The Ukrainian conflict did not start with an invasion. Patrick O’Connor CISSP, CEH, MBCS explores the many ‘trial runs’ of cyber attacks leading up to the physical war in Ukraine.

On 24th February 2022, armed forces of the Russian state crossed into Ukraine in what Vladimir Vladimirovich Putin described as a ‘special military operation’. Since then, the majority of news coverage has understandably centred on the military conflict and the humanitarian tragedy that has unfolded. However, today any such conflict inevitably includes a cyber component. Russia is acknowledged to be a leader in the use of cyber ‘weapons’, including traditional hacking of systems and networks, large-scale disinformation and social media manipulation.

The most likely uses for such weapons are disruption of government and military operations, disinformation and propaganda, and interference with industrial systems such as power grids and telecommunications. The best cyber weapons and the best infiltrations are, by their nature, difficult to detect. When at war there is no time for careful, forensic analysis of systems. Adaptation is likely to be the first stage in reacting to technical issues: maintaining services and working around or patching broken elements of networks in order to re-enable or replace systems under threat. So, with this in mind, let’s take a look at the various aspects of the cyber conflict that is happening in parallel with the more traditional battles. Some background on previous attacks by Russia on Ukraine’s infrastructure will give us an idea of what type of attacks are likely taking place now. It should be stressed that, although we already know much about the use of cyber in the conflict, the full technical and strategic details will only emerge over time.

Trial run: Ukraine ‘Snake’ attacks 2014

In March 2014 a rootkit called Uroburos was detected and active on Ukrainian Government systems. This became known as the ‘Snake’ campaign in cyber security circles and affected more than just Ukraine. Research revealed that the rootkit may have been active in some systems for many years and parts of what became known as the Snake software toolkit had been detected as long ago as 2005. At that point the average time an adversary could be hidden within an exploited system was counted in years.

Trial run: Ukraine power grid attack 2015

On December 23rd 2015, a Russian group known as Sandworm infiltrated the Ukrainian power grid and caused power outages for around 230,000 consumers. This has become recognised as the first successful real-world attack on a power grid. It could be argued that the Ukrainian grid was particularly susceptible to Russian attack as it still used much of the technology from the Soviet era. The attack followed a familiar pattern, with phishing attacks delivering the BlackEnergy malware. Through this compromise, various Supervisory Control And Data Acquisition (SCADA) systems were seized and used to switch off substations. There were attempts to destroy or disable other components such as uninterruptible power supplies, modems, remote terminals and commutators. Files on associated servers and workstations were destroyed using the KillDisk malware. Denial of service attacks were used to disable call centres, maintaining the confusion for as long as possible.

Trial run: Ukraine artillery targeting exploit 2014-2016

Between 2014 and 2016, the US security company Crowdstrike believes, the Russian group Fancy Bear used Android malware to target the Ukrainian military. Without realising it, the Ukrainian military distributed an infected version of an Android app whose original purpose was to manage targeting data for Howitzer artillery pieces. Crowdstrike estimates that 80% of Ukraine’s D-30 Howitzers were destroyed as a result. The Ukrainian military disputes these claims.

Trial run: Ukraine ransomware attacks 2017

On June 27th 2017, Ukraine was again targeted when sites including banks, Government ministries, newspapers and electricity companies were attacked with a modified version of the Petya malware. While sites in other countries were also infected, around 80% of those affected were in Ukraine.

The source of the infections is believed to have been a Ukrainian accounting package called MeDoc. As part of a routine update on June 27th, malware was downloaded to machines running MeDoc in what is called a ‘supply chain attack’. At the time, it was estimated that this amounted to around one million machines. Petya, like WannaCry, had used the EternalBlue exploit (created by the CIA and published to the world as part of the Shadow Brokers trove of CIA tools on April 14th 2017). This had been patched by Microsoft, and it is believed that the Ukraine attack used a modified version of Petya called NotPetya or Nyetya. NotPetya encrypted all the files on the infected systems and in some cases files were wiped. One notable victim was the radiation monitoring system at the Chernobyl Nuclear Power Plant, which went offline. Attribution of this attack is less clear than for the power grid attack. Wired magazine journalist Andy Greenberg believes that this second attack was also the work of the Sandworm group. He also said that this group had originally been working to undermine Ukraine’s financial system when it stumbled accidentally on the vulnerability in the MeDoc updating software.


There are other cases of interference in national infrastructure from elsewhere in the world, but these examples highlight how Russia seems to have used Ukraine as a testing ground for some of its cyber weapons. If we now fast forward to earlier this year and the start of the Russian aggression towards Ukraine, the CyberPeace Institute has recorded all directed attacks against Ukrainian entities starting on January 13th 2022. At the time of writing there have been 28 separate attacks logged by the CyberPeace Institute since hostilities commenced and nine further attacks this calendar year. Attribution of these attacks may take some time to confirm, but the large majority have already been identified as the work of Russian or Belarusian hacker groups. Perhaps significantly, one attempted intrusion is attributed to a Chinese group (Scarab/UAC-0026), indicating that other parties may be trying to take advantage of the confusion.

Since the conflict is ongoing, many of these reported attacks are not yet clearly understood: neither their tactical purpose, beyond increasing confusion, nor their technical details are yet clear. In most cases, samples will have been quickly examined and compared against databases of known malware rather than individually analysed. It is common for nation state actors to use readily available hacking tools to further frustrate attempts at attribution.

Dangers of public networks

It was widely reported in the first weeks of the conflict that the Russian communications system for their forces was not working. This caused the Russian military to loot electronics shops in Ukrainian towns and cities to get hold of mobile phones and SIM cards to allow their commanders to communicate. Once this became known, the Ukrainian defence forces were able to identify such activity and either intercept calls or geo-locate the caller using tools available on the internet. At least one, and likely more, senior Russian commanders have been ‘taken off the battlefield’ (killed via drone strikes) in this way.

IT army of Ukraine

The IT Army of Ukraine was formed by Mykhailo Fedorov, Deputy Prime Minister of Ukraine and Minister of Digital Transformation, on February 26th via his Twitter account. It uses a Telegram channel to pass on instructions and to list both domain names and IPs of Russian systems that the group wishes to ‘target’. It encourages people from anywhere to help the Ukrainian cause by performing DDoS attacks or other exploits against the listed sites. Western news outlets soon began suggesting that helping the Ukrainians in this way could be unlawful, and it was discouraged. The Anonymous hacking collective also weighed in with a number of website exploits, defacements and data dumps. It could be argued that individuals from around the world randomly hacking Russian sites might interfere with coordinated attacks from Western nation states. No Western state has admitted to any form of cyber operations against Russia since the conflict started, but it is highly likely that at least some activities are ongoing.

Western governments fear an escalation of the Ukraine conflict. Any identifiable use of cyber weapons by the west may well produce such an escalation. It may be that governments are reluctant to use any cyber weapons, preferring to ‘keep their powder dry’. We may never know for sure if any such weapons are deployed.

Social media sites have already been alerted to the so-called Russian trolls that set up fake accounts to spread disinformation. Such techniques hit the headlines during the US elections in 2016, but can nonetheless be hard to police effectively. Once a fake social media account has been created it can begin posting disinformation. Even if the social media platform is quick to spot and remove such accounts, new ones can automatically be generated and more flashes of disinformation appear. It becomes a ‘whack-a-mole’ exercise, during which the disinformation seeps out and is passed on by unwitting real people, gradually gaining authority as it spreads.

As with previous conflicts, the war in Ukraine is providing valuable data for those in the business of war. The conflict will be minutely analysed in all its aspects by militaries and intelligence agencies around the world. While simulations give ever more realistic ways to test weapons and strategies, the real thing provides the best demonstration. Our news broadcasts show us the horrors of the war as never before. It will take time, but over the coming months analysts will also reveal (perhaps not publicly) the effectiveness of the various cyber weapons deployed as well.