In the modern world, it makes sense that cyber warfare would coordinate with more traditional “kinetic” warfare. The cyber team knocks out the enemy’s communications just before the boots-on-the-ground team launches an attack, say. However, that’s not what’s happening in Ukraine, according to a research report from Kaspersky’s experts. The near-continuous stream of cyberattacks arrive, for the most part, completely uncoupled from physical attacks, and the quality of the war-fighting code varies wildly.
Wait, Kaspersky?
This report comes from Kaspersky’s Global Research and Analysis Team (GReAT) team. Yes, the same Kaspersky that was recently deemed an “unacceptable risk to the national security of the United States,” banned by Germany’s Federal Office for Information Security, and even dropped from the bug bounty program run by one-time partner HackerOne.
We at PCMag have found it necessary to pull Kaspersky products from our “Best of” roundups, though we still evaluate and report on their capabilities. So why shouldn’t we assume this research report is pure disinformation?
The thing is, the researchers on the GReAT team(Opens in a new window) do their work all over the world. Picking a few at random, I found Sweden, Germany, Australia, and Argentina. Many, perhaps most, of them have worked at other security companies, from Dr. Solomon to McAfee to Symantec. I’ve met some of them personally, and attended their illuminating briefings at Black Hat and other security conferences. Yes, some are clearly Russian nationals. Some are based in Russia. But overall, it’s an international effort, and this group’s research has been well-respected among security experts for many years.
Smart and Not-So-Smart Attacks
The full report on cyber activities in Ukraine(Opens in a new window) is dense with information, but not impossibly technical. For those tempted to skim, it pauses for a point-by-point recap every so often.
One important takeaway is the “vastly disparate degrees of sophistication” in the observed cyberattacks. Picture two guerilla teams aiming to take over a fortified enemy building. One team compromises the security cameras, infiltrates silently, and totally owns the building. The other team flings a few Molotov cocktails through the windows and runs away. Yes, it’s that different.
At the sophisticated end, perpetrators of the HermeticWiper attack craftily acquired a valid certificate to digitally sign their dangerous payload. Once in place, the malware surreptitiously copied itself through networks and then wiped data from its host computer, eliminating the evidence. After defenses went up against HermeticWiper, a much less sophisticated follow-up called IsaacWiper tried to take its place. The report characterizes IsaacWiper as rushed, “as if their operators had been tasked with destroying data at the eleventh hour.”
Amateur attacks go both directions, it’s true. You can find websites offering a chance to enlist your own computer in a DDoS attack on Russian military and resource targets. We don’t advise that you participate, though. In any case, the report didn’t cover attacks against Russia.
Next to No Coordination
In February, an attack on the Viasat network interfered with Ukrainian military communications just as Russia launched a physical attack on Ukraine. As with the HermeticWiper attack, there are no fingerprints, smoking gun, or other hard evidence linking the cyberattack to Russia’s invasion, but Britain, the EU, and the US all blame Russia.
Recommended by Our Editors
EU and UK Blame Russia for Hack That Disrupted Viasat's Satellite InternetWho's Actually Behind the Cyberattacks Hitting Ukraine? US, UK Blame Russia for NotPetya Ransomware OutbreakThis example of coordination is rare, the report notes. It’s also a rare case in which an attack on Ukraine spilled over to affect other countries. Some wind farms in Germany and other European nations were knocked offline. The researchers say they “have little reason to believe that there was any intent to provoke adverse effects outside Ukraine,” and that they don’t expect any widespread problems like the NotPetya outbreak of 2017.
In addition, the numerous attacks don’t seem to be coordinated with each other. “Our best guess is that separate groups decided to take advantage and wreak havoc immediately after the conflict erupted,” states the report.
What’s Next?
The report suggests that attacks will become more focused and powerful going forward. “As the conflict drags on, we predict that more sophisticated threat actors will get involved and refocus their intelligence collection activities. For this reason, we advise companies all around the world to prepare for a resurgence of ransomware attacks.” Individuals aren’t likely to be affected, but even so, it’s a good time to make sure your antivirus is updated.
I do wonder if Russia’s technology push may be steering toward goals other than cyberwarfare. The country recently announced its development of the Peresvet laser, a weapon allegedly capable of burning up drones and blinding satellites. That weapon could certainly cause problems for Starlink’s campaign to keep Ukraine connected.
Like What You're Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Sign up for other newsletters
