Russia plumbs new depths in cyber war on Ukraine

Russian threat actors are sinking to new lows in support of Moscow’s illegal and unprovoked war on Ukraine, according to new intelligence from Microsoft, which has catalogued more than 230 distinct cyber operations from at least six threat groups since the war began in February.

Alongside more broad-brush espionage and intelligence-gathering activities that might be expected during a cyber war, Russia has been conducting destructive cyber attacks that are clearly designed to threaten the welfare of Ukrainian civilians by degrading the systems of Ukrainian institutions, disrupting access to reliable information and critical services, and attempting to damage citizen confidence in the Ukrainian government.

“We believe it’s important to share this information so that policymakers and the public around the world know what’s occurring, so others in the security community can continue to identify and defend against this activity,” said Tom Burt, corporate vice-president of security and trust at Microsoft.

“All of this work is ultimately focused on protecting civilians from attacks that can directly impact their lives and their access to critical services.”

Burt said Microsoft has seen close to 40 destructive attacks targeting hundreds of systems, 32% of those targeting Ukrainian government organisations, and 40% targeting critical national infrastructure (CNI).

The attackers are using various techniques to obtain access, including phishing, exploitation of unpatched vulnerabilities, and supply chain attacks through compromised service providers.

Microsoft said Russia’s use of cyber warfare techniques is strongly correlated – and often directly timed – with kinetic military operations. One such cyber attack against a Ukrainian broadcasting company on 1 March took place alongside military action against what Moscow describes as “disinformation” targets, including missile strikes on the main TV tower in Kyiv.

On 13 March, Microsoft observed a cyber attack on a nuclear safety organisation that took place alongside Russian actions against Ukraine’s nuclear power infrastructure, sparking fears of potential radiation leaks on a par with the 1986 Chernobyl disaster. The Chernobyl site itself, which was occupied for a time by Russian forces, was returned to Ukrainian control at the end of March.

In another highly concerning incident, during the siege and destruction of the city of Mariupol – which is thought to have killed thousands of civilians and has been accompanied by allegations of war crimes against Ukrainian citizens including rape and forced deportation to Russia – Ukrainians received phishing emails from a Russian actor masquerading as a Mariupol resident, accusing Kyiv of “abandoning” ordinary people.

Microsoft’s full report – which can be read here – also reveals for the first time that Russia-aligned threat actors began positioning themselves in readiness to support a kinetic conflict as long ago as March 2021.

At about that time, there was a clear ramping-up of cyber operations against organisations inside or aligned with Ukraine, which, with the benefit of hindsight, can now be seen as an attempt to gain a foothold inside Ukrainian systems.

When Russia began to move troops up to the Ukrainian border – falsely claiming it was conducting training exercises – these efforts apparently intensified, with actions seen against targets that could provide intelligence on Ukrainian military and foreign partnerships. By the middle of 2021, Russian actors were targeting supply chain vendors around the world to secure additional access to targets in both Ukraine and Nato states.

By early 2022, as diplomatic efforts to ward off a Russian attack intensified, Microsoft – along with many others – observed the first wiper malware attacks against Ukraine, which we now know to have been a final cyber prelude to the invasion.

Since then, Microsoft’s security teams have been working closely alongside the Ukrainian authorities to identify and remediate various Russian campaigns, and now operates a secure hotline with key cyber officials in Kyiv, in order to act rapidly to defend against further intrusions. This defence includes threat intelligence-sharing and the use of undisclosed technical countermeasures.

Burt said there could be little doubt that Russian cyber attacks would continue to escalate in the coming weeks.

“Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression,” he said.

“We have observed Russian-aligned actors active in Ukraine show interest in, or conduct operations against, organisations in the Baltics and Turkey – all Nato member states actively providing political, humanitarian or military support to Ukraine.

“The alerts published by CISA [Cybersecurity and Infrastructure Security Agency] and other US government agencies, and cyber officials in other countries, should be taken seriously and the recommended defensive and resilience measures should be taken.”