[BreachExchange] A digital conflict between Russia and Ukraine rages on behind the scenes of war

Matthew Wheeler mwheeler at flashpoint-intel.com
Fri Jun 3 08:27:59 EDT 2022


https://wskg.org/npr_story_post/a-digital-conflict-between-russia-and-ukraine-rages-on-behind-the-scenes-of-war/

SEATTLE — On the sidelines of a conference in Estonia on Wednesday, a
senior U.S. intelligence official told British outlet Sky News that the
U.S. is running offensive cyber operations in support of Ukraine.

“My job is to provide a series of options to the secretary of defense and
the president, and so that’s what I do,” said Gen. Paul Nakasone, the head
of the National Security Agency, who also serves as the chief of the
Pentagon’s digital branch, the U.S. Cyber Command.

While he did not give any further detail, it was the first time the spy
chief alluded to the U.S. government’s efforts to launch counterattacks
against Russia in cyberspace, in addition to helping defend Ukrainian
agencies.

The so-called “cyberwar” in Ukraine hasn’t always been front and center of
news coverage, but it’s one of the things that might most directly impact
the West. It’s still a real possibility that U.S. companies or critical
infrastructure could become collateral damage if Russian hackers decide to
retaliate, according to cybersecurity officials.

Even as the U.S. government is a key ally to Ukrainian defenders, the
private sector might have a more complete picture of what’s going on at any
given time, because of their access to the digital systems in Russian
hackers’ crosshairs. The relationship between the U.S. private sector and
Ukraine has only deepened as the war drags on into its third month.

During an interview with NPR in Seattle last week, Microsoft head of
customer security and trust Tom Burt detailed what his team has been seeing
throughout the war, beginning a couple months prior to the official start
of the physical invasion.

The buildup

In January, according to Burt, Microsoft witnessed several “destructive
attacks against a number of Ukrainian government agencies.” This was the
first time Microsoft and others observed what’s become a major feature of
Russia’s digital strategy during the war — using wiper malware designed to
destroy data within Ukrainian agencies. Burt said his team was trying to
determine if the attacks might be a part of a broader offensive, or if it
was yet another example of Russia testing out digital attack techniques in
Ukraine, something the Kremlin has been doing for years.

“That’s the experimental zone for Russian cyberattacks,” he said.

Before publicly revealing what Microsoft had seen and attributing those
attacks to Russia, Burt said he reached out to U.S. and Ukrainian
government partners, to make sure Microsoft didn’t “disrupt what might be
very delicate conversations that were happening at the time.” However, Burt
said, both governments gave the green light — just one example of how
public officials have been more open about disclosing sensitive information
during the war in an effort to expose Russian aggression.

It became obvious to Burt that an invasion was imminent on February 23, a
day before Putin announced the “special military operation,” he said.

“So it’s commonly believed that the invasion of Ukraine started on February
24th. But from our viewpoint, it really started on February 23rd, about 10
hours before the missiles were launched and the tanks rolled across the
border,” said Burt. “There was a huge wiper attack across 300 different
systems in government agencies and private sector companies in Ukraine.”

According to Burt, at the beginning of the invasion, Microsoft only really
had a pinhole view into what was happening in Ukraine. While some Ukrainian
companies and agencies were using Microsoft products, where the company is
routinely looking for threats, very few were using the cloud, where
Microsoft has the most insights. Before the war, there was actually a law
that prevented Ukrainian agencies from using the cloud. That position was
reversed on March 16, when the Ministry of Digital Transformation announced
that state authorities are now allowed to store data using cloud services.
According to Burt, Microsoft has been helping these agencies make the
transition, and has become more able to detect threats as a result.

There are still limitations, but the cloud had other benefits, says Burt.

“We’ve been working with Ukrainian government agencies to completely move
them to the cloud … at least as a backup means of operating in case they
get compromised on premises,” he explained.

The cyber and the physical

Throughout the war, Burt says his team has noticed a pattern — Russian
hackers will often have similar objectives to the Russian military on the
ground. While he couldn’t definitively say the two groups were actively
coordinating, it was clear to Microsoft analysts that they were working
from the same playbook.

In the first days of the invasion, both the Russian military and hackers
were targeting Ukrainian media and communications.

“They bombed radio towers. They physically invaded and seized media
companies. And at the same time, they were engaged in cyber attacks on
media companies,” he said.

Russian hackers also launched a series of denial-of-service attacks on
official government websites and financial institutions, stirring panic
about the public’s ability to access official information as well as their
own bank accounts. Meanwhile, behind the scenes, Russians were targeting
European satellite company Viasat as well as several other satellites
across Europe, disrupting Ukrainian military communications temporarily.

Ultimately, those early, fairly unsophisticated public attacks were mostly
unsuccessful in achieving long-term effects. Websites were quickly brought
back online, and no one was prevented from withdrawing money for long.
Ukrainian military officials were able to rely on alternative methods of
communication. Even so, the attacks contributed to a sense of panic and
unease in the early days of the invasion.

Ultimately, Burt said, he believes Microsoft was able to alert Ukrainian
media companies, for example, in the early phases of those attacks and help
them install countermeasures.

“Russia has not been successful in shutting down media communications to
Ukrainian citizens,” he concluded.

Burt said that Microsoft has detected several examples of Russian hackers
stealing information about Ukrainian cities in espionage-style attacks
before launching physical attacks, likely in an effort to find information
valuable to troops on the ground.

There have also been combined cyberattacks and physical assaults on energy
and IT infrastructure, from nuclear power plants to tech companies, Burt
said.

More recently, Burt told NPR, Microsoft has seen Russia targeting Ukrainian
railways with both cyberattacks and missiles. In this phase of the
invasion, there’s an effort to disrupt Ukraine’s ability to resupply and
move vital goods around the country.

Additionally, Microsoft noted that Russia is even weaponizing the trauma
caused by their own military operations. Microsoft detected at least one
operation in which a Russian actor pretended to be a victim from Mariupol,
a sieged Ukrainian city, to try to spread disinformation about how
Ukrainian officials had abandoned the city in an effort to pressure
citizens to surrender.

“And so we see, again, of course, sponsoring both the cyberattack and the
kinetic attack in support of what is clearly a hybrid war where the
Russians are using all those resources in combination,” Burt said.

Working with Ukrainians on the front lines

On the ground in Ukraine, Ukrainian cybersecurity officials face a constant
barrage. On Tuesday, Ukrainian mobile communications operations in the
south in Kherson reported communication outages, which they linked to
Russia.

“It is not the first attempt to make it impossible for Ukrainian citizens
in the temporarily occupied areas to get in touch with their loved ones,
call an ambulance or rescuers, access the true information on the
developments in the war and the situation in the country,” representatives
from the Ukrainian State Service of Special Communication and Information
Protection said in a statement.

It’s a constant struggle. While Ukrainian officials were able to get
communications back online by routing internet traffic through a Russian
internet provider, according to NetBlocks, an organization that tracks
internet disruptions, that opens those communications up to even further
surveillance and disruption by Russia.

Burt recalled one instance where his team was trying to alert one Ukrainian
company to a possible cyberattack, when they received a message back that
the company couldn’t respond because the building was surrounded by Russian
tanks.

“If you are Ukrainian, this has been a relentless, unending cyber war that
has been launched in correspondence with the physical war in what is
clearly the world’s first major hybrid war,” said Burt.