Russia May Be Reviving Cyber Ops Ahead of Spring Offensive
Microsoft Predicts Uptick in Ransomware, Initial Access Hacks, Influence Operations
What happens next in Russia's invasion of Ukraine isn't clear, but experts tracking signs of Kremlin hacking say it may be preparing for intensified cyber operations ahead of a spring offensive.
British intelligence reports that since early in January, the Russian military appears to have been "attempting to restart major operations" with a focus on capturing "the remaining Ukrainian-held parts of Donetsk Oblast," a territory the size of Massachusetts located in the eastern part of the country.
In new analysis, Microsoft reports Russia in recent months appears to have increased cyberespionage efforts aimed at nations helping with the defense of Ukraine, mostly governments of European nations.
Based on a recent flurry of activity by Russia, Microsoft foresees an uptick in ransomware, an emphasis on obtaining initial access to systems, and increased influence operations.
Using crypto-locking malware allows state-backed hackers to cause destruction but in a more deniable and hard-to-attribute manner. Moscow has never been above using a wave of phishing emails to establish digital footholds or distributing weaponized versions of Windows 10 and backdoored versions of Microsoft Office posted onto file-sharing sites. And it has long made use of influence campaigns to elevate messages favorable to its foreign policy objectives. Microsoft says Russia has been using Telegram channels it curates as well as hacktivists - real or sock puppets - for "power projection" influence operations by claiming hack attacks and disruptions that security experts say largely never happen, but nevertheless get trumpeted by Russian and Western media alike.
From an initial access and malicious code standpoint, the Ukrainian government's assessment is that Moscow is keeping such capabilities set aside for its stealth long-term cyberespionage efforts, rather than burning them in high-profile, one-off attacks.
The Sandworm hacking team, aka Iridium, which Western intelligence says is part of Russia's GRU military intelligence agency, also "appears to be preparing for a renewed destructive campaign" by testing newly developed destructive malware, in part to see whether security firms and intelligence agencies can accurately attribute it, Microsoft says.
Russia's Evolving Cyber Strategy
When Russia launched its full-scale invasion of Ukraine on Feb. 24, 2022, the all-out cyberwar predicted by many military pundits failed to materialize.
Poor planning, misplaced faith in Russia's ability to quickly subdue Kyiv, better-than-expected Ukrainian cyber defenses and a meagre supply of zero-day exploits and wiper malware have all been cited as potential reasons why cyberattacks haven't turned the tide of battle for Russia. Western technology companies have also contributed to Ukraine's cyber defense and offered cloud-based hosting for essential government organizations and services, which largely appear to have withstood Russian efforts to disrupt or infiltrate them.
Some disruptions have been successful, including cyberattacks launched against Ukraine's energy sector at the beginning of the winter, at the same time as kinetic military attacks against the sector.
By the end of 2022, Ukraine's cybersecurity establishment had found that "phishing, exploiting technical vulnerabilities and spyware" were the top tactics being wielded by Russian government-associated hackers.
Russia's information operations also have remained robust, likely intensifying tensions in Moldova and Georgia. Kremlin propaganda also seeks to undermine the morale of Ukraine and its expatriates, said Clint Watts, general manager of Microsoft's Digital Threat Analysis Center.
"Moscow's propaganda machine has recently taken aim at Ukrainian refugee populations across Europe, trying to convince them that they could be deported and conscripted into the Ukrainian military," he said in a blog post.
Ukrainian allies should remain at heightened alert for Russian attempts to influence their elections and foreign policy discussions, including via hack-and-leak operations, Microsoft says. Sweden and Finland are also likely targets, since they have applied to become members of NATO.
Fresh Wiper Ransomware
Russia used extensive wiper malware attacks in the run-up to its February 2022 invasion and immediately afterward. Security experts spotted at least nine families of wiper malware. But such attacks peaked last February and March, before disappearing altogether last summer.
Then, Ukrainian and Polish transportation organizations were hit by Prestige ransomware last October. Security firms have attributed the attack to Russian government advanced persistent threat attackers.
In late November 2022, security researchers spotted multiple variants of a new type of ransomware called Sullivan - aka RansomBoggs - being used and refined over the course of a few days against a single Ukrainian organization with no apparent ties to the conflict. The name Sullivan comes from the malware's ransom note, which says it's been sent by "James P. Sullivan, an employee of Monsters Inc.," in reference to the eponymous 2001 Pixar film starring "Sulley," a blue-furred, purple-spotted creature employed as a "top scarer."
Security researchers deduce the malware was then in a research and development phase. "The testing and refinement of Sullivan on networks that seem more like cyber test ranges than actual targets suggest the actor is preparing Sullivan, or related malware, for use outside of Ukraine," Microsoft says.