
On 24 February 2022, armed forces of the Russian state crossed into Ukraine in what Vladimir Vladimirovich Putin described as a ‘special military operation’. Since then, the majority of news coverage has understandably centred on the military conflict and the humanitarian tragedy that has unfolded. However, today any such conflict inevitably includes a cyber component. Russia is acknowledged to be a leader in the use of cyber ‘weapons’, including traditional hacking of systems and networks, large-scale disinformation and social media manipulation.
The most likely uses for such weapons are the disruption of government and military operations, disinformation and propaganda, and interference with industrial systems such as power grids and telecommunications. The best cyber weapons and the best infiltrations are, by their nature, difficult to detect. When at war there is no time for careful, forensic analysis of systems. Adaptation is likely to be the first stage in reacting to technical issues: maintaining services, working around or patching broken elements of networks, and re-enabling or replacing systems under threat. So, with this in mind, let’s take a look at the various aspects of the cyber conflict that is happening in parallel with the more traditional battles. Some background on previous attacks by Russia on Ukraine’s infrastructure will give us an idea of what type of attacks are likely taking place now. It should be stressed that, although we already know much about the use of cyber in the conflict, full technical and strategic details will only emerge over time…
Trial run: Ukraine ‘Snake’ attacks 2014
In March 2014 a rootkit called Uroburos was detected, active, on Ukrainian Government systems. This became known as the ‘Snake’ campaign in cyber security circles and affected more than just Ukraine. Research revealed that the rootkit may have been active in some systems for many years, and parts of what became known as the Snake software toolkit had been detected as long ago as 2005. At that point the average time an adversary could remain hidden within an exploited system was counted in years.
Trial run: Ukraine power grid attack 2015
On December 23rd 2015 a Russian group known as Sandworm infiltrated the Ukrainian power grid and caused power outages for around 230,000 consumers. This has become recognised as the first successful real-world attack on a power grid. It could be argued that the Ukrainian grid was particularly susceptible to Russian attack as it still used much of the technology from the Soviet era. The attack followed a familiar pattern, with phishing attacks delivering the BlackEnergy malware. Through this compromise, various Supervisory Control And Data Acquisition (SCADA) systems were seized and used to switch off substations. There were attempts to destroy or disable other components such as uninterruptible power supplies, modems, remote terminals and commutators. Files on associated servers and workstations were destroyed using the KillDisk malware. Denial of service attacks were used to disable call centres, maintaining the confusion for as long as possible.
Trial run: Ukraine artillery targeting exploit 2014-2016
Between 2014 and 2016, US security company CrowdStrike believes that the Russian group Fancy Bear used Android malware to target the Ukrainian military. Without realising it, the Ukrainian military distributed an infected version of an Android app whose original purpose was to manage targeting data for howitzer artillery pieces. CrowdStrike estimates that 80% of Ukraine’s D-30 howitzers were destroyed as a result. The Ukrainian military disputes these claims.
Trial run: Ukraine ransomware attacks 2017
On June 27th 2017, Ukraine was again targeted when sites including banks, Government ministries, newspapers and electricity companies were attacked with a modified version of the Petya malware. While sites in other countries were also infected, around 80% were in Ukraine.
The source of the infections is believed to have been a Ukrainian accounting package called MeDoc. As part of a routine update on June 27th, malware was downloaded to machines running MeDoc in what is called a ‘supply chain attack’. At the time, it was estimated that this amounted to around one million machines. Petya, like WannaCry, had used the EternalBlue exploit (created by the CIA and published to the world as part of the Shadow Brokers trove of CIA tools on April 14th 2017). This had been patched by Microsoft, and it is believed that the Ukraine attack used a modified version of Petya called NotPetya or Nyetya. NotPetya encrypted all the files on the infected systems and in some cases files were wiped. One notable victim was the radiation monitoring system at the Chernobyl Nuclear Power Plant, which went offline. Attribution of this attack is less clear than for the power grid attack. Wired magazine journalist Andy Greenberg believes that this second attack was also the work of the Sandworm group. He also said that this group had originally been working to undermine Ukraine’s financial system when it stumbled by accident on the vulnerability in the MeDoc updating software.
There are other cases of interference in national infrastructure from elsewhere in the world, but these examples highlight how Russia seems to have used Ukraine as a testing ground for some of its cyber weapons. If we now fast forward to earlier this year and the start of the Russian aggression towards Ukraine, the CyberPeace Institute has recorded all directed attacks against Ukrainian entities starting on January 13th 2022. At the time of writing there have been 28 separate attacks logged by the CyberPeace Institute since hostilities commenced, and nine further attacks this calendar year. Attribution of these attacks may take some time to confirm, but the large majority have already been identified as Russian or Belarusian hacker groups. Perhaps significantly, one attempted intrusion is attributed to a Chinese group (Scarab/UAC-0026), indicating that other parties may be trying to take advantage of the confusion.
Since the conflict is ongoing, many of these reported attacks are not yet clearly understood: neither their tactical purpose, beyond adding to the confusion, nor their technical details. In most cases, samples will have been quickly examined and compared against databases of known malware rather than individually analysed. It is common for nation state actors to use readily available hacking tools to further frustrate attempts at attribution.
Dangers of public networks
It was widely reported in the first weeks of the conflict that the Russian forces’ communications system was not working. This led the Russian military to loot electronics shops in Ukrainian towns and cities to get hold of mobile phones and SIM cards so that their commanders could communicate. Once this became known, the Ukrainian defence forces were able to identify such activity and either intercept calls or geo-locate the caller using tools available on the internet. At least one, and likely more, senior Russian commanders have been ‘taken off the battlefield’ (killed via drone strikes) in this way.
IT army of Ukraine
The IT Army of Ukraine was formed by Mykhailo Fedorov, Deputy Prime Minister of Ukraine and Minister of Digital Transformation, on February 26th via his Twitter account. It uses a Telegram channel to pass on instructions and to list both domain names and IPs of Russian systems that the group wished to ‘target’. It encourages people from anywhere to help the Ukrainian cause by performing DDoS attacks or other exploits against the listed sites. Western news outlets soon began suggesting that helping the Ukrainians in this way could be unlawful, and it was discouraged. The Anonymous hacking collective also weighed in with a number of website exploits, defacements and data dumps. It could be argued that individuals from around the world randomly hacking Russian sites might interfere with coordinated attacks from Western nation states. No Western states have admitted to any form of cyber operations against Russia since the conflict started, but it is highly likely that at least some activities are ongoing.
Western governments fear an escalation of the Ukraine conflict. Any identifiable use of cyber weapons by the west may well produce such an escalation. It may be that governments are reluctant to use any cyber weapons, preferring to ‘keep their powder dry’. We may never know for sure if any such weapons are deployed.
Social media sites have already been alerted to the so-called Russian trolls that set up fake accounts to spread disinformation. Such techniques hit the headlines during the US elections in 2016, but they can nonetheless be hard to police effectively. Once a fake social media account has been created it can begin posting disinformation. Even if the social media platform is quick to spot and remove such accounts, new ones can be generated automatically and more flashes of disinformation appear. It becomes a ‘whack-a-mole’ exercise, during which the disinformation seeps out and is passed on by unwitting real people, gradually gaining authority as it spreads.
As with previous conflicts, the war in Ukraine is providing valuable data for those in the business of war. The conflict will be minutely analysed in all its aspects by militaries and intelligence agencies around the world. While simulations give ever more realistic ways to test weapons and strategies the real thing provides the best demonstration. Our news broadcasts show us the horrors of the war as never before. It will take time, but over the coming months analysts will also reveal (perhaps not publicly) the effectiveness of the various cyber weapons deployed as well.
(This article was first published on the British Computer Society website: Ukraine: The cyber battlefield | BCS)