In 2022, Russian government-backed cyberattacks targeting Ukraine increased by 250% compared with 2020, while those targeting NATO countries increased by 300%.
This staggering surge is one of several findings released by the Google Threat Analysis Group (TAG) in its February 16th, 2023 report, "Fog of War: How the Ukraine Conflict Changed the Cyber Threat Landscape", published jointly with Google Trust & Safety and threat intelligence firm Mandiant, now part of Google Cloud.
In the report, Google finds that Russia's offensive, multipronged strategy to "gain a decisive wartime advantage in cyberspace" may actually date back to 2019.
Five Phases of Cyber Operations
In the first phase highlighted by Google, from 2019 to early 2022, Russia ran a cyber espionage campaign against Ukraine and NATO member states.
Beginning in April 2021, a month after Russian forces began massing on the Ukrainian border, the Russian Advanced Persistent Threat (APT) group UNC2589 (aka Frozenvista), which the report identifies as a "new likely GRU actor", started deploying phishing attacks against Ukrainian organizations. GRU is the common acronym for the Main Intelligence Directorate of the General Staff of the Russian Armed Forces, the country's military intelligence agency.
Several other Russian government-backed groups followed throughout 2021, including Fancy Bear (APT28, aka Frozenlake).
In mid-January 2022, a wave of disruptive and destructive cyberattacks began with wipers such as WhisperGate (aka PayWipe) and its companion WhisperKill (aka ShadyLook).
These were the opening moves of the second phase, which began when Russian forces launched their full-scale invasion of Ukraine. The February ground advance was accompanied by many more disruptive and destructive wiper attacks. This phase continued into April, with the emergence of several new malware families, including the PartyTicket ransomware, the CaddyWiper wiper, and Industroyer2, a new variant of Industroyer, the destructive malware targeting industrial control systems (ICS) that was used in the December 2016 cyberattack on the Ukrainian power grid.
In May, Russian government-backed actors entered the third phase, reusing existing malware (mainly CaddyWiper) to attack organizations in Ukraine and NATO countries.
According to the report, this phase lasted until July. It was followed by a fourth phase in which activity calmed down in August and September. Cyberattacks resumed in October, in a fifth phase in which Russian threat actors used CaddyWiper alongside new malware.
"From our incident response work, Mandiant observed more destructive cyberattacks in Ukraine in the first four months of 2022 than in the previous eight years, with attacks peaking around the start of the invasion. […] Many operations represent an attempt by the GRU to balance competing priorities of access, collection, and disruption throughout each phase of operations," the report said.
Multifaceted Strategy
In summary, Russia's multipronged approach to attacks in cyberspace included:
- A dramatic increase in the use of destructive attacks against Ukrainian government, military and civilian infrastructure
- A surge in spear-phishing activity targeting NATO countries
- An increase in cyber operations designed to further multiple Russian objectives, including hack-and-leak attacks targeting sensitive information
The report notes that some actors focused on a particular type of attack: Frozenlake/Fancy Bear, Frozenvista and the Belarusian actor Pushcha (UNC1151) ran phishing campaigns against Ukraine and NATO countries, while Coldriver (aka Gossamer Bear) carried out hack-and-leak campaigns against Ukraine and the United Kingdom.
One group, however, Frozenbarents (aka Sandworm, Voodoo Bear), which Google calls "the GRU's most versatile operator", carried out the full range of cyberattacks against Ukraine and NATO countries.
"While we saw these attackers focus heavily on the Ukrainian government and military entities, the campaigns we disrupted also showed a strong focus on critical infrastructure, utilities and public services, and the media and information space," the report said.
But the report also notes that many of these operations had "mixed results".
The Industroyer2 attack on the Ukrainian energy sector, for example, appears to have failed.
Overt and covert disinformation campaigns
In addition to these conventional cyberattacks, the report shows that Russia is running all kinds of information operations (IO) campaigns. These range from the most overt state-sponsored disinformation campaigns run by the infamous St. Petersburg-based "troll farm", the Internet Research Agency (IRA), to more covert campaigns run by IRA affiliates such as the Russian consulting firm Krymskybridge, or by groups associated with the Russian intelligence services.
Google says it "disrupted more than 1,950 instances of Russian IO activity in 2022", targeting both Russian and foreign audiences.
The report also says that "the war has divided the loyalties of financially motivated attackers, [which has increased] the overlap between [them and] government-backed threat actors."
This phenomenon is best illustrated by the fate of the Conti gang, which counted both Russians and Ukrainians among its members and fell apart after some of its alleged leaders publicly backed the invasion.
"This change in the Eastern European cybercrime ecosystem could have long-term implications for coordination among criminal groups and the scale of cybercrime around the world," the report notes.
Looking ahead, Google assesses that "Russian government-backed attackers will continue to conduct cyberattacks against Ukraine and NATO partners", increasing "disruptive and destructive attacks in response to developments on the battlefield" and increasingly expanding their targeting to include NATO partners.
The researchers also said: "We assess with moderate confidence that Russia will continue to increase the pace and scope of its IO, particularly as we approach key moments like international funding, military aid and domestic referendums."