Russia continues to look for a weak link in Ukrainian cyberspace

From 13 to 14 January 2022, cyberattackers broke into the websites of Ukrainian state institutions and made these inaccessible to the public. During the same period, cyberattackers spread the WhisperKill/WhisperGate malware in Ukrainian computer networks.[3] From 15 to 16 February 2022, denial-of-service attacks took place against the websites of Ukrainian state institutions and banks.[4]

A few hours before the reactivation of kinetic warfare, cyberattacks against Ukraine suddenly increased even more.

On 23 February 2022, denial-of-service attacks took place against the websites of Ukrainian state institutions and banks.
From 23 to 25 February 2022, cyberattackers installed several types of malware in Ukrainian information systems, which can disrupt computer use or make data on the computer inaccessible. For example, on 23 February, the GRU installed the destructive HermeticWiper malware in the information systems of Ukrainian government agencies, the IT sector, and the energy and financial sectors. On 24 February, it conducted a cyberattack on Viasat’s subsidiary KA-SAT by installing the AcidRain malware in the latter’s information system.[5]

It is possible that specific cyberattacks against energy, water supply or other similar critical infrastructure,An attack on the specific industrial control information systems, which are used for vital services such as energy and water supply, is somewhat different from attacking ordinary information systems. Simply put, these information systems are built differently. The Industroyer2 malware was specially developed to attack industrial control information systems, and the GRU probably used it on 8 April 2022 against the Ukrainian energy sector. https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/[6] which would lead to long-term service interruptions, were not organised early on because Russia expected to achieve its military objectives quicker and wanted to maintain the support of the local population.

Despite failing to occupy Ukraine in a few days as originally intended, Russia continued its cyberattacks against Ukraine. These were more frequent during certain periods. For example, Ukrainian cyber defenders working with cybersecurity companies repeatedly detected destructive malware over a period of about 30 days from the second half of March. Cyberattacks started to gain momentum again in the autumn.On detected cyberattacks, see e.g. https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/[7] Cyberattacks to obtain information have continued.[8] Cyber espionage is likely the biggest threat stemming from cyberspace. Stolen information can effectively be used as input to Russian special services’ operations and influence activities.

During the war, Russia has used several destructive malware repeatedly. On 11 October 2022, Microsoft detected the CaddyWiper malware in the critical infrastructure of the Mykolaiv and Kyiv regions. The cybersecurity company ESET detected this malware for the first time on 14 March 2022 in the information system of a Ukrainian bank.[9]

On 14 October 2022, Microsoft identified the Prestige ransomware in the information system of Ukrainian and Polish logistics and transport companies.

In 2022, cybersecurity researchers identified at least nine types of destructive malware in Ukrainian cyberspace that have attempted to disrupt services (ENISA Threat Landscape 2022, p. 25; Recorded Future, 2022[10]). Destructive malware makes a computer unusable by corrupting programs or data. Ransomware that encrypts data without the possibility of decrypting, such as Prestige, can be used to the same end. Such an amount of destructive malware has never been observed anywhere in such a short period of time. This shows that Russia is capable of quickly developing new malware.

Russian cyberattacks, like the actions of its armed forces, are likely aimed at wearing down Ukraine’s cyber defenders and then finding the weakest link that would help achieve Russia’s overall military goal – to wear down Ukraine, damage the international image and credibility of the Ukrainian leadership, reduce aid from allies, and undermine the society’s morale. Therefore, a cyberattack need not actually disrupt an information system, as with each attack, investigators have to spend human and time resources to check whether and how extensively the information system has been attacked, how to improve defence, etc.

Russia underestimated the resilience of Ukraine’s cyberspace and the help it receives from Western countries and cybersecurity companies. Despite denial-of-service attacks on the websites of state institutions to disrupt the flow of information, among other things, the Ukrainian government has found alternative ways of communication, for example, using social media. Using Starlink devices also plays an important role in maintaining civilian and military communications. Cybersecurity companies have been helping Ukraine defend its cyberspace since 2014. Aid intensified during the full-scale Russian invasion and, with allied support, was likely instrumental in ensuring the resilience of Ukraine’s cyberspace. Russia’s influence operations in cyberspace have not had the expected effect. Ukrainian society remains united and trusts its government despite threats posted on social media and data leaks.

Russian cyberattacks go beyond the territory of Ukraine. Pro-Kremlin cyberattackers threaten the cyberspace of countries that support Ukraine, including Estonia, Latvia, Lithuania and Poland. In the active phase of kinetic warfare, they have attempted to intimidate societies with threats on social media, denial-of-service attacks and data leaks. Their activities support Russian special services’ influence operations.

From 16 to 17 August 2022, denial-of-service attacks took place on the information systems of Estonian companies and state institutions.[11] Pro-Russian hacktivists took responsibility for these cyberattacks and claimed to have attacked 207 targets in Estonia.[12] In fact, they just copied a list of services where the Smart-ID app can be used, and actual attacks were not carried out against all these targets.

 

Russia uses cyberattacks to support its strategic objectives (e.g., causing fear and weakening society’s resistance to the aggressor, disrupting the functioning of the state, and creating information noise to make it difficult to distinguish reality from disinformation). The Russo-Ukrainian war confirms that cybersecurity measures [13] make it possible to withstand cyber espionage, cyber sabotage and influence operations.