Russia, Ukraine Conflict Escalation Mirrored in Malware Activity

Political conflicts in the physical world have played out in the digital world more than once in the past. According to new research from FireEye, it may be happening yet again for people in Russia and the Ukraine.

In an analysis of malware “callbacks” – communications made from compromised computers to an attacker’s first-stage command-and-control server – researchers at FireEye found that callback activity involving Russia and the Ukraine increased as the military conflict escalated. In a list of the top 20 countries to receive first-stage malware callbacks during the last 16 months, Russia and Ukraine ranked fifth and ninth respectively. In 2013 however, Russia was on average number seven on the list while Ukraine was 12.

The biggest single monthly jump occurred March 2014, when Russia moved from seven on the list to number three. It was during that month that Russia President Vladimir Putin signed a bill annexing Crimea into the Russian Federation and Russian military forces began to gather on the Ukrainian border.

As the conflict escalated, there were also attacks on NATO Websites by hacktivists protesting NATO involvement. There were also reports of other politically-motivated attacks as well. 

Kenneth Geers, senior global threat analyst at FireEye, noted in a blog post that the rise in callbacks to Russia and Ukraine was drastically different than what many other countries were experiencing between February and March. In fact, he noted, nearly half of the world’s countries experienced a decrease in callbacks during that time period.

“It is not my intention here to suggest that Russia and/or Ukraine are the sole threat actors within this data set,” he blogged. “I also do not want to speculate too much on the precise motives of the attackers behind all of these callbacks. Within such a large volume of malware activity, there are likely to be lone hackers, “patriotic hackers,” cyber criminals, Russian and Ukrainian government operations, and cyber operations initiated by other nations.”

“What I want to convey in this blog is that generic, high-level traffic analysis – for which it is not always necessary to know the exact content or the original source of individual communications – might be used to draw a link between large-scale malware activity and important geopolitical events,” he explained. “In other words, the rise in callbacks to Russia and Ukraine (or to any other country or region of the world) during high levels of geopolitical tension suggests strongly that computer network operations are being used as one way to gain competitive advantage in the conflict.”