When Russian forces began invading Ukraine on February 24, 2022, many expected cyberattacks to play a significant part in the war. But while Russia has a long history of targeting Ukraine with cyberattacks, it has yet to launch a successful large-scale cyberattack on Ukraine's critical infrastructure since the full-scale invasion began. Instead, it appears that Russia's online operations are mainly being used to spread disinformation.
Some experts believe that just like Russia’s military power, the country’s cyber capabilities have been overestimated, which could explain why Russia has failed to carry out successful cyberattacks against Ukraine since the start of the full-scale invasion. However, Russia’s past attacks and actions have proven that the threat should not be taken lightly. Furthermore, some of the most notorious cybercrime gangs are known to operate from Russia, and some have since declared loyalty to Russia. That is not unexpected considering that many of these gangs are sponsored by the state.
However, a large number of hacker groups have also sided with Ukraine. Notably, the hacktivist collective Anonymous has declared war on Russia's President Putin and has since claimed multiple successful cyberattacks. Ukraine has also created its own IT army made up of volunteers from all over the world.
Russia’s past cyberattacks on Ukraine
During the early days of the Russia-Ukraine war, Russia carried out multiple cyberattacks targeting Ukraine's critical infrastructure, the country's power grid in particular. On December 23, 2015, attackers carried out the first confirmed cyberattack to cause a power outage, hitting three regional distribution companies that serve the Kyiv, Ivano-Frankivsk, and Chernivtsi regions. Around 230,000 consumers were left without power for one to six hours. The attack was attributed to Sandworm, an alleged Russian cyber military unit (GRU Unit 74455). The companies' corporate networks are believed to have been compromised months earlier through spear-phishing emails carrying macro-laden Office documents that installed the BlackEnergy trojan. The outage itself was not caused by the malware: the attackers used stolen credentials and the utilities' own remote-access tools to operate the SCADA systems directly and open breakers, then ran the KillDisk wiper on workstations to slow recovery.
The 2015 Ukraine power grid attack was the first successful attack of its kind, but it is believed that Ukraine was a special case and that certain circumstances allowed the attack to happen. It has been argued that the affected grid was built while Ukraine was part of the Soviet Union and later upgraded with Russian equipment, so Russian attackers were very familiar with the hardware and software. Furthermore, the attack was carried out during the holiday season, when few workers were present.
A year later, on December 17, 2016, Ukraine's power grid was attacked once again, this time with Industroyer (also known as CrashOverride), the malware believed to have been used in the attack. It is considered the first known malware built specifically to attack power grids: rather than relying on operators' tools, it speaks industrial control protocols such as IEC 60870-5-104 and IEC 61850 directly. The Pivnichna transmission substation north of Kyiv was taken offline, cutting power to part of the capital for about an hour. The attack is widely believed to have been a large-scale test.
On June 27, 2017, various Ukrainian organizations (banks, ministries, newspapers, electricity firms, and many others) were hit by a wave of infections with NotPetya, malware that reused code from the Petya ransomware and is attributed to the Sandworm group. It spread initially through a trojanized update to the M.E.Doc accounting software used by most Ukrainian businesses, then moved laterally using the EternalBlue exploit and harvested credentials. Although it posed as ransomware, it irreversibly damaged the boot records and file tables of infected computers, with no working path to decryption, indicating that the attack was meant to cripple the Ukrainian state rather than to make money. It landed the day before Ukraine's Constitution Day, a public holiday, meaning many offices were closed and the malware could spread more widely before being noticed. Among the affected systems was the radiation monitoring system at Ukraine's Chernobyl Nuclear Power Plant.
On January 14, 2022, around 70 Ukrainian government websites were affected by a massive cyberattack. Among those affected were the official websites of the Ministry of Foreign Affairs, the Cabinet of Ministers, and the National Security and Defense Council. Defaced sites displayed text in Ukrainian, Polish, and Russian claiming that citizens' personal data had been uploaded to the public network. Images of a crossed-out Ukrainian flag, a map of Ukraine, and the symbol of the Ukrainian Insurgent Army were also displayed. The defaced sites were taken down and brought back online within a few hours. UNC1151, a hacker group associated with Belarusian intelligence, is believed to be behind the attack. The cyberattack came at a time when tensions between Russia and Ukraine were high, with over 100,000 Russian troops stationed near the border. A little over a month later, Russian forces began a large-scale invasion of Ukraine.
On April 12, 2022, Ukrainian officials (CERT-UA, working with ESET) confirmed that they had disrupted a Russian cyberattack on high-voltage substations of a Ukrainian energy company. The malware, dubbed Industroyer2, is an updated version of the Industroyer used in 2016 and was deployed together with the CaddyWiper data wiper, apparently to cover the attackers' tracks; the outage had been scheduled for April 8. Had it succeeded, over two million people would have lost power. Although Ukraine was able to thwart this attack, it is considered highly sophisticated, raising fears that Russia may increase its use of cyberweapons. Kyiv has blamed the attack on Sandworm.
Anonymous announces war on Putin
The hacktivist collective Anonymous has been actively performing cyberattacks on Russia. It has declared a "cyberwar" on Russia's President Putin and has so far claimed numerous cyberattacks. Two days after Russia's military forces started invading Ukraine, Anonymous claimed to have hijacked Russian TV networks, interrupting normal programming to show Russian citizens images of the war Russia had caused. According to Anonymous, the images were shown for 12 minutes.
Then, in early March, the group announced that they had taken over more than 400 Russian cameras and shared the feed on their website. The camera feed also had overlaid texts with messages about the atrocities Russia tries to hide from its citizens. On March 23, the hacktivist group announced a hack on Russia’s Central Bank by its affiliate group, leaking 28GB of information. According to those who have looked through the massive amount of leaked information, the data dump contains invoices, internal communications, documents, memos, bank statements, names and addresses of high-profile clients, etc.
On April 3, Anonymous announced that the group has acquired the personal information of 120,000 Russian soldiers. The Twitter announcement also contains a link to the information. The leaked information contains dates of birth, addresses, passport numbers, and unit affiliation.
“All soldiers participating in the invasion of Ukraine should be subjected to a war crime tribunal,” the hacktivist group’s Twitter announcement reads.
Anonymous' affiliate group Network Battalion 65 (NB65) has also announced a leak of 900,000 emails from the All-Russia State Television and Radio Broadcasting Company (VGTRK), Russia's largest state media corporation. Operating since 1990, VGTRK (also known as RTR) controls five national TV channels, five radio stations, two international networks, and over 80 regional TV and radio networks. According to the Daily Dot, the emails span more than 20 years of communications from around 250 inboxes and discuss daily operations as well as international sanctions against Russia.
IT army of Ukraine
On February 26, 2022, Vice Prime Minister of Ukraine Mykhailo Fedorov announced the creation of Ukraine's IT army, made up of volunteers who would be fighting on the cyber front. This is arguably the largest effort by the Ukrainian government to coordinate hackers from all over the world. Targets are posted on dedicated Telegram channels with hundreds of thousands of subscribers, who then launch attacks on the specified targets. So far, Ukraine's IT army has been credited with attacks on Russian banks, the Russian power grid and railway systems, and numerous DDoS attacks.
Malware gangs side with Russia
One of the first cybercrime gangs to side with Russia was the Conti ransomware gang. Members of the gang even went as far as to threaten retaliation for any cyberattacks targeting Russia. Conti is one of the most successful ransomware operations active today and works much like a legitimate corporation (regular payrolls, a five-day workweek, offices, etc.). The gang is believed to have extorted at least $180 million from victims in 2021 and is known for targeting the healthcare sector. While the gang has shown support for Russia, there is no evidence of formal ties between it and the Russian government.
The cybercriminals behind Conti initially announced full support for the Russian government but soon released a modified statement in which they claimed to condemn the war while still threatening retaliation for any attacks on Russian critical infrastructure. Shortly afterwards, an alleged Ukrainian security researcher leaked Conti's internal chat logs. The logs show that opinions on the war differ among Conti members, and they also reveal how the ransomware group operates as an organization and how victims are chosen.
Many other cybercrime groups have also picked sides. But while groups like Sandworm are known to be affiliated with, and to some extent directed by, the Russian government, many other groups siding with Russia are independent. It is not impossible that such groups could launch attacks on the critical infrastructure of Ukraine or its allies with little understanding of what their actions could mean.
Russia’s disinformation attacks
While Russia is no stranger to disinformation attacks, the scale of the current stream of false information coming from Russia is astounding. Russia’s disinformation is spreading full force, with social media platforms, forums, and even news agencies struggling to keep up. From claims that the US had a biological weapon lab in Ukraine to declarations that victims of the Bucha massacre were actors, malicious actors behind such campaigns are doing their best to make Russia seem like the victim of a war it started.
Disinformation is coming from all sides: the Russian government, Russian trolls, and regular users in Russia. And it is not only affecting people living in Russia; fake narratives pushed by this propaganda machine are reaching people all over the world. The scale of these campaigns has proven difficult for social media platforms to handle, and they often fail to remove disinformation before it spreads widely. Platforms like YouTube and Facebook have been criticized for how they handle disinformation campaigns, with much of the criticism focused on their inability to remove false information completely. But while the false information pushed by Russia is often too ridiculous to take seriously, it does its job of further convincing people who already side with Russia.
Disinformation in Russia is a particularly big issue. With platforms like TikTok limiting their presence in Russia, the Russian government blocking platforms like Instagram, and independent Russian news platforms shutting down, Russian citizens are especially susceptible to disinformation about Russia’s role and its crimes in the current Russia-Ukraine war. The Russian state has a monopoly over the information in the country, allowing it to spread false narratives, pointing the blame of the war onto Ukraine and Western nations.
Scammers aim to take advantage of people donating to Ukraine
To the surprise of no one, scammers started taking advantage of people who wish to donate money to support Ukraine. Malicious actors from various countries have launched spam campaigns targeting would-be donors, and users can encounter these scams in emails and on social media. The campaigns often borrow the names of legitimate organizations and institutions, such as the National Bank of Ukraine, to trick users. Some even link to genuine fundraising pages but quote a different bank account or ask for donations in cryptocurrency, so the money goes to the scammer rather than the cause. These scam campaigns were especially common in the first week of Russia's invasion, when many people rushed to donate. How successful they have been is debatable, but users should not let their guard down.
People should be very careful when donating money to charities and organizations, especially now. Legitimate organizations do not send unsolicited donation emails to people who never subscribed to them or agreed to receive email. Before making any kind of donation, it is essential to research the organization or charity, confirm its payment details through its official website rather than through the message, and make sure the money would actually reach those in need.
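The lures described above (a borrowed organization name, a link whose visible text and real target disagree, and payment details that do not match the organization's published ones) can be screened for mechanically. The following is an added example, not code from the original article or from any organization it names; the trusted-domain allowlist, the reference IBAN, and both sample emails are constructed for the demonstration (bank.gov.ua is the National Bank of Ukraine's real domain, but the IBAN below is a placeholder, not a real account).

```python
"""
Heuristic screening of a donation-solicitation email for the lures described
above. Added example; not code from the original article. The allowlist,
the reference IBAN and the two sample messages are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: domains the defender has verified out-of-band as belonging
# to the organisation named in the mail. Extend with your own verified entries.
TRUSTED_DOMAINS = {"bank.gov.ua"}
# Hypothetical reference account for that organisation (NOT a real IBAN).
KNOWN_IBAN = "UA" + "0" * 27
KNOWN_IBANS = {KNOWN_IBAN}

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
# Bitcoin bech32, Bitcoin legacy and Ethereum address shapes.
CRYPTO_RE = re.compile(
    r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|0x[a-fA-F0-9]{40})\b")
# Visible link text that itself looks like a URL or bare domain.
URLISH_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def _trusted(host):
    return bool(host) and any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def screen_email(raw):
    """Return a list of (finding, detail) tuples; an empty list means no red flags."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display name may say "National Bank of Ukraine"; the address domain is what counts.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if not _trusted(sender_domain):
        findings.append(("untrusted-sender", sender_domain))

    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")

    # 2. Every link target must be on the allowlist, and visible URL text must match the target.
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = _host(href)
        if not _trusted(target):
            findings.append(("untrusted-link", target))
        shown = ""
        if URLISH_RE.match(text):
            shown = _host(text if text.lower().startswith("http") else "https://" + text)
        if shown and shown != target:
            findings.append(("link-mismatch", f"{shown} -> {target}"))

    # 3. Bank accounts must be the ones published by the organisation; crypto wallets are a red flag.
    for iban in sorted(set(IBAN_RE.findall(body))):
        if iban not in KNOWN_IBANS:
            findings.append(("unknown-iban", iban))
    for addr in sorted(set(CRYPTO_RE.findall(body))):
        findings.append(("crypto-wallet", addr))
    return findings


# Constructed scam sample: spoofed sender, lookalike link, unknown IBAN, crypto wallet.
SCAM_SAMPLE = (
    'From: "National Bank of Ukraine" <donate@bank-gov-ua.example>\n'
    "Subject: Urgent: support Ukraine's armed forces\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>The National Bank of Ukraine has opened a special account.</p>\n"
    '<p>Official page: <a href="https://bank.gov.ua.donate-now.example/">https://bank.gov.ua/en/</a></p>\n'
    "<p>Wire to IBAN UA123456789012345678901234567 or send BTC to "
    "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq</p>\n"
)

# Constructed clean sample: trusted sender domain, trusted link, the published IBAN.
CLEAN_SAMPLE = (
    "From: National Bank of Ukraine <press@bank.gov.ua>\n"
    "Subject: Special account for the armed forces\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<p>Transfers go through <a href="https://bank.gov.ua/en/">the official page</a>, '
    f"IBAN {KNOWN_IBAN}</p>\n"
)

if __name__ == "__main__":
    for kind, detail in screen_email(SCAM_SAMPLE):
        print(f"{kind}: {detail}")
    print("clean sample findings:", screen_email(CLEAN_SAMPLE))
```

The allowlist check is deliberately strict (exact host or a subdomain of a verified domain), which is why the lookalike host bank.gov.ua.donate-now.example fails even though it begins with the trusted name. In production the trusted domains and reference IBANs would come from the organization's official site, checked out-of-band, never from the message itself.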