The extensive use of cyber and information operations in the ongoing Ukraine-Russia conflict was highlighted by threat intelligence experts during a virtual session organized by Recorded Future.
Opening the session, Christopher Ahlberg, co-founder and CEO of Recorded Future, explained that the Russian invasion of Ukraine represents a new type of warfare, which has been “converted into geopolitical and kinetic, cyber and information operations.”
Other notable aspects of the conflict are that “it is unfolding in front of us on social media” via platforms like Twitter and TikTok, and the “sheer volume of data” coming out.
Craig Terron, global issues team, Insikt Group, part of Recorded Future, provided an overview of the conflict to date. Essentially, the Russian advance has been slower than anticipated, so far failing to capture a city, achieve air superiority and suffering significant losses. This appears to have led to a change in approach by the Russian military, adopting “siege warfare tactics.”
Cyber-attacks have already played a significant role in the conflict, both before and since the invasion. In the build-up to the invasion, Terron said Insikt observed many attacks that were “aligned with Russia’s strategic objectives.” These involved “undermining the Ukrainian government, intimidating and demoralizing the Ukrainian population, causing confusion and disrupting the everyday lives of Ukrainian citizens.”
The principal methods utilized by Russian state-sponsored and nexus threat groups were DDoS attacks, malware, website defacements and fraudulent messaging. Additionally, Terron noted a significant uptick in dark web adverts related to Ukraine in the past three months; for example, the sale of data related to the Ukrainian Ministry of Foreign Affairs.
These attacks, which primarily targeted government and critical sectors, such as banking, were highly coordinated. Terron highlighted a simultaneous DDoS and wiper malware attack last week, the day before the invasion began. Based on the timing, “Insikt group assesses that it is likely the attacks were conducted by a Russian state-sponsored or state nexus threat group.” He added that there is evidence the Wiper malware was installed on hundreds of devices in Ukraine in November/December.
Terron also discussed the role of the threat group UNC1151, which is believed to be linked to the Belarusian government, an ally of Russia. This included mass phishing attacks targeting Ukrainian military personnel and related individuals, most likely in a bid to discredit and undermine Ukraine.
Since the invasion started, Terron said a number of cyber-criminal groups have chosen sides. For example, “the Conti ransomware group announced on their ransomware extortion website that they would support all actions of the Russian government during the invasion of Ukraine, would put in all efforts to resist any cyber-attacks against Russia and would target the critical infrastructure of Russia’s enemies in retaliation for any attacks against Russia.” Notably, a vast trove of its internal chat data was leaked by a Ukrainian researcher following this pronouncement.
On the other side, the hacktivist group Anonymous declared “cyber war” against Vladimir Putin’s government following the Russian invasion of Ukraine and appeared to successfully take down several Russian state websites. Terron noted that in response, “Russian government websites have since put in place mitigations against DDoS attacks, including only being accessible to users within Russia.”
“Offensive Russian cyber activity has failed to achieve information superiority”
Overall, “offensive Russian cyber activity has failed to achieve information superiority,” according to Terron, observing that “news has continued flowing, open-source researchers and intelligence analysts have continued monitoring Russia’s invasion, and the Ukrainian government has still been able to communicate with its citizens and the world, including through social media.”
Nevertheless, he expects Russian state-sponsored groups will continue to conduct cyber activities as the conflict expands, including influence operations “to undermine and discredit the Ukrainian government and military.”
Terron also believes there is an “even chance” Western organizations will be targeted in retaliation for the West’s support of Ukraine and sanctions imposed on Russia. However, currently, both sides are trying to disincentivize one another from conducting cyber-attacks on one another, with Western nations warning Russia of their own offensive cyber capabilities. “Russian and Western governments are in a stand-off, waiting to see who will conduct a cyber-attack first, with cyber-criminal groups offering Russia a potential method of retaliation against the West,” commented Terron.
In the next part of the virtual session, Brian Liston, global issues team Insikt Group, discussed the information/influence operations taking place during the conflict. From the Russian side, this is “looking to create a narrative that this is a conflict of necessity and not a conflict of choice.”
In the weeks before the invasion, this message was being promoted to positively shape internal and external audience perceptions towards a Russian offensive against Ukraine, including via intelligence assets inside Ukraine.
This messaging has taken on a range of themes. This included framing Russia as a defensive protector and “putting Ukraine, NATO and the US as the aggressors.” Russian media also claimed Russian minorities in Ukraine were subject to human rights violations and labeled “Ukrainians and government collectively as fascists and neo-Nazis.”
Since the invasion started, “Russian sources continue to blame the West for its necessity to intervene and its continued supply of lethal weapons, sanctions and other forms of response as an aggressive retaliation.”
In addition, Liston observed a significant falsification of events on the ground. A prominent example was a fake telegram from Ukrainian President Zelensky telling his soldiers to lay down their arms and stop resisting Russian troops. He added that “we do know that Russia is heavily underreporting its losses, at least to the Russian public.”
He acknowledged that it is highly likely Ukrainian sources are underestimating their own losses in the conflict.
There have also been several instances of deepfakes being created in respect of the conflict. This includes an instance of Vladimir Putin’s face being programmed onto the body of a Hitler Youth figure.
Going forward, Liston expects continued Russian influence operations that “look to generate panic among Ukrainians, potentially in an attempt to coerce a change in government.”
Looking further ahead, beyond the end of the current conflict, “we anticipate that Russia will look to interfere in the domestic and political affairs of NATO and EU countries, both in retaliation for the West’s response to the invasion and then with the broader hope of promoting political leaders and government coalitions that they believe are likely to restore improved relations and sanctions.”