To soften up Ukraine in the run-up to its February 24, 2022 invasion and in the weeks that followed, Russia, or Russian-backed threat groups, unleashed a wave of wiperware against the country’s organizations, took down thousands of routers used by Ukrainian (and other) subscribers to Viasat’s satellite internet service and deployed a new version of the Industroyer malware against the country’s electricity grid.
That was just the start of the cyber war.
Wiperware is a favoured weapon. Alex Rudolph, a Carleton University doctoral candidate, told a House of Commons defence committee last week that there have been at least 16 wiper malware families deployed into Ukraine since the start of fighting.
The 12 months since have given a window into what modern hybrid war, physical and cyber combat combined, looks like, at least in a limited theatre of war. A global cyber war officially hasn’t broken out yet.
But, for example, the bombardment of some Ukrainian power stations was combined with cyber attacks, notes Jean-Ian Boutin, Ottawa-based director of threat research for ESET, which is headquartered in Slovakia. He’s not sure if it was a coincidence or a combined attack.
Meanwhile, there have been suspected cyber attacks against countries supporting Ukraine. Last week, for example, a group called Anonymous Russia took credit for DDoS [distributed denial of service] attacks on the websites of several German airports. The pro-Russian KillNet group took credit for an IT outage at Lufthansa, which the airline blamed on broadband cables mistakenly cut during construction work on a railway line.
In November, 2022, hackers from the Russian-affiliated group KillNet took down the website of the European parliament, hours after the legislative body declared Russia a terrorist state.
However, cyber attacks outside Ukraine haven’t been as crippling as some experts feared.
On the anniversary of the start of the invasion, we look back at what happened since and lessons learned.
Cyber attacks are a feared weapon: under the worst conditions they can cripple a healthcare system and cause death. But a Canadian expert points out that cyber attacks alone can’t win wars.
“Cyber-attacks cannot gain territory, but they can disrupt the other side’s operations, target infrastructure and civilians, and affect public opinion during the process of gaining physical territory,” wrote Abby MacDonald, a fellow at the Canadian Global Affairs Institute, when the war was only two months old. “In this conflict, complete cyber-war does not appear to be strategically useful, though cyber-activities including disinformation will continue.”
To David Swan, Alberta-based cyber intelligence director of the Center for Strategic CyberSpace and International Studies, an international think tank, the outset of the cyber war held no surprises.
“Russia has a very well-developed standard cyber battle plan,” he said. “They used it in Georgia [in 2008], they used it in Estonia [in 2007] … it’s been developing since the mid-1990s”
That plan calls for DDoS and other cyber attacks against media websites and broadcast systems, to impair or shut them down; against financial institutions, to block residents from making purchases unless they have cash; against infrastructure (for example, gas stations whose electronic pumps are controlled over the internet were shut down or jammed); against government websites, to stop the country from functioning; and against military wireless communications.
But against Ukraine, the Russians haven’t been as successful, for a number of reasons. First, Swan believes, Moscow misjudged the population. “They believed most Ukrainians were pro-Russian and would happily support the Russians coming in,” he said. “Wow, did they get that wrong!”
Second, Swan said, Ukraine has been preparing for physical and cyber war since the Russian capture of Crimea in 2014. It learned some lessons during cyber attacks that knocked power out across parts of Ukraine in 2015. Ukraine said the attack came from inside Russia.
In addition, said Swan, in the months leading up to the invasion, Ukraine moved closer to the European Union. In June, 2021, the EU and Ukraine held their first cyber dialogue about responsible state behaviour in cyberspace, but also about cyber resilience. Two days before the invasion, several EU countries activated a cyber rapid response team to help Ukraine. Since the war started, the U.S., Canada and the EU have been offering intelligence and cyber defence support. U.S. cyber support began in 2017. This May 2022 U.S. document outlines what has been done since.
Separately, since the war began, Microsoft, Google, Amazon, Mandiant, ESET, Palo Alto Networks, Cisco Systems and other IT companies have donated software, threat intelligence and countered misinformation to augment Ukraine’s capabilities. They helped the government and the Ukrainian hacker underground that emerged.
Microsoft’s role began earlier. Before the start of the invasion, Russia launched a cyberattack that targeted Ukrainian government and financial websites, notes this analysis of the first six months of the cyberwar in the journal Lawfare. This attack — known as FoxBlade — was poised to wipe data from computers. Within hours of its appearance, the Microsoft Threat Intelligence Center had written code to stop it, which was quickly shared with Ukraine.
Ukraine has come up with at least one unique defensive tactic: It ordered wireless carriers in the country to block mobile devices from roaming with carriers in Russia and Belarus. This is unprecedented, said Cathal Mc Daid, chief technology officer of Sweden’s Enea AdaptiveMobile Security. It meant Russian forces in Ukraine couldn’t use mobile phones as a backup or primary communication system. “We know from history (Russia-Georgia war of 2008) and in Ukraine itself, that Russian forces have used mobile phones to communicate,” he said in an email to IT World Canada, “but this decision by Ukraine, on the day of the invasion, made Russian forces’ communications problems much worse.”
None of this suggests that Ukraine has been impervious to cyber attacks. But the government has been able so far to persevere and direct military action. Or, to put it another way, Russia has so far failed to strike a knockout cyber blow.
Russia, and threat groups that support it, meanwhile, are still active. In fact news emerged this week that Russian hackers planted backdoors in multiple government websites as far back as December 2021. Ukraine’s computer emergency response team said it spotted a webshell deposited through one of those backdoors yesterday (Feb. 23). It isn’t clear if the access has been used undetected for months.
There’s a long list of Russian-deployed [and Western-named] wiperware seen in the run-up to and since the invasion: HermeticWiper, IsaacWiper, WhisperGate and CaddyWiper, to name a few. And Ukrainian hacktivists struck back with the RURansom wiper.
Just as Ukraine has its civilian cyber forces, so does Russia. One, Swan says, is dubbed NoName057(16). He believes it was formed from KillNet members. This group’s attacks have hit the Polish government and organizations in Lithuania (mainly cargo and shipping firms). For more on NoName057(16) see this report from SentinelLabs.
In a January report published by CSCIS, Swan said the group is also attempting to recruit and encourage hackers to attack targets through a project called “DDoSia”. Volunteers are encouraged to attack ‘anti-Russian targets’, earning as much as 80,000 rubles (US$1,200) for a successful attack.
In a first-year analysis of attacks, researchers at Check Point Software noticed that, since September, there has been a gradual but major decline in the number of attacks per gateway in Ukraine. On the flip side, it added, there was a significant increase in attacks against NATO members.
In its analysis of the war so far, Google predicts with “high confidence” that Moscow will increase disruptive and destructive attacks in response to developments on the battlefield that fundamentally shift the balance – real or perceived – towards Ukraine (e.g., troop losses, new foreign commitments to provide political or military support, etc.). These attacks will primarily target Ukraine, it says, but increasingly expand to include NATO partners.
More than one analyst has noted that the DDoS attacks haven’t had large impacts. Nor, seemingly, are they aimed at causing significant damage, so far.
“This begs a critical question,” said Dave Masson, head of Darktrace Canada. “One year on, is the risk of a cyber fallout still there? The answer is a resounding yes. While there is no direct evidence of a large-scale cyber-attack on the horizon, it is absolutely critical that defenders stay on guard. The history of cyber threats has shown us time and time again that we cannot rely on historical attack data to predict future threats. The risk of Russian retaliation is real, pervasive, and cannot be underestimated.”
Among the lessons of the cyber conflict so far, said Jean-Ian Boutin of ESET, is the importance of public and private sectors working together. “We already knew that communications is key, but this really strengthened our thinking that the key to thwarting attacks is to keep communications open and report attacks as soon as we see them.”
The Communications Security Establishment (CSE), responsible for securing Canadian government networks, declined a request for an interview. Instead, it sent this statement:
“As mentioned in CSE’s National Cyber Threat Assessment (NCTA 2023-24), Russia’s unlawful invasion of Ukraine in February 2022 gave the world a new understanding of how cyber activity is used to support wartime operations.
“While we can’t speak about specific events or tactics that we’ve monitored through our foreign intelligence mandate, we can confirm that CSE has been tracking cyber threat activity associated with Russia’s war with Ukraine. CSE has been sharing valuable cyber threat intelligence with key partners in Ukraine. We also continue to work with the Canadian Armed Forces (CAF) in support of Ukraine, including intelligence sharing, cyber security, and cyber operations.”
Through the Canadian Centre for Cyber Security, the CSE urges Canadian organizations to
- isolate critical infrastructure components and services from the internet and from corporate/internal networks if those components would be attractive to a hostile threat actor seeking to disrupt them. When using industrial control systems or operational technology, test manual controls to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted;
- increase organizational vigilance. Monitor your networks with a focus on the Tactics, Techniques, and Procedures (TTPs) reported in the CISA advisory. Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behaviour. Enable logging in order to better investigate issues or events;
- enhance your security posture. Patch your systems with a focus on the vulnerabilities in the CISA advisory, and enable logging and backup. Deploy network and endpoint monitoring (such as anti-virus software), and implement multifactor authentication where appropriate. Create and test offline backups;
- have a cyber incident response plan, a continuity of operations plan and a communications plan, and be prepared to use them;
- inform the Cyber Centre of suspicious or malicious cyber activity.
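The monitoring and logging advice above is only as useful as the detection logic that runs over the logs. As an added example (not code from the article, from CSE or from any vendor named here), the Python below runs two wiper-oriented heuristics over constructed endpoint log lines: a raw disk-device open by an image outside an assumed allow-list, and a single process writing or deleting many files across many directories within a short window. The tab-separated log format, the device-path prefixes, the allow-list, the process names and the thresholds are all assumptions chosen for illustration; none is a signature for any named wiper family.

```python
"""Added example (not code from the article or from any vendor it names):
a small detector for wiper-like behaviour run over constructed endpoint
log lines. Log format, prefixes, allow-list and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# Constructed log format (assumption): tab-separated fields
#   <unix_ts>  <host>  <pid>  <image>  <event>  <target>
# with event in {FileWrite, FileDelete, RawAccess}.


@dataclass(frozen=True)
class Event:
    ts: int
    host: str
    pid: int
    image: str
    event: str
    target: str


def parse_line(line: str) -> Event:
    ts, host, pid, image, event, target = line.rstrip("\n").split("\t")
    return Event(int(ts), host, int(pid), image, event, target)


# Raw block-device paths a wiper opens to destroy the MBR/partition table
# instead of individual files (prefixes are assumptions for this example).
RAW_DEVICE_PREFIXES = (r"\\.\PhysicalDrive", r"\\.\Harddisk", "/dev/sd", "/dev/nvme")
# Images expected to touch raw disks on this estate (assumed allow-list; tune it).
RAW_DEVICE_ALLOWLIST = {r"C:\Windows\System32\defrag.exe", "/usr/sbin/fsck"}


def parent_dir(path: str) -> str:
    """Directory part of a Windows or POSIX path, normalised to '/'."""
    return path.replace("\\", "/").rsplit("/", 1)[0]


def detect(lines: Iterable[str], window_s: int = 60,
           file_threshold: int = 50, dir_threshold: int = 5) -> list:
    """Return a list of alert dicts.

    Rule A: a non-allow-listed image opens a raw disk device.
    Rule B: one process writes/deletes >= file_threshold files spread over
            >= dir_threshold directories within window_s seconds. The
            directory-spread condition separates a wiper walking the tree
            from a compiler or backup job hammering one directory.
    """
    alerts = []
    per_proc = defaultdict(list)  # (host, pid, image) -> [(ts, target)]
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.event == "RawAccess":
            if ev.target.startswith(RAW_DEVICE_PREFIXES) and ev.image not in RAW_DEVICE_ALLOWLIST:
                alerts.append({"rule": "raw_disk_access", "host": ev.host, "pid": ev.pid,
                               "image": ev.image, "target": ev.target})
        elif ev.event in ("FileWrite", "FileDelete"):
            per_proc[(ev.host, ev.pid, ev.image)].append((ev.ts, ev.target))

    for (host, pid, image), evs in per_proc.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):          # sliding window over time-sorted events
            while evs[hi][0] - evs[lo][0] > window_s:
                lo += 1
            span = evs[lo:hi + 1]
            if len(span) >= file_threshold:
                dirs = {parent_dir(t) for _, t in span}
                if len(dirs) >= dir_threshold:
                    alerts.append({"rule": "mass_file_destruction", "host": host, "pid": pid,
                                   "image": image, "files": len(span), "dirs": len(dirs)})
                    break                   # one alert per process is enough
    return alerts


def sample_log() -> list:
    """Constructed sample: a benign build job, a wiper-like process, and two
    raw-disk opens (one allow-listed, one not). Names are hypothetical."""
    lines = []
    for i in range(80):   # 80 writes into one build directory over 40 s: benign
        lines.append(f"{1000 + i // 2}\tws01\t4242\tC:\\tools\\cl.exe\tFileWrite\tC:\\src\\build\\obj{i}.o")
    for i in range(60):   # 60 overwrites across 12 user directories in 12 s: wiper-like
        lines.append(f"{2000 + i // 5}\tws01\t6666\tC:\\Users\\Public\\svc.exe\tFileWrite"
                     f"\tC:\\Users\\u{i % 12}\\Documents\\f{i}.docx")
    lines.append("2013\tws01\t6666\tC:\\Users\\Public\\svc.exe\tRawAccess\t\\\\.\\PhysicalDrive0")
    lines.append("3000\tws01\t1200\tC:\\Windows\\System32\\defrag.exe\tRawAccess\t\\\\.\\PhysicalDrive0")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Running the block prints two alerts, both for the hypothetical `svc.exe`: one raw-disk open and one mass-destruction window of 50 files over 12 directories. The 80-file build job produces nothing because it stays inside one directory, and the allow-listed defragmenter's raw access is ignored. In production the thresholds and allow-list need tuning per estate, and the input would be real EDR or Sysmon-style telemetry rather than the constructed format used here.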
“The thing I’m expecting is one of those wiper families with a new front end, a new way of breaking into networks, to get loose and come West,” said Swan. “I know that there’s a lot of effort going into backstop to support Ukraine and pre-empt malware families coming West. The problem is Russia only has to get it right once, and they’ve got some of the world’s best hackers on their side writing this stuff. My concern is the longer the war goes on, the higher the likelihood that one or more of these things is going to get loose and there’s going to be hell to pay.”