
Google Reveals Russian Cyber Attacks on Ukraine


Russia’s cyber attacks on Ukraine increased by 250% in 2022 compared to two years before, according to a new joint analysis from Google’s Threat Analysis Group (TAG) and Mandiant.

The targeting, which coincided with and has persisted since the country's military invasion of Ukraine in February 2022, was primarily directed against Ukrainian government and military entities, as well as key infrastructure, utilities, public services, and the media sector.

According to Mandiant, the first four months of 2022 saw “more harmful cyber attacks in Ukraine than in the preceding eight years, with intrusions spiking around the start of the invasion.”

WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, and SDelete, among other wiper strains, have been used against Ukrainian networks, indicating a willingness on the part of Russian threat actors to forego sustained access.

Over the same period, phishing attacks against NATO countries increased by 300%. These activities were spearheaded by PUSHCHA (aka Ghostwriter or UNC1151), a Belarusian government-backed group affiliated with Russia.

“Russian government-backed attackers have engaged in an aggressive, multi-pronged campaign to obtain a significant battlefield advantage in cyberspace,” TAG’s Shane Huntley said.

FROZENBARENTS (aka Sandworm or Voodoo Bear), FROZENLAKE (aka APT28 or Fancy Bear), COLDRIVER (aka Callisto Group), FROZENVISTA (aka DEV-0586 or UNC2589), and SUMMIT (aka Turla or Venomous Bear) are some of the primary participants involved in the initiatives.

Aside from the increased intensity and frequency of operations, the invasion has been accompanied by the Kremlin engaging in covert and overt information operations aimed at undermining the Ukrainian government, fracturing international support for Ukraine, and maintaining domestic support for Russia.

“GRU-sponsored actors have utilised their access to steal sensitive material and disseminate it to the public to support a narrative, or to conduct harmful cyber assaults or information operations campaigns,” the tech behemoth stated.

With the war splintering hacking groups over political allegiances, and in some cases forcing them to close shop, the trend points to a “significant shift in the Eastern European cybercriminal ecosystem” that blurs the lines between financially driven individuals and state-sponsored attackers.

This is demonstrated by the fact that UAC-0098, a threat actor known for delivering the IcedID malware, has been seen repurposing its techniques to attack Ukraine as part of a series of ransomware operations.

Several UAC-0098 members have been identified as former members of the now-defunct Conti cybercrime gang. TrickBot, which was integrated into the Conti operation prior to its suspension last year, has also resorted to systematically targeting Ukraine.

The prolonged conflict has prompted Chinese government-backed attackers such as CURIOUS GORGE (aka UNC3742) and BASIN (aka Mustang Panda) to shift their focus to Ukrainian and Western European targets for intelligence gathering.

“It is apparent that cyber will continue to play an important role in future armed conflict, augmenting traditional forms of combat,” Huntley added.

The discovery comes as the Computer Emergency Response Team of Ukraine (CERT-UA) issued a warning about phishing emails posing as essential security updates but containing executables that lead to the installation of remote desktop control malware on vulnerable PCs.

The operation was linked to a threat actor known as UAC-0096, which was earlier spotted using a similar tactic in the weeks leading up to the war in late January 2022.

“A year after launching its full-scale invasion of Ukraine, Russia remains unsuccessful in bringing Ukraine under its control as it battles to overcome months of accumulating strategic and tactical errors,” cybersecurity firm Recorded Future stated in a study released this month.

“Despite Russia’s conventional military defeats and its failure to substantively advance its agenda through cyber operations,” it stated, while also emphasising its “burgeoning military collaboration with Iran and North Korea.”

Info source – The Hacker News
