In 2022, Russia-backed cyber-attacks targeting Ukraine rose 250% compared to 2020 and those targeting NATO countries, 300%.
This staggering surge is one of the findings from Google Threat Analysis Group (TAG) in a February 16 report, Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape, published in collaboration with Google Trust & Safety and threat intelligence firm Mandiant, now part of Google Cloud.
In the report, Google found that Russia’s aggressive, multi-faceted strategy to “gain a decisive wartime advantage in cyberspace” could actually date back to 2019.
Five Phases of Cyber Operations
During the first phase highlighted by Google, which spanned between 2019 and early 2022, Russia ran cyber espionage campaigns against Ukraine and NATO member-states, as well as what the American tech giant calls “pre-positioning” operations.
From April 2021, one month after Russian troops started to mass on the Ukraine border, the Russian Advanced Persistent Threat (APT) group UNC2589 (aka Frozenvista), “a new, probable GRU actor,” started deploying phishing attacks against Ukrainian organizations, the report claims. The GRU is the common acronym given to the Russian Armed Forces’ Main Directorate of the General Staff, a military intelligence agency.
Several other Russian-sponsored followed suit throughout 2021, including Fancy Bear (APT28, aka Frozenlake).
In mid-January 2022, a wave of disruptive and destructive cyber-attacks started, with wiper attacks such as WhisperGate (aka PayWipe) and its affiliate, WhisperKill (aka ShadyLook).
These were a taste of what was to come in the second phase when Russian troops began their kinetic invasion of Ukraine. The land-advance in February was accompanied by many more disruptive and destructive wiper attacks. This phase lasted until April, with the emergence of several new malware families, including the PartyTicket ransomware, the wiper CaddyWiper and Industroyer 2, an updated version of Industroyer, a destructive malware targeting industrial control systems (ICS), which is considered to have been used in the cyber-attack on Ukraine’s power grid in December 2016.
In May, Russian-backed threat actors entered a third phase where they started to reuse the same malware, primarily CaddyWiper, to attack entities in Ukraine and NATO countries.
According to the report, this phase lasted until July, followed by a lull in activity during August and September. Cyber-attacks resumed in October, in a fifth phase that saw Russian threat actors use CaddyWiper along with other new malware.
No tags.
