Security Experts:

Russian Use of Cyberweapons in Ukraine and the Growing Threat to the West

Russian Cyber Weapons

It started with AcidRain. AcidRain was a targeted attack against a Viasat server in Italy that managed a large number of modems, and therefore internet communication, throughout Europe – and Ukraine. The attack was timed for Russia’s physical invasion of Ukraine and marked a dramatic increase in the tempo of Russia’s cyberwar against that country.

The tactical argument for the use of AcidRain is obvious. By degrading Ukraine’s communications, Russia’s invading army would gain a battlefield advantage. 

SentinelLabs detected similarities between AcidRain and the VPNFilter malware. The FBI attributed the latter to APT28 (aka Fancy Bear and Sofacy), although others have suggested Sandworm (aka Black Energy). However, both groups are operated by the Russian GRU (the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation). It is a reasonable assertion to suggest that the Russian GRU was behind the AcidRain attack.

But AcidRain stands out from other Russian state cyberweapons in current use. It took down elements of critical infrastructure in nations (NATO nations) outside of Ukraine. Among the victims, for example, were 5,800 wind turbines in Germany. 

A study (PDF) from Trustwave looks at the many other Russian state cyberweapons subsequently unleashed against Ukraine. There is one common factor: they are all targeted specifically at and within Ukraine. 

Ziv Mador, VP of security research at Trustwave, told SecurityWeek, “Even if the primary target for AcidRain was modems in Ukraine, the attackers would have known it would also affect modems across Europe.” So, AcidRain stands out from other current Russian cyberwar attacks.

There are serious implications to this that should be considered. The Russian attitude towards attacking western critical infrastructure is a cost/benefit analysis rather than an ethical reluctance. With AcidRain, the benefit of degrading Ukrainian communications was worth the cost of disturbing the norm of not attacking western critical infrastructure – regardless of implications.

“My guess,” comments Jonathan Reiber, VP of cybersecurity policy and strategy at AttackIQ, “is that to avoid escalation right now, Vladimir Putin is not going to conduct a destructive cyberattack on Western targets until such time as he’s completely out of options with Ukraine and on the backfoot.” AcidRain tells us that if that point is reached, Putin will not be constrained by existing ‘norms’ of international behavior – the rules of international cyberwar are breaking down.

The Trustwave study analyzes the Russian state cyberattacks against Ukraine since the war began, tying the attack groups back to their controlling state agencies. The main attackers are APT29 (aka Cozy Bear and The Dukes) controlled by the SVR (the Russian Foreign Intelligence Service); APT 28 and Sandworm controlled by the GRU; and Gameredon (aka Primitive Bear and Armageddon) and Dragonfly (aka Energetic Bear and Crouching Yeti) controlled by the FSB (the Federal Security Service). InvisiMole is included because of its ties to Gameredon.

A separate timeline shows the sheer volume of attacks against Ukraine since the war began, separated into the two categories of destruction and espionage.

The malware used in these various attacks are HermeticWiper, HermeticRansom and IsaacWiper (Gameredon); LoadEdge (InvisiMole); DoubleZero (a .NET wiper not yet attributed to a specific group); CaddyWiper, AwfulShred, SoloShred and Industroyer2 (Sandworm); and CredoMap (APT28).

The sheer volume of these state-sponsored attacks over just a few months indicates they will have been in development for some time – possibly with Russia on a cyberwar footing since the annexation of Crimea in 2014.

Mador doesn’t believe anything should be written into the development time. “My guess,” he said, “is that countries like Russia, and I’m sure it’s not the only one, prepare cyberweapons for years – ready for some doomsday or for some future war.” Aside from AcidRain, the Russian state weapons have been solely targeted against Ukraine. This suggests that Putin is, for the moment trying to avoid global cyber escalation – but AcidRain already tells us this is not an inviolate rule for him.

“It is definitely in Russia’s interest not to escalate in cyberspace as Russia wants to avoid further costs imposed by the West,” comments Reiber. “My guess is that to avoid escalation right now, Vladimir Putin is not going to conduct a destructive cyberattack on western targets until such time as he’s completely out of options with Ukraine and on the backfoot.” Being on the backfoot would change that cost/benefit ratio over whether to launch cyberattacks against NATO countries.

But we should not assume that any attack currently emanating from Russia against western critical infrastructure is not a state-sponsored attack. “I wouldn’t assume anything,” said Reiber. “I think the pattern we’ve seen with Russia is the Russian government will use proxy groups to achieve advantages strategically whenever it’s in its interest, and pull them back whenever it decides it needs to show that it’s operating within some bare-bones restraint.” 

He gave an example. “We saw that in the Colonial Pipeline attack, and before that the Russian Business Network; a lot of non-state groups act as proxy groups to conduct operations. Even if it’s not an attack in direct support of the Russian government, we can perceive proxy groups as acting in many cases in the interests of the government.”

The use of proxy groups to attack the West muddies the water over what is and is not Russian state activity – it gives Putin an element of plausible deniability that we’ve seen him use many times.

But the sore thumb in this precarious balance is AcidRain. It was a cyberattack funded by the Russian government through the GRU that took down elements of a critical infrastructure (the German wind turbines) outside of the Ukrainian war zone and inside a NATO country. It suggests that a line has already been breached. 

We should be aware that Russia will not hesitate to directly attack western critical infrastructure whenever Putin decides it is in Russia’s best interests, and whenever he decides the benefits outweigh the costs. 

Whatever the outcome of the Ukraine war, geopolitical tensions will continue to rise for many years to come. Western organizations should consider the growing potential for elite Russian government hackers to directly attack them in the future – and expanding from espionage to destruction.

The Trustwave study shows the size of the Russian cyber armory – and as Ziv Mador told SecurityWeek, “They will have an additional arsenal of zero days and cyber tools they haven’t used yet.”

Related: Russia vs Ukraine - The War in Cyberspace

Related: Russia-Ukraine: Threat of Local Cyber Ops Escalating Into Global Cyberwar

Related: Russia, Ukraine and the Danger of a Global Cyberwar

Related: Army of Cyber Hackers Rise Up to Back Ukraine

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.