Recent reports indicate that from February 23 to April 8, a coalition of at least six Russia-aligned cyber actors executed over 237 cyberattacks targeting Ukraine. Among these attacks, 38 were particularly destructive, resulting in irreversible data loss across various organizations within the nation. The objective of these cyber operations appears to be a coordinated effort to disrupt governmental and military operations while eroding public trust in both authorities and institutions, according to insights from Microsoft’s Digital Security Unit (DSU).

The attacks employed various notorious malware families, including WhisperGate, HermeticWiper, and Industroyer2, which illustrate the severity of the threat landscape. WhisperGate and similar wipers are designed to overwrite data, rendering systems unbootable, while HermeticRansom acts as a file encryptor to mask intrusions as ransomware incidents. Notably, Industroyer2 is crafted to infiltrate operational technology networks, endangering vital industrial processes.

Microsoft’s attribution efforts link HermeticWiper and Industroyer2 to the Russian state-sponsored group Sandworm, also recognized as Iridium. Other malware, like WhisperGate, is thought to belong to a previously unidentified cyber cluster known as DEV-0586, which is speculated to have ties to Russia’s GRU military intelligence.

Analysis of the destructive attack outcomes reveals that approximately 32% targeted Ukrainian government entities, affecting various civic levels, from national to municipal. Notably, over 40% of the attacks were aimed at critical infrastructure sectors, which are vital for maintaining essential services and national security.

In a concerning extension of the threat, Microsoft reported that the group Nobelium, responsible for the 2020 SolarWinds attack, has been attempting incursions into IT companies that service NATO member government clients. This activity suggests a strategic effort to harvest sensitive data concerning Western diplomatic operations.

Phishing attacks have also intensified, with initiatives aimed at military and governmental officials attributed to groups like Fancy Bear and Primitive Bear, which have previously engaged in data theft and reconnaissance efforts. This aligns with a broader pattern observed by security experts, indicating that Russia’s cyberattacks are likely synchronized with its military operations against civilian infrastructure.

Tom Burt, Microsoft’s corporate vice president of customer security and trust, remarked on the emerging complexity of these cyber threats, noting that the attacks observed thus far may represent only a small portion of the overall efforts targeting Ukraine. He anticipates a continued escalation in cybersecurity incidents as the conflict unfolds.

Kaspersky, a Russian cybersecurity firm, has echoed these sentiments, predicting a spike in cyberattacks over the next six months. Their analysis posits that while many current attacks might utilize low-complexity methods like Distributed Denial of Service (DDoS), there are more sophisticated tactics on the horizon.

In terms of adversary tactics, the attacks map to several tactic categories in the MITRE ATT&CK framework, including initial access and persistence techniques used to gain and maintain a foothold, alongside more advanced privilege escalation and data exfiltration methods.

As the conflict shows no signs of resolution, business leaders and cybersecurity professionals are urged to remain vigilant and enhance their defense mechanisms against these persistent threats.