Cyberattacks as a means of war
Sophos, Cyber Threat, Cyberattacks
In view of the deployment of Russian troops on the border with Ukraine and the distributed denial of service (DDoS) attacks that sporadically disrupt Ukrainian government websites and financial services, there is a lot of talk about being prepared for cyber-conflict, whether or not there is an actual war. All businesses should always be prepared for attacks from all directions, but it can be helpful to know what to look for when the risk of attack increases. I have chosen to provide a history of the Russian state's known or suspected activities in the cyber environment, to assess what types of activities to expect, and to outline how organisations can prepare for them.
Destabilising denial-of-service attacks
The earliest known activity dates back to 26 April 2007, when the Estonian government moved a statue commemorating Estonia's liberation from the Nazis by the Soviet Union away from a prominent location. This action enraged Estonia's Russian-speaking population and destabilised relations with Moscow. Shortly afterwards there were riots in the streets, protests in front of the Estonian embassy in Moscow, and a wave of DDoS attacks on Estonian government and financial services websites. Fully prepared tools and instructions on how to participate in the DDoS attacks appeared in Russian forums almost immediately after the statue was moved. These attacks were directed against the websites of the president, parliament, police, political parties and major media outlets.
Although other "Russian patriots" were called upon to help in the attacks on Estonia, this was hardly a grassroots movement that came out of nowhere with tools and a list of targets. The same tactic was later used by Anonymous in defence of Wikileaks, using a tool called the Low Orbit Ion Cannon (LOIC). On 4 May 2007, the attacks intensified and additionally targeted banks. Exactly seven days later, at midnight, the attacks ended as abruptly as they had begun. Everyone immediately blamed Russia, but it is nearly impossible to attribute distributed denial-of-service attacks. It is now widely believed that these DDoS attacks were the work of the Russian Business Network (RBN), a notorious organised crime group in Russia with links to spamming, botnets and pharmaceutical affiliate programmes. Their services were apparently "engaged" for exactly one week to carry out these attacks.
On 19 July 2008, a new wave of DDoS attacks began, targeting news and government websites in Georgia. These attacks mysteriously intensified dramatically on 8 August 2008, when Russian troops invaded the separatist province of South Ossetia. The attacks were initially directed against Georgian news and government sites, and later against financial institutions, businesses, educational institutions, western media and a Georgian hacking website. As in Estonia, a website appeared with a list of targets and a set of tools with instructions on how to use them. Again, there was an attempt to attribute the attacks to "patriots" resisting Georgian aggression. But the bulk of the traffic came from a known large botnet believed to be controlled by RBN.
Digital defacement and spam
The attacks on Georgia also included website defacement and massive spam campaigns to clog up Georgian inboxes. All of this apparently served to impair Georgia's ability to defend and govern itself, and to prevent the government from communicating effectively with its citizens and the outside world. Less than a year later, in January 2009, another series of DDoS attacks began in Kyrgyzstan. This happened at the same time that the Kyrgyz government was deciding whether to renew the lease for a US airbase in the country. A coincidence? It looked as if the action was again carried out by the RBN, but this time without the ruse of "patriots" expressing their digital opinion.
Disinformation and isolation
This brings us to the most recent kinetic conflict, the Crimea conflict of 2014. Since 2009, a low-level information war has been waged against Ukraine, with many attacks coinciding with events that could be interpreted as a threat to Russian interests, such as a NATO summit and negotiations between Ukraine and the EU on an association agreement. In 2014, the New York Times reported that the malicious software "Snake" had penetrated the office of the Ukrainian prime minister and several remote embassies when anti-government protests began in Ukraine. Towards the end of 2013 and in early 2014, ESET also published research documenting attacks on military targets and media outlets, referred to as "Operation Potao Express". As before, a homegrown cyber group called "Cyber Berkut" carried out DDoS attacks and web defacements without causing any major damage. It did, however, cause great confusion, and that alone has an impact in times of conflict.
At the beginning of the conflict, soldiers without insignia took over Crimea's telecommunications networks and the only internet hub in the region, causing an information blackout. The attackers abused their access to the network to identify anti-Russian protesters and send them SMS messages saying: "Dear subscriber, you are registered as a participant in a mass riot." After isolating Crimea's communications capability, the attackers also tampered with the mobile phones of members of the Ukrainian parliament and prevented them from responding effectively to the invasion. As Military Cyber Affairs noted, disinformation campaigns were in full swing: "In one case, Russia paid a single person to have several different web identities. One actor in St. Petersburg stated that he acted as three different bloggers with ten blogs, while also commenting on other websites. Another person was employed to comment on news and social media 126 times every 12 hours."
Crippling electricity
On 23 December 2015, electricity was abruptly cut off to about half of the residents of Ivano-Frankivsk (Ukraine). It is generally accepted that this was the work of state-backed Russian hackers. The first attacks began more than six months before the blackout, when employees at three power distribution centres opened an infected Microsoft Office document containing a macro that installed malware called BlackEnergy. The attackers then managed to obtain remote access credentials for the Supervisory Control and Data Acquisition (SCADA) network and take control of the substation controls to open the circuit breakers. They then interfered with the remote controls to prevent the breakers from being closed to restore power. In addition, the attackers used a "wiper" to destroy the computers used to control the network, and at the same time carried out a telephone denial-of-service (TDoS) attack by flooding the customer service numbers, frustrating customers who tried to report the outages.
Almost a year later, on 17 December 2016, the lights went out again in Kiev. A coincidence? Probably not. This time the malware responsible was called Industroyer/CrashOverride and was far more sophisticated. The malware was equipped with modular components that could scan the network to find SCADA controllers and could speak their language. It also had a wiper component to wipe the system. The attack did not appear to involve either BlackEnergy or the well-known wiper tool KillDisk, but there was no doubt who was behind it.
Email disclosure
In June 2016, during the close presidential election campaign between Hillary Clinton and Donald Trump, a new figure named Guccifer 2.0 came on the scene, who claimed to have hacked the Democratic National Committee and leaked its emails to Wikileaks. Although this was not officially attributed to Russia, it surfaced along with other disinformation campaigns during the 2016 election, and it is widely believed that the Kremlin was behind it.
Supply chain attacks: NotPetya
Russia's persistent attacks on Ukraine were not yet over, and on 27 June 2017 they compounded the situation by launching a new malware called NotPetya. NotPetya was disguised as a new ransomware and was distributed via the hacked supply chain of a Ukrainian accounting software provider. In fact, however, it was not ransomware at all. It did encrypt a computer, but the data could not be decrypted, effectively wiping the device and rendering it unusable. The victims were not limited to Ukrainian companies. The malware spread worldwide within hours, primarily affecting organisations operating in Ukraine, where the booby-trapped accounting software was used. NotPetya is estimated to have caused at least US$10 billion in damage worldwide.
Under a false flag
As the PyeongChang Winter Olympics opened on 9 February 2018, another attack was under way that had the world on tenterhooks. The malware attack knocked out all domain controllers across the network and prevented everything from the Wi-Fi to the ticket counters from functioning properly. Miraculously, the IT team managed to isolate the network, restore it and remove the malware from the systems, so that by the next morning everything was working again without a single error. Then it was time to run a malware analysis to find out who had tried to attack and cripple the entire Olympic network. Attributing malware is difficult, but there were some clues that could be helpful, or that were false leads intended to point to an uninvolved third party. The "evidence" seemed to point to North Korea and China, but it was almost too obvious to blame North Korea. In the end, Kaspersky Lab's Igor Soumenkov, with brilliant detective work, found a hot lead that pointed directly to Moscow.
A few years later, just before the holidays at the end of 2020, a supply chain attack was revealed that targeted the SolarWinds Orion software, which is used to manage the network infrastructure of large and medium-sized enterprises around the world, including many US federal agencies. The software's update mechanism was hijacked and used to install a backdoor. The prominence of the victims, combined with the access provided by the surreptitiously installed backdoor, makes this attack potentially one of the largest and most damaging cyber espionage attacks in modern history. The U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued a joint statement saying that their investigations indicate that: "...an Advanced Persistent Threat actor, likely of Russian origin, is responsible for most or all of the recently discovered, ongoing cyberattacks against government and non-government networks. At this point in time we assume that this is, and will continue to be, an intelligence operation."
Russian cyber conflict in 2022
In 2022, cyber-political tensions are again on the rise and on the verge of breaking out. On 13 and 14 January 2022, numerous Ukrainian government websites were defaced and systems were infected with malware disguised as ransomware. Several components of these attacks are reminiscent of the past. The malware was not ransomware, but merely a sophisticated wiper, as was also used in the NotPetya attacks. In addition, many false trails were left behind, suggesting that it could be the work of Ukrainian dissidents or Polish partisans. Distracting, confusing, denying and trying to divide now seems to be the standard. On Tuesday, 15 February 2022, a series of DDoS attacks was launched against Ukrainian government and military websites, as well as three of Ukraine's largest banks. In an unprecedented move, the White House has already released some intelligence information and attributed the attacks to the Russian GRU.
The Russian playbook for cyber warfare
What next? Regardless of whether the situation escalates further, cyber operations are certain to continue. Since the fall of Viktor Yanukovych in 2014, Ukraine has been subjected to a constant barrage of attacks, with varying highs and lows. Russia's official "Military Doctrine of the Russian Federation" of 2010 states: "the prior implementation of measures of information warfare in order to achieve political objectives without the use of military force and, subsequently, in the interest of a favourable reaction of the world community to the use of military force." This points to a continuation of previous pre-conflict behaviour and makes DDoS attacks a potential sign of an imminent kinetic response. Information warfare is a way for the Kremlin to try to steer the rest of the world's response to its actions in Ukraine. False leads, false attributions, disrupted communications and the manipulation of social media are all important components of Russia's information warfare concept. They do not need to create permanent cover for activities on the ground or elsewhere, but merely sufficient delay, confusion and contradiction to allow other concurrent operations to achieve their objectives.
Prepare and protect
Interestingly, the United States and the United Kingdom are trying to pre-empt some of the misinformation campaigns, which could limit their effectiveness. However, we should not assume that the attackers will stop trying, so we must remain prepared and vigilant.
For example, organisations in countries neighbouring Ukraine should be prepared to be drawn into online attacks, even if they do not operate directly in Ukraine. Earlier attacks and misinformation have spilled over into Estonia, Poland and other neighbouring states, even if only as collateral damage. From a global perspective, we should expect that a number of "patriotic" freelancers in Russia, i.e. ransomware criminals, phish authors and botnet operators, will act with even greater zeal than usual against targets perceived to be against the motherland. It is unlikely that Russia will directly attack NATO members and risk the invocation of Article V. Russia's recent gestures to curb criminals in the Russian Federation and its partners in the Commonwealth of Independent States (CIS), however, are likely to come to an end, and instead the threats will multiply.
While defence in depth should be the most normal thing in the world, it is especially important when we are facing an increase in the frequency and severity of attacks. The misinformation and propaganda will soon reach a peak, but we must be on our guard, batten down the hatches and monitor our networks for anything out of the ordinary as the cycles of conflict subside, even if they end soon. Because as we all know, it can take months before evidence of a digital intrusion related to the Russian-Ukrainian conflict emerges.
Original blog post by Jörg Schindler - Senior PR Manager at Sophos