Microsoft’s Digital Security Unit has issued a special report on Russian cyber attacks in Ukraine, in which evidence is presented that some were timed to support military strikes.
Specifically, the Microsoft researchers say that cyber attacks in March against a television broadcaster and a nuclear plant directly preceded military action directed at those targets, and that over 70% of the destructive attacks were targeted either at Ukrainian government organizations or critical infrastructure companies.
Some Russian cyber attacks synced with real-world military attacks
Since just prior to the invasion of Ukraine in February, Microsoft reports seeing 237 operations against the country that are collectively linked to six nation-state groups aligned with Russia. Of these, about 40 were classified as “destructive” attacks meant to reduce the capabilities of the target. Espionage and intelligence activities are more common, and the researchers say they have observed “limited” espionage being conducted against NATO member states along with disinformation campaigns.
The report names two major Russian cyber attacks that preceded physical attacks on locations in Ukraine. On March 1, cyber attacks on a Ukraine TV broadcaster were followed by a missile attack against one of its TV towers. And on March 13, data was exfiltrated from a nuclear safety organization in the midst of a campaign by ground forces to capture nuclear power plants in the country. An additional email-based disinformation campaign accompanied the outset of the siege of Mariupol, with Ukrainians receiving fake emails from someone purporting to be a resident of the city and claiming that the government was going to abandon its population.
The Microsoft researchers also believe that Russia’s pre-invasion cyber work dates all the way back to March 2021, with Russia-linked hackers probing organizations inside Ukraine to establish a long-term foothold. As the country began to move troops toward the border in mid-2021, this campaign shifted to focus on military intelligence targets as well as supply chain vendors that might provide an “in” to organizations in NATO member states. A campaign of Russian cyber attacks using wiper malware began in early 2022 as diplomatic efforts failed and the prospect of war became more likely. Over half a dozen types of wiper malware were detected by the Microsoft Threat Intelligence Center (MSTIC), including variants meant to permanently encrypt files and render machines unbootable.
The biggest wave of Russian cyber attacks of this nature came during the period just before and after the start of the invasion, with 22 incidents logged between February 23 and March 2. There was a lull from March 3 to 9 with no recorded incidents, and then a handful each week from there; this had decreased to about two per week at the outset of April.
Known Russian threat actors spotted moving against Ukraine
The Microsoft team reports seeing activity against Ukraine conducted by known Russia-linked threat actors. Russian cyber attacks with links to the current campaign have cropped up since early 2021, when the NOBELIUM group attempted a large-scale phishing campaign against organizations in the country. Microsoft has previously called this group “the most sophisticated” of the world’s state-backed hacking teams; the group was behind the SolarWinds attack of 2020 along with other major campaigns in recent years.
Microsoft also finds that NOBELIUM was moving against NATO members as well from July 2020 to June 2021, and actually targeted organizations in the United States much more heavily than even those in Ukraine. These actions were conducted with the specific goal of surveilling entities that could provide information on Ukraine.
Since the invasion began, the STRONTIUM group has also been observed engaging in phishing campaigns targeting government and military employees in central Ukraine. This group was more commonly called “Fancy Bear” in US reporting of its activities against the Democratic National Committee in 2016. It has existed in some form since the mid-2000s and has been particularly active in high-profile attacks on the international stage since 2014.
Two other known threat groups, IRIDIUM and BROMINE, have also been involved in the war. IRIDIUM is a primarily disinformation-focused group that invades networks to find documents to leak for propaganda purposes, but has also been linked to a destructive mid-March attack on a transportation and logistics firm in western Ukraine. BROMINE is the group linked to the infiltration of a Ukraine nuclear safety organization and is thought to have stolen data over a breach window of potentially three months.
For organizations that may be in the crosshairs of Russian cyber attacks, the Microsoft researchers note that those running endpoint detection and response (EDR) solutions are having a great deal of success identifying and remediating intrusions that have destructive intent. The report also ends with a section of defensive suggestions, including a note that the campaign of Russian cyber attacks bears similarities to recent ransomware campaigns and that related defensive measures are proving effective.