Google Says Russian Cyberattacks Against Ukraine Have Increased Significantly

According to a recent analysis from Google’s Threat Analysis Group (TAG) and Mandiant, Russian cyberattacks on Ukraine increased by 250% in 2022 compared to 2021. The attacks concentrated primarily on the Ukrainian government and military, as well as critical infrastructure, utilities, public services, and media sectors, and continued after Russia’s military invasion of Ukraine in February 2022.

Mandiant said it observed, “more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years with attacks peaking around the start of the invasion.”

WhisperGate, IsaacWiper, HermeticWiper, Industroyer2, CaddyWiper, and SDelete are the six distinct wiper strains used against Ukrainian networks, indicating the readiness of Russian threat actors to sacrifice persistent access for destructive effect. Over the same time frame, phishing attempts against NATO nations increased by 300 percent. These campaigns were led by PUSHCHA (also known as Ghostwriter or UNC1151), a pro-Russian group supported by the Belarusian government.

“Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace, often with mixed results,” noted TAG’s Shane Huntley.

FROZENBARENTS (also known as Sandworm or Voodoo Bear), FROZENLAKE (also known as APT28 or Fancy Bear), COLDRIVER (also known as Callisto Group), FROZENVISTA (also known as DEV-0586 or UNC2589), and SUMMIT (also known as Turla or Venomous Bear) are some of the prominent participants in the campaign. Aside from the increased frequency and intensity of the operations, the Kremlin has also conducted covert and overt information campaigns to influence public opinion, undermine the Ukrainian government, fracture international support for Ukraine, and preserve domestic support for Russia.

“GRU-sponsored actors have used their access to steal sensitive information and release it to the public to further a narrative, or use that same access to conduct destructive cyber attacks or information operations campaigns,” said the tech giant.

The war’s division of hacking groups along political allegiances, and in some cases their closure, points to a “notable shift in the Eastern European cybercriminal ecosystem” that makes it harder to distinguish between financially motivated criminals and state-sponsored attackers. UAC-0098, a threat actor that previously distributed the IcedID malware, was seen reusing its tactics to attack Ukraine as part of a series of ransomware attacks, which demonstrates this blurring.

Several UAC-0098 members have been determined to have once belonged to the now-defunct Conti cybercrime organization. TrickBot, which was integrated into the Conti operation last year before the latter was shut down, has also begun routinely targeting Ukraine. It is not only Russia, however: because of the ongoing conflict, attackers supported by the Chinese government, such as CURIOUS GORGE (a.k.a. UNC3742) and BASIN (a.k.a. Mustang Panda), have shifted their attention to Western European and Ukrainian targets to gather intelligence.

“It is clear cyber will continue to play an integral role in future armed conflict, supplementing traditional forms of warfare,” Huntley stated.

The information was revealed shortly after the Computer Emergency Response Team of Ukraine (CERT-UA) issued a warning about phishing emails that target businesses and institutions, pose as urgent security updates, and carry executables that install remote desktop control software on compromised systems. CERT-UA linked the operation to a threat actor known as UAC-0096, first observed using the same tactics in late January 2022, only weeks before the conflict began.

According to a study released this month by cybersecurity company Recorded Future, Russia is still struggling to recover from months of accumulating strategic and tactical setbacks a year after beginning its full-scale invasion of Ukraine. It also highlighted Russia’s expanding military ties with Iran and North Korea, saying that despite its conventional military defeats and inability to further its goals through cyber operations, Russia still intends to invade Ukraine.

About the author

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create opportunities, enhance marketing strategies, and elevate cyber-driven thought leadership for cyfluencer (www.cyfluencer.com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.