- One year after the beginning of the Russian Ukrainian War, Check Point Research (CPR) highlights that September 2022 was a turning point in the cyberattacks related to the conflict.
- Comparing March – September 2022 vs. October 2022 – February 2023:
- CPR identifies a decrease of 44% in average number of weekly attacks per organization against Ukraine, from 1,555 attacks to 877.
- CPR identifies an increase of 9% in average number of weekly attacks per organization against Russian Federation, from 1,505 to 1,635.
- CPR identifies an increase in average number of weekly attacks against certain NATO countries:
- Slight increase against UK and the US, of 11% and 6% respectively
- Sharp increase against Estonia, Poland and Denmark, which is 57% 31%, and 31% respectively.
- Given those stats, CPR shows that starting October 2022, there was a shift in cyberattacks around the war, while much more efforts in cyber area are now deployed towards NATO countries than towards Ukraine.
The Russian invasion of Ukraine in February 2022 was the most influential geopolitical event of the past year. Aside from being the bloodiest military conflict in Europe in decades, the war casts a new light on several issues, including the actual military power of Russia and its position in world leadership, the balance of power between Russia and the West, European dependency on external energy sources, and the effect on global energy prices and the world economy.
Other ramifications were seen in the field of cyber security, as this is the first major hybrid war that involves cyberspace as a battlefront along with other major kinetic fronts. We have learned several lessons regarding cyber collateral damage such as, the effectiveness of destructive malware, attribution of cyber activities in wartime, differentiation between nation-state, hacktivism and cyber-crime offensive activity, cyber hostilities and their effect on defense pacts, the ability of cyber operations to contribute to tactical warfare and the required preparations. In some areas, the effects on the global cyber arena are already visible.
The Rise of Wipers:
CPR also saw the perception of wiper malware, which disrupts the operations of targeted systems, take a major transformation because of the war. Previously, wipers were rarely used. Over the past year however, wipers have become a much more frequently deployed mechanism as part of escalated conflicts, and not only in Eastern Europe.
The start of the Russian-Ukrainian war saw a massive increase in disruptive cyberattacks carried out by Russian-affiliated threat actors against Ukraine. On the eve of the ground invasion in February, three wipers were deployed: HermeticWiper, HermeticWizard and HermeticRansom. Another attack was directed at the Ukrainian power grid in April, using a new version of Industroyer, the malware that was used in a similar attack in 2016. In total, at least nine different wipers were deployed in Ukraine in less than a year. Many of them were separately developed by various Russian intelligence services and employed different wiping and evasion mechanisms.
The Russia-affiliated hacktivist group From Russia With Love (FRwL) deployed Somnia against Ukrainian targets. CryWiper malware was deployed against municipalities and courts in Russia. Inspired by these events, wiper activity spread to other regions. Iranian affiliated groups attacked targets in Albania, and a mysterious Azov ransomware, which is in fact a destructive data wiper, was spread across the world.
Multi-pronged Cyber Efforts:
Reviewing the attacks against Ukraine, some of the offensive cyber actions were intended to cause general damage and disrupt civilian daily life and morale, while other attacks were more precisely aimed, and intended to achieve tactical objectives, and were coordinated with the battle. The Viasat attack, which was deployed hours before the ground invasion of Ukraine, was designed to interfere with satellite communications that provide services to military and civil entities in Ukraine. The attack used a wiper called AcidRain and was tailored to destroy modems and routers and cut off internet access for tens of thousands of systems. Another example of a tactical coordinated attack occurred on March 1. Additionally, when the Kyiv TV tower was hit by Russian missiles that halted the city’s television broadcasts, a cyberattack was launched to intensify the effects.
Tactical high-precision cyberattacks require preparation and planning. The prerequisites include gaining access to the targeted networks and often the creation of customized tools for different stages of the attack. Much like in the kinetic battle, evidence suggest that the Russians did not prepare for a long campaign. The characteristics of the cyber operations, which in the early stages included precise attacks with clear tactical objectives, like the attack on Viasat which changed since April. The deployment of multiple new tools and wipers that was characteristic of the initial stages of the campaign was later mostly replaced with rapid exploitations of detected opportunities, using already known attack tools and tactics like Caddywiper and FoxBlade. These attacks were not intended to act in concert with tactical combat efforts, but rather, inflict physical as well as psychological damage on the Ukrainian civilian population across the country.
CPR data shows that a gradual, but major decline in the number of attacks per gateway in Ukraine has started in the third quarter of 2022. On the flip side, there was a significant increase in the attacks against NATO members. While the increase in the attacks against the UK and the US since September are slim, 11% and 6% respectively, the increase against some of the EU countries that are in-escalated hostility towards Russia, like Estonia, Poland and Denmark are much sharper at 57%, 31% and 31% respectively. This shows a shift in the modus operandi and the priorities of Russia, and Russia affiliated groups, in cyber area, whose focus then switched from Ukraine, to the NATO countries that support Ukraine.
Figure 1 – Average weekly cyber-attacks per organization
Ukraine’s response to cyber hostilities in the past year has improved, with the head of the UK’s intelligence, cyber and security agency labeling it “the most effective defensive cyber activity in history.” Part of the reason for their success is due to the fact that Ukraine has suffered repeated cyberattacks since 2014. As Lycurgus, the legendary Spartan legislator, famously warned, “Repeated attacks of the same opponents could result in their improved military capabilities.” For example, the effect of the Indistroyer2 attack on the energy sector in March 2022 was limited compared to Industroyer’s first deployment in 2016. Ukraine received significant external assistance to repair the damage of these cyberattacks. Aided by foreign governments and private companies, Ukraine quickly transferred much of its IT infrastructure to the cloud, thus physically distancing its data centers from fighting zones and gaining additional protection layers from service providers.
Ukraine’s establishment and management of the “IT Army of Ukraine”, an army of volunteer IT specialists, has transformed hacktivism. Previously characterized by loose cooperation between individuals in ad hoc collaboration, new-hacktivist groups tightened their level of organization and control, and now conduct military-like operations. This new mode of operation includes recruitment and training, tool sharing, intelligence and target allocation, and more. Anti-Russian hacktivist activity continued throughout the year affecting infrastructure, financial and governmental entities.
Check Point Research data shows that the attack against organizations in Russia have significantly increased since September 2022, especially against the government and the military sectors in Russia.
Figure 2 – Average weekly cyber-attacks per organization
for Government and Military industry
Most of the new-hacktivist groups have a clear and consistent political ideology that is affiliated with government narratives. Pro-Russian hacktivist activity shifted its focus from targeting primarily Ukrainian targets to focusing on neighboring NATO member states and other Western allies. Killnet executed targeted DDoS attacks against critical infrastructures in the US, targeting healthcare organizations, hospitals and airports in the US. The Russian-affiliated NoName057(16) hacktivist group targeted the Czech Presidential election. Some cyber-criminal entities were forced to join the national effort and had to reduce their criminal activity. Attacks on Russian businesses, which were once considered off-limits to many cyber-crime entities, have now increased and Russia has been struggling under an unprecedented hacking wave caused by government activity, political hacktivism and criminal action. The borders between nation-state activity, hacktivism and cyber-crime are becoming more blurred and harder to distinguish.
Different nation-state actors also took advantage of the war to advance their own interests. CPR reported several campaigns by different APT groups using the ongoing Russian-Ukrainian war to increase the efficiency of their campaigns, starting from the very beginning of the conflict. Other nations enhanced their espionage activity in Russia to target state-owned Russian defense institutions. Cloud Atlas continuously targeted Russian and Belarussian entities.
We have seen the Russian-Ukrainian conflict affect cyber tactics in multiple fields. We believe that as long as the war continues, its developments will undoubtedly continue to impact other regions and domains.