Security Experts:

Russia vs Ukraine - The War in Cyberspace

Russia vs Ukraine cyberwar

Russian troops have launched a major assault on Ukraine and while their forces battle in the physical world for control over various cities and regions, a battle is also taking place in cyberspace.

Just before Russia launched an invasion of Ukraine on February 24, Ukrainian government websites were disrupted by distributed denial-of-service (DDoS) attacks, and cybersecurity firms reported seeing a new piece of destructive malware on hundreds of devices in the country.

The malware used in this attack has been named HermeticWiper and it has been described by experts as a wiper malware disguised as ransomware. This attack wave came just weeks after Ukrainian government websites were disrupted as part of a campaign that involved WhisperGate, a completely different wiper malware that was also disguised as ransomware.

Due to the timing of the attacks, the main suspects are Russian state-sponsored threat actors. Russian hackers have often been accused of targeting Ukraine over the past decade, including in attacks that caused significant disruption to critical infrastructure.

However, the BBC reported that at least some of the latest DDoS attacks against Ukrainian government websites were launched by “patriotic” Russian hackers, including some who work at a “respectable Russian cyber-security company.” One of the individuals claiming to work at the unnamed firm admitted that they would be terminated if their employer found out about their after-hours activities.

These patriotic hackers also claim to have obtained access to Ukrainian government email accounts — which they plan on using for phishing attacks — and they claim to have stolen data.

The Conti ransomware gang, which has thrived in recent months amid crackdowns on other ransomware groups, has pledged its support for the Russian government, warning that it will use its “full capacity to deliver retaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking region of the world.” The cybercrime group has threatened to “strike back at the critical infrastructures of any enemy.”

Russia-linked ransomware groups demonstrated in the past that they are capable of causing significant disruption to critical infrastructure organizations.

The Ukrainian government has issued a warning to the population regarding an email attack campaign whose goal appears to be the delivery of malware.

The country’s Computer Emergency Response Team (CERT) has also reported seeing email attacks that have been linked to UNC1151, a threat actor previously tied to Belarus and possibly Russia, and which specializes in disinformation campaigns.

Several cybersecurity companies and industry professionals have offered free tools and services to organizations and individuals in Ukraine after Russia launched its invasion. Curated Intelligence has compiled a list of threat reports, access brokers, data brokers, and other resources that could be useful to Ukraine.

Ukraine’s activities in cyberspace have not been purely defensive. Mykhailo Fedorov, the country’s minister of digital transformation, over the weekend announced the creation of an “IT Army” and urged cyber specialists to join the new unit. A Telegram channel created for the IT Army urged members — instructions have been provided in both English and Ukrainian — to target major Russian businesses and government websites, with DDoS and other types of attacks.

[ READ: Russia, Ukraine and the Danger of a Global Cyberwar ]

The IT Army was created shortly after the Ukrainian government called for cyber volunteers to help defend the country’s critical infrastructure.

Several major Russian government and media websites have been intermittently offline since the conflict started, with many attributing the outages to DDoS attacks.

Some of these attacks were conducted by members of the Anonymous hacktivist movement, which has declared cyberwar against Russia. Hackers operating under the Anonymous banner have defaced Russian websites and leaked data allegedly stolen from high-profile organizations, including the Russian Ministry of Defense. However, these data leak claims have not been verified and hacktivists have been known to publish data that later turned out to be fake or obtained in older breaches.

Anonymous hackers have also claimed responsibility for disrupting the websites of pro-Kremlin Russian media, and posted messages appealing to Russians to try to stop the war and not participate as fighters. 

There have also been reports of Russian TV channels getting hacked to play Ukrainian songs.

Russia’s National Coordination Center for Computer Incidents warned last week that cyberattacks on Russian critical information infrastructure and other information resources could increase. The agency also said there could be misinformation operations whose goal was to damage Russia’s image.

The Russian government has also issued an alert to the media regarding the circulation of false information, and the country’s Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor) has lashed out at Facebook and YouTube after they suspended the accounts of several Russian media organizations.

NATO Secretary General Jens Stoltenberg warned that cyberattacks could trigger NATO’s Article 5, which considers an attack on any NATO ally an attack on all.

NBC reported last week that U.S. President Joe Biden had been presented with options for “massive cyberattacks” against Russia, but the White House called NBC’s report “off base” and claimed it did “not reflect what is actually being discussed in any shape or form.”

Users around the world have also been warned about scams exploiting the war in Ukraine. ESET has spotted several cyber fraud operations whose goal is to steal money and information from people using fake charity campaigns as a lure.

Related: Cybercriminals Seek to Profit From Russia-Ukraine Conflict

Related: New 'Cyclops Blink' Malware Linked to Russian State Hackers Targets Firewalls

Related: Ransomware Used as Decoy in Destructive Cyberattacks on Ukraine

*updated with information on more attacks by Anonymous on Russian media

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.