While things can sometimes seem “back to normal” in the rest of the world, the devastating war is still going on in Ukraine, affecting millions of innocent civilians. Reflecting on the past year’s suffering of the Ukrainian people, we’d like to summarize the cyber warfare aspect of this conflict.
In 2022, Russian government-backed cyberattacks targeted users in Ukraine more than any other country. Considering Russia’s wealth of cyber threat talent, the Ukrainian defense has been impressive.
Russia is not new to cyber warfare. They did it in Georgia in 2008 and Estonia in 2007. What’s different now is that Russia severely underestimated the Ukrainians’ willingness to fight. Furthermore, Ukraine has been preparing for this since its conflict with Russia in 2014. Ukraine has worked closely with western allies to bolster its military and cyber defenses. The result of this work is evident: the success of Russian offensive tactics has been limited, both on the battlefield and online.
What is the impact of the Russian cyber offensive in Ukraine?
Russia’s cyber offensive started way before the first tanks entered Ukraine. In mid-January 2022, Russian hackers launched the WhisperGate wiper campaign targeting Ukrainian government organizations.
A Wiper Attack involves wiping/overwriting/removing data from the victim, making it unrecoverable. The wiper attacks continued throughout the early stages of the war. They were coupled with DoS (Denial-of-service) attacks targeting Ukrainian financial institutions. TV and radio stations were targeted to spread misinformation. Satellite communication was also blocked at the start of the invasion.
When Russia invaded Ukraine on February 24, 2022, security experts braced for an unprecedented escalation in cyber warfare. Still, there have been no reports of a major incident against Ukrainian critical infrastructure.
As SecurityScorecard’s SVP of Threat Research & Intelligence put it, “While the destructive cyberattacks did achieve significant widespread disruption initially in some Ukrainian networks, they were likely not as impactful as Russia would have hoped.”
There are several reasons for the limited impact of Russian cyberattacks to date:
- With the technical assistance of western allies, Ukraine has significantly boosted its continuous security monitoring capabilities in the past few years. This allows them to quickly detect and respond to attacks before they have a major impact. Ukraine has also moved critical data from on-premises servers to the cloud, where it could be better protected.
- Russian cybercriminals were unprepared for all-out cyber warfare and had little time to plan sophisticated attacks.
- The conflict has caused a divide among cybercriminal gangs. A prime example is the leaking of internal chats of the notorious Conti ransomware gang. After higher-ups in the gang announced support for Russia, a disgruntled Conti member leaked over 60,000 internal chats to security researchers.
SecurityScorecard researchers have noticed a limited operational impact of Russian attacks against Ukraine and its allies. The attackers likely understand that the attacks won’t cause more than short-term disruptions. Instead, they are targeting public perceptions of organizations rather than their actual technology.
One such instance is the “Zhadnost” botnet, which SecurityScorecard discovered in March 2022. The botnet contained over 3,000 unique IP addresses across multiple countries and continents that were the source of DDoS attacks against Ukrainian government and financial websites. The DDoS attacks had a minimal, temporary impact on their targets. Government websites and banking services were quickly restored, and customers’ balances were unaffected.
KillNet Telegram post providing DDoS instructions (Source: Telegram)
These attacks don’t come without a cost for Moscow. The world is publishing Russian TTPs and IOCs, making them easier to defend against. Furthermore, they clarify that Russia is having trouble creating a fusion between kinetic and cyber actions on objectives.
KillNet is another threat actor that SecurityScorecard has covered extensively throughout 2022 and the start of 2023. SecurityScorecard assesses with medium confidence that KillNet is operating out of Russia and with low confidence that KillNet is supported and possibly directly tasked by the Russian Federal Security Service (FSB).
KillNet Telegram post providing DDoS instructions (Source: Telegram)
What to expect in 2023 for nation-state cyberwarfare
According to Google, in 2022, Russia increased its targeting of Internet users in Ukraine by 250% compared to 2020. The targeting of users in NATO countries increased by over 300% in the same period. Russia’s lack of success on the cyber front isn’t for lack of trying, but they have failed to strike a knockout cyber blow.
But that doesn’t mean they never will. In the 2023 edition of the World Economic Forum’s Global Cybersecurity Outlook report, 86% of business leaders and 93% of cyber leaders believe global geopolitical instability is moderately or very likely to lead to a catastrophic cyber event in the next two years.
SecurityScorecard assesses with high confidence that Russian government-backed attackers will continue to conduct cyber attacks against Ukraine and NATO partners to further Russian strategic objectives. One advantage on the cyber front that Russia has in this conflict is its superior intelligence compared to that of Ukraine. If the war slows down, cyber attacks could be less costly and more effective for Russians.
Outside of Ukraine, we’ve already seen Russian threat actor Killnet take down the websites of 14 U.S. hospitals. Critical organizations in the UK, the Netherlands, and other NATO-aligned countries were also targeted this year. SecurityScorecard urges organizations worldwide to remain vigilant in the face of this threat.
SecurityScorecard is dedicated to helping organizations withstand nation-sponsored attacks
Driven by our mission to make the world a safer place, SecurityScorecard launched several initiatives to help Ukrainian organizations better prepare themselves to withstand cyber attacks.
SecurityScorecard’s Threat Research & Intelligence team has continually analyzed the scope, impact, and attribution of cyber attacks involving Russia and Ukraine. We’ve recently made available a list of Killnet open proxy IP addresses to help organizations protect themselves from attacks.
We want to applaud the combined efforts of the broader cybersecurity community for the continued threat intelligence sharing and support provided to limit the effects of damaging nation-sponsored attacks. This level of collaboration between governments, companies, and security stakeholders significantly bolsters cyber resilience.
