The first anniversary of the Russian invasion of Ukraine is February 24, 2023. The Ukrainian people have fought bravely, but the loss of life and the damage to their country have been devastating.
In addition to kinetic warfare, there has been significant cyber warfare in Ukraine and Russia. This is not new. Intercepting electronic communications has been an objective since armies first used radios on the battlefield. Ukraine has served as Russia’s proving ground for modern cyber warfare for several years. A cyber-attack on the country’s voting system days before the 2014 presidential election was designed to change vote totals. Ukraine’s power grid was attacked in 2015 and 2016.
Cyber-attacks in the Russia-Ukraine war have had several objectives, including political, sabotage, and data theft for espionage.
Political Objectives: Adversaries can also use cyber-attacks for political purposes, disrupting government, transportation, and financial services organizations to create panic. Russia began this effort weeks before the invasion with a series of emailed bomb threats, messages to Ukrainian citizens claiming that bank ATMs were disabled, “false flag” videos, and the defacement of dozens of government websites to display the message “be afraid and expect the worst.”
Political tactics continued to be used by both sides as the war went on. The Office of the National Security and Defense Council of Ukraine created a website to provide Russian citizens with “information about prisoners of war of the Russian Armed Forces who have invaded the territory of Ukraine since February 24, 2022.” Russia countered with a Distributed Denial of Service (DDoS) attack against the site.
Sabotage Objectives: We frequently see attacks used to disrupt or sabotage critical defensive systems. In the run-up to last year’s invasion, attacks escalated to prepare the battleground:
In January, wiper malware (WhisperGate), designed to delete all data on the infected system, was found on Ukrainian systems.
The UK government attributed the distributed denial of service (DDoS) attacks against the Ukrainian banking sector on 15 and 16 February 2022 to the Russian Main Intelligence Directorate (GRU).
Ukraine’s Minister of Digital Transformation tweeted to Elon Musk, “We ask you to provide Ukraine with Starlink stations and to address sane Russians to stand.” Later that day Musk responded, “Starlink service is now active in Ukraine. More terminals en route.”
Data Theft and Espionage: In modern times cyber warfare has focused more on intelligence, surveillance, and reconnaissance. Russia has been aggressive on this front, including against the US. A nation’s enemies can use personal information on individuals to track or capture key targets, to find material that could be used for blackmail, or to uncover spies. Theft of intellectual property can allow nation-states to reverse engineer weapons systems. Information on troop readiness and locations is invaluable to an adversary.
Russia aggressively developed “digital dossiers” on Ukraine’s citizens. Shortly before the invasion, both Ukraine’s Ministry of Internal Affairs, which oversees the police, national guard, and border patrol, and a national database holding 80 percent of the country’s automobile insurance policies were breached. The combined information gave Russia contact details and the likely mode of transportation for key personnel.
Russia also sought data from Ukrainian government and industrial targets. One attack in early February 2022 used “QuietSieve.” Once running, the malware searched removable, fixed, and network drives for files with doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z extensions. Those files were then bundled for exfiltration.
Ukraine countered by using human intelligence and technology to monitor Russian troop movements. It launched a chatbot for the Telegram messaging app that lets citizens and troops report battlefield intelligence in near real time.
Russian aggression is not limited to Ukraine. In the 2020 SolarWinds breach, suspected Russian hackers compromised SolarWinds’ code base to install back doors. SolarWinds then “distributed” the attack to over 18,000 customers, giving the attackers access to the networks, systems, and data of thousands of SolarWinds customers, including the US Departments of Defense, Energy, Commerce, State, Homeland Security, Treasury, and Justice. In 2022 the Colonial Pipeline ransomware attack shut down pipelines across the East Coast.
Strategic data theft is not limited to Russia, of course. China was responsible for 2009’s Operation Aurora. That attack was designed to steal design documents and to steal or modify source code from dozens of defense contractors and technology companies. A 2015 breach of the US Government’s Office of Personnel Management (OPM), attributed to China, exposed the highly sensitive 127-page Standard Form (SF) 86 questionnaires used for background checks and security clearances on over 20 million people, including their fingerprints. In 2019 researchers identified a backdoor in Chinese-made security cameras used by state, local, and federal government customers. The backdoor could allow adversaries to access the cameras’ video feeds, a critical weakness in the event of a national emergency.
Data will always be an adversary’s target. Information on troops, technology, and infrastructure is critical to achieving the desired outcome. Protecting that data requires far more than access control lists and static rules dictating which individuals can view, move, or print which sets of data. Instead, it requires an understanding of the human factor.
Organizations must assume their foes will be able to obtain credentials and gain a foothold. The key to stopping these attacks is to understand Indicators of Compromise (IOCs): the activities an intruder must carry out before exfiltrating sensitive data.
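The QuietSieve description above (a sweep of document files across removable, fixed, and network drives, followed by bundling) and the closing point about pre-exfiltration indicators both describe a pattern a defender can watch for in file-access telemetry. The following is an added illustration, not code from the article or from any product it mentions: a small detector that groups file events by host and process, and raises an alert when a single process reads many document-type files from several drives shortly before writing an archive. The event format, the host name WS01, the process name updater.exe, and all paths are constructed for the example; the extension list is the one the article gives for QuietSieve.

```python
"""Flag a process that sweeps document files across drives and then bundles them.

Added example (not from the original article). Input is a constructed line format:
    <ISO timestamp>|<host>|<process>|<FileRead|FileWrite>|<path>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions the article says QuietSieve collected; archive types are also bundling output.
DOC_EXTENSIONS = {"doc", "docx", "xls", "rtf", "odt", "txt", "jpg", "pdf", "rar", "zip", "7z"}
ARCHIVE_EXTENSIONS = {"rar", "zip", "7z"}


def extension_of(path):
    """Lower-case file extension, or '' when the name has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def drive_of(path):
    """Drive letter ('C:') or UNC share root ('\\\\server\\share') of a Windows path."""
    if path.startswith("\\\\"):
        parts = path[2:].split("\\")
        return "\\\\" + "\\".join(parts[:2])
    return path[:2].upper() if len(path) > 1 and path[1] == ":" else "?"


def parse_event(line):
    ts, host, proc, action, path = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
            "action": action, "path": path}


def detect_collection(lines, window=timedelta(minutes=10), min_files=20, min_drives=2):
    """Return one alert per archive write preceded, within `window`, by reads of at
    least `min_files` distinct document files spread over at least `min_drives` drives."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["proc"])].append(e)

    alerts = []
    for (host, proc), evs in by_proc.items():
        for i, e in enumerate(evs):
            if e["action"] != "FileWrite" or extension_of(e["path"]) not in ARCHIVE_EXTENSIONS:
                continue
            start = e["ts"] - window
            reads = {x["path"] for x in evs[:i]
                     if x["ts"] >= start and x["action"] == "FileRead"
                     and extension_of(x["path"]) in DOC_EXTENSIONS}
            drives = {drive_of(p) for p in reads}
            if len(reads) >= min_files and len(drives) >= min_drives:
                alerts.append({"host": host, "process": proc, "archive": e["path"],
                               "files_read": len(reads), "drives": sorted(drives), "ts": e["ts"]})
    return alerts


def build_sample_events():
    """Constructed telemetry: a benign word processor, then a sweep-and-bundle process.
    'updater.exe' is a hypothetical name chosen for the example, not a known indicator."""
    base = datetime(2022, 2, 10, 9, 0, 0)
    lines = []
    for i, p in enumerate([r"C:\Users\olena\Documents\report.docx",
                           r"C:\Users\olena\Documents\notes.txt",
                           r"C:\Users\olena\Downloads\plan.pdf"]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()}|WS01|WINWORD.EXE|FileRead|{p}")
    lines.append(f"{(base + timedelta(minutes=1)).isoformat()}|WS01|WINWORD.EXE|FileWrite|"
                 r"C:\Users\olena\Documents\report.docx")
    # Fixed drive, removable drive, and a network share: 24 document reads in under a minute.
    roots = [r"C:\Users\olena\Documents", r"E:\backup", r"\\fs01\projects"]
    exts = ["docx", "xls", "pdf", "txt", "jpg"]
    n = 0
    for root in roots:
        for j in range(8):
            n += 1
            path = f"{root}\\file{n}.{exts[j % len(exts)]}"
            lines.append(f"{(base + timedelta(minutes=5, seconds=n)).isoformat()}|WS01|updater.exe|FileRead|{path}")
    lines.append(f"{(base + timedelta(minutes=8)).isoformat()}|WS01|updater.exe|FileWrite|"
                 r"C:\Users\Public\Libraries\cache.7z")
    return lines


if __name__ == "__main__":
    for alert in detect_collection(build_sample_events()):
        print(alert)
```

The thresholds (20 files, 2 drives, 10 minutes) are starting points to tune against an environment's own baseline; the point of the example is that the indicator is the combination of breadth (many document types across several drives) and bundling, which ordinary office applications rarely produce together, rather than any single file read.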