Ukraine versus Russia: Cyber warriors sabotage their enemies with digital hand grenades
There are fronts in every war. For the parties in conventional warfare, it is about holding one’s own front while trying to create an opening in the enemy’s front, which can be utilized to push forward and perhaps surround the enemy.
But it is often dangerous and risky because the defender almost always has an advantage.
Alternatively, one can try to break the fighting spirit of the opposing nation. This is highly relevant to the war over Ukraine, in which hackers are trying to demoralize and disrupt the enemy far from the front on both sides.
This Russian state-sponsored hacker group has been accused of carrying out sophisticated attacks on top politicians and institutions in the West. They include an attack on the Democratic Party in the USA during the presidential election campaign that Trump won, as well as attacks during elections in both France and Germany. The group uses advanced methods and performs precisely timed attacks.Hacker group: APT28 / Fancy Bear
Websites are being taken down, personal data of citizens is being stolen and leaked, and cyberattacks are raining down on both Ukrainian and Russian services and networks. Both sides hope that the other will lose its fighting spirit, as the alternative increasingly seems to be a bloody, protracted war.
“The home front is always underrated by generals in the field. And yet that is where the Great War was won and lost,” said David Lloyd George, Prime Minister of the United Kingdom during World War I, with the wisdom of hindsight.
“The Russian, Bulgarian, Austrian and German home fronts fell to pieces before their armies collapsed.”
Pressure on the home front
Putin’s Russia is paralyzed by sanctions and embargoes on exports that make it difficult for Russians to develop and produce technology. Ordinary goods such as sugar have become almost impossible to find in some places in Russia.
Ukraine’s economy is also under pressure from Russia’s naval blockade, and the country is experiencing a general and massive bombardment of factories and infrastructure and has mobilized all men between the ages of 18 and 60.
Both countries are thus under pressure on the home front, and both parties are fighting a war online. They are fighting for favour, and it is the favour of both the outside world and their respective people that is at stake.
“IT Army of Ukraine” is the name of a loose group of hackers from Ukraine and the West in general, who at the time of writing are leaking a huge amount of data about Russian soldiers in Ukraine. The group calls their relatives and friends and tries to increase the pressure on Russia’s home front. Russian ministries and agencies go dark when the group overloads their sites with so-called DDoS attacks.
In the group’s thread on the messaging service Telegram, which Ingeniøren’s IT media site Version2 is part of, there is an atmosphere of “everything counts”. No target is too small, and no means are too harsh. Dead soldiers’ partners receive calls by distorted hackers’ voices, and large amounts of raw data about Russian soldiers can be retrieved free of charge. However, Version2 has not been able to verify them.
Satellite connection down
On the other side, the situation is more diffuse. The total destruction of Ukraine is taking its time, both militarily and digitally, and the idea of Russia as the world champion in hybrid warfare has suffered a blow. But Ukraine has been hit hard by cyberattacks. Leading up to the invasion, the number of attacks on Ukrainian services exploded, new analyses by Kaspersky and Trend Micro show.
It is unknown whether this group works with APT28 / Fancy Bear. But it also acts where Russia wants it to—albeit with significantly simpler methods. The group’s activities in Ukraine have grown steadily since 2019, and since February this year, the number of cyberattack command centres—so-called C&C servers—has increased tenfold.Hacker group: Gamaredon / Primitive Bear
And while the attack on European satellite services provider Viasat hit several satellite users around the EU, it hit Ukraine hardest at a critical moment. While Russians were trying to surround the Ukrainian capital Kyiv and assassinate the country’s president, several parts of the country suddenly lost the possibility of flexible satellite communication.
Ukraine had to ask Tesla founder Elon Musk for help with coverage from his satellite network. They got the help, but only a day later.
Wipers erase disks
During the first days of the war, Russia also deliberately went after the TV and radio tower in Kyiv, which was blown to pieces with several civilian casualties as a result—Kyiv had to be silenced.
“Ukraine is the victim of a complex mix of hostile actors. Some of them are commercial, but there are definitely state-owned players among the attackers,” says Costin Raiu, director of Kaspersky’s Global Research & Analysis Team (GReAT).
Together with some colleagues, he tells at an online briefing Version2 and a number of other media about the latest IT security findings in the war over Ukraine. He also says that camouflage is not reserved for physical war.
“There are all sorts of attacks on Ukraine right now. There are the usual ransomware attacks, but more and more of them turn out to be camouflaged wipers,” says the security specialist, who explains that the goal of a wiper is not to encrypt files in order to demand a ransom from the victim.
One cannot talk about cyber warfare in Ukraine without mentioning the attack on the satellite company Viasat, which was hacked immediately after the invasion of Ukraine. The attack rendered thousands of satellite terminals useless both inside and outside Ukraine—and they are still not operational to this day. The attack has made it even harder for Ukrainian civilians and military to communicate in the war-torn country.Cyberattack: Viasat
Wipers erase everything on the disk instead. Then they overwrite it again and finally fragment the disk so that nothing is where it was before the attack—in other words, the hope of recovery of the affected system is quite low. It is a digital hand grenade, and even if it does not get all the way to the centre of a system, it can do great damage.
“Wipers have become smart and they don’t have to erase much for the system to no longer function,” says Costin Raiu, who considers the situation in Ukraine’s cyberspace to be quite extraordinary.
Listen to Mads Lorenzen talk about the arsenal of digital weapons that hackers use in the cyber warfare between Russia and Ukraine in Ingeniøren’s podcast Transformator:
The different wipers come from different servers and groups, and this makes it difficult to prove that Russia or a specific group are behind it.
“In general, there is a clear and coordinated effort to destroy. The attacks are, among other things, hosted on Discord, which is incredibly impractical, but also difficult to attribute,” says Costin Raiu, and explains that it is a jumble of malicious code that indicates cooperation between several individuals, perhaps even several groups.
“We have never seen anything like this before, but at the same time we don’t think that we have seen the most sophisticated attacks yet.”
Striking timing
Together with his colleagues in the Moscow-based antivirus company, he has kept an eye on some of the hacking tools that have been used in Ukraine up until the war and after it broke out.
One of the more interesting ones is the so-called IsaacWiper. It already appeared in the company’s sensor network in December. It was a crude version that only kind of worked, but it was refined, fine-tuned—and then it disappeared from the radar.
Right up until it reappeared on 23 February, shortly before the invasion of Ukraine began.
“The malware was compiled in December and was ready to run, so why does it only show up in late February?” says Costin Raiu, who finds the timing striking.
Without any warning, this latest version of the destructive wiper malware can render even the most modern systems completely useless by erasing, overwriting, and moving data. These are programs that have only one purpose: destroying digital infrastructure. There is no money involved, and therefore everything points to the fact that it is state-sponsored actors and not ordinary criminals who are behind wipers.Hacking tool: HermeticWiper
One of his colleagues, the director of GReAT Europe Marco Preuss, says that attacks on Ukraine make up more than half of all the attacks the security company records globally.
“Over the past month, our sensor network has captured 21 000 unique IP addresses, 12 000 of which were involved in attacks against Ukraine. It’s quite thought-provoking that more than half of them are in Ukraine only,” Marco Preuss says.
At the same time, both sides are trying to apply constant pressure on each other’s infrastructure. Right now, Ukraine is experiencing an intermittent, slower internet service. We also know that a myriad of Russian websites have been for weeks—Version2 was also able to verify this. They pop back up every now and then, but the vast majority of Russian news sites and Russia’s official websites are not at all available to the rest of the world. Access to the open Internet has simply been terminated to protect the services from outside attacks.
If you test the uptime with a Russian VPN, however, there are also downtimes, and this confirms what one of Ukraine’s hackers has told Version2: that a not at all insignificant botnet is about to be established in Russia.
Hacktivists should think twice
No one knows how much damage the attacks on both sides have actually caused, or how to deal with that kind of destruction. But when Nordea was recently hit by an attack in Denmark, the author of this article felt a small punch to the gut. Did the cyber war come to Denmark? Is our banking system going to get into trouble?
With that in mind, one can well imagine that the attacks put the populations of both countries in an extremely unpleasant situation, which reinforces the feeling of isolation and paralyzes the countries further on top of the harsh economic and humanitarian situation that Russia and especially Ukraine are experiencing.
A simple but effective hacking tool that is currently pouring into Ukrainian inboxes. Camouflaged as emails from Ukrainian authorities, PandoraBlade creates an entry point for more sophisticated cyberattacks, and the software can be purchased for around USD 300.Hacking tool: PandoraBlade
It will also be exciting to see if Anonymous and the IT army can continue to keep up at this pace as the war progresses. Several Danes have anonymously told Version2 that they are considering joining the effort.
But before you suddenly own part of a Russian botnet, you have to remember that it is a war on the web, and not a waggish trick. As former CIA analyst Michael E. van Landingham told Technology Review:
“Despite the United States government saying ‘We’re not allowing hacktivists to use American routers to do DDoS attacks on your state propaganda sites,’ Russia is probably not going to believe that. Russia uses cyber tools as an extension of state power. And Russian leaders mirror-image a lot. I think they’ll perceive attacks from Anonymous or any Western collective as attacks that Western governments promote.”
