It is now some three months since soldiers of the Russian Army entered eastern Ukraine, but the ‘war’ had started some months earlier. This one didn’t involve tanks, aircraft, and artillery but computers – the cyber war.
As the ground forces were moving in, hackers crippled tens of thousands of satellite internet modems in Ukraine and across Europe, preventing internet access to thousands of Ukrainians. It was the demonstrable start of a well-planned Russian campaign to effectively cripple Ukraine’s digital and communications infrastructure.
According to a report issued by Microsoft today – Defending Ukraine: Early Lessons from the Cyber War – there was evidence to suggest that Russia began laying the groundwork for a cyber war in late 2021, having gained access to the networks of several different Ukrainian energy and IT providers. Some of these targets were later hit in 2022 with destructive computer viruses that deleted data and disabled computers.
In January, researchers discovered destructive malware called WhisperGate circulating in the country. This led to a spate of distributed denial of service (DDoS) attacks that briefly knocked Ukrainian banking and government websites offline, organised by Russian military hackers.
Whilst Russia denied that it was in any way involved, both the US and UK were quick to move with condemnation, with Britain’s National Cyber Security Centre (NCSC) stating that Russian Military Intelligence GRU was “almost certainly” behind the WhisperGate malware.
The use of malware was also discovered in April, when Ukraine’s computer emergency response team stated that an elite Russian hacking team known as Sandworm, which attacked Ukraine’s power grid in 2015, had attempted to cause blackouts in the country. This time the malware, named Industroyer 2, which could manipulate equipment in electrical utilities to control the flow of power, had been deployed on an unnamed electrical substation that provides power to roughly 2 million locals. The attack failed.
As Microsoft states: “The cyber aspects of the current war extend far beyond Ukraine and reflect the unique nature of cyberspace. When countries send code into battle, their weapons move at the speed of light. The internet’s global pathways mean that cyber activities erase much of the longstanding protection provided by borders, walls, and oceans. And the internet itself, unlike land, sea, and the air, is a human creation that relies on a combination of public and private-sector ownership, operation, and protection.”
This in turn requires a new form of collective defense – both formal and informal. At the outset of the invasion, the Ukrainians called upon hacktivists to help the country defend itself.
The response was impressive. Since the start of the war a steady stream of hacktivists have come to Ukraine’s aid, responding to orders issued every day at 5.00pm with a new list of Russian targets. The volunteer group has been knocking Russian websites offline using wave after wave of distributed denial-of-service (DDoS) attacks. Notable targets have included Russia’s second largest bank VTB, online marketplace Avito and video hosting website RuTube.
In early March, a new kind of ransomware was discovered – designed to go after Russian organisations. “I, the creator of RU_Ransom, created this malware to harm Russia,” the code’s ransom note says, with the malware spreading as a worm, wiping systems of data.
More formally, a coalition of countries has come together to defend Ukraine, with Russian intelligence agencies retaliating by increasing network penetration and espionage activities targeted at allied governments outside Ukraine.
Microsoft have detected Russian network intrusion efforts on 128 organizations in 42 countries outside Ukraine. While the United States has been Russia’s number one target, this activity has also prioritized Poland, where much of the logistical delivery of military and humanitarian assistance is being coordinated. Russian targeting has prioritised governments, and not surprisingly NATO members.
Whilst it is estimated that about 25% of Russian activity is finding its target, Microsoft warned that its biggest concern was government computing systems running ‘on premise’ rather than in the cloud.
Whilst the world hopes that a peaceful solution can be found to the physical conflict quickly, it is anticipated that the war in cyberspace will continue for years to come and that it will directly affect everyone – not just Ukrainians and Russians.