New Delhi: In the months following Russia’s invasion of Ukraine in February, Russian cyber operations targeted not just Ukraine, but also the military facilities and public infrastructure in neighbouring Poland, Latvia and Lithuania, suggests a study by Microsoft released Wednesday. Apart from Ukraine and its allies, the other countries targeted by Russian cyberattacks include Denmark, Norway, Finland, and Sweden.
Though Ukraine has had to defend itself against Russian cyberattacks in the past, the study suggests that this time around, the campaign was more streamlined and influential.
Titled ‘Defending Ukraine: Early Lessons from the Cyber War’, the 30-page study released Wednesday describes in detail how the Russian cyber warfare targeted Ukraine and its allies, including former Soviet Socialist republics.
Apart from tracing a cyber weapon found in multiple government entities across Ukraine to the Russian Army, the study also identifies three key facets of the cyberattacks — targeted phishing, planting of malware and software architecture.
However, the study claimed that “destructive (cyber) attacks (against Ukraine) have fallen” over the past month, since Russia mounted concentrated attacks in the Donbas region.
“Since the war began in Ukraine, some observers have expressed surprise at the relative absence of Russian destructive cyberattacks. To some degree, this is based on a comparison to the international destruction wrought by NotPetya [the 2017 ransomware attack on Ukrainian institutions], which Russia to date has avoided replicating”, the study said.
Russian modus operandi
The study elaborated on each of the three facets of Russian cyberattacks — targeted phishing, planting of malware and software architecture.
“The first aspect, which is also common to ransomware and nation-state cyber espionage, involves targeted phishing and similar efforts to enter a computer network. This tactic reflects the determination, sophistication, and persistence long observed across the cyber activities of Russia’s intelligence community and military”, the study observed.
Detailing the second facet, the study said Russian cyberattacks involved the planting of malware called a “wiper”, which wiped computer hard disks and destroyed crucial data.
About “software architecture”, the study said that it was “designed to replicate or spread this malware (wiper) to other computers across a network domain, such as the network of an entire government ministry”.
One of the first cyber weapons Russia launched has been identified as “Foxblade”, a “wiper software” that Microsoft’s Threat Intelligence Centre (MSTIC) found in 19 government and critical infrastructure entities across Ukraine.
This cyber weapon, the study said, was “developed and launched by the same group associated with Russian military intelligence that developed and launched the NotPetya attack against Ukraine in 2017”.
How did cyberattacks aid Russia
The study goes further to add that as the war has progressed, Russia has adapted its “destructive cyberattacks to its changing war needs”.
“On several occasions, the Russian military has coupled its cyberattacks with conventional weapons aimed at the same targets. Like the combination of naval and ground forces long used in an amphibious invasion, the war in Ukraine has witnessed Russian use of cyberattacks to disable computer networks at a target before seeking to overrun it with ground troops or aerial or missile attacks”, the study said.
The study cited several instances where Russian cyberattacks were devised in a manner that assisted the army in striking its targets.
“The Russian military combined cyber and conventional weapons in assaulting a nuclear power plant in early March. On March 2, MSTIC identified a Russian group moving laterally on the nuclear power company’s computer network. The next day, the Russian military attacked and occupied the company’s largest nuclear power plant”, the study said.
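The spread of a wiper across a network domain described above and the lateral movement MSTIC spotted on the power company’s network share a signature a defender can look for: one account authenticating to unusually many hosts in a short time. The script below is an added example and is not code from the Microsoft study or from this article. It runs a simple fan-out heuristic over a constructed logon log in a made-up line format and flags accounts that reach four or more distinct destination hosts within ten minutes; the log format, account and host names, and the thresholds are all assumptions.

```python
"""Lateral-movement fan-out heuristic over logon events (added example).

Assumed log format, one event per line (constructed for this example):
    <ISO-8601 timestamp> <user> <source_host> <destination_host> <outcome>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

# Constructed sample log: two ordinary users plus a service account that
# reaches six different hosts in under three minutes.
SAMPLE_LOG = """\
2022-03-02T09:00:05Z alice WS-104 FILE-01 success
2022-03-02T09:03:10Z bob WS-221 MAIL-01 success
2022-03-02T09:10:00Z svc-backup WS-117 FILE-01 success
2022-03-02T09:10:40Z svc-backup WS-117 DC-01 success
2022-03-02T09:11:05Z svc-backup WS-117 HR-02 failure
2022-03-02T09:11:30Z svc-backup WS-117 ENG-07 success
2022-03-02T09:12:02Z svc-backup WS-117 ENG-09 success
2022-03-02T09:12:45Z svc-backup WS-117 FIN-03 success
2022-03-02T10:30:00Z alice WS-104 MAIL-01 success
"""


class Event(NamedTuple):
    ts: datetime
    user: str
    src: str
    dst: str
    outcome: str


def parse_log(text: str) -> List[Event]:
    """Parse the assumed whitespace-separated format into Event records."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, outcome = line.split()
        events.append(
            Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, dst, outcome)
        )
    return events


def detect_fan_out(
    events: List[Event],
    window: timedelta = timedelta(minutes=10),
    min_hosts: int = 4,
) -> Dict[str, Set[str]]:
    """Return {user: hosts} for users reaching >= min_hosts distinct destinations
    inside any sliding window of length `window`. Failed logons count too: an
    attempt to reach a host is still evidence of spreading."""
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user[e.user].append(e)

    flagged: Dict[str, Set[str]] = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits within `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            hosts = {e.dst for e in evs[start : end + 1]}
            if len(hosts) >= min_hosts:
                flagged.setdefault(user, set()).update(hosts)
    return flagged


def alerts(text: str) -> List[str]:
    """Human-readable alert lines, one per flagged account."""
    return [
        f"possible lateral movement: {user} reached {len(hosts)} hosts: "
        + ", ".join(sorted(hosts))
        for user, hosts in sorted(detect_fan_out(parse_log(text)).items())
    ]


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

In a real environment the events would come from domain controller or endpoint logon records fed through a SIEM, the thresholds would be tuned per network, and legitimate backup or vulnerability-scanning accounts would need an allow-list so they do not drown out the signal.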
Another instance was when the Russian army “compromised a government computer network in Vinnytsia” in Ukraine, followed by the launch of “eight missiles at the city’s airport”.
According to the study, the Ukrainian government, anticipating a cyber war even before Russian troops began their invasion on 24 February, had amended its longstanding Data Protection Law. This allowed Ukraine to transfer its sensitive data to the public cloud from local servers that eventually fell prey to cyberattacks and artillery bombardment by Russia.
The study goes on to term the move by Ukraine as “prophetic” since a government data centre was one of the first structures targeted during earlier Russian attacks inside Ukrainian territory.
“The Russian military had targeted the government’s on-premises computer networks with its destructive cyber ‘wiper’ attacks. One reason these kinetic and cyberattacks have had a limited operational impact is because digital operations and data had been dispersed into the public cloud”, the study read.
After the bulk transfer of data to the public cloud, where it has been “hosted in data centers across Europe”, Ukraine was able to successfully counter cyber offensives by Russia.
(Edited by Amrtansh Arora)