Cyber Standoff: 51 Groups Tied to Russia-Ukraine War Attacks
Ukrainian Official: Country Hit by Over 1,600 'Major Cyber Incidents' This Year
A crowded field of 51 different threat groups active in the Russia-Ukraine cyber conflict has led to digital attacks in more than two dozen nations so far - albeit concentrated in Ukraine, where hackers look to sow "chaos and confusion" on and off the battlefield, says Ukraine's deputy head of cyber defense.
Kyiv has fended off more than 1,600 "major cyber incidents" since January, an average of seven attacks a day, says Victor Zhora, deputy head of Ukraine's State Service of Special Communications and Information Protection, in an exclusive interview with Information Security Media Group.
The nonprofit CyberPeace Institute reports that keyboard combatants reacting to Russia's ongoing invasion of its southern neighbor are a combination of nation-state groups, hacking collectives and cybercriminal groups. Kyiv is also working with cyber-vigilantes to supplement its cyberspace activities.
It's easy to distinguish between the collectives and the nation-state groups, Zhora says. Collectives such as KillNet primarily engage in DDoS attacks and openly recruit new members over social media outlets such as Telegram. Nation-state adversaries work covertly and try to avoid attribution.
"When we're talking about serious and well-planned operations that require a lot of human resources and technically advanced tools and financial resources, obviously they will be organized in stealth mode in order to gain as much effect and impact on our infrastructure as possible," Zhora says.
Zhora adds that most attacks appear to be "opportunistic and rather chaotic," chasing vulnerabilities rather than following a coordinated strategy.
"But every day, we are waiting for new attacks," he says, "and we monitor our networks, critical information infrastructure, state information resources every 24 hours, expecting new strikes in the cyber role from Russian side."
In this video, cybersecurity analysts and researchers from around the world tell Information Security Media Group about how the conflict has expanded beyond the war zone, including:
- The tactics, techniques and motivations of the various threat groups;
- Fallout from cyberattacks against dozens of other nations;
- Key attack vectors and the industries that will likely be targeted as the cyberwar escalates.
Global Field of Adversaries
Cyber incidents motivated by the Russian invasion and affecting non-combatant countries have intensified over the past five months, driven primarily by the entrance of dozens of hacktivist groups, such as the pro-Ukrainian Anonymous collective and its pro-Russian counterpart KillNet.
Based on publicly available information, the CyberPeace Institute says out of 338 known attacks and cyber operations since January, 114 attacks targeted Ukraine, 102 targeted Russia and 104 targeted the rest of the world. Of the 51 hacking groups identified in the conflict, 13 new groups have emerged in the past month, according to the institute's research. The institute is a Geneva-based group that focuses on the civilian casualties of cyberattacks.
"I remind people all the time: You're on a conflict zone, a battlefield, as long as you're logged in and plugged in," says Chase Cunningham, chief security officer for Ericom Software.
Ukraine's cybersecurity defenses have been under assault since 2014, the year of the Maidan Revolution, Moscow's seizure of Crimea and its first assault on the Donbas region. The resulting cyber conflict has assumed global dimensions, not least when Russian hackers unleashed the NotPetya malware in 2017. Although aimed at Ukrainian systems, it quickly spread throughout the world, causing an estimated $10 billion in damages and becoming the single most costly cyberattack on record.
Researchers say two strains of wiper malware detected this year in Ukraine bear similarities to NotPetya. Technical signatures indicate these wipers were created by multiple groups.
The 2022 cyberwar began Jan. 14 with the hacking of 70 Ukrainian websites, which posted the message "be afraid and wait for the worst" before they were taken down. Targets included the Ukraine Ministry of Foreign Affairs, the Cabinet of Ministers, and the Security and Defense Council. Russia's full-scale invasion in February sparked a more intensive round of attacks, including wipers, hack-and-leak incidents and cyberespionage targeting government services, satellite communications, financial, energy and media industries.
"The targets of these attacks that are being committed, both by state and nonstate actors in the context of the conflict, are actually going far beyond the targeting of military objectives," says Emma Raffray, a senior cyber data analyst at CyberPeace Institute.
Hacktivist groups are responsible for most known attacks. Some are jumping to Russia's defense by targeting NATO and pro-Ukraine countries. KillNet, a group of pro-Russia hackers recruited over Telegram, has conducted 31 DDoS attacks since January, according to the CyberPeace Institute.
Five national security agencies in April released a joint advisory warning that Russian state-sponsored cyber actors could compromise networks, look for ways to maintain long-term access and potentially disrupt industrial processes by hacking operational technology. The agencies named 13 groups affiliated with the Russian Federal Security Service and the GRU's Main Special Service Center.
Nation-state attackers include Sandworm, known for targeting the Ukrainian power grid, and Fancy Bear, a cyberespionage group known for hacking the U.S. Democratic National Committee during America's 2016 presidential election. One group, UNC1151, is tied to Belarus and linked to the GhostWriter campaign aimed at disseminating pro-Russia propaganda in the Baltics and NATO countries.
Anonymous, the oldest and most well-known collective, has conducted defacements, hack-and-leak operations and other attacks against the Russian government, businesses and the media.
Anonymous has hacked Russian government and business networks and leaked millions of pages of documents, which researchers say could take years to comb through. At the same time, some Anonymous hacks appear to be glorified pranks. Collective members hijacked surveillance video feeds inside the Kremlin, halted online ticket sales to Russian cinemas and hacked an electric vehicle charging station to display pro-Ukrainian messages and declare in Russian, "Putin is a dick----."
Meanwhile, the IT Army of Ukraine - a group of volunteer hackers recruited by the Ukrainian government - hijacked several Russian TV channels and interrupted alcohol distributors for three days with DDoS attacks. The group, formed after the Ukrainian Vice Prime Minister Mykhailo Fedorov in February called for cyberattacks against a list of Russian organizations, conducts offensive cyberwarfare operations and supports defensive activities in Ukraine.
Another threat actor, Network Battalion 65 - known as NB65 - is using the leaked Conti ransomware code to attack Russia. Its 23 victims include the Russian space agency and a state-owned media company. The group has pledged to donate any ransom proceeds in support of Ukraine. The Belarusian Cyber Partisans, formed in 2020 amid election upheavals in that country, disrupted railway services in Belarus to slow the deployment of Russian troops.
Government security agencies are warning the public and private sectors to prepare for attacks. As Western sanctions against the Russian economy take hold, the number of threat actors attacking NATO countries is expected to grow.
"You could see every day law-abiding Russians out of work or with limited work with a skill that they could use as a freelancing ransom actor - a zone that's already flooded right now and really hurting America's businesses," says U.S. Rep. Eric Swalwell, D-Calif. "We could see three or four or five times as many people in the space because they just need to feed their family."
Ukraine cyber defense official Zhora says governments and private sector companies need to continue to work together and share information.
"Ukraine wants to bring our experience from this war, from getting prepared, from continuing being resilient, to our partners to contribute to the global cybersecurity ecosystem," Zhora says.