While Russia’s war in Ukraine hasn’t led to the massive, countrywide blackout-level events many experts feared, new research suggests a less obvious cyberwar is playing out just below the surface, with hacking attacks appearing to occur in tandem with physical military strikes.
Since the Russian invasion began more than two months ago, Ukraine has found itself on the receiving end of at least 237 operations carried out by at least six Russian-linked cyber threat groups, according to a Microsoft report released this week. Russian-aligned attackers reportedly carried out two to three attacks per week between February 23 and April 8, resulting in some 40 destructive attacks aimed at permanently destroying files.
Nearly half (40%) of those destructive attacks targeted hundreds of organizations in critical infrastructure systems, which could potentially have had “second-order effects” on Ukraine’s military or government, the report notes. The attackers reportedly stepped in and tweaked their malware after attacks in an effort to evade detection.
“A timeline of military strikes and cyber intrusions shows several examples of computer network operations and military operations seeming to work in tandem against a shared target set,” the report reads. “At times, computer network attacks immediately preceded a military attack, but those instances have been rare from our perspective.”
The attacks drew on a variety of tactics, ranging from reconnaissance and phishing attempts to data theft and deletion. In effect, the combined toll of these attacks disrupted services across Ukraine and manifested an even more chaotic information environment, serving to ultimately “degrade, disrupt or discredit [the] Ukrainian government” and stymie the public’s access to reliable information.
Microsoft acknowledged it’s likely only seeing some of the attacks actually occurring on Ukrainian systems and anticipated more over the horizon.
In a blog post accompanying the report, Microsoft Corporate Vice President Tom Burt said the company chose to share its findings in an effort to inform members of the international cybersecurity community of the types of attacks occurring within the country. “We believe it’s important to share this information so that policymakers and the public around the world know what’s occurring, and so others in the security community can continue to identify and defend against this activity,” Burt said. “Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages.”
Russian activity within Ukrainian networks isn’t particularly new. The report claims Russian intrusions into Ukrainian networks actually date back to March 2021, nearly a full year before the actual ground invasion began. During that time, Microsoft claimed Russia was “pre-positioning for conflict,” gathering battlefield intelligence and planting the seeds for future attacks. Hours before Russian troops crossed the border on February 24, attackers reportedly launched thousands of “wiper attacks” on the Ukrainian government, IT, energy, and financial organizations.
Microsoft’s a legacy U.S. tech giant offering services around the globe, but it’s not politically neutral. The company has long-standing close ties with the U.S. military and was the preferred choice for the Department of Defense’s estimated $10 billion long-awaited Joint Enterprise Defense Infrastructure, or JEDI, contract. That contract faltered due to legal threats from Amazon, but Microsoft nonetheless reaffirmed its commitment to the U.S. Department of Defense. More recently, the company won an estimated $21.9 billion contract with the U.S. military to provide its HoloLens augmented reality headsets to soldiers.
And while Microsoft’s findings this week focused primarily on attacks within Ukrainian borders, the company raised the possibility of similar attacks one day being launched against other, particularly neighboring, NATO allies.
“Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression,” Burt said.
Those concerns were top of mind among NATO member state cybersecurity experts, who earlier this month participated in cyber war games to test their response to potential attacks. Participants in those games were tasked with defending the fictional northern Atlantic Ocean island country Berylia from hostile attacks that left its government and military networks, water purification systems, and electric power grid at near-zero capacity.
Cyber conflicts in Ukraine were top of mind for those participants, who, in reality, were located just around 100 miles north in Estonia. “This year’s exercise is significant for the countries participating because their cyber defense units have been on high alert since the outbreak of the war in Ukraine,” a North Atlantic Treaty Organization Cooperative Cyber Defense Centre of Excellence spokesperson told Gizmodo in an email at the time.