Security analysts at Microsoft have been tracking recent Russian cyber attacks and have found a pattern in which the attacks are used to support real-world missile strikes and seizures of facilities, with destructive attacks (such as “wiper” malware) sometimes forming part of the overall strategy.
Targets have included nuclear plants and a television station, along with over 200 other incidents involving espionage that appeared to support Russian military actions.
State-backed actors linked to Russian cyber attacks
The Russian cyber attacks against Ukraine have been conducted by a true “rogues’ gallery” of the country’s state-backed advanced persistent threat groups, including the infamous “Fancy Bear” and “Cozy Bear” groups (called STRONTIUM and NOBELIUM by Microsoft) known for election interference efforts in the United States and the recent SolarWinds attack.
These groups have been operating in Ukraine for over 10 years, as the two countries have remained in some level of conflict throughout that period, but the Microsoft researchers believe that Russian hacking teams were preparing for the current invasion as early as late 2020. The report cites evidence that Russian hacking teams targeted NATO members for espionage purposes as early as July 2020 (with a strong emphasis on the United States), and attempted to attack many organizations in Ukraine in a broad phishing campaign conducted in early 2021.
Less prominent state-backed groups have been linked to Russian cyber attacks in Ukraine, primarily conducting disinformation campaigns but also actively attacking organizations in the country to spy and, in some cases, to wipe their systems with malware. One of these groups appears to have infiltrated a nuclear safety group’s servers several months prior to the start of the invasion, with the apparent goal of securing materials related to planned attacks on nuclear facilities.
Destructive Attacks on TV Station, Nuclear Facility Linked to Russian Ground Campaign
Microsoft researchers have logged 237 Russian cyber attacks of this nature to date, with 40 described as “destructive” rather than some sort of intelligence-gathering effort. One of the biggest destructive attacks accompanied a March 1 missile attack on the television tower of a Ukrainian broadcaster. The capture of a nuclear plant on March 13 is also thought to have been backed by attacks from these state-backed groups.
Prior efforts by the Russians in 2020 and 2021 appear to have been almost exclusively focused on quiet intelligence gathering; the destructive wiper malware made its first appearance in early 2022, as it became more likely that war was going to break out.
Microsoft says that the wiper malware essentially functions as ransomware does in the way it targets systems and encrypts files, but it is designed to permanently “brick” those systems rather than collect a ransom. It says that defenses against ransomware campaigns are also proving effective in stopping these particular Russian cyber attacks.
The Russian activity was most intense in late February to early March, at the outset of the invasion. It has since settled to several cyber attacks per week, with security researchers noting as few as two in some weeks in April.