The world has watched in shock over the last few weeks as the crisis in Ukraine has unfolded into all-out war with the invasion by Russian forces. While some may have thought and hoped that the situation would escalate no further than saber rattling, the worst-case scenario has happened, and Eastern Europe is again at war. This time, the conflict is not confined to the battlefield; it is unfolding in cyberspace as well. On the eve of the invasion, machine-wiping malware and denial-of-service attacks targeted Ukrainian government networks and systems, while Russian government websites fell to denial-of-service attacks not long after.
The opening salvo
Both Russia and Ukraine have conducted cyber operations in recent days, but almost more important has been the international reaction and support from hackers globally. Anonymous hackers from around the world have banded together to launch independent cyberattacks both in support of, and in opposition to, Ukraine. Over the last several days, several Russian government websites, databases, and servers have been popped by anonymous hackers. Vast swathes of data have been dumped, such as the personal details of over 120,000 Russian soldiers, information on nuclear power plants, and specifics of Russia’s air force capabilities. Even the Russian ransomware group Conti had much of its communications, ransomware source code, and decryptor leaked to the general public. Alongside the unorganized attackers, many organized hacking groups have chosen sides in this conflict. TrendMicro has noted that both the Stormous and Conti ransomware gangs publicly declared their intent to target Ukrainian government institutions in support of Russia.
However, not all malicious actors are choosing sides. Opportunists are plentiful in times of conflict, and their activity usually first shows up as phishing attacks and scams perpetrated shortly after a crisis. Hackers have initiated large-scale phishing campaigns disguised as outreach for humanitarian aid for Ukrainian refugees displaced by the war. Financial scams and fake charities are making the rounds to prey on the good intentions of sympathetic observers around the world. Worse, one of the observed campaigns originated from compromised Ukrainian military email addresses with the express purpose of phishing other government employees. Using Excel documents tainted with malicious macros, it targeted a group of European personnel involved in managing the flow of refugees fleeing Ukraine. Researchers stress that this campaign can’t be affirmatively tied to a particular threat actor, but it has many similarities with a campaign that targeted US defense companies in July of last year.
There have also been concerns about cyberattacks on Ukraine’s allies, including the United States. Former CISA Director Chris Krebs has warned that the Russian government’s response to the sanctions may include extensive cyber operations against western banks. In particular, there are concerns that ransomware groups could ramp up their efforts against the west, either in retaliation for our part in the conflict or because worsening economic conditions in Russia drive more people to commit cybercrime.
"I think it's entirely possible that as the sanctions continue to ratchet down on the Russian economy you could see ransomware actors lash out in retaliation," says former CISA director @C_C_Krebs.
— Dan Patterson (@DanPatterson) March 3, 2022
The international response, a rush to cyber readiness, and misinformation campaigns
The response from the international community following the invasion has been swift; immediate and extensive sanctions against Russian oligarchs and key sectors of Russia’s economy have left the country in shambles. In February, CISA created the Shields Up initiative to help organizations prepare to defend against foreign cyberattacks. Shields Up aims to improve the national readiness of organizations that may be caught in the digital crossfire by supplying them with free tools, guidance, and services to better protect their critical assets. Further, CISA has released a special advisory to prepare organizations to respond to foreign misinformation, disinformation, and malinformation campaigns. Perhaps the most effective tactic in the Russian playbook is the weaponization of propaganda and misinformation, which it is employing freely in the region. The Wall Street Journal reports that ahead of the conflict, Moscow initiated a destabilization campaign that combined cyber operations with misinformation efforts to incite panic in the local population and to undermine international reporting of the conflict. Observed misinformation methods include planted pro-Russia articles from state media, fake social media activity, videos of false flag operations, and false reports of the widespread surrender of Ukrainian soldiers.
When we talked in our previous blog post about the possibility of cyber warfare leading up to this conflict, we predicted that we would see a heavy focus from Moscow on compromising Ukraine’s national infrastructure. While attempts have been made, the Ukrainians have largely been able to fend off cyberattacks on their critical infrastructure. As this is an ongoing conflict, the on-the-ground reality will remain in a rapid state of flux for the foreseeable future. Just because it hasn’t happened yet does not mean that it will never happen, and all organizations around the world need to remain wary of foreign cyber operations.