Cyberwarfare: Russia vs Ukraine
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – March 18, 2022
Cyber Intelligence Report
This report contains selected cyber-security information from 7th to 18th March 2022.
1. We are continuing our tracking of the cyber-warfare environment in Russia’s invasion of Ukraine. On 22-03-08 we released a Cyber Alert warning of a Russian Cyber Attack in response to sanctions. Russia was assessed as having three Courses of Action (COA) for its cyber forces:
COA 1. Best Case Scenario: Russian cyber forces will continue to lack coordination and will remain ineffective.
COA 2. Most Likely Scenario: Russian cyber forces will launch global cyber attacks as ‘consequences’ for nations that opposed Russia’s invasion of Ukraine.
COA 3. Worst Case Scenario: President Putin decides to select one country to focus Russia’s cyberattacks on. Canada would be an obvious choice of a country to target.
This report tracks cyber warfare, updating the Russian cyber COA, a selection of the cyber impacts as well as third-party participation.
2. Observations: In previous reports, we noted Russia’s initial cyber attacks on Ukraine lacked the force and sophistication anticipated. It turned out that Russia had not vetted the ranks of its cyber warriors for Ukrainians. That oversight appears to have been rectified. During the past ten days, Russia has renewed its cyber campaign including new malware, new phishing campaigns as well as new information operations.
3. American Cyber security journalist Brian Krebs reported on March 11th that there had been a tenfold increase in malware and phishing attacks on Ukraine. His sources were Internet providers and security companies who provide services in Ukraine and Eastern Europe. “They’re being targeted by a huge amount of phishing, and a lot of malware that is getting onto machines is trying to contact malicious command-and-control infrastructure”.
Source: Krebs on Security: Report: Recent 10x Increase in Cyberattacks on Ukraine
4. It was predictable that Russia would attempt to take over Ukrainian Internet Service Providers (ISP); however, only two have been hacked. One is a major provider who had trouble getting service fully restored.
Source: cpomagazine: Major Ukrainian Internet Provider Triolan Suffers Severe Cyber Attacks and Infrastructure Destruction During Russian Invasion
Russian hackers reset routers to factory defaults. In order to correct the settings, physical access was required, a dangerous task while under fire. Unfortunately, another ISP has been hacked for a second time.
Source: udaipurkiran.com : Ukrainian internet service hacked for the second time
The ISP was expected to be back in operation in less than 24 hours. Apart from those incidents, Ukraine’s internet infrastructure appears to be operating well.
5. Russian hackers have deployed three new families of malware: two, possibly three, ‘wipers’ and a ‘worm’.
Source: We Live Security: IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine
Source: Security Week Magazine: CaddyWiper: Another Destructive Wiper Malware Targeting Ukraine
Wipers attempt to wipe all information off hard drives. Malware worms infect computers, replicate themselves and attempt to infect other, attached or networked computers. The worm, HermeticWizard, includes a disk wiper and a ransomware component. Forensic engineering reveals all the malware was engineered in 2021, but not released into Ukraine until late February/March 2022.
6. Similar to the release of malware, Russia has launched multiple ‘phishing’ campaigns targeting Ukrainian organizations and Ukraine’s supporters. Google’s Threat Analysis Group (TAG) has identified the campaign as originating from Russian Military Intelligence (GRU) and targeting a Ukrainian media company.
Source: ZDNet: Phishing attempts from FancyBear and Ghostwriter stepping up says Google
Another phishing attack appears to be based in India in the city of Bengaluru. The email addresses involved have all been compromised by the Russian Federation’s ‘special services’, meaning it is actually a Russian attack.
Source: The Hacker News: Ukrainian CERT Warns Citizens of Phishing Attacks Using Compromised Accounts
In a related attack, a malware tool for ‘attacking Russia’ is being advertised on the messaging program Telegram. The program loads the Phoenix Information Stealer – stealing data from the would-be Ukrainian supporter.
Source: ThreatPost: Malware Posing as Russia DDoS Tool Bites Pro-Ukraine Hackers
7. Russia’s Information Operations have to a large extent been identified and shut down. In addition to the refusal to carry the ‘Russian Times’ (RT), Russia’s government media outlet, many Internet Service Providers (ISP) have refused to allow RT or identifiable Russian government supporting accounts on their systems. Google and Meta (formerly Facebook) are two of many organizations refusing to permit Russian disinformation. Analyst’s Comment: It is worth remembering that the Internet was designed to be a communication system that would adapt if areas of it were destroyed by nuclear weapons. The flexibility of the Internet would permit communications to be re-routed. That principle is applicable because there are many ways for the Russian government to continue to spread disinformation, including the use of more obscure applications, ‘useful idiots’ and ‘true believers’.
8. There is a Russian campaign to circulate a ‘deepfake’ video of Ukraine’s President Zelenskyy telling people to lay down arms.
Source: Security Affairs: Russia’s disinformation uses deepfake video of Zelenskyy telling people to lay down arms
A ‘deepfake’ video is one in which computer technology is used to generate fake footage of a person, including footage of them speaking or doing things. The video has been deleted a number of times and debunked; however, it remains in circulation. More ‘deepfakes’ should be expected.
9. There are early indications that Russia’s reconstituted cyber forces are conducting reconnaissance in preparation for cyber strikes against western countries. To date, there is limited coverage by mainstream media. A Financial Post article says: “We are literally and figuratively poking the bear,” … “So Canadians should not feel that we are not connected to this conflict. We are.”
Source: Financial Post: ‘They may already be happening’: Canada at higher risk of cyberattacks from Russian hackers after siding with Ukraine
10. Analysis: Russia is recovering from the exodus of Ukrainians from the ranks of its cyber warriors. I estimate that they are 80 to 85% recovered. Russia continues to recruit and accept volunteers from criminal hackers and pro-Russia hackers.
A. COA 1. Will not happen. Russia’s cyber forces have reconstituted and have resumed operations. Volunteers are being added to their ranks.
B. Russia’s cyber focus will remain on the close battle for the near term, dominating Ukrainian cyberspace as well as controlling Russian cyberspace.
C. Cyber Security professionals are agreed that Russia will re-focus its cyber forces on western nations. What is not agreed upon is how Russia will attack. Will it be a general attack, or one focused on one or a few nations (COA 2 or COA 3)?
Ukraine & Supporting Organizations
11. It’s becoming difficult to separate what Ukraine’s Cyber forces are doing from what supporting organizations are doing. Ukraine did put out a call for hackers to help them. As reported by Reuters on February 24th, Ukraine was looking for Ukrainian hackers to assist with military support tasks. What they received was 300,000 volunteers from across the globe.
Source: The Guardian: ‘It’s the right thing to do’: the 300,000 volunteer hackers coming together to fight Russia
Multiple sources confirmed that Ukraine IT coordinators used the message application ‘Telegram’ as a command and control system to organize, task and track their volunteers.
12. In addition, the hacker group Anonymous announced their intention to declare cyberwar on Russia. As Anonymous engaged it became difficult to determine which group was attacking what Russian target. Anonymous has made some serious claims including:
A. Responsibility for disabling prominent Russian government, news and corporate websites,
B. Leaking data from entities such as Roskomnadzor, the federal agency responsible for censoring Russian media,
C. Hacking Russian state TV stations, and
D. Launching Denial of Service attacks on government and corporate websites.
13. Cyber security organizations tracking the attacks said they “didn’t find any instances where Anonymous had overstated its claims.”
Source: CNBC: Anonymous declared a ‘cyber war’ against Russia. Here are the results
Two additional things Anonymous did were to send Russians text messages to ‘remove Putin’
Source: Security Affairs: Anonymous sent a message to Russians: “remove Putin”
and release files about Russia’s censorship of the invasion.
Source: UPI: Anonymous releases 364,000 files about Russia’s censorship of invasion
An effort is being made by independent hackers, Anonymous and Ukrainian hackers to reach Russians directly through any means possible, from text messages to dating applications.
Source: Wall Street Journal: Using a New Cyber Tool, Westerners Have Been Texting Russians About the War in Ukraine
Source: Wired: Activists Are Reaching Russians Behind Putin’s Propaganda Wall
Unfortunately, other sources suggest that many Russians refuse to consider that they are being lied to by their government, even when talking to family members.
13. Notable among the hacked Russian corporate sites was the take-down of the Russian defence firm Rostec. Rostec claims the website was brought back online quickly and attributed the attack to Ukrainian “radicals.” “We had to briefly close the website. The attack has been repelled, and now the website is functioning again and all information about the corporation is available in full,” Rostec told Interfax.
Source: Bleeping Computer: Russian defense firm Rostec shuts down website after DDoS attack
The article did state that attacks had started again after the website was restored.
14. Analysis: The fact that Western media are using Ukrainian Internet services and their President is talking to western governments over the Internet three weeks into this conflict tells us the defenders are doing respectably well. Ukrainian government cyber teams are using good OPSEC. We don’t know who they are, where they are or what their targets are. The efforts of Anonymous and independent hackers provide effective cover for the activities of Ukrainian government hackers.
15. For all the expertise being demonstrated by Anonymous and independent hackers, their targets are relatively ‘soft’, meaning non-essential. Their social media efforts to convince Russians that the war is real are largely ineffective. Anonymous is not, yet, seeking to do serious damage so they are not an important participant.
16. Russian cyber forces are currently focused on the battle for Ukraine. Their focus appears to be to disrupt and destroy Ukrainian computers and networks. There will come a point where President Putin will shift his focus to Western Countries. He has vowed ‘severe consequences’ for nations who interfere. Many western nations have interfered, some loudly. It follows that President Putin will direct his cyber troops to inflict those severe consequences. Since no nation has been punished for cyber attacks, we should expect the cyber equivalent of ‘unrestricted warfare’.