
Russia Accelerated Cyber Espionage Against Ukraine’s Allies During the Invasion, Warned Microsoft

Microsoft Threat Intelligence Center (MSTIC) says that Russia targeted Ukraine’s allies in a cyber espionage campaign before the ground invasion on February 24 and thereafter. Researchers said in a report that Russia employed tactics similar to other historical invasions, including Nazi Germany’s blitzkrieg in Poland, using the technology of the day.

“Each of these incidents also provides an account of the technology of the time — technology that would play a role in the war that ensued and the lives of the people who lived through it,” noted Microsoft.

According to Microsoft, Russia did not fire the first bullet when its troops poured through Ukraine’s borders but when it launched the cyberweapon Foxblade on February 23.

A model for future armed conflicts

Microsoft noted that the Russian invasion of Ukraine highlighted a trend witnessed during conflicts in the last two centuries. Subsequently, Microsoft warned that the Russian kinetic and cyber warfare strategies could become a model for future armed conflicts.

“Countries wage wars using the latest technology, and the wars themselves accelerate technological change,” Microsoft wrote in a blog post. “It’s therefore important to continually assess the impact of the war on the development and use of technology.”

Microsoft identified three cyber strategies that accompanied the ground invasion. These include “destructive cyberattacks in Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world.”

Microsoft noted that Russia began its invasion by targeting Ukraine’s data centers with conventional weapons and wiper malware. However, Ukraine weathered these attacks by distributing its digital infrastructure into the public cloud hosted in European data centers.

According to Microsoft, Russia coordinated malware attacks with conventional weapons. In one incident, Russian hackers attempted to breach Ukraine’s nuclear power company before Russian troops occupied the largest power plant. MSTIC observed at least six incidents preceding military strikes.

Russia targeted Ukraine’s allies in a cyber espionage campaign

Microsoft warned that Russian cyber espionage activities associated with Ukraine’s invasion extend beyond the country, thus calling for collective defense.

“The cyber aspects of the current war extend far beyond Ukraine and reflect the unique nature of cyberspace,” Microsoft President Brad Smith said in the report.

According to Microsoft, Russian intelligence agencies targeted at least 128 organizations in 42 countries outside Ukraine. Nearly two-thirds (63%) of Russian cyber espionage activity targeted NATO members such as Turkey, Denmark, and Norway. Apart from the United States, Poland, one of Ukraine’s allies supplying weapons and humanitarian aid, was also a key target in the Russian cyber espionage campaign. Similarly, NATO membership candidates and Ukraine’s allies Finland and Sweden came under attack. Russia had warned these two allies of Ukraine against joining the military alliance.

According to Microsoft, nearly half (49%) of all attacks have targeted government organizations, while 12% targeted non-governmental organizations (NGOs) on foreign policy and humanitarian groups. Additionally, Russian hackers targeted IT companies (20%) and energy and other critical infrastructure suppliers (19%). According to MSTIC, Russian attacks against Ukraine’s allies had a 29 percent success rate.

Russia’s cyber warfare could exploit democracy

The Russian cyber espionage campaign against Ukraine’s allies paralleled the spread of propaganda and disinformation. Microsoft found that the Russian propaganda campaign increased by 216% in Ukraine and 82% in the US after it invaded Ukraine.

Microsoft discovered that Russia was integrating tactics developed by the dreaded KGB into modern technology to exert influence over a wider geographical area. The Russian government also targeted Americans and Europeans to undermine Western unity and deflect its responsibility for war crimes in Ukraine.

Additionally, the Kremlin targeted the Russian population to sustain support for the war and the Ukrainian people to undermine their confidence in their government and their country’s ability to fight Russia. Similarly, Russia targeted non-aligned countries to court support from these countries at the United Nations.

Microsoft warned that these tactics could take advantage of democratic openness, especially during the current political and social polarization.

Need for cyber threat intelligence, endpoint protection, and collective defense

Microsoft noted that Russian cyber activities were difficult to track even by military analysts. However, Microsoft was able to track Russian hackers’ cyber espionage campaign against “48 distinct Ukrainian agencies and enterprises.”

According to the report, Russia started by distributing malware targeting hundreds of computers to penetrate Ukrainian domains. Unlike the NotPetya attack in 2017, when Russia used malware that could jump domains across borders to compromise targets in Ukraine, Russia constrained the malware to Ukrainian domains.

Microsoft notes that while not perfect, cyber defenses were largely more effective than cyber offensive attacks by the adversary.

Microsoft attributes the success of cyber defenses to advances in threat intelligence, including the use of artificial intelligence in detection, and inter-connected end-point protection.