Russia’s cyber attacks against Ukraine surged by 250% in 2022 when compared to two years ago, Google’s Threat Analysis Group (TAG) and Mandiant disclosed in a new joint report.
The targeting, which coincided with Russia’s military invasion of Ukraine in February 2022 and has persisted since, focused heavily on Ukrainian government and military entities, alongside critical infrastructure, utilities, public services, and media sectors.
Mandiant said it observed “more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years with attacks peaking around the start of the invasion.”
As many as six unique wiper strains – including WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, and SDelete – have been deployed against Ukrainian networks, suggesting a willingness on the part of Russian threat actors to forgo persistent access.
Phishing attacks aimed at NATO countries witnessed a 300% spike over the course of the same period. These efforts were driven by a Belarusian government-backed group dubbed PUSHCHA (aka Ghostwriter or UNC1151) that’s aligned with Russia.
“Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace, often with mixed results,” TAG’s Shane Huntley noted.
Some of the key actors involved in the efforts include FROZENBARENTS (aka Sandworm or Voodoo Bear), FROZENLAKE (aka APT28 or Fancy Bear), COLDRIVER (aka Callisto Group), FROZENVISTA (aka DEV-0586 or UNC2589), and SUMMIT (aka Turla or Venomous Bear).
The uptick in the intensity and frequency of the operations aside, the invasion has also been accompanied by the Kremlin engaging in covert and overt information operations designed to shape public perception with the goal of undermining the Ukrainian government, fracturing international support for Ukraine, and maintaining domestic support for Russia.
“GRU-sponsored actors have used their access to steal sensitive information and release it to the public to further a narrative, or use that same access to conduct destructive cyber attacks or information operations campaigns,” the tech giant said.
With the war splintering hacking groups over political allegiances, and in some cases, even causing them to close shop, the development further points to a “notable shift in the Eastern European cybercriminal ecosystem” in a manner that blurs the lines between financially motivated actors and state-sponsored attackers.
This is evidenced by the fact that UAC-0098, a threat actor that has historically delivered the IcedID malware, was observed repurposing its techniques to assault Ukraine as part of a set of ransomware attacks.
Some members of UAC-0098 are assessed to be former members of the now-defunct Conti cybercrime group. TrickBot, which was absorbed into the Conti operation last year prior to the latter’s shutdown, has also resorted to systematically targeting Ukraine.
It’s not just Russia, as the ongoing conflict has led Chinese government-backed attackers such as CURIOUS GORGE (aka UNC3742) and BASIN (aka Mustang Panda) to shift their focus towards Ukrainian and Western European targets for intelligence gathering.
“It is clear cyber will continue to play an integral role in future armed conflict, supplementing traditional forms of warfare,” Huntley said.
The disclosure comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of phishing emails targeting organizations and institutions. The messages purport to be critical security updates but actually contain executables that lead to the deployment of remote desktop control software on the infected systems.
CERT-UA attributed the operation to a threat actor it tracks under the moniker UAC-0096, which was previously detected adopting the same modus operandi back in late January 2022 in the weeks leading to the war.
“A year after Russia launched its full-scale invasion of Ukraine, Russia remains unsuccessful in bringing Ukraine under its control as it struggles to overcome months of compounding strategic and tactical failures,” cybersecurity firm Recorded Future said in a report published this month.
“Despite Russia’s conventional military setbacks and its failure to substantively advance its agenda through cyber operations, Russia maintains its intent to bring Ukraine under Russian control,” it added, while also highlighting its “burgeoning military cooperation with Iran and North Korea.”