks. Numerous phishing campaigns attributed to Russia have targeted Ukrainian organizations and citizens. According to a report by Google’s Threat Analysis Group and its Mandiant cybersecurity unit, there has been a notable surge in phishing campaigns. The report revealed that in “2022, Russia increased targeting of users in Ukraine by 250% compared to 2020. Targeting of users in NATO countries increased over 300% in the same period.” The lures used in these campaigns often masqueraded as Ukrainian entities or took advantage of the geopolitical situation of the war and relief efforts to entice action from victims. The emails would contain malicious attachments or links to fake login pages in an attempt to steal sensitive information or gain access to high-value targets such as the Ukrainian government, military systems, or critical infrastructure systems, resulting in data collection or data destruction.
The insights gained from the 2022 trends can aid us in better equipping ourselves to confront forthcoming challenges and minimizing the repercussions of future cyber assaults. Given the ongoing conflict, cyberspace remains fraught with difficulties, but we can bolster our defenses by staying informed. Our sympathies go out to those impacted by the war, and we stand in solidarity with them. The challenges that lie ahead will demand endurance from us all.
About the Forge Author
Kevin Lo is a threat researcher for the Anvilogic Forge team, where he is responsible for threat research and intelligence.
Prior to Anvilogic, Kevin was a cybersecurity analyst at a US financial institution serving roles in digital forensics, cybersecurity operations, and detection engineering. Kevin currently resides in Albany, NY. He holds a Bachelor's degree from Syracuse University in Information Management & Technology with a concentration in Information Security. Kevin holds several cybersecurity certifications with GIAC and MITRE ATT&CK.
CERT-UA: Cyber attack on the Ukrinform information and communication system (CERT-UA#5850): https://cert.gov.ua/article/3718487
Cisco Talos: Ukraine war spotlights agriculture sector's vulnerability to cyber attack: https://blog.talosintelligence.com/ukraine-and-fragility-of-agriculture/
Google & Mandiant: Fog of War How the Ukraine Conflict Transformed the Cyber Threat Landscape: https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf
Mandiant: Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation: https://www.mandiant.com/resources/russia-invasion-ukraine-retaliation
Radware: Passion: A Russian Botnet: https://www.radware.com/security/ddos-threats-attacks/passion-russian-botnet/
SentinelOne: NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO: https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
The Record: Pro-Russian DDoS attacks raise alarm in Denmark, U.S.: https://therecord.media/ddos-denmark-us-russia-killnet/