Vladimir Putin’s cyberwar in Ukraine hasn’t been successful since Ukraine’s 2016 hybrid war: Analysis of Russian cyber attacks on Ukrainian critical infrastructure
It’s clear that Vladimir Putin’s cyberwar in the country turned out to be an indicator of a different kind: it showed how Russia would carry out its physical attacks on Ukraine, at a much higher human cost. In the 2022 war, just as in that earlier digital blitz, Russia’s real playbook has proven to be one of ruthless bombardment of civilian critical infrastructure, with no tactical intention other than to project its power and inflict pain hundreds of miles past the war’s front lines.
But officials tell CNN that Ukraine deserves a lot of credit for its improved cyber defenses. In April, Kyiv claimed to thwart a hacking attempt on power substations by the same group of Russian military hackers that caused blackouts in Ukraine in 2015 and 2016.
But experts who spoke to CNN suggest there is likely more to the question of why Russia’s cyberattacks haven’t made a more visible impact on the battlefield.
The senior US official said that Putin was going for a big, showy public response to the attack on the bridge, because a cyber operation takes many months to plan.
The effects of Russia’s devastating cyberattacks against its neighbor have been overlooked amid the terrible physical toll on the country. The cyberwar that has raged between Ukraine and Russia for the past year is the most active digital conflict in history. Nowhere on the planet has ever been targeted with more specimens of data-destroying code in a single year.
Four officials from the State Service of Special Communications and Information Protection (SSSCIP), one of the main cyber and communications agencies in the country, were killed in a missile strike. The four officials did not have cybersecurity responsibilities, but their loss has weighed heavily on cybersecurity officials at the agency during another grim month of war.
The Western official said that there was no way that Russia could measure success in cyberspace by a single attack.
In 2017, as Russia’s hybrid war in eastern Ukraine continued, Russia’s military intelligence agency unleashed destructive malware known as NotPetya that wiped computer systems at companies across Ukraine before spreading around the world, according to the Justice Department and private investigators. The incident cost the global economy billions of dollars.
That operation involved identifying widely used Ukrainian software, infiltrating it and injecting malicious code to weaponize it, said Matt Olney, director of threat intelligence and interdiction at Talos, Cisco’s threat intelligence unit.
“All of that was just as astonishingly effective as the end product was,” said Olney, who has had a team in Ukraine responding to cyber incidents for years. Such an operation takes a lot of time, and it can be hard to come up with new ideas.
How Russian hackers working for the FSB are using other criminals’ malicious code: a case study on Turla
Zhora, the deputy chairman of the SSSCIP, called on Western governments to impose harsher sanctions on Russia to cut off its access to software tools that could feed its hacking arsenal.
Zhora told CNN that Western governments should not discard the possibility that Russia is working on some high-complexity attacks. It is very unlikely that Russian military hackers are out of business.
Tanel Sepp, Estonia’s ambassador-at-large for cyber affairs, told CNN that it’s possible the Russians could turn to a “new wave” of stepped up cyberattacks as their battlefield struggles continue.
Sepp said Estonia’s main goal is to push Russia off the international stage, and that Estonia has not communicated with Russia on cybersecurity issues in months.
Today, cybersecurity firm Mandiant revealed that it has found an incident in which, it says, Turla’s hackers (widely believed to work in the service of Russia’s FSB intelligence agency) gained access to victim networks by registering the expired domains of nearly decade-old cybercriminal malware that spread via infected USB drives. Turla took control of the malware’s command-and-control infrastructure in order to identify victims worth targeting for espionage.
The timing of attacks for groups we think are based out of Russia and everywhere else was compared using the data. Our model looked at the number of attacks on a daily basis, and it shows that there is an increase in attacks in the months leading up to an election.
The data set was culled from dark-web sites where ransomware groups name and shame their victims. Nershi and fellow researcher Shelby Grossman, a scholar at the Stanford Internet Observatory, focused on popular so-called “double extortion” attacks, in which hackers breach a target network and exfiltrate data before planting ransomware to encrypt systems. The attackers then demand a ransom not only for the decryption key but also to keep the stolen data secret instead of selling it. Although the data collection was thorough and the groups usually have an interest in publicizing their attacks, the researchers acknowledge they weren’t able to capture every single double-extortion incident.
The re-emergence of hacktivism has been large in scale. Dozens of hacktivist groups on both sides of the conflict have arisen since Russia’s full-scale invasion of Ukraine. This new wave of hacktivism, which varies between groups and countries, comes with new tactics and approaches and, increasingly, is blurring the lines between hacktivism and government-sponsored attacks.
Hacktivism had been withering for a while, according to Guerrero-Saade, principal threat researcher at the security firm. For the past four or five years, he says, hacktivism existed at two extremes: low-level disruptions on one end and, on the other, more sophisticated attacks that could serve as cover for a nation-state’s hacking. “You have so many more players in the space and a much beefier middle ground between those two extremes,” Guerrero-Saade says of the current situation.
On the other side of the conflict are pro-Russian hacktivist groups, among them NoName, From Russia with Love and XakNet. Killnet is probably the most active of these groups, Shykevich says. It has hit around 650 targets since April, only 5 percent of them in Ukraine; the remainder were mostly in countries that oppose Russia, with the European Parliament among its targets. The group makes a lot of noise on Telegram and appeals to Russian speakers.
DDoS attacks still have an outsize place within modern hacktivism. The FBI’s notification in November said that such attacks have minimal impact on their victims. “Hacktivists often select targets perceived to have a greater perceived impact rather than an actual disruption of operations,” the FBI said. In other words: the bark is often worse than the bite.
“It’s like the central nervous system of the human body: If you mess with it, you put all sorts of systems out of whack,” says Rajan Menon, a director of the Defense Priorities think tank who recently returned from a trip to the Ukrainian capital, speaking about Russia’s power grid attacks. The attacks are not only an inconvenience but an economic cost as well, and an effort to show that the government isn’t able to protect civilians adequately.
Turla and Andromeda: How Russian hackers are piggybacking on other people’s activities
The hijacking technique lets Turla stay undetected, hidden in other hackers’ footprints, while combing through a vast number of networks. It also shows how the Russian group’s methods have evolved and become far more sophisticated over the past decade and a half, says John Hultquist, who leads intelligence analysis at Mandiant. “Turla can leverage software that has already been downloaded. Rather than use their own USB tools like agent.btz, they can sit on someone else’s,” Hultquist says. “They are piggybacking on other people’s activities. It’s a really clever way of doing business.”
Andromeda is a relatively common banking trojan that cybercriminals have used to steal victims’ credentials since as early as 2013. But on one of the infected machines, Mandiant’s analysts saw that the Andromeda sample had quietly downloaded two other, more interesting pieces of malware. One of them, called Quietcanary, had only ever been used by Turla in the past. “That was a red flag for us,” says Mandiant threat intelligence analyst Gabby Roncone.
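The takeover described above (an espionage group re-registering the lapsed C2 domains of an old, commodity malware family) has a defensive corollary: a "dead" indicator from years-old threat intel can come back to life under a new owner. The following is an added illustration, not Mandiant's tooling or anything from the report; it assumes a defender keeps an inventory of legacy C2 domains per malware family and can look up each domain's current registration creation date (for example from WHOIS or a passive-DNS feed). All records below are constructed, use the reserved `.test` TLD, and stand in for real data.

```python
"""Triage legacy malware C2 domains for signs of re-registration.

Added example (not the article's or Mandiant's code). Assumptions:
- `original_created` is the registration date recorded when the malware
  family was active (from the threat-intel record).
- `current_created` is the creation date in the domain's registration data
  today, or None if the domain is currently unregistered.
A domain whose current creation date is later than its original one has
lapsed and been re-registered, so it may now serve a different actor and
should be treated as live rather than stale.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LegacyC2:
    domain: str
    family: str
    original_created: date
    current_created: Optional[date]


# Status labels returned by the triage.
REREGISTERED = "REREGISTERED"        # lapsed and registered again: treat as active
STILL_REGISTERED = "STILL_REGISTERED"  # same registration as in the old record
UNREGISTERED = "UNREGISTERED"        # currently free: candidate for sinkholing


def classify(rec: LegacyC2) -> str:
    """Return one of the three status labels for a single record."""
    if rec.current_created is None:
        return UNREGISTERED
    # A registration that started after the recorded one means the name
    # expired in between and somebody picked it up again.
    if rec.current_created > rec.original_created:
        return REREGISTERED
    return STILL_REGISTERED


def triage(records: List[LegacyC2]) -> Dict[str, str]:
    """Map every domain in the inventory to its status label."""
    return {rec.domain: classify(rec) for rec in records}


def domains_to_alert(records: List[LegacyC2]) -> List[str]:
    """Domains whose traffic should raise a high-priority alert: anything
    re-registered since the family went dormant is no longer 'old news'."""
    return sorted(rec.domain for rec in records
                  if classify(rec) == REREGISTERED)


def sinkhole_candidates(records: List[LegacyC2]) -> List[str]:
    """Unregistered legacy C2 names a defender could register pre-emptively."""
    return sorted(rec.domain for rec in records
                  if classify(rec) == UNREGISTERED)


# Constructed sample inventory (hypothetical names, not real indicators).
SAMPLE_INVENTORY = [
    # Registered in 2013 with the family, expired, re-registered in 2022.
    LegacyC2("old-dropper-c2.test", "Andromeda",
             date(2013, 3, 1), date(2022, 1, 15)),
    # Registration never lapsed: the original record still matches.
    LegacyC2("stale-but-held.test", "Andromeda",
             date(2013, 5, 20), date(2013, 5, 20)),
    # Currently unregistered: nobody owns it today.
    LegacyC2("lapsed-and-free.test", "Andromeda",
             date(2014, 8, 2), None),
]


if __name__ == "__main__":
    for domain, status in triage(SAMPLE_INVENTORY).items():
        print(f"{domain:24} {status}")
    print("alert on:", domains_to_alert(SAMPLE_INVENTORY))
    print("sinkhole:", sinkhole_candidates(SAMPLE_INVENTORY))
```

The point of the check is the policy change it drives: an inventory entry marked `REREGISTERED` should be moved back into active blocklists and detection rules, since the beacon traffic from a still-infected host now reaches whoever holds the name today. In a real deployment the `current_created` field would be refreshed on a schedule from a registration-data source rather than hard-coded.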
Fortinet has also found that the growing volume of wiper malware specimens hitting Ukraine may in fact be creating a more global proliferation problem. Researchers at Fortinet say their security tools have observed other hackers reusing samples of that software to attack targets in 25 countries around the world. Once a wiper is developed, anyone can pick it up and use it.