Ukraine Withstands Torrent of Russian Cyberattacks

Wipers and Phishing Attacks Rose Steeply in 2022
Russian state hackers pummeled Ukraine during the first four months of 2022 with more destructive malware than security researchers from Google and Mandiant detected in the previous eight years.
The attacks were attempts by Moscow to undermine confidence in Kyiv, and they continue to occur, albeit at a slower pace and in a pattern that appears less methodical, researchers from Google's Threat Analysis Group and Mandiant - now part of Google - say in a report reviewing the cyberspace dimension of Russia's attempt to conquer Ukraine.
Outside observers of the war have said that Russia's cyber operation focus in Ukraine has shifted to intelligence gathering, a conclusion somewhat matched by Google and Mandiant. Researchers from the two Google units say they see an uptick in cyber incidents designed to serve multiple strategic objectives, including data theft and data wiping.
"Many operations indicated an attempt by the GRU to balance competing priorities of access, collection, and disruption throughout each phase of activity," the report says. GRU is the Russian acronym for the military spying agency whose name translates as Main Intelligence Directorate.
New wipers spotted in the wild have been a hallmark of Ukrainian cyber defense, and the report says Mandiant observed six previously unknown destructive applications, some of which had multiple variants.
In all, the wave of destructive cyberattacks doesn't appear to have been as effective as previous Russian cyberattacks. In 2015 and 2016, Russian hackers disrupted Ukraine's power grid, an activity generally attributed to the GRU hacking group known as Sandworm.
Google tracks Sandworm as FrozenBarents. The group has had its successes, the report says: it targeted a Turkish manufacturer of drones that the Ukrainian military used early in the war, and those drones suddenly disappeared after Russia disabled the unmanned aerial vehicles, the report states.
Phishing is a prominent initial access vector. Unlike destructive attacks, which mostly don't appear to have spillover effect outside of Ukraine, Russian phishing attempts have skyrocketed inside Ukraine and inside the borders of NATO countries.
Compared to 2020, the report says, data from last year shows a 250% increase in phishing emails targeting users in Ukraine and an increase of more than 300% in NATO countries. The report includes phishing attacks made by a group Google tracks as Pushcha, located in Belarus but closely aligned with the Kremlin.
A phishing campaign by a group variously known as Coldriver, Seaborgium and TA446 targeted the Proton email accounts of several prominent figures in the United Kingdom, and the attackers subsequently leaked information in an attempt to shape public opinion. A website published leaked emails from several leading proponents of Brexit and suggested that they were secretly making decisions in the U.K.
Behind the jump in activity is a shift in focus by Russian military intelligence hackers to Ukraine and an intensification of their efforts there. The report says that a relatively new GRU group, tracked as FrozenVista and also identified as UNC2589, appears to have become active in Ukraine in spring 2021. As Russia began massing troops on the Ukrainian border, the group sent phishing emails to nearly 2,000 targets in Ukraine, mostly individuals in government or the military. In January, it deployed data wipers against Ukrainian government agencies "in what may have been a preliminary strike," the report says.
One notable development in Russia's war of conquest has been a rise in hacktivism on both sides. Most self-proclaimed pro-Kremlin or pro-Kyiv activity has come in the form of distributed denial-of-service attacks, although some groups have leaked stolen data. Mandiant assesses with "moderate confidence" that a handful of those Russian groups - XakNet Team, Infocentr and CyberArmyofRussia_Reborn - coordinate operations with the Russian government hacker group Google tracks as FrozenLake. The group is also known as Fancy Bear, APT28 and Strontium.
There is no direct evidence that the pro-Kremlin DDoS group KillNet has links to Russian intelligence, the report says.