Cyber attacks against Ukraine shift to NATO countries


Wednesday, 01 March, 2023


New data from Check Point Research (CPR) shows that cyber warfare has escalated in line with the Russia–Ukraine war. Notable trends include a shift in cyber attacks on NATO countries.

CPR says September 2022 marked a turning point, with weekly cyber attacks against Ukraine decreasing by 44% (period to February 2023), while attacks on NATO countries increased nearly 57% in some cases, for the same period. CPR lists wipers, multi-pronged attacks and hacktivism as key trends and forces as factors in the pivot.

Threat Intelligence Group Manager at Check Point Research Sergey Shykevich has spoken to the trends CPR has observed over the year-long conflict.

“We see a change in the direction of cyber attacks at a specific point during the war. Starting the third quarter of 2022, we see a decline in the attacks against Ukraine, while also seeing increases in the attacks against certain NATO countries. We see the deployed efforts especially against specific NATO countries that are more hostile to Russia. Some of those attacks are malware attacks, and some of those are focused on information operations around specific political, geo-political and military events,” Shykevich said.

The rise of wipers

CPR also saw the perception of wiper malware, which disrupts the operations of targeted systems, undergo a major transformation because of the war. Previously, wipers were rarely used. Over the past year however, wipers have become a much more frequently deployed mechanism as part of escalated conflicts, and not only in Eastern Europe.

The start of the Russian–Ukrainian war saw a massive increase in disruptive cyber attacks carried out by Russian-affiliated threat actors against Ukraine. On the eve of the ground invasion in February, three wipers were deployed: HermeticWiper, HermeticWizard and HermeticRansom. Another attack was directed at the Ukrainian power grid in April, using a new version of Industroyer, the malware that was used in a similar attack in 2016. In total, at least nine different wipers were deployed in Ukraine in less than a year. Many of them were separately developed by various Russian intelligence services and employed different wiping and evasion mechanisms.

The Russia-affiliated hacktivist group From Russia With Love (FRwL) deployed Somnia against Ukrainian targets. CryWiper malware was deployed against municipalities and courts in Russia. Inspired by these events, wiper activity spread to other regions. Iranian affiliated groups attacked targets in Albania, and a mysterious Azov ransomware, which is in fact a destructive data wiper, was spread across the world.

Multi-pronged cyber efforts

Reviewing the attacks against Ukraine, some of the offensive cyber actions were intended to cause general damage and disrupt civilian daily life and morale, while others were more precisely aimed, intended to achieve tactical objectives and coordinated with the battle. The Viasat attack, launched hours before the ground invasion of Ukraine, was designed to interfere with satellite communications that provide services to military and civil entities in Ukraine. The attack used a wiper called AcidRain, tailored to destroy modems and routers and cut off internet access for tens of thousands of systems. Another example of a tactically coordinated attack occurred on 1 March: when the Kyiv TV tower was hit by Russian missiles that halted the city’s television broadcasts, a cyber attack was launched to intensify the effects.

Tactical high-precision cyber attacks require preparation and planning. The prerequisites include gaining access to the targeted networks and often the creation of customised tools for different stages of the attack. Much like in the kinetic battle, evidence suggests that the Russians did not prepare for a long campaign. The deployment of multiple new tools and wipers that characterised the initial stages of the campaign was later mostly replaced with rapid exploitation of detected opportunities, using already known attack tools and tactics such as CaddyWiper and FoxBlade. These attacks were not intended to act in concert with tactical combat efforts, but rather to inflict physical as well as psychological damage on the Ukrainian civilian population across the country.

CPR data shows that a gradual but major decline in the number of attacks per gateway in Ukraine started in the third quarter of 2022. On the flip side, there was a significant increase in attacks against NATO members. While the increase in attacks against the UK and the US since September is slim, at 11% and 6% respectively, the increase against some of the EU countries in escalated hostility towards Russia, such as Estonia, Poland and Denmark, is much sharper, at 57%, 31% and 31% respectively. This shows a shift in the modus operandi and priorities of Russia and Russia-affiliated groups in the cyber domain, whose focus switched from Ukraine to the NATO countries that support Ukraine.

Figure 1 — Average weekly cyber attacks per organisation

Ukraine’s response to cyber hostilities in the past year has improved, with the head of the UK’s intelligence, cyber and security agency labelling it “the most effective defensive cyber activity in history”. Part of the reason for this success is that Ukraine has suffered repeated cyber attacks since 2014.

As Lycurgus, the legendary Spartan legislator, famously warned, “Repeated attacks of the same opponents could result in their improved military capabilities.” For example, the effect of the Industroyer2 attack on the energy sector in March 2022 was limited compared to Industroyer’s first deployment in 2016. Ukraine received significant external assistance to repair the damage of these cyber attacks.

Aided by foreign governments and private companies, Ukraine quickly transferred much of its IT infrastructure to the cloud, thus physically distancing its data centres from fighting zones and gaining additional protection layers from service providers.

Hacktivism emerges

Ukraine’s establishment and management of the “IT Army of Ukraine”, an army of volunteer IT specialists, has transformed hacktivism. Previously characterised by loose, ad hoc cooperation between individuals, new hacktivist groups have tightened their level of organisation and control, and now conduct military-like operations. This new mode of operation includes recruitment and training, tool sharing, intelligence and target allocation, and more. Anti-Russian hacktivist activity continued throughout the year, affecting infrastructure, financial and governmental entities.

Figure 2 — Average weekly cyber attacks per organisation for government and military industry

Most of the new hacktivist groups have a clear and consistent political ideology that is affiliated with government narratives. Pro-Russian hacktivist activity shifted its focus from primarily Ukrainian targets to neighbouring NATO member states and other Western allies. Killnet executed targeted DDoS attacks against critical infrastructure in the US, including healthcare organisations, hospitals and airports.

The Russian-affiliated NoName057(16) hacktivist group targeted the Czech Presidential election. Some cybercriminal entities were forced to join the national effort and had to reduce their criminal activity. Attacks on Russian businesses, which were once considered off-limits to many cybercrime entities, have now increased and Russia has been struggling under an unprecedented hacking wave caused by government activity, political hacktivism and criminal action. The borders between nation-state activity, hacktivism and cybercrime are becoming more blurred and harder to distinguish.

Different nation-state actors also took advantage of the war to advance their own interests. CPR reported several campaigns by different APT groups that used the ongoing Russian–Ukrainian war as a lure to increase the efficiency of their campaigns, starting from the very beginning of the conflict. Other nations enhanced their espionage activity in Russia to target state-owned Russian defence institutions. Cloud Atlas continuously targeted Russian and Belarusian entities.
