Microsoft has revealed in a report that at least six separate Russian nation-state actors have launched damaging cyber-attacks against Ukraine since the invasion began earlier this year.
Microsoft researchers have tracked at least 237 cyber operations originating from Russia and stated that these attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and to the critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership.
These attacks are strongly correlated and sometimes directly timed with Russia’s kinetic military operations targeting services and institutions crucial for civilians.
As many as 32% of destructive attacks directly targeted Ukrainian government organizations at the national, regional, and city levels, while more than 40% of attacks were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the Ukrainian government, military, economy, and civilians.
At least six known or suspected Russian cyber threat groups in addition to other unattributed threat actors are engaged in activities that range from reconnaissance and phishing for initial access to pervasive lateral movement, data theft, and data deletion. The multiple phases of their operations suggest these actors are positioning themselves for continued compromises and impact on Ukrainian networks for the duration of this conflict and beyond.
Nation-state groups mentioned in the report include Sandworm, also known as Iridium and linked to the GRU (Russian military intelligence), which Microsoft claims is responsible for the FoxBlade wiper, CaddyWiper, and Industroyer2.
Nobelium, which is thought to be led by Russia’s Foreign Intelligence Service, has been seen using password spraying and phishing attacks against Ukrainian and NATO member diplomatic targets.
Microsoft stated that these attacks used a variety of techniques to gain initial access to their targets including phishing, use of unpatched vulnerabilities, and compromising upstream IT service providers.
The Windows-specific data wiper HermeticWiper, which abuses legitimate drivers from the EaseUS Partition Master software to corrupt data, appeared on hundreds of machines.
Although primarily directed towards Ukraine, the HermeticWiper malware strain has also been detected in the Baltic states of Latvia and Lithuania. Compilation timestamps on the malware indicate that it was built two months before the invasion – evidence that the cyber-attack was premeditated.
“Given Russian threat actors have been mirroring and augmenting military actions, we believe cyber-attacks will continue to escalate as the conflict rages,” Microsoft concluded.
The full report contains more information, including a detailed timeline of individual attacks targeting Ukraine.