Russia Continues to Focus on Cyber Operations and Espionage

Russia continues to direct immense resources toward supporting cyber operations and espionage that target Ukraine’s military, government and civil society in support of its ground campaign, researchers said.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

Google’s Threat Analysis Group, which combats nation-state threats, said in a report that its analysts’ prediction last year of “Russian government-backed attackers continuing their cyberattacks against Ukraine and NATO partners, and Russian-government backed attackers continuing to target multiple sectors in Ukraine and regionally” has come to pass.

“They’re going to be targeting anything that falls into the supply chain, learning about troop movements, trying to understand anything that will give them an edge on the battlefield,” Shane Huntley, senior director of Google TAG, said Monday in a call with reporters. “They will use cyberattacks or cyberespionage to support that, and that is the key mission here” (see: US Disrupts Russian Military Intelligence Botnet).

Google said the volume of Russian phishing attacks has been high for the past 13 months, especially in the lead-up to the counteroffensive Ukraine launched last June. Many of those campaigns trace to APT29, aka CozyBear, which is part of Russia’s Foreign Intelligence Service, it said.

The volume of wiper malware has declined significantly since the early days of the war and the time before that, when Russia bombarded Ukraine with destructive cyberattacks. When Moscow launched an all-out war of conquest in February 2022, Russia’s AcidRain malware permanently disabled tens of thousands of Viasat KA-SAT satellite communications network consumer broadband modems. But even so, Russia’s invasion stalled.

Russian cyber forces eventually scored some notable destructive attacks in recent months against Ukrainian telecommunications giant Kyivstar and the Parkovy data center facility in Kyiv.

“Moscow also continues to pair cyberattacks with kinetic activity,” Google said.

Moscow’s apparent shift to cyberespionage and cyber operations to support its ground offensive began as its invasion stalled and its nation-state hacking groups exhausted their arsenal of wiper malware, security experts have said.

Hacktivist groups also remain in play, although experts said it remains unclear whether they’re directly run by the intelligence services. The function of these groups, including KillNet, is “to target hearts and minds, to degrade the confidence in governments,” through distributed denial-of-service attacks that typically claim greater disruption than what really occurred, such as with Canada’s airport arrival kiosks last September, Sandra Joyce, head of global intelligence at Mandiant, told reporters.

“Really, the effect was not very much,” Joyce said. Rather, the intention was to “signal the intent and capability” via an information operations designed to influence not just adversaries but also allies by creating “some kind of effect that appears to be more than it actually is,” she said.

Sandworm at Work

While multiple Russian intelligence agencies and other agencies have online forces committed to cyber operations and espionage, the GRU Main Intelligence Directorate threat actor known as Sandworm, aka FrozenBarents and Iridium, appears to pose the greatest threat, said John Hultquist, chief analyst at Google’s Mandiant threat intelligence division.

Sandworm has previously taken down big targets, including the Olympics and U.S. and French elections. Sandworm also successfully turned out the lights in parts of Ukraine in the dead of winter in 2016 and again in 2017. In 2018, the group launched NotPetya, a wiper malware campaign that caused an estimated $10 billion in global damage.

Since the start of the war, the group’s efforts to disrupt the Ukrainian electric grid have been “an uphill battle,” despite repeat attempts, thanks to the quality of Kyiv’s cyber defenses, Hultquist told reporters.

In October 2022, Sandworm successfully tripped the circuit breakers of a power grid substation, causing a power outage timed to coincide with mass missile strikes on critical infrastructure across Ukraine.

Hultquist described the power outage as a psychological operation and said that to accomplish it, Sandworm had to “level up” its efforts, which included using “living off the land” tactics to target operational technology environments.

“Living off the land” refers to using built-in functionality, which experts say makes such attacks much more time-intensive and difficult to scale. On the upside for attackers, it’s difficult to distinguish their activity from legitimate administrator activity and signature-based malware checks can’t be used to block what they’re doing, Hultquist said.

This is hardly a Russia-only strategy. “Chinese operators are currently using it in the United States against critical infrastructure, where they are digging in, across multiple sectors,” he said (see: Chinese Hackers Preparing ‘Destructive Attacks,’ CISA Warns).

Hultquist also talked about a smaller, newer group with the codename UNC5101 – UNC refers to uncategorized, meaning there’s not yet enough evidence to definitively detail the group’s agenda. He said the group is running phishing campaigns designed to steal credentials and is conducting cyberespionage and information operations, including against the U.S.

Tracking these types of activities is essential, Hultquist said, because specific advanced persistent hacking groups are doing – be they linked to Russia, Hamas, Iran, China or beyond – will likely keep bringing these capabilities to bear against others.

“These things that are happening in Israel, Iran or Ukraine – they have global implications, and they especially have global implications as we move into the elections because these are the same players,” he said (see: Hamas Isn’t Fighting a Cyberwar).