Analysis: Russia may be facing issues with cybersecurity despite being obscured by a cloud of disinformation

Illustration: Forsvaret

There are many reports on the situation in Ukraine after Russia started the invasion of the country just over a week ago.

Some are true, but many are, to say the least, modified versions of reality. In the same way, the Internet is flooded with statements from the other front of the war—the digital one. Version2 has looked at several of the published leaks, and in this article, we will try to help you get an overview of the incredibly complex cyber conflict.

While the armed fist of Putin’s forces slowly approaches Kyiv in kilometre-long columns, the economic and digital pressure on Moscow, where the orders are coming from, is escalating. Sanctions are pouring down on Russia and Belarus, and the loose network of activist hackers, Anonymous, has declared war on Russia.

At the same time, the Ukrainian Minister of Digital Transformation has called on hackers around the world to join Ukraine’s IT army. On the other side of the conflict, we have Russia’s civilian and military hackers, who over many years have positioned themselves among the world’s best. They have openly received statements of support from hacker gangs such as Conti, which is behind ransomware attacks against several Danish companies.

What we know

Having established that, we can move on to what we know about the cyber conflict. First of all, we know that Conti’s support for Russia has cost them at least one member with access to the gang’s chat system. This person has hacked the hackers and published their internal communications and their Bitcoin-related data that reveals staggering amounts of stolen Bitcoins. On a scale of billions.

We also know that over the last few months, Ukraine has been hit by more or less targeted attacks with so-called wipers. As the name indicates, they do not bother to encrypt data in order to demand ransom. They destroy systems. Thus, they stand in contrast to ransomware attacks and a number of other more conventional attacks that have been mainly financially motivated.

On the other hand, we cannot say with certainty that Russian hackers were behind them. And here we get to one of the big problems—it is incredibly difficult to pinpoint who is behind which attacks in cyberspace. We already saw this back in the case of Hillary Clinton’s hacked emails, where Version2 was able to find concrete gaps in the FBI’s conclusions. For example, Switzerland was blamed for attacks carried out from IP addresses in Swaziland.

Right now, Ukraine is experiencing intermittent and slower internet service and has asked for assistance from, among others, Elon Musk, who has provided stable connections in some of the war zones through Starlink satellites, not least in the capital Kyiv. We do not know whether this is due to cyber attacks or to the general pressure on Ukraine’s infrastructure. In the United States, we have seen an attack on Nvidia that cannot be directly linked to Russia.

We also know that a myriad of Russian websites have been under pressure for days—Version2 was also able to verify this. They pop back up every now and then, but the vast majority of Russian news sites and Russia’s official websites are not available at all to the rest of the world. Access from the open Internet has simply been cut off to protect the services from outside attacks. If you test the uptime through a Russian VPN, however, there are still outages, and this confirms what one of Ukraine’s hackers has told Version2:

That a far from insignificant botnet is being built up inside Russia.

What we are told

And if we look even closer at what is hurled the other way, it is far more complex. Ukraine’s IT army and Anonymous have put up an incredible number of examples of what they claim are hacked Russian systems and people online. We have downloaded some of them, but it is, to say the least, impossible to verify. If we compare them with the leaks we have analysed from, for example, Vestas and Kompan, it is much less clear where the files come from.

There are pictures of SCADA systems in utilities, charging stations that display “Fuck Putin!” instead of the electricity price, and long lists of customers from Russian banks. We have no idea if this is genuine—but social media clearly hopes so and greatly incites hackers to keep going.

Illustration: Anonymous

A more explosive example is a leak—according to Anonymous themselves—of the radio frequencies that the Russian ground forces use to communicate. All the way down to division level. The only thing that confirms the authenticity of the frequencies is that since the leak, several videos and audio clips have appeared of Ukrainian soldiers arguing with Russians on the latter’s radio channels. However, this could easily be forged Ukrainian communications material because there is no doubt that Ukraine is fighting for the country’s survival with everything it has.

The world’s favour and desire to help Ukraine is the country’s only ace against the numerically and materially superior Russian invasion force.

Busy defending

There may be several reasons why we have not seen stronger cyber attacks against Ukraine or the country’s many supporters in the West. First of all, Ukraine has no reason to publicly reveal attacks on the country, since it is already fighting a fierce information war in an attempt to look as strong as possible and demoralize the Russian invaders.

But it may also be because the country is, for the first time ever, under general and real cyber pressure that has forced the Russian hackers onto the defensive. If only a tenth of the claims of hacks, leaks, and DDoS attacks from the IT army and Anonymous are true, then unprecedented pressure on the country’s infrastructure has been built up in a very short time.

Or it could be a combination of things. Moscow is more opaque than ever, and very few know what decisions are actually being made. Apart from the decision to invade Ukraine, of course.

The long haul

How much damage have the attacks on both sides caused? Nobody knows. But when Nordea was recently hit by an attack in Denmark, the author of this article felt a small punch to the gut. Did the cyber war come to Denmark? Is our banking system going to get into trouble?

With that in mind, one can well imagine that the attacks put the Russian people in an extremely unpleasant situation, which reinforces the feeling of isolation and paralyzes the country further on top of the harsh economic sanctions the country is experiencing.

It will also be exciting to see if Anonymous and the IT army can continue to keep up at this pace as the war progresses. Several people have anonymously told Version2 that they are considering joining the effort.

But before you suddenly find yourself owning part of a Russian botnet, you have to remember that this is a war on the web, not a prank. As former CIA analyst Michael E. van Landingham told Technology Review:

“Despite the United States government saying ‘We’re not allowing hacktivists to use American routers to do DDoS attacks on your state propaganda sites,’ Russia is probably not going to believe that. Russia uses cyber tools as an extension of state power. And Russian leaders mirror-image a lot. I think they’ll perceive attacks from Anonymous or any Western collective as attacks that Western governments promote.”

He therefore believes that the activists must be careful when they act—even if they operate under Anonymous.

If you have been digitally involved in the conflict, or if you know someone who has, we would love to hear from you at Signal 61690917 or mlo@ing.dk (not secure)
