Microsoft report on Russian cyber attacks on Ukraine
Microsoft detected destructive cyberattacks against Ukraine and released a special report on April 27, 2022, titled “Special Report: Ukraine.” The DHS (Department of Homeland Security) warns Ukraine that Russian cyberattack frequency may increase and potentially become even more aggressive. Cyber threat actors have already caused significant damage and may exploit any number of vulnerabilities that either already existed or emerged as a consequence of recent cyber onslaughts.
Numerous global news and social media outlets are investigating and reporting on the most recent events of the second Ukraine War. The cyber element of this conflict is so advanced that Microsoft, as the leading tech company, had to conduct a special investigation to discover the magnitude of damage it has and continues to cause.
This article has several objectives. The first is to analyze Russian cyber-attack strategies and goals; the second is to describe the types of cyber-attacks and malware Russian threat actors are deploying; the third covers the consequences of the cyberattacks Russia instigated.
Russian cyber wars in peace and conflict
A cyber war with Russia can take different forms depending on the target and the environment. The intensity, persistence, and methods by which cyber-attacks are conducted are different in peacetime and wartime.
Peacetime Cyber Warfare
The word “peace” should be taken at face value, as Russian cyber threat actors orchestrate attacks many countries would only resort to during times of conflict. In peacetime, cyber actors have several goals, including but not limited to:
- Weakening the target’s critical infrastructure
- Diminishing the target’s resources
- Instigating or orchestrating revolts
- Intimidating the target to either take or refrain from taking specific actions
- Causing civil unrest and weakening the target’s political cohesion
Russians achieve these goals in numerous ways. Threat actors deploy a range of sophisticated malware, spread disinformation, and launch smear campaigns, but more importantly, they show the target that they are fully aware of its cyber vulnerabilities.
Russian cyber wars in conflict
Putin’s cyber war methods are vastly different during wartime. The most lethal malware is deployed, the persistence of attacks is dramatically higher, and unlike sporadic intimidating/probing attacks, wartime cyber attacks are surgically precise and coordinated with kinetic military operations in the air, at sea, and on land. Wartime cyber attacks have far more devastating consequences, such as:
- Complete disruption of key facilities belonging to critical infrastructure
- Disinformation campaigns that take a toll on the target’s resources
- Compromised communication channels
- Long-term electricity blackouts
Disruption of key facilities
Most cyberattacks since Russia attacked Ukraine have targeted key facilities such as national gas stations, hospitals, infantry barracks and, most prominently, the IT components of the infrastructure. The cyberattacks that hit the Ukrainian military and banks caused a major disturbance among local citizens. Coupled with a shortage of essential supplies, many citizens have not been able to purchase food, water, or clean clothes for weeks. Keeping track of people who lost their homes or went missing throughout the war was also a particularly difficult task for the Ukrainian government. For example, before the nuclear plant in Zaporizhzhia was captured by land troops, it was targeted by a series of micro cyberattacks that hindered recon attempts.
Dwindling morale of soldiers and citizens
Morale is one of the key factors in every battle. It influences the will to fight despite all odds, and it inspires the soldiers to take heroic actions even when faced with an overwhelming force. After a series of successful cyberattacks on Ukrainian hospitals, banks, and other parts of the infrastructure, the morale of both citizens and soldiers started to drop. With missiles razing the ground on one end and cyberattacks on the other, a state of confusion and despair became commonplace.
The recent hit on the Ukrainian military by an apparent DDoS cyberattack was not the first. At the tail end of 2015, a group of Russian hackers successfully executed a cyberattack on a massive scale, disabling the country’s national power grid for a full six hours. In the second Ukraine war, a combination of cyberattacks and kinetic attacks was deployed, which nearly destroyed three electrical stations and caused major power outages. Culminating with the shelling on the 3rd of May, these multi-pronged attacks have left a good portion of Ukraine in complete darkness. Even though Ukraine’s infrastructure features backup generators that would allow the main grid to function for weeks, if not months on end, thousands of households were left with no electricity.
Cyberattacks and Diplomacy
A country has minimal (if any) diplomatic leverage when invading another country. Typically, countries make defensive and offensive alliances, calling upon their friends to support their efforts. Cyberattacks are often used to complement diplomacy. Hacking endeavors are used to mark certain targets in such a way that the target can only assume who the culprit was. This is, in a sense, a show of power.
While assaulting a country with troops and artillery on the ground is an obvious declaration of war, a cyber “probe” does not cross that line. It simply shows that the attacking country could gain access to the target’s critical systems and significantly weaken it with a click of a button if needed. A recent example perfectly illustrates this situation. Ukrainian president Volodymyr Zelensky sought help from the Finnish Parliament on the 8th of April; Finland allegedly suffered a DDoS cyberattack as a warning.
In that regard, cyber-attacks are meant to enforce diplomacy through intimidation. Unlike peacetime diplomacy between friendly countries that work towards mutual improvement, wartime diplomacy backed by hacking actors is not as long-lived, but it can be significantly more effective.
Malware Deployed in the Second War
Numerous types of malware used during the first Ukraine war could not be identified until years later. Microsoft’s report has tracked several exceptionally dangerous types of viruses and malicious software deployed in the second war, which we discuss in the sections below:
Whisper Gate is a sophisticated type of malware that serves multiple functions. It overwrites the affected system’s data and prevents it from booting until the malware is removed. Furthermore, a fake note is displayed, showing the system operator that the unit has been compromised. Additional features include:
- A ransomware component deployed as its final stage
- It corrupts and encrypts files with highly specific extensions and denies access to everyone apart from the attacking party.
- It takes months to decrypt.
In ordinary situations, the malware deployer would ask for “compensation” and remove the virus. In wartime, affected machines are virtually useless and are almost certain to lose all data contained in them.
More popularly known as Hermetic Wiper, Fox Blade is a wiper malware named after a certificate stolen from the Hermetica Digital company. It is one of the most widely used viruses for targeting numerous Ukrainian organizations and companies, especially during the second war.
This virus mainly targets Microsoft Windows devices and was designed to bypass the system’s built-in defenses. The wiper was named after its ability to “wipe” the system clean, providing the attacker with the ability to delete files they have access to. Ordinary wipers are only capable of providing low-level data access. Fox Blade is more sophisticated and capable of providing the attacker with high-level privileges. With it, any Windows system can be completely erased along with all files contained on the drives.
Sonic Vote is a less advanced variation of the Hermetic Wiper and is often referred to as “Hermetic Ransom.” Instead of allowing the attacker to delete any file in a compromised Windows system, it enables the attacker to encrypt the files, denying access to the owner. While Hermetic Wiper is generally used to permanently disable critical systems, Sonic Vote is more suitable for mass deployment.
In many cases, the team fighting Sonic Vote will spend days decrypting chunks of data, sometimes even weeks when critical information is at stake. The deployment of Sonic Vote on thousands of Windows systems was a strategic move to both cause confusion and split the attention of defending party.
CaddyWiper is another type of wiper malware that serves a similar purpose to the Hermetic Wiper. It was designed to destroy files by overwriting their data with null values. However, it grants a far greater level of flexibility. The attacker can retain anonymity by deleting small pieces of information, or launch a full-scale attack and wipe the entire system and everything in it. Like all wipers, Caddy Wiper grants the user privileged access to all system files and can be used for espionage as well.
According to Microsoft’s Report, the DesertBlade hacking attack is a “limited destructive malware attack.” It targeted a sole Ukrainian entity and was engineered to overwrite and delete all files except the system itself. It is not as destructive as Hermetic or Caddy Wiper, but it still renders the device temporarily unbootable. This malware was probably deployed alongside other wipers to catch the defender off guard. After a barrage of Hermetic and Caddy Wiper attacks, the system’s defenses were not adequately prepared for DesertBlade viruses.
Named after its target, Industroyer.B was created to grant the attacker access to industrial control systems. It is fairly similar to Wiper malware, as it possesses the ability to overwrite and delete files that the attacker can access. It is more of a specialty virus, designed specifically for industrial systems.
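The wipers described above share two visible symptoms a responder can check for: a boot sector that has been overwritten so the machine no longer boots (Whisper Gate), and user files whose contents have been replaced with null bytes (CaddyWiper, DesertBlade). The following Python triage script is an added example for this article; it is not code from Microsoft’s report or from DIESEC, and its sample boot sector, demo files, 0.98 null-byte threshold and 4096-byte sample size are constructed assumptions chosen for illustration. It checks a 512-byte boot sector for the 0x55AA signature and walks a directory tree flagging files that are almost entirely null bytes, which is the kind of evidence an incident responder would gather before deciding whether recovery from backups is required.

```python
import os
import tempfile

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of an intact MBR / boot sector

# Constructed sample boot sector (assumption, not taken from any real disk):
# a short jump instruction, padding, and the 0x55AA signature at offset 510.
HEALTHY_MBR = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (MBR_SIZE - 5) + BOOT_SIGNATURE


def boot_sector_intact(sector: bytes) -> bool:
    """Return True if a 512-byte sector still carries the 0x55AA boot signature.

    A sector that has been overwritten with nulls, or with a fake ransom-note
    loader that lacks the signature, fails this check and the host will not boot.
    """
    if len(sector) != MBR_SIZE:
        return False
    if sector == b"\x00" * MBR_SIZE:
        return False
    return sector[-2:] == BOOT_SIGNATURE


def null_ratio(data: bytes) -> float:
    """Fraction of null bytes in data; files overwritten by a wiper score near 1.0."""
    if not data:
        return 0.0
    return data.count(0) / len(data)


def looks_wiped(path: str, threshold: float = 0.98, sample_size: int = 4096) -> bool:
    """Read the head of a file and flag it when nearly every byte is null.

    Only the first sample_size bytes are read so the scan stays fast on large
    trees; the threshold and sample size are assumptions for this example.
    """
    if os.path.getsize(path) == 0:
        return False  # an empty file is not evidence of overwriting
    with open(path, "rb") as handle:
        head = handle.read(sample_size)
    return null_ratio(head) >= threshold


def triage_directory(root: str) -> list[str]:
    """Walk root and return the relative paths of files that look null-overwritten."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if looks_wiped(path):
                    hits.append(os.path.relpath(path, root))
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed demo data: two normal documents and two null-overwritten files."""
    root = tempfile.mkdtemp(prefix="wiper-triage-")
    with open(os.path.join(root, "report.docx"), "wb") as handle:
        handle.write(b"PK\x03\x04" + bytes(range(256)) * 8)  # deterministic binary content
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as handle:
        handle.write("quarterly notes\n" * 50)
    with open(os.path.join(root, "ledger.xlsx"), "wb") as handle:
        handle.write(b"\x00" * 3000)  # simulated wiper output: all nulls
    with open(os.path.join(root, "backup.db"), "wb") as handle:
        handle.write(b"\x00" * 8292)  # larger than the sample window, still all nulls
    return root


if __name__ == "__main__":
    print("boot sector intact:", boot_sector_intact(HEALTHY_MBR))
    print("zeroed boot sector intact:", boot_sector_intact(b"\x00" * MBR_SIZE))
    demo_root = build_demo_tree()
    for hit in triage_directory(demo_root):
        print("looks wiped:", hit)
```

Run against a mounted image or a file share copy rather than a live compromised host, and treat a hit as a lead, not proof: legitimately sparse files (pre-allocated database or VM disk files) also read as mostly nulls, so confirm hits against file metadata and backups before declaring data lost.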
Frequently asked questions
What is a cyber attack from Russia?
A cyber attack from Russia is an orchestrated hacking operation that can have one or multiple goals. It is usually aimed at targets that were deemed threats to Russia’s national security, which can be an individual, a corporation, or a government. In the case of the second Ukrainian war, cyber-attacks were aimed not only at Ukraine but also at countries that offered aid.
Retaliatory attacks are different in that they are often announced. When the country issued a statement that it would retaliate against anyone that supports Ukraine joining the NATO pact, cyber actors launched a DDoS attack on the Finnish Parliament. Another form of cyber-attack is an intimidation attack. Should a country openly state that it plans to send mercenaries, weapons, or resources to Ukraine, it may be dissuaded from doing so after a series of persistent hacking attacks.
How is Ukraine responding to the Russian cyber threat?
This is not the first information war between Russia and Ukraine. During the first Ukraine war, Russia brought Ukraine’s power grid down and deployed a barrage of persistent micro attacks, showing how real and dangerous a threat it can be. Currently, Russian tactics, technologies, and hacking techniques are much different. Ukraine is not only faced with far more sophisticated cyberattacks but is also defending against a much larger kinetic force. Ukraine is relying heavily on its counter-intelligence units to detect and react to new threats, but the multi-pronged onslaught of cyberattacks and kinetic destruction is far more dangerous than during the first Ukraine war.
What would a Russian cyber attack look like?
During the second war, Russia mainly deployed malware belonging to the wiper family. These viruses were purposefully engineered to bypass Microsoft antivirus systems and grant the attacker access to system files. In the majority of cases, Russian cyber attacks deployed a combination of multiple wipers (DesertBlade, HermeticWiper, Industroyer, and more). Nearly all of these viruses could delete all data from the target system. Additionally, the malware could copy and encrypt sensitive file data, leaking crucial information to Russian authorities.
When did the Ukraine cyber war start in 2022?
The first cyber attack during the second Ukraine war was launched on the 22nd of March, 2022. Cyber threat actors deployed Caddy Wiper, after which Hermetic Wiper, Sonic Vote, and Industroyer viruses were launched daily.
In wartime, access to information is arguably even more important than military strength and advanced weaponry. Whichever side is capable of obtaining accurate information first has the upper hand. Russian cyberattacks are not just a threat to organizations in Ukraine but also to companies in America, Europe, and Australia as these countries openly support Ukraine in the current war. The best way to protect yourself is to sign up for DIESEC risk management services and allow our cybersecurity experts to review and improve your IT security measures. Contact us for a free consultation today!