Today’s war is being waged not only in Ukrainian cities and villages. Russia’s full-scale invasion of our country is actively supported by enemy hackers spreading disinformation and propaganda, conducting psychological operations, and mounting cyberattacks on critical infrastructure facilities in our country.
discovered how the Ukrainian cyber forces are fighting and how Russian and pro-Russian hackers have been attacking Ukraine since January 2022.
How many cyberattacks on Ukraine did Russia launch?
Since the beginning of 2022, the Security Service of Ukraine has neutralized more than 4,500 cyberattacks on Ukraine. While there were nearly 800 cyberattacks recorded in 2020 and 1,400 in 2021, their number more than tripled last year.
The Computer Emergency Response Team of Ukraine (CERT-UA), a unit reporting to the State Special Communications, recorded and investigated 2,100 cyber incidents and cyberattacks in 2022. This includes more than 1,500 after Russia’s full-scale invasion of Ukraine.
The most frequent attacks by enemy hackers are those against the public sector, accounting for about a quarter of all the studied cases.
The primary goals of the adversary hackers are as follows:
- espionage (obtaining intelligence as regards logistics, armaments, and plans and operations of the Security and Defense Forces);
- attempts to disable critical information infrastructure facilities;
- depriving citizens of access to public services, banking services, etc.
In addition, there are psyops and fake information aimed at undermining confidence in public authorities, the Security and Defense Forces, and spreading panic among the people.
The energy sector remains a particular focus for Russian hackers. Cyberattacks on energy-related companies are especially sophisticated with respect to their preparation and implementation, so they are much harder to detect. Companies that provide services, hardware, and software to energy suppliers are also under constant surveillance.
Ukrainian cyber defense: how Ukraine is countering cyberattacks
Today, the Security Operation Center of the Ministry of Defense of Ukraine is monitoring security events 24/7 on all levels, from infrastructure to application. The center also analyzes cyberspace on a daily basis and works out hypotheses on the tactics and techniques currently applied by enemy special services.
"So far, enemy hackers have not managed to achieve any strategic goals. But despite our fairly effective activities to prevent cyberattacks, the enemy continues to look for opportunities and use them to gain access to the information and communication networks of critical infrastructure facilities. Moreover, there’s a high probability that Russian aggression in cyberspace will continue even after our victory," says Viktor Zhora, deputy head of the State Special Communications.
The best domestic and international specialists are involved in the cyber defense of Ukrainian information systems. We are receiving assistance from the governments and commercial enterprises of most of the world's democratic countries.
The government also actively recruits cyber volunteers, for instance, by inviting them to join the Ukrainian cyber forces via SMS.
However, Kostiantyn Korsun, author of digital content, wrote in a Facebook post:
"There aren’t any cyber forces in Ukraine. There is no such thing, speaking of forces in a strict sense and not volunteer partisan IT crews who can call themselves whatever they want. And their members will possibly have problems with the law after our victory. If the cyber police knew the bare basics of cyber hygiene, they would never have sent mass invitations to "cyber forces" via the Ruscist Telegram messenger. It’s a total taboo for any cyber security professional."
For his part, Volodymyr Kondrashov, spokesman for the State Service for Special Communications and Information Protection of Ukraine, emphasizes that the use of one or another messenger is determined by the communication tasks of each user, the available functionality, and the required degree of protection:
"One has to understand that there are no absolutely safe or secure systems. Like before, we recommend using verified open-source messengers."
Which Russian and pro-Russian hackers attack Ukraine
According to the State Service of Special Communications and Information Protection of Ukraine, the following Russian and pro-Russian hacking groups were operating in Ukraine between September and December 2022:
- ARMAGEDDON/GAMAREDON/PRIMITIVE BEAR (Russian Federal Security Service, activity tracked by the ID UAC-0010)
- SANDWORM (the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, activity tracked by the ID UAC-0082)
- APT28/FANCY BEAR (the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, activity tracked by the ID UAC-0028)
- APT29/COZY BEAR (the Foreign Intelligence Service of Russia, activity tracked by the ID UAC-0029)
- UNC1151/GHOSTWRITER (Belarus Ministry of Defense, activity tracked by the ID UAC-0051)
- XAKNET, KILLNET, Z-TEAM, CYBERARMYOFRUSSIA_REBORN (pro-Russian cyber terrorists, activity tracked by the IDs UAC-0106, UAC-0108, UAC-0109, UAC-0107, respectively)
Russia has used at least several malware families against Ukraine since the beginning of the year:
- WhisperGate/WhisperKill;
- CaddyWiper;
- HermeticWiper;
- Industroyer2;
- DoubleZero;
and others.
Types of cyber attacks in 2022:
- scanning (gathering information about systems or networks);
- vulnerability exploitation attempts (attempted intrusions using vulnerabilities in a system, component, or network);
- malicious connections (attempted connections from/to an IP/URL address associated with known malware, for instance, a C2 or a resource distributing components, related to the activity of a particular botnet);
- login attempts (attempted logins to access services or mechanisms, or failed attempts to guess authentication data or use previously compromised (no longer relevant) data);
- DoS/DDoS attacks (disruption of normal functioning of a system or service by overwhelming the target resource with requests from one or more sources).
(According to the Human Rights Platform NGO.)
Examples of cyberattacks: posing as the State Emergency Service and the General Staff
On October 21, specialists of CERT-UA discovered emails purportedly sent by the press service of the General Staff of the AFU. The messages contained a link to download a "decree", which redirected the user to a page instructing them to update software (PDF Reader). The RomCom.11 malware was downloaded after clicking the Download button.
Russian hackers also posed as the State Emergency Service, sending out emails with the subject line "How to recognize a kamikaze drone." This was to spread the DolphinCape malware, which, among other things, gathers information, runs EXE/DLL files, lists files and uploads them, and captures and exfiltrates screenshots.
Russia’s attacks on Ukraine in cyberspace are as intense as its missile shelling. The enemy targets primarily civil infrastructure, the energy sector, communications, databases, registers, and governmental websites. The purpose is to incite panic and create a humanitarian crisis in Ukraine, thus undermining the defense capabilities of the Armed Forces. Russian hackers are skilled at social engineering and are knowledgeable about "hot" topics in the country, which they use to deceive the entire world.
So far, we’ve got a powerful army of cyber volunteers, skilled cyber security specialists in the public sector, and a high level of public-private collaboration supported by business. However, there’s an urgent need to pass a law on the creation of cyber forces within the system of the Ministry of Defense in order to lay the foundation for recruiting cyber volunteers in the area of cyber defense and creating a cyber reserve.

Cyberattacks on Ukraine in 2022. Data from the State Service for Special Communications and Information Protection of Ukraine