Russian cyberattacks in Ukraine, a Microsoft study

Russia-linked hackers have launched hundreds of cyberattacks in Ukraine, Microsoft says

The war with Russia is now being fought on all fronts, including information security.

At least six hacker groups linked to the Russian government have made hundreds of attempts at cyberattacks in Ukraine following Russia’s invasion in February, including dozens aimed at destroying computer systems, according to new research by Microsoft Corp.

According to Microsoft, Moscow’s hacker activity represents ongoing attempts at disruptive and destructive operations, often tactically aligned with Russian military maneuvers in addition to traditional cyber espionage. While many attacks have been successful, Ukraine’s cyber defenses have repelled many others, and the country has so far largely avoided large-scale or nationwide cyber disruptions that Western officials feared at the beginning of the war.

“The attacks not only degraded institutional systems in Ukraine, but were also aimed at denying people access to reliable information and essential services, as well as attempting to undermine trust in the country’s leadership,” said Tom Burt, Microsoft’s vice president for security and customer trust.

During a briefing with journalists on Wednesday, Viktor Zhora, Deputy Head of Ukraine’s State Service of Special Communications, said he believes Russia has activated all of its offensive cyber capabilities against Ukraine as the war drags on, and is unlikely to deploy “completely new” or unexpected cyber tools.

Explosion at a TV tower in Kyiv in March. PHOTO: CARLOS BARRIA/REUTERS

“They represent a serious threat. It would be a mistake to underestimate their capabilities,” said Mr. Zhora. “But at the same time… I believe we are quite capable of resisting both in cyber warfare and in war in general.”

According to Burt, Russia-backed hackers had also been “preparing for conflict” as early as March 2021, apparently in hopes of gaining broader access to Ukrainian networks that could be used during the war. By mid-2021, some hackers targeted supply chain providers in Ukraine and other countries, “to ensure further access not only to systems in Ukraine, but also in NATO member states,” Burt said, referring to the North Atlantic Treaty Organization. Supply chain providers are companies that sell software or other products widely used by other companies, making them convenient targets for hackers.

The Russian embassy in Washington did not immediately respond to a request for comment. Moscow regularly denies accusations of cyberattacks against other countries and says it has itself recently been a victim of cyberattacks carried out by Western powers.

Microsoft’s new findings largely confirm what cybersecurity experts, major tech companies, and Western intelligence officials have observed so far: while large-scale attacks have been blocked or disrupted, Russian hackers have been highly active in the war, focusing much of their efforts on more limited tactical operations in support of their military.

Some attacks were crude and amounted to simple nuisances, slowing internet services for some Ukrainians or shutting them down entirely, defacing websites, and destroying files on a small number of computers. Others did more than just keep Ukrainian cyber defenders busy. More recently, as Russia’s strategic focus shifted to eastern Ukraine, new and more concerning attacks on Ukraine’s energy sector have been observed.

Hackers have targeted the Ukrainian government and critical infrastructure since the beginning of the war, but over the past three weeks researchers from Cisco Systems Inc. have observed a gradual increase in sophisticated attacks from more experienced hackers, said Matt Olney, Cisco’s director of threat analysis. “It used to be something like an elephant in a china shop,” he said. “Now it’s more like a sophisticated art theft.”

In some cases, Russian cyberattacks appeared “closely linked and sometimes directly timed with active military operations,” Burt said. He cited an example of cyberattacks on the major broadcaster Ukrtelecom on March 1, the same day Russian forces struck a TV tower in Kyiv with a missile. Another example: in mid-March, a separate Russian hacker group stole data from a nuclear safety organization weeks after Russia seized nuclear power plants, Microsoft reported.

Attempts to hybridize the war have also been observed in the disinformation space. According to Microsoft, as Mariupol was under prolonged siege by Russian forces, some Ukrainians received an email from a Russian hacking group impersonating a city resident, blaming the Ukrainian government for abandoning its citizens.

Unlike Zhora’s confidence in the Ukrainian government, U.S. and Western intelligence officials say they believe Russia has the capability and resources to carry out far more destructive cyberattacks against Ukraine than what has been seen so far. Some say Russia’s initial miscalculation that Kyiv would fall within days contributed to early restraint in cyberattacks on critical infrastructure that could severely disrupt daily life in Ukraine.

Microsoft said it has observed around 40 destructive cyberattacks in Ukraine across hundreds of systems. Of these, about a third directly targeted Ukrainian government agencies at the national, regional, and city levels, while more than 40% targeted critical infrastructure sectors that could have indirect effects on government, military, economy, and population.

© Infotel Group 2004 - 2026.
All rights reserved.