In what is widely described as an example of “hybrid” warfare, Russia’s military invasion of Ukraine on February 24 was preceded and accompanied by major cyber assaults. This week alone saw a second round of DDoS attacks against Ukrainian websites and a second round of wiper malware infections spreading in Ukraine and possibly spilling over into Latvia and Lithuania.
Although these second rounds of attacks have not been formally attributed to any threat actor, the U.S. and other governments officially identified Russia as the culprit in the first round of DDoS attacks. Cybersecurity experts and government officials reasonably assume that Russia is also behind these most recent incidents.
Further cyber action could create unintended consequences
The prospect of further cyberattacks in Ukraine fosters anxiety because of cyberattacks’ unpredictable and uncontrollable nature. Senator Mark Warner (D-VA), Chairman of the Senate Select Committee on Intelligence and co-founder of the Senate Cybersecurity Caucus, warns that “if Russia unleashes its full cyber power against Ukraine, once you put malware into the wild, it knows no geographic boundaries. So, if the Russians decide they’re going to turn off the power, turn off all the electricity across all of Ukraine, very likely that might turn off the power in Eastern Poland and Romania.”
By spreading out to NATO nations, further cyberattacks in Ukraine could rapidly spark a wider geopolitical conflict. It “could affect our troops if suddenly hospitals are shut down, if those NATO troops, those American troops somehow have a car accident because the stoplights don’t work. We are suddenly in an area hypothetically in Article 5 where one NATO country is attacked; we all have to come to each other’s aid.”
Representative Adam Schiff (D-CA), Chairman of the House Intelligence Committee, said that “Russian tools used to attack Ukraine in the cyber realm may not stay in Ukraine. We have seen in the past Russia deploy cyberattacks at a particular target, but those tools get into the wild and cause global damage. One pressing concern is what the Kremlin is directing at Ukraine may not stay in Ukraine.”
Melissa Griffith, a senior program associate at the Wilson Center, said during a press briefing at the Wilson Center that “the most pressing question as we look at cyber activity in the context of Ukraine is not what any single cyber operation is likely to achieve but the ways in which cyber operations will be layered, their effects layered on top of other types of tools of statecraft that Russia has at its disposal. And it’s going to be the ability to layer in kind of unexpected ways that will cause unanticipated costs for the Ukrainian government as fighting continues there, or irrecoverable costs to Ukraine.”
Griffith said that “the other thing to keep an eye on as we look at that layering effect within this crisis geographically bounded within Ukraine is the reality that cyber operations where due diligence is not done upfront have a bad habit of spilling over into other regions and other countries’ networks. There is a real spillover effect here that could have unintended consequences.”
Timeline on Russia-linked cyber incidents
Given the rapid pace of events surrounding Ukraine, we have updated our timeline of Russia-linked attacks in the country, originally published January 19. The following is a chronological timeline of this year’s developments related to the cyberattacks in Ukraine:
January 11: U.S. releases cybersecurity advisory
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint Cybersecurity Advisory (CSA) providing an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures. The advisory also provided detection actions, incident response guidance, and mitigations.
CISA also recommended that network defenders review its Russia Cyber Threat Overview and Advisories page for more information on Russian state-sponsored malicious cyber activity. The agencies released the CSA as part of an occasional series of joint cybersecurity advisories rather than in response to a specific incident.
January 13 to 14: Ukrainian websites defaced
Following a breakdown of diplomatic talks between Russia and the West intended to forestall a threatened Russian invasion of Ukraine, hackers launched defacement attacks that brought down dozens of Ukrainian government websites, including those of the Ministry of Foreign Affairs, the Ministry of Education, and others. The hackers posted a message that said, “Be afraid and expect the worst.”
The message also warned Ukrainians that “All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered,” and raised historical grievances between Poland and Ukraine. Ukraine’s State Bureau of Investigations (SBI) press service said that no data were stolen in the attack.
Although Ukraine did not attribute the attacks to Russia definitively, the European Union’s chief diplomat Josep Borrell hinted that Russia was the culprit. Serhiy Demedyuk, deputy secretary of Ukraine’s national security and defense council, preliminarily pinned the attacks on a hacker group linked to Belarusian intelligence known as UNC1151. Belarus is a close ally of Russia.
The European Union condemned the attacks and said it stands “ready to provide additional, direct, technical assistance to Ukraine to remediate this attack and further support Ukraine against any destabilizing actions, including by further building up its resilience against hybrid and cyber threats.” NATO Secretary-General Jens Stoltenberg said that his cyber experts in Brussels were exchanging information with their Ukrainian counterparts on the malicious cyber activities and would sign an agreement on enhanced cyber cooperation.
January 14: Russia takes down REvil ransomware group
In what appeared to be a surprise demonstration of U.S.-Russian collaboration, Russia’s FSB domestic intelligence service said that it dismantled the ransomware crime group REvil at the request of the United States in an operation that resulted in the arrest of the group’s members. The announcement was made even as the attacks on the Ukrainian websites were underway.
A senior administration official notably stopped short of confirming that the arrests were made at the administration’s request. The official did say they were the product of the “President’s commitment to diplomacy and the channel that he established and the work that has been underway in sharing information and in discussing the need for Russia to take action.”
January 15: Microsoft reveals discovery of malware on Ukrainian websites
Microsoft observed destructive malware disguised as ransomware in systems belonging to dozens of Ukrainian government agencies and organizations that work closely with the Ukrainian government. Microsoft didn’t specify which agencies and organizations were targeted but said they include organizations that “provide critical executive branch or emergency response functions,” as well as an IT firm that manages websites for public and private sector clients, including government agencies whose websites were recently defaced.
If activated by the attacker, the wiper malware would render the infected computer system inoperable. Microsoft’s Threat Intelligence Center (MSTIC) issued a technical post outlining the malware, saying that while it was designed to look like ransomware, it lacked any ransom recovery mechanism: its purpose was to render targeted devices inoperable, not to obtain a ransom.
MSTIC found no notable associations between the observed activity, tracked as DEV-0586, and other known activity groups. Microsoft has implemented protections to detect this malware family, known as WhisperGate, via Microsoft Defender Antivirus and Microsoft Defender for Endpoint.
January 16: Ukraine blames Russia for attack on Ukrainian websites
Ukraine’s Ministry of Digital Transformation said that all the evidence pointed to the fact that Russia is behind the defacement attacks on Ukraine’s government websites. “The latest cyberattack is one of the manifestations of Russia’s hybrid war against Ukraine, which has been going on since 2014,” the ministry said.
January 18: Data wiped at Ukrainian government agencies
According to the Ukrainian government and other people familiar with the incident, several Ukrainian government agencies had their data wiped in a cyberattack coordinated with the defacement attacks against government agency websites. The Ukrainian government said that it believed Russia was responsible.
January 23: DHS issues bulletin for critical infrastructure operators
The Department of Homeland Security sent an intelligence bulletin to critical infrastructure operators and state and local governments warning that Russia would consider conducting a cyberattack on the U.S. homeland if Moscow perceived that a U.S. or NATO response to a potential Russian invasion of Ukraine “threatened [Russia’s] long-term national security.”
February 15: Ukraine’s defense ministry hit by DDoS attack
Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) confirmed that a distributed denial of service (DDoS) attack hit the websites of Ukraine’s defense ministry and armed forces, as well as the websites of two Ukrainian banks.
February 15: Declassified intelligence reveals Russian presence in critical Ukrainian networks
Newly declassified intelligence showed that Russian government hackers likely penetrated Ukrainian military, energy, and other critical computer networks to collect intelligence and position themselves potentially to disrupt those systems should Russia launch a military assault on Ukraine.
February 16: U.S. agencies issue joint Cybersecurity Advisory
CISA, along with the FBI and the NSA, issued a joint Cybersecurity Advisory titled, “Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology.” CISA said that compromised entities have included cleared defense contractors (CDCs) supporting the U.S. Army, U.S. Air Force, U.S. Navy, U.S. Space Force, and Intelligence Community programs over the last two years.
February 18: CISA releases guidance regarding the Russia-Ukraine conflict
In the face of ongoing Russia-Ukraine geopolitical tensions, CISA released a new CISA Insight, Preparing for and Mitigating Foreign Influence Operations Targeting Critical Infrastructure, which provides critical infrastructure owners and operators with guidance on how to identify and mitigate the risks of influence operations that use mis-, dis-, and malinformation (MDM) narratives.
February 18: U.S. attributes February DDoS attack to Russia’s GRU
In an unprecedentedly fast development, the U.S. publicly attributed the February DDoS attacks against Ukraine’s defense ministry and major banks to Russian GRU military intelligence officers. The attribution came only days after the attacks, whereas public attribution usually takes months or even years. The Biden administration’s deputy national security adviser for cyber and emerging technologies, Anne Neuberger, announced the attribution at a White House press briefing, saying that the U.S. moved swiftly to “call out the behavior” in the hope of averting an invasion of Ukraine.
February 22: FBI warns U.S. businesses of potential for ransomware attacks
In a phone call with private executives and state and local officials, senior FBI cyber official David Ring asked U.S. businesses and local governments to be mindful of the potential for ransomware attacks as the crisis between the Kremlin and Ukraine deepened.
February 23: New form of destructive malware discovered in Ukrainian networks
Researchers from ESET and Symantec reported that a new form of destructive malware called HermeticWiper, which can delete or corrupt data on a targeted computer or network, had been seen spreading in Ukraine. Symantec also said that the wiper had been detected in Latvia, Lithuania and Ukraine and that targets included financial organizations and government contractors.
February 23: Ukrainian banking and government websites hit by DDoS attack
A second round of DDoS attacks took down Ukrainian government and banking websites. Mykhailo Fedorov, Ukraine’s digital transformation minister, confirmed that a sizeable DDoS attack affected the stability of several government websites, some Ukrainian banks, and websites related to Ukraine’s parliament.
February 24: President Biden warns of risks to U.S. businesses, critical infrastructure
President Biden said during remarks on Russia’s invasion of Ukraine that “If Russia pursues cyberattacks against our companies, our critical infrastructure, we are prepared to respond.” Biden added that “For months, we’ve been working closely with the private sector to harden our cyber defenses, sharpen our ability to respond to Russian cyberattacks as well.”
February 24: Russian websites, critical information infrastructure hit by cyberattacks
The Russian government’s National Computer Incident Response and Coordination Center warned of “the threat of an increase in the intensity of computer attacks on Russian information resources, including critical information infrastructure (CII).” The warning follows numerous reports of outages on official Russian government websites, including the website of the Kremlin itself.