Mandiant: Russia has relentlessly launched cyber attacks against Ukraine

The ongoing conflict between Ukraine and Russia has transformed the cyber threat landscape, as state-sponsored hacking groups have become increasingly aggressive in their tactics and targeting. Google’s Threat Analysis Group, in conjunction with Mandiant, has released a report finding that Russian government-backed attackers have engaged in aggressive, multi-step attacks to gain a decisive advantage in cyberspace against Ukraine and its allies, often with mixed results.

Russia cyberattacks against Ukraine go back years

The report describes several key incidents in the conflict, including the 2015 attack on Ukraine’s power grid, which was carried out by a group known as Sandworm, believed to have ties to the Russian government. The attack caused widespread power outages, leaving over 200,000 people without electricity for several hours. This incident demonstrated the potential of cyberattacks to cause physical damage and highlighted the importance of protecting critical infrastructure from such attacks.

Since then, state-sponsored hacking groups have continued to target Ukraine, using increasingly sophisticated tactics. For example, in 2017, the hacking group known as Dragonfly targeted Ukrainian energy companies, using spear-phishing emails to gain access to their networks. This allowed the group to conduct reconnaissance and gather information that could be used in future attacks.

State-sponsored hacking groups have also targeted individuals and organizations that are critical of the government. For example, in 2016, the hacking group known as Fancy Bear targeted the email accounts of several journalists and human rights activists in Ukraine. This allowed the group to monitor their communications and potentially compromise their sources.

The report also highlights the role of social media in the conflict, with state-sponsored groups using fake social media accounts and propaganda to spread misinformation and sow discord. These tactics have been used not only in Ukraine but also in other countries, including the United States.

Russia cyber operations during the 2022 war in Ukraine

Google and Mandiant researchers have identified five phases of the Russian cyber operations during the 2022 war in Ukraine. The time period spans from January to December 2022.

Mandiant researchers have identified five phases of the Russian cyber operations against Ukraine from January - December 2022. (Source: Mandiant / Google)

Mandiant observed initial cyberattacks targeting Ukraine for pre-positioning and espionage purposes ahead of the initial invasion. This is significant, as it shows Russia’s intent to invade and to gather intelligence in anticipation of its full kinetic war efforts. Subsequent phases indicate Russia’s continuous cyber bombardment of Ukrainian targets, its maintenance of a persistent presence on target networks, and future waves of cyberattacks for disruption.

Russia also carried out multiple social media and psychological operations (psyop) campaigns to help shape perception of the war. Google and Mandiant believe Russia has three goals for this public perception operation:

  1. Undermine the Ukrainian government
  2. Fracture international support for Ukraine
  3. Maintain domestic support in Russia for the war

Google states that it works aggressively to counter these social media and internet campaigns by Russia, as they “violate our policies.” Yet, it acknowledges that Russia continues to attempt to circumvent Google policies.

Google and Mandiant conclude the report by stating that they believe Russian government-backed cybercriminals will continue to conduct cyberattacks against Ukraine and NATO partners to further Russian strategic objectives.

It is unclear to Google and Mandiant whether these continued cyberattacks and influence campaigns by Russia will achieve the desired impact, or just further harden opposition against Russia over time.
