In 2015, a Russia cyberattack took down the power grid of 230,000 Ukrainians, one of the first successful cyberattacks on an energy company. And in 2017, the NotPetya “wiper” virus, aimed at companies doing business in Ukraine, caused more than $10 billion of damage globally. The West assigned most of the blame to the GRU, Russia's military intelligence service. But this time reports of large-scale electric grid shutdowns, attacks on industry, or communications jamming have not surfaced.
While no one is ruling out a large-scale cyberattack on Ukraine, attacks reported by the media to date have been mostly anti-Russian hacker activity and smaller-scale attacks against the Ukraine government attributed to Russia.
But this isn’t necessarily because larger attacks aren’t happening.
Others say it may be a matter of when not if. “Russia thought they could win quickly and with low damage to civilian populations, helping post-war governance objectives. Restrained cyber was consistent with that,” said Swarthmore University political science professor Sam Handlin in a tweet.
“Now the war is changing. Whether cyber component also changes seems like an open question to me,” he added.
Attacks attributed to Russia
Cyberattacks against Ukrainian government websites and affiliated organizations include:
- Data-wiping malware that “infected hundreds of computers” including those in neighboring Latvia and Lithuania.
- A distributed-denial-of-service (DDoS) attack that temporarily knocked government websites offline accompanied by sporadic outages.
But these kinds of attacks are ongoing and standard operating procedure for Russia. What has been most surprising was the absence of major offensives.
“Many people are quite surprised that there isn’t significant integration of cyberattacks into the overall campaign that Russia is undertaking in Ukraine,” Shane Huntley, the director of Google’s threat analysis group, told the New York Times. “This is mostly business as normal as to the levels of Russian targeting.”
Hacker groups are garnering most of the media attention and picking sides in the wake of the Russian invasion of the Ukraine.
Hacktivists tend to be ostentatious, which isn’t always to their advantage, a Wired report said.
“Hacktivism by its very nature is always loud, and intelligence by its nature is usually quiet,” former NSA hacker Jake Williams told Wired. “Well-meaning hacktivists being loud may unwittingly lead security forces to intelligence operation that may have been ongoing in that network and flying under the radar. So they're essentially outed and lose access because of an investigation into a hacktivist attack,” Williams said.
Hacktivist activity includes:
- DDoS attacks against Russian sites: Major Russian websites were hit by a denial-of-service attack. Sites for Russia’s military and the Kremlin “were unreachable or slow to load as a result.”
- Hackers hit Russian space institute: Hackers “defaced a Russian Space Research Institute website and leaked files that they allege are stolen from Roscosmos, the Russian space agency,” according to Wired. “Meanwhile a DDoS attack pummeled Russia's .ru top level domain with the aim of essentially cutting off access to all URLs that end in .ru,” the report said.
- Russia-affiliated Conti ransomware group impacted: Meanwhile, the Conti and CoomingProject (another group sympathetic to Russia) have reportedly seen massive leaks of internal messages, according to reports. “Conti seemed to be dismantling its infrastructure, evidence of the impacts hacktivism can have,” BleepingComputer said.
- Raidforums takes anti-Russia stance: Raidforums, a notorious hacking forum, has been posting messages claiming that it would impose its own sanctions by banning any user connecting from Russia.
- Hacktivist collective Anonymous (boasting 7.4 million Twitter followers) said “it's open season on all Russian government servers,” in a tweet.
- U.S. private sector takes action: Before the start of military action Microsoft stepped up to help the Ukrainian government. “Several hours before the launch of missiles or movement of tanks on February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure. We immediately advised the Ukrainian government about the situation,” Microsoft’s president Brad Smith said. That warning to the Ukrainian government included identification of a new malware package, which Microsoft calls FoxBlade. “Within three hours of this discovery, signatures to detect this new exploit had been written and added to our Defender anti-malware service,” Microsoft said, adding that “this work is ongoing.”