The Russia vs Ukraine Cyberwarfare: What we know so far
On 24 February 2022, Russia began its invasion of Ukraine with a wave of missile and artillery strikes ordered by President Putin. Five months later there is no sign that the war will end soon, and what is more worrying is that it is being fought on two fronts.
On one hand, soldiers are battling it out on the ground; on the other, groups of state-backed operators and hacktivists are trying to derail the enemy through coordinated cyberattacks.
Russia struck first in cyberspace, deploying a wiper malware that infected hundreds of machines in Ukraine in the hours before the invasion.
Security researchers at ESET found that the malware had been compiled in December 2021, which suggests the attack had been prepared for months before it was launched.
The malware, dubbed HermeticWiper, is purely destructive rather than a remote-access tool: in at least one victim organisation it was pushed out through Active Directory Group Policy, meaning the attackers had likely already taken control of the victim's Active Directory server before the wiper ran.
Explaining how it works, the Cisco Talos Intelligence Group notes that it begins by enumerating the system's physical drives and then corrupting the first 512 bytes of each, destroying the master boot record (MBR). This means that even if the malware does not execute to completion, the system has already been rendered unbootable.
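As an added illustration of the step described above (this is editor-supplied example code, not code from the article, Talos or ESET), the following Python builds a small constructed disk image in memory, simulates the overwrite of the first 512 bytes, and shows the forensic check a responder would run to tell an intact MBR from a wiped one: the 0x55AA boot signature at offset 510 and the four 16-byte partition entries at offset 446. The sample partition layout and the zero-fill used to model the corruption are assumptions for the example.

```python
"""Forensic check: is the first 512-byte sector (the MBR) of a disk still intact?

Added example. The disk image below is constructed in memory; the overwrite
of sector 0 is a simulation of the behaviour the text describes, not the
wiper's own code.
"""
import struct
from typing import Dict, List

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of a valid MBR
ENTRY_FMT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_disk(total_sectors: int = 64) -> bytearray:
    """Constructed sample: a 64-sector disk with one bootable NTFS partition.

    Only the structures the check inspects are filled in (assumed layout).
    """
    disk = bytearray(total_sectors * SECTOR_SIZE)
    disk[0:3] = b"\xeb\x3c\x90"   # a jump instruction, so the boot code area is non-zero
    # Entry 0: status 0x80 (bootable), type 0x07 (NTFS), LBA start 8, 56 sectors long.
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 8, 56)
    disk[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + ENTRY_SIZE] = entry
    disk[510:512] = BOOT_SIGNATURE
    return disk


def corrupt_first_sector(disk: bytes) -> bytearray:
    """Simulate the destructive step: overwrite the first 512 bytes (in memory only).

    Zero-fill is an assumption for the example; any overwrite that removes the
    partition table and boot signature has the same effect on bootability.
    """
    wiped = bytearray(disk)
    wiped[0:SECTOR_SIZE] = b"\x00" * SECTOR_SIZE
    return wiped


def parse_partition_table(sector: bytes) -> List[Dict]:
    """Decode the four MBR partition entries, skipping empty slots (type 0x00)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs0, ptype, _chs1, lba_start, count = struct.unpack(
            ENTRY_FMT, sector[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def check_mbr(disk: bytes) -> Dict:
    """Return a verdict on sector 0: the checks a responder runs on a suspect drive."""
    sector = bytes(disk[:SECTOR_SIZE])
    findings = []
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("boot signature 0x55AA missing at offset 510")
    if sector.count(0) == SECTOR_SIZE:
        findings.append("sector 0 is entirely zero")
    elif not any(sector[:PARTITION_TABLE_OFFSET]):
        findings.append("boot code area is empty")
    partitions = parse_partition_table(sector)
    if not partitions:
        findings.append("no partition entries present")
    verdict = "intact" if signature_ok and partitions else "wiped_or_corrupt"
    return {"verdict": verdict, "signature_ok": signature_ok,
            "partitions": partitions, "findings": findings}


if __name__ == "__main__":
    original = build_sample_disk()
    print("before:", check_mbr(original))
    print("after: ", check_mbr(corrupt_first_sector(original)))
```

On a live Windows host the same check would read the first 512 bytes from `\\.\PhysicalDrive0` (which needs administrator rights); against an acquired image, pass the image bytes straight to `check_mbr`. Note that an intact MBR on a GPT disk contains only a single protective entry of type 0xEE, so the partition list on such disks is not a sign of damage by itself.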
Wiper malware is expected to be a key trend in 2022
Maya Horowitz, director of threat intelligence and research products at Check Point, had already predicted that wiper malware would be a key cybersecurity trend this year.
She argued that, unlike ransomware gangs, hacktivists and politically motivated attackers are not looking to profit from their attacks. They therefore have little reason to invest in recoverable encryption and instead opt for attacks that ruin systems and make restoration impossible.
“Wipers are very relevant when it comes to hacktivists and we’re seeing more cyber hacktivists these days, so we’ll probably see more wipers as well,” read part of her statement.
Wiper malware was used in the initial stages of the war and again in the first few months, but there have been no known follow-up wiper attacks since.
That is not to say there have been no further attacks, though.
Multiple forms of cyberattacks are being used
Since the war began, numerous Ukrainian government departments have been hit by distributed denial of service (DDoS) attacks, making this one of the most used forms of attack. The banking sector has also been targeted, and the security company Cloudflare stepped in to offer DDoS protection to Ukrainian government and public services.
US Cyber Command also recently disclosed 20 new forms of malware targeting Ukrainian systems. The discoveries came out of intelligence-sharing between Ukraine and the US as Ukraine looks to strengthen its cyber defences.
As experts continue to analyse the Russia vs Ukraine cyber warfare, phishing has emerged as the preferred initial-access method of Russian-backed hackers. According to the cybersecurity company Mandiant, the majority of the newly discovered malware strains are delivered through phishing attacks.
The people responsible
The Russian cyberattacks appear to be led by two major threat groups. The first is UNC1151, which is based in Belarus, a country with close ties to Russia.
The second is UNC2589, the group thought to be responsible for the wiper malware. Since it became active in 2021, many of its attacks have targeted Georgia and Ukraine.
Common phishing lures include evacuation warnings, wage notices and anti-virus messages. Once deployed successfully, the malware helps the attackers steal data and account credentials, record keystrokes and execute files remotely.
The continued Russian cyberattacks on Ukraine have led to the creation of pro-Ukraine hacktivist groups aimed at countering them. A good example is the IT Army of Ukraine, which was mobilised through the Telegram app.
The group has hundreds of thousands of members, who are assigned daily tasks by its organisers.
For instance, the organisers may publish the IP addresses of Russian targets and then point members to easy-to-use tools for launching DDoS attacks, so that the whole group's bandwidth and computing power is pooled against one target.
In the early stages of the war, Belarus' rail network was also hacked in a move aimed at disrupting the transport of Russian troops and weapons.
There has also been back-and-forth hacking of media outlets in both countries as each side looks to win the favour of the public.
What to expect
It is hard to say what this warfare will bring in the future, but one predicted consequence that is already being witnessed is service disruption in countries beyond the war zone. Russia's attack on the Viasat satellite network, launched just as the invasion began, is a prime example: it caused internet outages across Europe, and thousands of wind turbines in Germany lost their remote monitoring connectivity as collateral damage.
That said, the one thing we can be sure of is that we will continue to see cyber operations from both sides regardless of how the war turns out. And when that happens, we will be there to keep you updated.