WASHINGTON. In the weeks following the start of the war in Ukraine, U.S. officials wondered about a weapon that didn’t seem to exist: Russia’s powerful cyber arsenal, which most experts expected would be used in the early hours of the invasion to cripple Ukraine’s power grid, fry its cell phones and cut off President Volodymyr Zelensky from the world.
None of this happened. But in a new study published by Microsoft on Wednesday, it is now clear that Russia used its hacking team to carry out hundreds of far more sophisticated attacks, in many cases coinciding with incoming missile or ground attacks. And, as in the ground war, the Russians turned out to be less adept and the Ukrainians better defenders than most experts expected.
“They put in a disruptive effort, they put in an effort to spy, they made all of their best contributors focus on it,” said Tom Burt, who oversees Microsoft’s investigation into the biggest and most complex cyberattacks that are visible across its global networks. But he also noted that while “they had some success,” the Russians met with solid defense from the Ukrainians, who blocked some online attacks.
The report adds considerable subtlety to understanding the early days of the war, when shelling and troop movements were obvious, but cyber operations were less visible – and harder to blame, at least immediately, on the main Russian intelligence agencies.
But it is now clear that Russia has used hacking campaigns to support its ground campaign in Ukraine, pairing malware with missiles in several attacks, including on TV channels and government offices, according to a Microsoft study. The report demonstrates Russia’s continued use of cyber weapons, refuting early analysis that suggested they played no prominent role in the conflict.
“It was a relentless cyberwar that paralleled, and in some cases directly supported, kinetic warfare,” Mr. Burt said. Russia-linked hackers carried out cyberattacks “every day, 24 hours a day, seven days a week, hours before a physical intrusion,” he added.
Microsoft was unable to determine whether the Russian hackers and Russian troops were simply assigned similar goals or whether they were actively coordinating their actions. But Russian cyberattacks often occurred within days, sometimes hours, of activity on the ground.
At least six Russian nation-state hacking groups have carried out more than 237 operations against Ukrainian companies and government agencies, Microsoft said in the report. The attacks were often aimed at destroying computer systems, but some were also aimed at gathering intelligence or spreading misinformation.
While Russia has typically relied on malware, espionage and disinformation to advance its agenda in Ukraine, it appears Moscow has tried to limit its hacking campaigns to stay within Ukraine’s borders, Microsoft said, possibly in an attempt to avoid bringing NATO countries into the conflict.
The attacks were sophisticated, with Russian hackers often making small changes to the malware they used to avoid detection.
April 27, 2022 1:35 pm ET
“It’s definitely the A-team,” Mr. Burt said. “It’s basically all the key actors in the nation state.”
However, Ukrainian defenders, accustomed to fending off Russian hackers after years of online incursions into Ukraine, have been able to thwart some of the attacks. At a press conference on Wednesday, Ukrainian officials said they believe Russia has used all of its cyber capabilities against Ukraine. Nevertheless, Ukraine managed to repel many attacks, they added.
Microsoft detailed several attacks that appeared to show parallel cyber activity and ground activity.
On March 1, Russian cyberattacks hit media companies in Kyiv, including a major broadcasting network, using malware designed to destroy computer systems and steal information, according to Microsoft. On the same day, rockets destroyed a TV tower in Kyiv, shutting down several stations.
The incident demonstrated Russia’s interest in controlling the flow of information in Ukraine at the time of the invasion, Microsoft said.
On March 4, a group linked to the GRU, Russian military intelligence, hacked into the network of a government agency in Vinnitsa, a city southwest of Kyiv. The group, previously linked to the theft of emails related to Hillary Clinton’s 2016 presidential campaign, carried out phishing attacks on military officials and regional government employees to steal passwords to their online accounts.
Microsoft said the hack attempts were a turning point for the group, which typically focuses its efforts on national offices rather than regional governments.
Two days after the phishing attempts, Russian missiles hit the Vinnitsa airport, damaging the control towers and the aircraft. At the time, the airport was not near ground combat areas, but it did have some Ukrainian military presence.
Russian hackers and troops appeared to be working together again on March 11, when, according to Microsoft, a government office in Dnipro was attacked with destructive malware and government buildings in Dnipro were hit.
Parallels have also emerged between strikes on nuclear facilities in Ukraine and Russian disinformation campaigns spreading false rumors that Ukraine is developing biological weapons. In early March, Russian troops seized the Zaporozhye nuclear facility, the largest nuclear power plant in Europe. During the same time period, Russian hackers were working to steal data from nuclear energy organizations and research institutes in Ukraine that could be used to spread disinformation, Microsoft said.
Microsoft said that one of the groups, linked to the Russian Federal Security Service and experienced in attacks on companies in the energy, aviation and defense sectors, was able to steal data from the Ukrainian nuclear security organization between December and mid-March.
By the end of March, Russian hackers began to focus on eastern Ukraine as the Russian military began reorganizing its troops there. Little is known about the Russia-backed hacking campaigns that took place in April as investigations into many of these incidents continue.
“The Ukrainians themselves have turned out to be better defenders than expected, and I think this is true for both sides of this hybrid war,” Mr. Burt said. “They do a good job of defending themselves against cyberattacks and recovering from them if successful.”