Russia’s war on Ukraine signals shift from traditional cyberattacks to information warfare 

Read on to learn more about how information warfare is outgunning traditional cyberattacks in the war between Russia and Ukraine, and how a hybrid of physical, cyber, and informational campaigns may be the future of war.

Long before Russia shocked the world by invading Ukraine, it was engaged in cyber warfare aimed at weakening the country’s critical infrastructure. Yet once Vladimir Putin gave the order for all-out war, it’s likely he never expected Ukraine’s defenses on both the ground and within its networks to put up such a fight. 

While Russia is known as an intelligence juggernaut, its traditional cyberattacks have done surprisingly little to throw Ukraine and the rest of the Western world off its scent. Ukraine’s cyber resilience has so far proven strong enough to fend off Russian advances. With mistrust and radicalism hanging heavy in the political air, cyberespionage and disinformation have ramped up in Russia—while guerrilla cyber tactics and hacktivism have put Ukraine on the offensive.  

It’s no longer about taking down websites and power grids for strategic advantage. It’s about the truth and who owns it. It’s information warfare, and it just might sway the outcome of this war. 

Cheers,  

Marcin Kleczynski 

CEO, Malwarebytes 

The future of war is hybrid: Russia-Ukraine conflict pits traditional cyberattacks against information warfare 

When Russian forces entered the Crimean Peninsula of Ukraine on March 2, 2014, they had already shut down the area’s telecommunications infrastructure, disabled major Ukrainian websites, and jammed the mobile phones of important Ukrainian officials. With that one-two punch, Russia was able to annex Crimea within one month of its advance. 

Ever since the Russian attacks on Crimea, Ukraine has been steeling itself against another hostile takeover attempt by Russia. So when troops began to gather on Ukraine’s eastern border in late 2021, the country braced for another destructive cyberattack, too. The world held its breath and waited for Cybergeddon. Already, advanced cyber espionage activity was ramping up in Ukraine, especially from the Russian APT Gamaredon.  

With all eyes on the geopolitical conflict, Russia not-so-quietly unleashed a new wiper-like worm dubbed WhisperGate on more than 70 Ukrainian government websites. Masquerading as ransomware, the wiper targets the master boot record (MBR) instead of encrypting files—and completely wipes it out, rendering the system useless.  

Reading the writing on the wall, Ukrainian officials proactively recruited cybersecurity help from allies. In January, Ukraine signed an agreement with NATO on enhanced cyber cooperation, including access to NATO’s malware information-sharing platform. Six EU countries—Lithuania, Netherlands, Poland, Estonia, Romania, and Croatia—sent teams of experts to help Ukraine cope with cyberthreats. The United States sent security teams, as well as its top security official to brief NATO on ways to deter and disrupt potential Russian cyberattacks.  

In February, cyber tensions escalated as several wipers were released against Ukraine, along with a massive DDoS attack on the country’s Defense Ministry, army, and state banks—the largest cyberattack in Ukraine’s history. Ukrainian officials recognized the attacks for what they were: attempts to sow confusion, chaos, and fear, as well as to identify weaknesses in Ukraine’s critical infrastructure. Yet, in a little over 24 hours, Ukraine had significantly reduced the harmful internet traffic from the attack. 

On the eve of the invasion, another new, destructive malware from Russia called HermeticWiper was launched at Ukraine. It not only overwrites the MBR but also corrupts file systems and individual files. With the country’s critical infrastructure in peril, Russia once again knocked out Ukrainian communications systems while simultaneously advancing its troops across the border. Targets included internet service providers, satellites, and network operators.  

A month later, Russia doubled down on disrupting communications. On March 28, Ukraine was hit with a country-wide outage of its national telephone, internet, and mobile provider. Russian cyberattacks on comms also hit radiation monitoring systems and long-term cleanup efforts of nuclear waste sites.  

Yet, if there was panic in Ukrainian national circles, you wouldn’t know it. The country’s intelligence agency, the SBU, said it had neutralized more than 2,200 cyberattacks on state authorities and critical infrastructure over the last year. Bearing the brunt of Russia’s cyberthreat arsenal over the years, Ukraine seems less battle-worn than fiercely determined not to be steamrolled again. While Russia’s cyberattacks have been sophisticated, strategic, and cruelly calculated alongside physical strikes, they have also been, so far, predictable.  

On the evening of April 8, Russia dropped its most advanced cyberattack of the war yet, this time against Ukraine’s vulnerable power grid—while simultaneously sabotaging the computer systems used to bring the grid back online. However, Ukraine’s response was swift, and the attack was unsuccessful. Perhaps using Ukrainian energy, finance, and critical infrastructure organizations as a testing ground for all these years had an effect Russia did not intend: It built up Ukraine’s cyber resilience.  

Ukraine fights back 

Just after the invasion, the infamous Conti ransomware group—long suspected of having a relationship with the Kremlin—voiced its support for the Russian government and threatened retaliation against any Western country that attempted to target Russia via cyberattack or otherwise.  

This triggered a strong emotional response from a Ukrainian national likely with unique access to the Conti infrastructure, as within days of the announcement, the individual leaked a treasure trove of valuable data about the group and its members, including internal chat messages, raw data files, and even ransomware source code. The Conti leaks no doubt cost the ransomware group a great deal of money, but more importantly, they showed Russia that Ukraine wasn’t going down without a fight. 

Just days after Russia sent thousands of tanks across its borders, Ukraine made a bold move to go on the cyber offensive. On February 26, Ukrainian Vice Prime Minister Mykhailo Fedorov publicly called on volunteer hackers to take down strategic Russian websites. He had a list of 31 government, banking, and corporate websites ready to go. Within days, Ukraine had amassed an “IT army” of more than 400,000 volunteers.  

Since then, the IT army has not only taken down key Russian websites, but it’s provided Ukraine with threat intelligence, attacked Russian military systems, and even tried to circumvent Russian censorship by sending information and pictures of the war to its citizens. In one case, a volunteer group obtained over 200GB of emails from a Belarusian weapons manufacturer and posted them online.  

In fact, since the start of the war, anonymous users have come to Ukraine’s aid from both inside the country and out, doxxing Russian soldiers, generals, and government leaders by exposing their locations. A week after the Conti leaks, information about members and source code of the Russian ransomware group TrickBot also appeared online. And in a twist of irony, the hacktivist group known as Network Battalion 65 used the leaked Conti ransomware code to create another variant that attacked Russian businesses in April. 

The future of war 

While the outcome of the Russia-Ukraine conflict is still foggy, a few important lessons are already beginning to take shape. For one, it appears that even the most technical, sophisticated cyberattacks can be thwarted with a combination of good threat intelligence and smart, rapid response. Having a cyber resilience strategy focused not just on prevention but on mitigation and recovery has been key to Ukraine’s ability to maintain operational functionality during wartime. 

Second, enlisting the help of international allies can shore up weaknesses in cyber defenses—and take out dangerous enemies in the process. Assistance from NATO, neighboring EU countries, and the United States enabled Ukraine to harden its networks as best it could prior to the invasion and to prepare smart, efficient response strategies for security incidents. And the help didn’t stop once the war began. Western assistance came from both sovereign countries and private companies.  

In March, the US Department of Justice (DOJ) disrupted a botnet controlled by Sandworm, the powerful Russian threat actor group behind NotPetya. Experts had feared Sandworm would launch a potentially highly damaging cyber strike against Ukraine that could also be used to cripple organizations in other countries. A day later, Microsoft disrupted the Russian threat group Strontium’s attempted cyberattacks on Ukraine by sinkholing the domains used to launch the attacks.  

And finally, maintaining the upper hand in information warfare may be just as important as, if not more important than, being able to deliver traditional malware campaigns. Ukraine’s ability to galvanize thousands of hackers, root out Russian operatives through data leaks, and cut off disinformation pipelines has left Russia exposed. And unlike in 2016, Russia is unable to sway public opinion via Facebook, as parent company Meta banned Russian disinformation campaigns on that platform as well as on Instagram. 

The future of this cyberwar, and of wartime tactics as a whole, is murky. But it’s clear we’re moving into a new phase of hybrid military operations: physical combat, traditional cyberattacks, and information warfare. Each may be used to destabilize, undermine, weaken, and ultimately gain the high ground over political adversaries. What’s dangerous about this approach is that it might ensnare innocent victims in its wake.  

The volunteers in the IT army that has helped Ukraine take down Russian oligarchs through data dumps and online leaks may not understand the potential collateral damage or fallout from their actions. For example, if a Russian business is targeted and its data stolen, innocent Russian civilian patrons of that business might also have their PII exposed.  

Even now, US and other Western organizations should remain vigilant against potential retaliation from Russia.  

Ukraine’s valiant spirit should serve as inspiration for embattled IT leaders on the front lines of cybercrime. While Russia’s cyberattacks have been shrewd and calculated, Ukraine exemplifies resiliency at scale. It’s a reminder that we need to be prepared with more than a slingshot to take down a Goliath like Russia: We need every tool in our cyber arsenal. 

For more information on what small businesses can do to protect against potential cyberattacks in a time of geopolitical turmoil, read our blog on Malwarebytes Labs: https://blog.malwarebytes.com/awareness/2022/03/four-smb-cybersecurity-practices-during-geopolitical-upheaval/  

For advice, the latest updates, and additional references on shielding US businesses from Russian payback: https://www.cisa.gov/shields-up  

To read a different take on the future of cyber warfare: https://hbr.org/2022/03/what-russias-ongoing-cyberattacks-in-ukraine-suggest-about-the-future-of-cyber-warfare