Rating Russia's Cyber Warfare Capabilities
Including attack phases and timeline
The Russian invasion of Ukraine was arguably the first war in history to combine the full power of an advanced kinetic and cyber arsenal.
Decades in the making, many experts predicted a new cold war; a world in which even basic needs like food and energy would be subject to the whims of a hostile government halfway around the world. Recent events, such as the SolarWinds and Colonial Pipeline attacks, only seemed to confirm our worst fears.
Yet, countless uncertainties remained:
How effective are Russia's cyber capabilities at achieving military aims?
How effective is cyber warfare in general at supporting kinetic attacks?
Can an effective cyber defense be mounted?
It is only now, over a year into the offensive, that we can begin to address some of these questions.
Preparation Phase: Intelligence and Staging
Back in 2021, when Russian troops began massing near the Ukrainian border, a similar movement was taking place online. NOBELIUM, a Russian actor, launched a number of large-scale phishing attacks against Ukrainian entities, while DEV-0257 (AKA Ghostwriter) targeted Ukrainian military email accounts and networks.
By the middle of 2021, Russian threat actors had infiltrated supply chain vendors in order to secure access and position themselves for future attacks against Ukrainian and NATO targets. A new unit of Russia's military intelligence arm (BRU), DEV-0586, was able to penetrate an IT firm that supported services for Ukraine's Ministry of Defense and organizations across the communications and transportation sectors. As the conflict continued, MSPs would become ground zero for many of Russia's offensive activities.
In addition, NOBELIUM launched further attacks against IT firms servicing NATO governments, often compromising and leveraging user accounts to access foreign policy departments. This is believed to be part of an effort to gather intelligence on NATO's plans, without any inherently destructive intentions.
Within Ukraine, ACTINIUM launched spearphishing campaigns to gain access to Ukrainian foreign military advisors and humanitarian workers while STRONTIUM attacked defense-related organizations.
All in all, ACTINIUM, NOBELIUM, BROMINE, SEABORGIUM, and DEV-0257 sought persistent access to Ukrainian defense, defense industrial base, foreign policy, national and local administration, law enforcement, and humanitarian organizations.
Attack Phase: Exfiltration and Destruction
Once diplomatic efforts appeared doomed to failure, destructive wiper malware attacks were launched against Ukrainian targets with increasing intensity. These attacks began in the run-up to Russia's kinetic invasion and helped clear the way for a full-scale invasion.
One such attack was launched by DEV-0586 which leveraged WhisperGate5 malware to seek out and delete selected file extensions and then manipulate the Master Boot Record (MBR) to render targeted machines inoperable. Although the wiper attacks were moderately successful, impacting a limited number of government and IT sector systems, it is likely that they were intended as more of a warning shot, with the (failed) hopes of eliciting Ukrainian concessions.
Support Phase: Tactical and Military
In addition to pursuing their own objectives, Russia's cyber warfare units also demonstrated their ability to support and enhance kinetic military aims. Below are two examples:
Media Disruption
From the onset of the war, Russian threat actors and troops made it their mission to control and/or disrupt the information and media landscape within Ukraine. In the very first week of the invasion, DesertBlade was launched against a major broadcasting company on the same day that a missile strike took down a TV tower in Kyiv.
According to numerous sources, as soon as Russian troops captured the southern city of Berdyansk, they occupied its TV tower and shut off broadcasting. Russia's focus on controlling, destroying, or disrupting information has remained a key objective throughout the conflict, and has been pursued equally by kinetic and cyber forces.
Energy Targets
TBack in 2021, BROMINE (a Russian government actor) compromised a nuclear safety organization within Ukraine. This began a months-long data exfiltration campaign during which strategic data was stolen for future use. This wasn't long in coming, as Russia seized both the Chernobyl and Zaporizhzhia nuclear power plants (Europe's largest) within two weeks of invading the country. Once again, clear coordination between cyber actors and kinetic troops were successful in achieving key military objectives.
Similar coordinated attacks targeted Ukraine's energy, agriculture, and communications capabilities, causing widespread outages.
Measuring Russia's Cyber Performance
Back in 2015, Ukraine's energy sector was hit with a massive cyberattack that shut off power for hundreds of thousands of consumers. Then, in 2017, a swarm of ransomware attacks blocked access to banking, media, government, and energy platforms.
These attacks, widely attributed to Russian operatives, prompted Ukraine to significantly bolster their cyber capabilities, an investment that has been paying off. Aided by their US and European allies, Ukraine has weathered the worst of Russia's onslaught, and has demonstrated their ability to rapidly transition away from compromised services.
For example, Ukraine successfully intercepted an attack on their electrical grid back in April 0f 2022 and, when communication channels were disrupted, fell back on the thousands of US-supplied emergency communications devices, including satellite phones and data terminals.
Thus far, Russia's cyber warfare has been mostly contained to intelligence gathering, with limited tactical gains. Although Ukraine has experienced a number of widespread electrical outages, these have been primarily due to kinetic strikes against their grid infrastructure rather than cyber attacks. The upshot? While it's important not to underestimate their competitive advantage, it seems clear that the nearly mythical powers attributed to Russia's cyber military units have been somewhat exaggerated.
Fortunately, Russia has shown a degree of restraint and has (at the time of writing) held back from launching the kinds of doomsday destructive attacks that many have feared. However, the longer the war draws on, the scale and impact of Russia's cyber arsenal is likely to grow. We can only hope that a peaceful resolution arrives before it's too late.
Learn more about how Quantum Armor can monitor your network around-the-clock, alerting you to live threats, vulnerabilities, and breaches.
Similar Reads:
How the Dark Web Can Protect Your Company
Does Crypto Need a Cybersecurity Refresh?
Top 10 Challenges Facing CISOs in 2022
About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.