Cyberattacks against Ukraine have been used strategically to support ground campaigns, with five state-sponsored advanced persistent threat (APT) groups behind attacks that began in February. According to research published by Microsoft on Wednesday, the APTs involved in the campaigns are state-sponsored by Russia.
Separate reports published this week also shed new light on the wave of cyberattacks against Ukrainian digital assets by APTs with ties to Russia.
Microsoft researchers believe six separate Russia-aligned threat actors carried out 237 cyber operations that resulted in threats to civilian welfare and attempted to carry out dozens of cyberespionage attacks against Ukrainian targets.
Moreover, Russia is believed to be using cyberattacks in a type of “hybrid war”, according to a blog post by Tom Burt, corporate vice president of Customer Security and Trust at Microsoft. That correlates “with its kinetic military operations targeting services and institutions crucial for civilians,” he said.
“The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership,” Burt wrote.
Meanwhile, researchers at the Computer Emergency Response Team of Ukraine (CERT-UA) have been doing analysis of their own on the cyberattacks that have been hampering the country in the lead-up to and during the war. The agency said it recorded 802 cyberattacks in the first quarter of 2022 alone, more than double the number for the same period last year, which was 362.
Carrying out those attacks are primarily five known Russia- or Belarus-sponsored APTs, CERT-UA said. Specifically, those groups are: Armageddon/Gamaredon, UNC1151, Fancy Bear/APT28, AgentTesla/XLoader and Pandora hVNC/GrimPlant/GraphSteel.
Microsoft security teams have been working closely with Ukrainian government officials as well as both government and private-enterprise cybersecurity staff to identify and remediate threat activity against Ukrainian networks, researchers said.
Russia appears to have been preparing for the land conflict with Ukraine in cyberspace about a year before the war began, or since March 2021, according to the report.
In the lead-up to the ground conflict and the subsequent invasion, threat groups with known or suspected ties to Russia “continuously developed and used destructive wiper malware or similarly destructive tools on targeted Ukrainian networks at a pace of two to three incidents a week,” researchers found.
“From February 23 to April 8, we saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine,” they wrote.
Even before that, in January, Microsoft identified a Master Boot Record (MBR) wiper attack that it named WhisperGate targeting Ukraine to permanently disrupt organizations across the country and paint it as a failed state. Wipers are the most destructive of malware types because they permanently delete and destroy data and/or systems, causing great financial and reputational damage to victims.
From late February to mid-March, another series of wiper attacks using malware called HermeticWiper, IsaacWiper and CaddyWiper targeted organizations in Ukraine as Russia commenced its physical invasion.
Attacks on Critical Infrastructure
In its latest report, Microsoft said that more than 40 percent of the destructive attacks against Ukraine were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the government, military, economy and the country’s people.
Moreover, 32 percent of destructive incidents affected Ukrainian government organizations at the national, regional and city levels.
“Acknowledging that there is ongoing activity that we cannot see, we estimate there have been at least eight destructive malware families deployed on Ukrainian networks, including one tailored to industrial control systems (ICS),” researchers wrote. “If threat actors can maintain the current pace of development and deployment, we anticipate more destructive malware will be discovered as the conflict continues.”
The report includes a specific timeline of attacks and the malware used in the earliest weeks of the attack to support Russia’s military activities. In addition to the wipers previously mentioned, other malware deployed in the attacks includes: FoxBlade, DesertBlade, FiberLake, SonicVote and Industroyer2.
On the heels of CERT-UA’s revelation of the top APTs pummeling Ukraine in cyberspace, research firm Recorded Future’s The Record took a deeper dive into each one to examine its specific affiliations and modus operandi.
Armageddon/Gamaredon is an aggressive threat actor that has been targeting Ukraine since 2014 and is backed by the Russian Federal Security Service (FSB). During the Russian war on Ukraine, the group has used phishing attacks to distribute malware, most recently new variants of the “Backdoor.Pterodo” malware payload, according to researchers.
UNC1151 is a Belarus-aligned hacking group that has been active since 2016 and has previously targeted government agencies and private organizations in Ukraine, Lithuania, Latvia, Poland and Germany, as well as attacked Belarusian dissidents and journalists, researchers said, citing research from Mandiant.
Since Russia attacked Ukraine, the group has been linked to the defacement of multiple Ukrainian government websites as well as spearphishing campaigns targeting the email and Facebook accounts of Ukrainian military personnel to spread the MicroBackdoor malware.
Fancy Bear/APT28 is a well-known and prolific actor active since 2017 and backed by Russia’s military intelligence service (GRU). The politically motivated group has been linked to activity aiming to influence elections in the European Union and the United States, as well as to attacks on sporting authorities connected to the 2020 Tokyo Olympic Games.
On Feb. 24, the day Russia attacked Ukraine, Fancy Bear gained access to U.S. satellite communications provider Viasat’s KA-SAT network in Ukraine, leaving many Ukrainians without internet access and thus communication capability at the critical time when attacks began, researchers said.
Russian threat actors have used the AgentTesla and XLoader malware families since at least 2014 and 2020, respectively; both have been used in high-profile attacks. During Russia’s invasion of Ukraine, one malicious email campaign targeting Ukrainian state organizations used XLoader as its payload, while a phishing campaign targeting Ukrainian citizens spread AgentTesla, researchers said.
Pandora hVNC/GrimPlant/GraphSteel act as downloaders and droppers under the umbrella term “Elephant Framework,” a set of tools written in the same language and used to target government organizations through phishing attacks, researchers said. In two separate malicious phishing campaigns in March, they were used against Ukrainian targets to steal sensitive information from government officials, among others, they said.
History of Cyberattacks in Ukraine
In March, Kaspersky’s Global Research and Analysis Team (GReAT) outlined its tracking of current and past cyberattacks in Ukraine.
“The number of cyberattacks in Ukraine will increase during the next six months. While most of the current attacks are of low complexity – such as DDoS or attacks using commodity and low-quality tools – more sophisticated attacks exist also, and more are expected to come,” Kaspersky researchers wrote.
“Current complex activities include the employment of HermeticWiper, which stands out due to its sophistication, as well as the Viasat ‘cyber event’ – the partial network outage that impacted internet service for fixed broadband customers in Ukraine and elsewhere on the European KA-SAT network that affected over 30,000 plus terminals in Europe,” the Kaspersky report added.