As EclecticIQ looks back at the year since Russia’s initial invasion of Ukraine, it is clear that cyberattacks have been an important part of Russia’s arsenal. This assessment rests not only on the variety of cyberattack methods leveraged but also on the prolonged timeline over which this cyber activity played out. EclecticIQ analysts observed seven different cyber-related approaches being used against Kyiv.
| Type of Attack | Description |
| --- | --- |
| Phishing campaign | Russia-linked groups targeted Ukrainian and Latvian officials with a spearphishing campaign. Phishing lures focused on the war in Ukraine, including aid-themed lures. (12, 13) |
| SMS campaign | Large-scale smishing campaigns targeted different groups in the early days of the war, probably aiming to instill fear in civilians in and outside of Ukraine and to erode the cohesion of Ukrainian forces. (5, 6, 7) |
| Wiper malware | Even prior to the start of the war (January 2022), experts detected wiper malware targeting Ukrainian organizations. The malware at times appeared to be ransomware but had no mechanism for paying ransoms, which made it inconsistent with typical criminal activity. Various versions of wipers have targeted Ukraine in successive waves (HermeticWiper, IsaacWiper, HermeticWizard, CaddyWiper). Microsoft dubs this destructive malware operation “WhisperGate.” The campaign continued for months after the start of the war. (1, 2, 3, 4) |
| DDoS | Also prior to the start of the war, Ukrainian organizations were targeted by distributed denial of service (DDoS) attacks, taking down key infrastructure in the lead-up to the war. (10, 11) |
| Deepfake | Threat actors leveraged newer technology to produce a deepfake video of Ukrainian President Zelensky urging Ukrainian military members to surrender. The video was quickly proven to be a fake and was removed from social media sites. (8, 9) |
| Cybercriminal groups | One of the unanticipated events resulting from the war was the dissolution of the cybercriminal group Conti. When members of the group publicly declared support for Russia following the invasion of Ukraine, a former member released chats of the group’s internal conversations. (14, 15) Conversely, Killnet, a group aligned with Russia, gained notoriety in 2022 by publicly aligning itself with Moscow. (16) |
| Government-linked cyber activity | Increasing reporting is available about groups such as Sandworm and Gamaredon, which may work with or for Moscow to some degree. Groups like these often have various types of destructive cyber activity attributed to them. (4, 17) In addition to the publicly available information about various cyber activities, cyberespionage activity is almost certainly targeting Ukrainian organizations. This activity is intended to be discreet: the longer cyberespionage actors remain undiscovered, the longer they are able to maintain access to victim networks, conducting sabotage and gathering information. |
Moscow began setting favorable conditions for the invasion well prior to February 24th, using wipers to reduce access to critical systems in a campaign later dubbed WhisperGate. Many of the organizations targeted in the early days of this campaign were Ukrainian government bodies and commercial enterprises. (2) On the day of the initial land invasion, a wiper named AcidRain disrupted the services of satellite communications provider Viasat across central and eastern Europe and turned off remote access to nearly six thousand German wind turbines. (17) Later, broad SMS campaigns were used to intimidate both Ukrainian soldiers and the public in Ukraine and neighboring countries, and a deepfake video of President Zelensky attempted to sow confusion among Ukrainian troops. In the months that followed, phishing campaigns, DDoS attacks, and cybercriminal activity all had a role to play in the cyber angle of this conflict, including intimidation, denial of service, and attempts to influence the public narrative about the war.
The frequency and variety of cyberattacks levied against Ukraine were unsurprising, but the lack of overt success from cyber operations was unexpected. EclecticIQ analysts expected at least some long-lasting outages of critical IT systems, or cyber disruptions that clearly derailed Kyiv’s planned military operations. While some cyber operations had detrimental effects, those effects seemed to be relatively easy to overcome or circumvent. Contrary to expectations, cyberattacks did not appear to play a decisive role in the first year of the war.
Analysts assess that these efforts have fallen well short of their intended goals of degrading Ukrainian morale and driving a wedge between Kyiv and its Western allies, as noted in EclecticIQ’s End of Year Retrospective. EclecticIQ assesses that the lukewarm results of Moscow’s cyberattacks are unlikely to change as the war drags on into a second year. Cyber-focused efforts will continue to support and augment efforts on the battlefield. Moscow is most likely to use cyber tactics to amplify and inflate narratives of Russian battlefield victory when they occur, or to achieve a mix of disruption and annoyance to slow or minimize Kyiv’s battlefield advances.
About EclecticIQ Intelligence & Research Team
EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence & Research Team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com.
Appendix
1. https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
2. https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
3. https://twitter.com/ESETresearch/status/1503436420886712321
4. https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-russian-apt-groups-including-sandworm-continue-their-attacks-against-ukraine-with-wipe/
5. https://apnews.com/article/Fact-Check-Ukraine-Transnistria-Text-193532583260
6. https://www.dailymail.co.uk/news/article-10759375/Moldovans-living-Russian-separatists-sent-fake-texts-claiming-Ukrainians-kill-them.html
7. https://www.thedailybeast.com/cyberattacks-hit-websites-and-psy-ops-sms-messages-targeting-ukrainians-ramp-up-as-russia-moves-into-ukraine
8. https://www.reuters.com/world/europe/deepfake-footage-purports-show-ukrainian-president-capitulating-2022-03-16/
9. https://nypost.com/2022/03/17/deepfake-video-shows-volodymyr-zelensky-telling-ukrainians-to-surrender/
10. https://www.ncsc.gov.uk/news/russia-ddos-involvement-in-ukraine
11. https://cip.gov.ua/en/news/chergova-kiberataka-na-saiti-derzhavnikh-organiv-ta-banki
12. https://www.techrepublic.com/article/how-phishing-exploits-russian-invasion/
13. https://therecord.media/ukrainian-cert-details-russia-linked-phishing-attacks-targeting-government-officials/
14. https://www.securityweek.com/conti-chats-leaked-after-ransomware-gang-expresses-support-russia/
15. https://www.scmagazine.com/analysis/ransomware/conti-ransomware-gang-dismantles-infrastructure-amid-ukraine-row
16. https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/killnet
17. https://therecord.media/a-deeper-look-at-the-malware-being-used-on-ukrainian-targets/