Ukraine Tracks Increased Russian Focus on CyberespionageMilitary Stalemate Has Driven Moscow to Also Pursue Data Theft, Psychological Ops
Russian hacking teams shifted their sights over the past year in Ukraine from disruption to cyberespionage, data theft and psychological operations, the government of Ukraine concludes.
Based on how Russian hackers have adjusted their tactics, the State Service of Special Communications and Information Protection says the Kremlin has changed its focus on the media and telecommunications sectors to targeting energy infrastructure. Rather than hitting targets directly with phishing attacks, hackers increasingly began exploiting software vulnerabilities inside service providers' infrastructure and using island hopping to ultimately gain access to desired end targets.
That conclusion comes from a report released just weeks after the one-year anniversary of Russia's full-blown invasion of its European neighbor.
Russian hackers "actively attack civil and critical infrastructure with the hope that it will open the door for influence operations and further negotiations," says the SSSCIP, the government agency charged with securing government communications and cyber defense.
Ukraine's Computer Emergency Response Team last year investigated 2,194 cyber incidents, and it said 1,148 of them posed a critical, high-level risk. Major online attacks launched by Russia declined last summer, followed by an end-of-year onrush that targeted partners and known vulnerabilities, CERT-UA says.
Such attacks crescendoed at the end of 2022, and Russian hackers at one point employed "four-hop supply chain attacks" to target Ukraine's energy infrastructure, the SSSCIP reports.
Russia Ends Up Stalemated
Russia's changing strategies reflect a shift from the quick invasion military planners envisioned, to the relative stalemate that now persists.
On Feb. 24, 2022, Russian President Vladimir Putin, as a pretext for the invasion, said he intended to "demilitarize and denazify" the country. In March, Putin's forces were ejected from the north of the country after failing to encircle Kyiv. The latter half of the year "was marked by a series of spectacular Ukrainian victories," says Washington think tank Atlantic Council.
As military efforts stalled, Putin ordered assaults on civilian infrastructure. While waves of missiles and kamikaze drones have left large parts of Ukraine intermittently without power in the dead of winter, in a clear attempt to undercut morale, defenders appear undeterred.
Russia's cyber operations parallel its shifting military tactics. In particular, Russia launched a massive wave of hack attacks targeting the energy sector in the second half of 2022. Compare that to early in Russia's all-out assault, when "cyberattacks focused on the media and telecom, since the Russian authorities expected a swift victory and hoped to influence Ukrainians through the mass media, to scare us," the SSSCIP report says.
The decline in phishing attacks appears to have been a response to Ukraine's IT teams migrating more government systems to the cloud, backed by service providers' email filtering and protection. While that doesn't eliminate the risk posed by social engineering and individuals "who fall victim to well-crafted phishing emails," it has taken a bite out of the impact of malicious Russian emails carrying information-stealing malware, the SSSCIP says (see: Russia-Ukraine War: Cyberattacks Fail to Best Partnerships).
Ukrainian officials say most cyber operations last year targeted the military, security and defense sector. Telecommunications, IT, logistics and transportation, media and energy, and banking were the next most targeted sectors, they say.
Internet service and hosting providers appear to remain a top target because they can be used to gain access to commercial entities. In some attacks, Russian hackers used a vulnerability in the open-source Linux-based email platform Zimbra to execute island hopping attacks, with the aim of ultimately gaining access to government or energy systems, which they would then try to disrupt.
"Where attackers were not able to penetrate an organization directly, they were exploring the opportunity to enter via hosting/provider," the report says.
At least some Russian government hackers' tooling appears to be off-the-shelf and to have used such malware as IcedID to steal information and drop more malicious code, including Cobalt Strike penetration testing framework beacons. Such tactics are also widely used by ransomware groups, which could complicate attribution.
Government Hacking Teams
Russian government APT hacking teams that actively engaged in cyber operations against Ukraine include the Federal Security Service unit called Gamaredon, aka Actinium, which carried out a large number of attacks in the second half of 2022; the GRU military intelligence unit APT28, aka Strontium and Fancy Bear; SVR units APT29, aka Nobelium and Cozy Bear; and UAC-0035, aka InvisiMole, which focuses on cyberespionage, the SSSCIP says.
As the InvisiMole name suggests, the group specializes in stealthy espionage operations that can cause much more damage than more overt attacks, Ukrainian officials say.
"Their primary targets include top-level officials, diplomats and other specialists that have access to the most sensitive information," the SSSCIP says. "Since such 'quiet' attacks are much harder to detect, they may have critical consequences."
CERT-UA says it is still attempting to attribute multiple attacks from last year, including some that it suspects were perpetrated by APT29. The same unit has also been accused of perpetrating the supply chain attack against SolarWinds. "They are known for having their own malware toolset and high proficiency in targeting Microsoft products and services," the SSSCIP says.
Cybercriminals - Real and Simulated
To disguise their activities, some Russian APT groups may pretend to be criminals. Security experts say Sandworm changed tactics last fall and began using Prestige ransomware to infect Polish and Ukrainian logistics firms, to try and make itself not look like a government hacking team.
Ukrainian cybersecurity officials say at least nine Russian criminal or hacktivist groups also appear to be regularly used to augment FSB, GRU and SVR groups' limitations, due to their scarce resources and headcount.
The most active groups are XakNet, CyberArmyofRussia and Zarya, which assist Moscow with attacks ranging "from phishing and malware distribution via email for initial access, to pervasive lateral movement, data theft, and data deletion," and in some cases also intelligence gathering.