Microsoft asserts that the public cloud has proved to be a relatively safe haven in the face of ongoing Russian cyber-attacks, a claim the company spells out in its report “Defending Ukraine: Early Lessons from the Cyber War.”
Foxblade was first salvo of war
Microsoft begins the report by pointing out that it was one of the first to detect the start of the cyber war.
(See full 29-page PDF of Microsoft report here.)
“The first weapon to be fired was the wiper software that we call ‘Foxblade,’” launched against computers in Ukraine on February 23, 2022, according to Microsoft.
Microsoft’s Threat Intelligence Center (MSTIC) detected the launch against 19 government and critical infrastructure entities across Ukraine.
Foxblade was developed and launched by the same group associated with Russian military intelligence that launched the NotPetya attack against Ukraine in 2017, Microsoft says.
But Russian cyber tactics in the war have differed from those in the NotPetya attack against Ukraine in 2017.
“That attack used ‘wormable’ destructive malware that could jump from one computer domain to another and hence cross borders into other countries. Russia has been careful in 2022 to confine destructive ‘wiper software’ to specific network domains inside Ukraine itself. But the recent and ongoing destructive attacks themselves have been sophisticated and more widespread than many reports recognize,” the report said.
Disperse to cloud
“We remain the most concerned about government computers that are running on premises rather than in the cloud,” Microsoft said.
As an example of the danger this poses, Microsoft says on-premises networks were an early target. “Russia not surprisingly targeted Ukraine’s governmental data center in an early cruise missile attack,” the report said.
And the destructive wiper malware attacks also targeted on-premises computer networks.
“Prior to the war, Ukraine had a longstanding Data Protection Law prohibiting government authorities from processing and storing data in the public cloud. This meant that the country’s public-sector digital infrastructure was run locally on servers physically located within the country’s borders. A week before the Russian invasion, the Ukrainian government was running entirely on servers located within government buildings—locations that were vulnerable to missile attacks and artillery bombardment.”
Tech companies, including Microsoft, rallied to help.
Within 10 weeks, Ukraine’s Ministry of Digital Transformation and more than 90 chief digital transformation officers across the Ukrainian government worked with the company to transfer to the cloud many of the central government’s most important digital operations and data, the report said.
Ukraine’s government “successfully sustained its civil and military operations by acting quickly to disburse its digital infrastructure into the public cloud, where it has been hosted in data centers across Europe.”
Microsoft goes on to say that “while not perfect and some destructive attacks have been successful, these cyber defenses have proven stronger than offensive cyber capabilities.”
Microsoft attributes this to “threat intelligence advances,” including the use of artificial intelligence and internet-connected end-point protection which “has made it possible to distribute protective software code quickly both to cloud services and other connected computing devices to identify and disable…malware.”
Cloud as haven but concern about future attacks
Kevin Bocek, VP, Ecosystem & Threat Intelligence at Venafi, said that dispersing computer resources to the cloud makes it harder for bad actors.
“Ukraine is dispersing its computing resources to the cloud to a) make it harder to find b) reduce the impact of any one attack c) make it easier to detect malicious activity on an otherwise well-hidden resource,” Bocek said.
“The public cloud makes it easy to do this,” he added.
But future attacks could move to the cloud. “We are likely to see in the future attacks on clouds to reach these military targets. This will bring collateral damage to other cloud users. Bringing the war closer and closer to Europe and rest of the world,” Bocek said.
The report offers five conclusions from the first four months of the war.
(1) Defense against a military invasion now requires for most countries the ability to disburse and distribute digital operations and data assets across borders and into other countries.
(2) Recent advances in cyber threat intelligence and end-point protection have helped Ukraine withstand a high percentage of destructive Russian cyberattacks.
(3) As a coalition of countries has come together to defend Ukraine, Russian intelligence agencies have stepped up network penetration and espionage activities targeting allied governments outside Ukraine.
(4) In coordination with these other cyber activities, Russian agencies are conducting global cyber influence operations to support their war efforts.
(5) The lessons from Ukraine call for a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations.
Finally, it should be noted that there was some media criticism of the report by CyberScoop, a cybersecurity news site.
“Leading cybersecurity experts and foreign policy scholars began raising serious questions and concerns…and they complained that Microsoft is attempting to characterize the state of the cyber conflict in Ukraine to further its commercial interests,” the article said.
“Microsoft’s powerful global market position, the potential commercial benefits from positioning itself as a bulwark against Russian cyberattacks and the extremely delicate situation in Ukraine make this report’s bold claims and lack of data concerning,” the article added.