The protracted war on Ukraine has been fought on both physical and digital worlds, but after the initial forays last spring, Russian attacks on Ukrainian digital infrastructure have increased lately, according to new reports by three security analyst groups.

Since the Russian invasion last spring, there have been a number of cyberattacks. Google LLC said earlier this year that the Ukrainian government is under near-constant digital attack. “Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace, often with mixed results,” wrote Shane Huntley, senior director of Google’s Threat Analysis Group.

In a conference event this week, White House Deputy National Security Adviser Anne Neuberger was quoted by The Record saying, ““We know Ukraine is currently experiencing a significant surge in cyberattacks in parallel to the kinetic aspects.” She didn’t provide any specifics, however.

To give some idea of context, in a 2023 report, Google’s Mandiant research unit observed more destructive cyberattacks against Ukrainian targets during the first four months of 2022 than in the previous eight years. It separates last year’s attack profile into five phases, with the last quarter’s phase being renewed disruptions.

The European Parliament issued this timeline last June that tracked them going back several years, showing a persistent series of threats including ransomware, installation of spyware, destruction of data on computer hard drives, and attacks on civilian infrastructure such as power stations and the postal service. The adjacent graphic shows just two months’ worth of attacks in 2022, with the European style of day/month shown.

Given that history, it’s no surprise that Russian state-sponsored actors have been tracked launching a new series of attacks. The first one was a set of phishing campaigns targeting high-profile entities in Ukraine, through compromises of users running the Roundcube webmail software.

Recorded Future’s Insikt Group worked with Ukraine’s Computer Emergency Response Team to figure this out and connected the campaigns with malware actors running BlueDelta exploits. They were discovered last year leveraging a zero-day Microsoft Outlook vulnerability. The targets include government and military personnel involved in aircraft industries and used spear-phishing techniques that used very current news articles as their lures to steal a variety of credentials.

Microsoft threat research recently uncovered another Russian state-sponsored effort it calls Cadet Blizzard targeting another group of Ukrainian officials. It claims this is a new threat source that was behind the 2021-22 WhisperGate campaign that deleted master boot records on government computers and conducted espionage and exposed sensitive military and government information.

Microsoft has linked Cadet Blizzard to the Russian GRU military intelligence organization. What makes this malware particularly evil is that it initially appears as a ransom attack before destroying data.

A third research effort comes from Symantec’s Threat Hunter Team examining the threat source it calls Shuckworm. (The name implies that this source is related to the creators of another Russian malware called Sandworm that was active several years ago.) This group also targeted Ukrainian military and government sources and succeeded in running a series of three-month-long network intrusions to steal sensitive information such as planned military strikes and troop movements.

It also used phishing lures with military subject lines, then loaded various malware to take control over the infected computer. Those attacks began in February, in some cases in human resources departments, looking for potential victim names with specific roles.

General William Hartman, who is in charge of a defensive Army cyber force, talks quite openly about their partnership with units in Ukraine and how his teams stopped various Russian malware attacks in this June 20 interview in The Record. They observed in January 2023 dozens of destructive data wiping attacks when working with their Ukrainian partners, again trying to disguise them as ordinary ransomware, “but they had no ability to pay any kind of ransom,” he said. “It was pretty easy to attribute these attacks to Russia.”

Hartman spoke about how the teams found malicious Russian activities and provided advice for counterparts on how to mitigate the threats, “without our adversaries having any idea that we were there,” which was very satisfying. His teams have located more than 6,000 threat indicators over the time they have been in Ukraine.

“Ukrainians have proved very resilient,” he said. “If the defender does the right things, we can build resilient networks even in the face of something like hundreds of Russian cyberattacks.”

Image: Pixabay