The Russia-Ukraine cyber war: one year later


In a bid to soften up Ukraine just ahead of its February 24, 2022 invasion, Russia, or Russian-backed threat groups, unleashed a wave of wiperware against the country’s organizations, deployed a new version of the Industroyer malware against power generation stations, and knocked out thousands of routers used by Ukrainian (and other) customers of Viasat’s satellite Internet service.

That was just the beginning of cyber warfare.

Wiperware is a favorite weapon. Alex Rudolph, a doctoral candidate at Carleton University, told the House of Commons defence committee last week that at least 16 wiper malware families have been deployed in Ukraine since the fighting began.

Those 12 months have given a window into what modern hybrid warfare – physical and cyber warfare combined – looks like, at least in a limited theatre of war. A global cyber war hasn’t officially broken out yet.

But the bombings of some Ukrainian power stations, for example, were linked with cyberattacks, notes Jean-Ian Boutin, Ottawa-based director of threat research for ESET, which is headquartered in Slovakia. Researchers are not sure whether that was a coincidence or a co-ordinated attack.

Meanwhile, there have been suspicious cyber attacks against countries that support Ukraine. Last week, for example, a group called Anonymous Russia took credit for DDoS [distributed denial of service] attacks on the websites of several German airports. The pro-Russian Killnet group took credit for an IT outage at Lufthansa, which the airline instead attributed to a broadband cable accidentally cut during construction work on a railway line.

In November 2022, hackers from the Russian-affiliated group Killnet took down the website of the European Parliament hours after the legislative body declared Russia a terrorist state.

However, cyber attacks outside Ukraine have not been as severe as some experts had feared.

On the anniversary of the start of the invasion, we look back at what happened and the lessons learned.

Cyberattacks are a feared weapon: in the worst-case scenarios, they can paralyze health care systems and cause deaths. But a Canadian expert points out that cyber attacks alone cannot win wars.

“Cyber attacks may not gain territory, but they can disrupt the other side’s operations, target infrastructure and civilians, and influence public opinion during the process of gaining physical territory,” wrote Abby MacDonald, a fellow at the Canadian Global Affairs Institute, when the war was only two months old. “In this conflict, full cyber-warfare does not appear to be strategically useful, although cyber activities, including disinformation, will continue.”

David Swan, Alberta-based director of cyber intelligence at the Centre for Strategic Cyberspace and International Studies, an international think tank, was not surprised by the outbreak of cyber warfare.

“Russia has a very well developed standard cyber warfare plan,” he said. “They used it in Georgia [in 2008], they used it in Estonia [in 2007] … It has been developing since the mid-1990s.”

That plan calls for cyber or DDoS attacks to deface or shut down media websites and broadcast systems; to prevent residents from making purchases at financial institutions unless they have cash; on infrastructure (for example, gas stations whose electronic pumps are controlled over the Internet were shut down or jammed); on government websites to prevent the country from functioning; and on military wireless communications.

But against Ukraine, the Russians haven’t been as successful, for a number of reasons. “They believed that most Ukrainians were pro-Russia and would happily welcome the arrival of the Russians,” Swan observes. “Wow, how wrong they were!”

Second, Swan said, Ukraine has been preparing for physical and cyber warfare since the Russian annexation of Crimea in 2014, and it has learned lessons from the cyber attacks it suffered. In 2015, there was a power failure in parts of Ukraine that Ukraine said was launched from inside Russia.

Furthermore, Swan said, in the months leading up to the invasion, Ukraine moved closer to the European Union. In June 2021, the European Union and Ukraine held their first cyber dialogue, about responsible state behaviour in cyberspace but also about cyber resilience. Two days before the invasion, several EU countries activated a Cyber Rapid Response Team to help Ukraine. Since the start of the war, the US, Canada and the European Union have been offering intelligence and cyber defence assistance. US cyber support began in 2017; a May 2022 US document describes what has been done since then.

Separately, since the war began, Microsoft, Google, Amazon, Mandiant, ESET, Palo Alto Networks, Cisco Systems and other IT companies have donated software to enhance Ukraine’s capabilities, provided threat intelligence and helped combat disinformation. The government was also helped by a Ukrainian hacker underground that emerged.

Microsoft’s role started earlier. Before the invasion began, Russia launched a cyberattack that targeted Ukrainian government and financial websites, notes this analysis of the first six months of the cyberwar in the journal Lawfare. The attack, known as FoxBlade, was designed to erase data from computers. Within hours of it being discovered, the Microsoft Threat Intelligence Center had written code to stop it, which was immediately shared with Ukraine.

Ukraine has come up with at least one unique defensive strategy: it ordered wireless carriers in the country to block mobile devices from roaming with carriers in Russia and Belarus. This was unprecedented, said Cathal McDaid, chief technology officer at Sweden’s Enea AdaptiveMobile Security. It meant that Russian forces in Ukraine could not use mobile phones as a backup or primary communication system. “We know from history (the 2008 Russia-Georgia war) and in Ukraine itself that the Russian military has used mobile phones for communication,” he said in an email to IT World Canada. “But this decision by Ukraine on the day of the invasion made the Russian military’s communication problems worse.”

None of this suggests that Ukraine has been immune to cyber attacks. But the government has so far been able to persevere and direct military action. Or, to put it another way, Russia has so far failed to deliver a knockout cyberattack.

Meanwhile, Russia and the threat groups it supports are still active. In fact, news broke this week that Russian hackers had installed backdoors in several government websites by December 2021. Ukraine’s Computer Emergency Response Team said it spotted a webshell submitted through those backdoors yesterday (February 23). It is not clear whether the access went undetected for months.

There’s a long list of Russian-deployed [and Western-named] wiperware that has been used since the attack: HermeticWiper, IsaacWiper, WhisperGate and CaddyWiper, to name a few. And Ukrainian hacktivists hit back with the RURansom wiper.

Just as Ukraine has civilian cyber forces, so does Russia. One, says Swan, is dubbed NoName057(16); it is believed to be composed of Killnet members. Attacks by this group have affected the Polish government and organizations (mainly cargo and shipping firms) in Lithuania. For more information on NoName057(16), see this report by SentinelLabs.

In a January report published by CSCIS, Swan said the group is also trying to recruit and encourage hackers to attack targets through a project called “DDosia”. Volunteers are encouraged to attack ‘anti-Russian targets’, earning 80,000 rubles (US$1,200) for a successful attack.

In an analysis of the first year of attacks, researchers at Check Point Software noted that, since September, there has been a slow but significant decline in the number of attacks per gateway in Ukraine. On the other hand, they added, there has been a significant increase in attacks against NATO members.

In its analysis of the war so far, Google predicts with “extreme confidence” that Moscow will escalate disruptive and destructive attacks in response to developments on the battlefield that fundamentally shift the balance – real or perceived – toward Ukraine (for example, military losses, or new foreign commitments to provide political or military support). It says these attacks will primarily target Ukraine, but will rapidly expand to include NATO partners.

More than one analyst has noted that DDoS attacks do not have a large impact. Nor does it appear that they aim to cause significant harm – so far.

“It’s an important question,” said Dave Mason, head of Darktrace Canada. “One year later, does the threat of cyber attack still remain? The answer is a resounding yes. While there is no direct evidence of a large-scale cyber attack on the horizon, it is absolutely vital that defenders remain vigilant. The history of cyber threats has shown us time and time again that we cannot rely on historical attack data to predict future threats. The risk of Russian retaliation is real, widespread, and cannot be underestimated.”

ESET’s Jean-Ian Boutin said the lesson from the cyber conflict so far has been the importance of the public and private sectors working together. “We already knew that communication is key, but this really reinforced our thinking that the key to thwarting attacks is keeping communication open and reporting attacks when you see them.”

The Communications Security Establishment (CSE), responsible for securing Canada’s government networks, declined a request for an interview. Instead, it sent this statement:

“As mentioned in the CSE National Cyber Threat Assessment (NCTA 2023-24), Russia’s illegal invasion of Ukraine in February 2022 gave the world a new understanding of how cyber activity is used to support wartime operations.

“While we cannot speak about specific events or tactics that we have monitored through our foreign intelligence mandate, we can confirm that CSE is monitoring cyber threat activity linked to Russia’s war with Ukraine. CSE is sharing valuable cyber threat intelligence with key partners in Ukraine. We also continue to work with the Canadian Armed Forces (CAF) in support of Ukraine, including through intelligence sharing, cyber security and cyber operations.

“Through the Canadian Centre for Cyber Security, CSE urges Canadian organizations to:

  • Isolate critical infrastructure components and services from the Internet and from corporate/internal networks if disrupting those components would be considered attractive to a hostile threat actor. When using industrial control systems or operational technology, test manual controls to ensure that critical functions continue to operate when the organization’s network is unavailable or unreliable;
  • Increase organizational vigilance. Monitor your network with a focus on the tactics, techniques and procedures (TTPs) reported in the CISA advisory. Ensure cyber security/IT personnel are focused on identifying and promptly assessing any unexpected or unusual network behaviour. Enable logging to better investigate issues or incidents;
  • Increase your security posture. Patch your systems with a focus on the vulnerabilities in the CISA advisory. Enable logging and backups. Deploy network and endpoint monitoring (such as anti-virus software), and implement multi-factor authentication where appropriate. Create and test an offline backup;
  • Have a cyber incident response plan, a continuity of operations plan and a communications plan, and be ready to use them;
  • Notify the Cyber Centre of suspicious or malicious cyber activity.”

“What I’m afraid of is one of those wiper families getting a new front end, a new way to break into a network, breaking loose and coming out west,” Swan said. “I know a lot of effort is being made to support Ukraine and prevent malware families from coming to the West. The problem is, Russia only has to get it right once, and they have some of the best hackers in the world writing this stuff. My concern is that the longer the war drags on, the more likely it is that one or more of these things will break loose and there will be hell to pay.”
