A new study by Microsoft shows that Russian cyberattacks often happened within days or even hours of missile strikes.
PLUS: inside Ukraine’s online defense – the battle against Moscow’s cyber attacks
28 April 2022 – Let’s start with the obvious: the current dynamic nature of armed conflict in Ukraine has introduced a level of uncertainty not seen since Russia’s annexation of Crimea in 2014. But as the war progressed from that point, actors with a vested interest in the conflict operated under increasingly urgent requirements to fill critical intelligence gaps and achieve specific tactical objectives. Enter: the cyber operators.
But for weeks after the outbreak of the war in Ukraine this past February, American officials wondered about the weapon that seemed to be missing: Russia’s mighty cyber arsenal, which most experts expected would be used in the opening hours of an invasion to bring down Ukraine’s power grid, fry its cellphone system and cut off President Volodymyr Zelensky from the world.
NOTE: none of that happened. Well, sort of. There was nuanced activity. And to catch those nuances you needed to follow cyber security maven Andy Jenkinson who stayed on top of every Russian cyber attack move and strategy. It is well worth your time to follow him on LinkedIn which you can do by clicking here.
But in a new study released yesterday by Microsoft, it is now clear that Russia used its A-team of hackers to conduct hundreds of far more subtle attacks, many timed to coincide with incoming missile or ground attacks. And it turned out that, just as in the ground war, the Russians were less skillful, and the Ukrainians were better defenders, than most experts expected. Noted the report:
“They brought destructive efforts, they brought espionage efforts, they brought all their best actors to focus on this. They had some success. But they were met with a robust defense from the Ukrainians that blocked some of the online attacks”. [In my postscript below I’ll cover some of those defenses]
The report adds considerable subtlety to an understanding of the early days of the war, when the shelling and troop movements were obvious, but the cyberoperations were less visible – and more difficult to blame, at least right away, on Russia’s major intelligence agencies. I have read the summary and scanned the complete report but I have not finished a word-for-word read so I’ll borrow some points made by two people who have read it: David Sanger (cyber security reporter for the New York Times) and Mehul Srivastava (cybersecurity correspondent for the Financial Times). Both have written articles for their respective newspapers, and also Tweeted/blogged additional points, so I’ll try to do a mash-up.
One point Microsoft makes clear in its report (seconded by other cyber mavens I spoke with): Russia used hacking campaigns to support its ground campaign in Ukraine, pairing malware with missiles in several attacks, including on TV stations and government agencies. The Microsoft report demonstrates Russia’s persistent use of cyberweapons, upending early analysis that suggested they had not played a prominent role in the conflict. Tom Burt, who oversees Microsoft’s investigations into the biggest and most complex cyberattacks that are visible through its global networks, noted in several interviews:
“It’s been a relentless cyberwar that has paralleled, and in some cases directly supported, the kinetic war. Hackers affiliated with Russia were carrying out cyberattacks on a daily, 24/7 basis since hours before the physical invasion began”.
Quoting David Sanger:
“Microsoft could not determine whether Russia’s hackers and its troops had merely been given similar targets to pursue or had actively coordinated their efforts. But Russian cyberattacks often struck within days – and sometimes within hours – of on-the-ground activity. From the weeks leading up to the invasion through March, at least six Russian nation-state hacking groups launched more than 237 operations against Ukrainian businesses and government agencies, Microsoft said in its report. The attacks were often intended to destroy computer systems, but some also aimed to gather intelligence or spread misinformation.
Although Russia routinely relied on malware, espionage and disinformation to further its agenda in Ukraine, it appeared that Moscow was trying to limit its hacking campaigns to stay within Ukraine’s borders, Microsoft said, perhaps in an attempt to avoid drawing NATO countries into the conflict.
The attacks were sophisticated, with Russian hackers often making small modifications to the malware they used in an effort to evade detection”.
And as Burt noted: “Look, we’re talking the A-team. It’s basically all of the key nation-state actors – Russia, Ukraine, U.S., etc.”
Still, Ukrainian defenders were able to thwart some of the attacks, having become accustomed to fending off Russian hackers after years of online intrusions in Ukraine. At a news conference yesterday, Ukrainian officials said they believed Russia had brought all of its cybercapabilities to bear on the country. Even so, Ukraine managed to fend off many of the attacks, they added. Microsoft detailed several attacks that appeared to show parallel cyberactivity and ground activity:
• On March 1, Russian cyberattacks hit media companies in Kyiv, including a major broadcasting network, using malware aimed at destroying computer systems and stealing information, Microsoft said. The same day, missiles destroyed a TV tower in Kyiv, knocking some stations off the air. The incident demonstrated Russia’s interest in controlling the flow of information in Ukraine during the invasion, Microsoft said.
• A group affiliated with the G.R.U., a Russian military intelligence agency, hacked into a government agency’s network in Vinnytsia, a city southwest of Kyiv, on March 4. The group, which was previously linked to the theft of emails related to Hillary Clinton’s 2016 presidential campaign, carried out phishing attacks against military officials and regional government employees that were intended to steal passwords to their online accounts.
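The pairing the report describes, cyber operations landing within hours or days of ground and missile activity, is the kind of thing an analyst checks by putting both event streams on one timeline and measuring the lag between each cyber event and its nearest kinetic neighbour. The script below is an added example, not code from this post or from the Microsoft report. The dates (24 February, 1 March, 4 March) are the ones mentioned above; the times of day, the 6 March kinetic entry and the window sizes are constructed placeholders chosen to exercise the matched, unmatched and "within days" cases.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    when: datetime   # naive UTC timestamp (assumed)
    domain: str      # "cyber" or "kinetic"
    label: str


# Constructed sample timeline. Dates follow the events discussed in the post;
# the clock times are assumptions, and the 6 March kinetic entry is a
# placeholder added only so that a "within days" match exists in the data.
CYBER_EVENTS: List[Event] = [
    Event(datetime(2022, 2, 24, 3, 45), "cyber", "Satellite modem outage (ViaSat)"),
    Event(datetime(2022, 3, 1, 9, 0), "cyber", "Destructive malware at Kyiv media companies"),
    Event(datetime(2022, 3, 4, 10, 0), "cyber", "Vinnytsia government network intrusion"),
]

KINETIC_EVENTS: List[Event] = [
    Event(datetime(2022, 2, 24, 3, 0), "kinetic", "Pre-dawn announcement, invasion begins"),
    Event(datetime(2022, 3, 1, 17, 0), "kinetic", "Missile strike on Kyiv TV tower"),
    Event(datetime(2022, 3, 6, 12, 0), "kinetic", "Placeholder strike (constructed, not a reported event)"),
]

Match = Tuple[Event, Event, timedelta]


def correlate(cyber: List[Event], kinetic: List[Event],
              window: timedelta) -> Tuple[List[Match], List[Event]]:
    """Pair each cyber event with its nearest kinetic event.

    Returns (matches, unmatched). A match is (cyber, kinetic, lag) where
    lag = kinetic.when - cyber.when, so a positive lag means the cyber
    event preceded the kinetic one. Events whose nearest kinetic neighbour
    lies outside the window are returned as unmatched.
    """
    matches: List[Match] = []
    unmatched: List[Event] = []
    for c in cyber:
        nearest = min(kinetic, key=lambda k: abs(k.when - c.when))
        lag = nearest.when - c.when
        if abs(lag) <= window:
            matches.append((c, nearest, lag))
        else:
            unmatched.append(c)
    return matches, unmatched


# Lag buckets mirroring the report's "within hours" / "within days" framing.
BUCKETS = (
    ("within 1 hour", timedelta(hours=1)),
    ("within 1 day", timedelta(days=1)),
    ("within 3 days", timedelta(days=3)),
)


def lag_histogram(matches: List[Match]) -> Dict[str, int]:
    """Count matches per absolute-lag bucket; the last bucket catches the rest."""
    counts = {name: 0 for name, _ in BUCKETS}
    counts["beyond 3 days"] = 0
    for _, _, lag in matches:
        for name, limit in BUCKETS:
            if abs(lag) <= limit:
                counts[name] += 1
                break
        else:
            counts["beyond 3 days"] += 1
    return counts


def format_lag(lag: timedelta) -> str:
    hours = abs(lag).total_seconds() / 3600
    order = "cyber first" if lag > timedelta(0) else "kinetic first"
    return f"{hours:.1f}h ({order})"


if __name__ == "__main__":
    for window in (timedelta(hours=24), timedelta(days=3)):
        matched, unmatched = correlate(CYBER_EVENTS, KINETIC_EVENTS, window)
        print(f"window = {window}")
        for c, k, lag in matched:
            print(f"  {c.label} <-> {k.label}: {format_lag(lag)}")
        for c in unmatched:
            print(f"  {c.label}: no kinetic event within window")
        print("  histogram:", lag_histogram(matched))
```

With a 24-hour window the satellite outage and the media malware pair up (45 minutes and 8 hours from their kinetic neighbours) and the Vinnytsia intrusion is left unmatched; widening the window to three days pulls it in against the placeholder 6 March entry. The sign of the lag is worth keeping, because a cyber event that consistently lands before the strike it accompanies says something different about targeting than one that follows it.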
The Microsoft report concludes by noting that destructive attacks have been a prominent component of Russian cyber operations during conflict. It notes that continued destructive attacks in Ukraine may increase in severity:
“Based on Russian military goals for information warfare, these actions are likely aimed at undermining Ukraine’s political will and ability to continue the fight, while facilitating collection of intelligence that could provide tactical or strategic advantages to Russian forces. Through our engagements with customers in Ukraine, we have observed that Russia’s computer-enabled efforts have had an impact in terms of technical disruption of services and causing a chaotic information environment, but Microsoft is not able to evaluate their broader strategic impact”.
The report is chock-a-block with cyber attack timelines, cyber attack events, cyber strategies and it is a quick read, only 21 pages. You can read it by clicking here.
A very brief look inside Ukraine’s online defenses
As Russian troops massed on the border of Ukraine in January 2022, dozens of Ukrainian government websites were defaced with the words “be afraid and wait for the worst”. The co-ordinated hack was viewed by Ukrainian and western cyber security officials as an initial warning that Russia would wage a fearsome digital war alongside a ground invasion of the country. And soon after, a series of major cyber attacks were detected on energy and communications groups – but they were quickly repelled.
Ukrainian officials have taken solace that critical networks did withstand weeks of cyber assaults, but as one official had warned, Russia’s vaster resources meant it could steadily wear down the online resistance. “Our networks are our people,” he said. “And Russia is killing our people”.
By February, the number of failed attempts was three times higher than a year earlier. One particularly audacious attempt involved a compromised local employee trying to sneak malicious code onto company premises. They were trying everything, trying to break in through websites, trying DDoS (distributed denial of service) where thousands of computers send simultaneous requests in order to bring down systems, etc. In the Microsoft report I noted above one researcher said “it was 24/7”.
The worst bit at the beginning? Within an hour of Vladimir Putin’s pre-dawn announcement on February 24 that he had ordered troops into Ukraine, thousands of modems across central Europe lost their connection to a satellite flying 36,000km above earth. As the modems that connected customers of the US-based ViaSat satellite flickered their warnings, the sudden loss of data cascaded through Europe. Some 5,800 wind turbines owned by Germany’s Enercon switched to back-up mode as the company lost its ability to remotely monitor their operation. Thousands of people in Italy, Germany and Poland lost their internet connections. ViaSat acknowledged a “cyber-event” – but did not blame Russia for it, because all the players were still juggling their response.
In Ukraine, that sudden loss of data connection hit its scattered army bases, according to two Ukrainian officials. But as dozens of military-grade modems suddenly stopped working, the troops quickly moved to other encrypted communications. There are always back-up systems. It was just as the war started, but the teams were trained for this situation, to avoid catastrophe at all costs. And we need to credit preparatory assistance and instruction from U.S. military intelligence and cyber teams over the last 5-6 years who have helped build that defensive infrastructure.
Ukrainian telecommunication networks and energy grids have largely remained resilient, with some, such as that in Mariupol, collapsing only after a rain of missiles and mortars had taken out physical infrastructure. The intensity of attacks, other than on the electricity networks, has fallen since the beginning of hostilities. Of late, there have been periods of more quiet than before, and that could be explained by the concentration of conventional war on attacks against Ukrainian civilians instead of IT infrastructure.
Ukrainian engineers, particularly those guarding civilian infrastructure from cyber attacks, have been able to call in support from western companies such as Cisco, Microsoft and Google, which are currently defending at least 150 Ukrainian firms and government facilities. One cyber maven told me there are numerous stories of Ukrainian security organizations averting devastating losses due to advance warnings from U.S. corporate partners.
A friend of mine in Cisco’s threat intelligence group says Ukraine has learned the lessons of the past five, six years. They have the expertise and infrastructure they didn’t have back in 2015. U.S. corporate partners studied the original Russian attack in 2015 that took down parts of Ukraine’s energy grid, and a 2017 malware, nicknamed NotPetya, that effectively deleted large parts of computer systems. So they built processes, playbooks, etc. – all the boring bits that are just obnoxious to do in peacetime but which pay off in war time. And one example from now: bombardments have required engineers to physically cart servers to a different city and bring them back online — a laborious and complex task even during normal times — to keep systems running.
And there is the mundane as I have noted before: both Russia and Ukraine are using their cyber arsenals for more traditional espionage, such as hacking western networks to stay ahead of sanctions, or monitor troop movements.
And … ah, kids today. One cyber contact told me that Russia certainly has or was given the resources to watch the Ukrainian IT specialists very closely. But they might not be bright enough to figure out what’s going on: “we have hacker kids in Ukraine – homegrown and some kids we brought in – that have figured out all sorts of ways to beat the Russians or at least put them on the wrong trail”.