Microsoft: Russia Has Launched Hundreds of Cyber Operations in Ukraine

Russian state-aligned actors have launched 237 campaigns against Ukrainian targets since just before the invasion, according to new threat intelligence shared by Microsoft.

The tech giant has been monitoring and sharing updates on the situation to inform policymakers, the global populace and the security community about the scale and type of attacks being launched by the Kremlin.

“Starting just before the invasion, we have seen at least six separate Russia-aligned nation-state actors launch more than 237 operations against Ukraine – including destructive attacks that are ongoing and threaten civilian welfare. The destructive attacks have also been accompanied by broad espionage and intelligence activities,” explained Microsoft VP of customer security and trust, Tom Burt.

“The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership. We have also observed limited espionage attack activity involving other NATO member states, and some disinformation activity.”

The cyber-attacks are often timed to coincide with real-world kinetic military operations, he continued.

For example, cyber-attacks were launched against a major Ukrainian broadcaster on March 1, the same day as a missile strike on a TV tower in Kyiv.

Nearly 40 destructive attacks have been aimed at hundreds of targets, a third (32%) of which were Ukrainian government organizations and two-fifths (40%) of which were critical infrastructure assets in the country.

“Actors engaging in these attacks are using a variety of techniques to gain initial access to their targets including phishing, use of unpatched vulnerabilities and compromising upstream IT service providers,” explained Burt.

“These actors often modify their malware with each deployment to evade detection. Notably, our report attributes wiper malware attacks we previously disclosed to a Russian nation-state actor we call Iridium.”

Interestingly, pre-positioning for such attacks appears to have begun as far back as March 2021.

“When Russian troops first started to move toward the border with Ukraine, we saw efforts to gain initial access to targets that could provide intelligence on Ukraine’s military and foreign partnerships. By mid-2021, Russian actors were targeting supply chain vendors in Ukraine and abroad to secure further access not only to systems in Ukraine but also NATO member states,” said Burt.

“In early 2022, when diplomatic efforts failed to de-escalate mounting tensions around Russia’s military build-up along Ukraine’s borders, Russian actors launched destructive wiper malware attacks against Ukrainian organizations with increasing intensity.”

Unfortunately for Ukraine, Burt claimed that cyber-attacks would continue to escalate, with destructive raids potentially even targeted outside the country. However, Microsoft admitted that it is probably observing only a “fraction” of the attacks hitting Ukrainian assets. The full report is available here.

What’s Hot on Infosecurity Magazine?