The extensive use of cyber and information operations in the ongoing Ukraine-Russia conflict was highlighted by threat intelligence experts during a virtual session organized by Recorded Future.
Opening the session, Christopher Ahlberg, co-founder and CEO of Recorded Future, explained that the Russian invasion of Ukraine represents a new type of warfare, which has been “converted into geopolitical and kinetic, cyber and information operations.”
Other notable aspects of the conflict are that “it is unfolding in front of us on social media” via platforms like Twitter and TikTok, and the “sheer volume of data” coming out.
Craig Terron, global issues team, Insikt Group, part of Recorded Future, provided an overview of the conflict to date. Essentially, the Russian advance has been slower than anticipated: it has so far failed to capture a city or achieve air superiority, and has suffered significant losses. This appears to have led to a change in approach by the Russian military, which is adopting “siege warfare tactics.”
Cyber Operations
Cyber-attacks have already played a significant role in the conflict, both before and since the invasion. In the build-up to the invasion, Terron said Insikt observed many attacks that were “aligned with Russia’s strategic objectives.” These involved “undermining the Ukrainian government, intimidating and demoralizing the Ukrainian population, causing confusion and disrupting the everyday lives of Ukrainian citizens.”
The principal methods utilized by Russian state-sponsored and state-nexus threat groups were DDoS attacks, malware, website defacements and fraudulent messaging. Additionally, Terron noted a significant uptick in dark web adverts related to Ukraine in the past three months; for example, the sale of data related to the Ukrainian Ministry of Foreign Affairs.
These attacks, which primarily targeted government and critical sectors, such as banking, were highly coordinated. Terron highlighted a simultaneous DDoS and wiper malware attack last week, the day before the invasion began. Based on the timing, “Insikt Group assesses that it is likely the attacks were conducted by a Russian state-sponsored or state-nexus threat group.” He added that there is evidence the wiper malware was installed on hundreds of devices in Ukraine in November/December.
Terron also discussed the role of the threat group UNC1151, which is believed to be linked to the Belarusian government, an ally of Russia. This included mass phishing attacks targeting Ukrainian military personnel and related individuals, most likely in a bid to discredit and undermine Ukraine.
Since the invasion started, Terron said a number of cyber-criminal groups have chosen sides. For example, “the Conti ransomware group announced on their ransomware extortion website that they would support all actions of the Russian government during the invasion of Ukraine, would put in all efforts to resist any cyber-attacks against Russia and would target the critical infrastructure of Russia’s enemies in retaliation for any attacks against Russia.” Notably, a vast trove of its internal chat data was leaked by a Ukrainian researcher following this pronouncement.
On the other side, the hacktivist group Anonymous declared “cyber war” against Vladimir Putin’s government following the Russian invasion of Ukraine and appeared to successfully take down several Russian state websites. Terron noted that in response, “Russian government websites have since put in place mitigations against DDoS attacks, including only being accessible to users within Russia.”