
Russia-Ukraine CyberWar: One Year Later

One year ago today, Russia launched a massive combined arms ground, air, and sea assault against Ukraine, including a large cyber component designed to sow confusion among Ukrainian authorities. At the first anniversary, the initial takeaway is that the role played by cyber has not been as prominent as predicted for what has turned into the largest European land war since 1945.

Russia and Ukraine are still actively using their cyber troops to conduct a variety of attacks against their foe. Still, the impact of these incidents has taken a distant backseat to the kinetic warfare that has pulverized countless Ukrainian towns and cities.

The Trustwave SpiderLabs team has been at the forefront tracking and reporting on this activity.

When the war kicked off, concerns ran high that any cyberattacks launched in conjunction with the war might spill out and affect others. This concern resulted in Trustwave security and engineering teams immediately going on heightened alert and actively monitoring for malicious cyber activity associated with and adjacent to the escalating military conflict between Russia and Ukraine. This work continues, and Trustwave is still working closely with its clients worldwide to enhance cyber preparedness as the war continues.

Over the first several weeks of the conflict, Trustwave SpiderLabs uncovered several attack schemes. These included spearphishing attacks from Russian APTs against Ukraine's government offices designed to deliver the CobaltStrike and GraphSteel backdoors.

However, as the year progressed, Trustwave learned a tremendous amount about Russia and Ukraine's cyber capabilities. The primary takeaway is that cyberattacks don't seem to have played a decisive role in the conflict but likely helped supply each side with a tremendous amount of intelligence. While not as obvious as the results of shelling or rolling tanks, the intel gathered likely created opportunities for psyops to support one side or the other, as well as attacks on critical infrastructure and even one of the primary methods of communication in the modern era, the Internet.

With that said, there have been a few examples of cyberattacks having a physical impact. For example, a Russian attack on Ukraine's access to the Internet bricked tens of thousands of satellite modems in Ukraine and across Europe, with the likely intention of harming the Ukrainian military's ability to function in the first hours and days of the war. Additionally, malware targeting Ukraine's power grid was customized specifically for its targets, using reconnaissance likely done in an unobserved cyberattack.

Cyber's Impact on the War

The concern that one side or the other would initiate devastating cyberattacks at the start of the war did not come to fruition, particularly from the Russian side. Still, the lack of such a knock-out blow does not mean Russia's capabilities are lacking.

In fact, underestimating Russian cyber offensive capabilities is a mistake. While Ukraine has been Russia's cyber playground to try out various attack types over the years, one should not assume that the current cyber offensive and physical war against Ukraine is indicative of any weakness on Russia's part. Russia is also learning quite a lot from this incursion, so it may come out on the other side with skills practiced in the real world.

The types of attacks launched by both sides have ranged from phishing and misinformation campaigns to the HermeticWiper and IsaacWiper data wipers and Distributed Denial of Service (DDoS) attacks. For example, during the early phase of the war, Ukraine launched multiple DDoS attacks against Russian government and official sites, while at the same time other hackers, who communicated primarily on Telegram, targeted Ukrainian government and military officials and spread misinformation about what was truly taking place in Ukraine.

One might categorize KillNet, which uses DDoS attacks, and the IT Army of Ukraine's cyberattacks as low to mid-level and a nuisance, but repeated DDoS attacks on varying organizations and government agencies add another layer of problems to solve while simultaneously fending off and dealing with repercussions from Russia's kinetic attacks. While traditional "central command and control" may be loose or entirely missing in these cases, often these groups are leaned on for their chaos factor, which is a very low investment for an excellent return.

Russian Response to Outside Support for Ukraine

The amount of Western military hardware that has poured into Ukraine, along with political support for Ukraine, has been key to that nation's ability to not only fend off the initial onslaught but also claw back vast tracts of land initially occupied by Russian forces. This very public support, however, has angered not only the Russian government but also native Russian cyber groups, resulting in several launching attacks against the countries providing arms to Ukraine.

Some infamous cyber threat actors have been connected to Russian activity against Ukraine. As can be seen in an earlier SpiderLabs report, they include the following: 

  • APT29 - also known as Cozy Bear or The Dukes, attributed to the Russian Foreign Intelligence Service (SVR)
  • APT28 - also known as Fancy Bear or Sofacy, traced to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (formerly GRU) Unit 26165
  • SANDWORM - also known as Black Energy, tied to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (formerly GRU) Unit 74455
  • DRAGONFLY - also known as Energetic Bear or Crouching Yeti, identified as the Russian Federal Security Service (FSB) Unit 71330
  • GAMAREDON - also known as Primitive Bear or Armageddon, traced to the Russian Federal Security Service (FSB) in November 2021. The Security Service of Ukraine (SSU) successfully identified individuals behind Gamaredon, confirming their ties with the FSB
  • NoName057(16) - a hacktivist group that has been targeting NATO and Czech presidential election candidates’ websites recently
  • KILLNET - a pro-Russian hacktivist group active since at least January 2022, known for its DDoS campaigns against countries supporting Ukraine, especially NATO countries, since the Russia-Ukraine war broke out last year

During the last few months SpiderLabs has found hacktivist groups expanding their attacks to other countries including Poland, Slovakia, Czech Republic and Denmark targeting government ministries, power plants, banks, transportation, and NATO.

Belarus, which is allied with Russia, has increased its cyberactivity. On Jan. 17, 2023, the groups Infinity and Killnet, the former associated with Belarus, both claimed to have targeted the U.S. Internal Revenue Service last fall. The U.S. Treasury reported at the time that it had thwarted a DDoS attack by Killnet.

One of the earliest attacks, AcidRain, was timed for Russia's physical invasion of Ukraine in February. AcidRain was a targeted attack against modems accessing the Internet through Viasat's satellite network. Viasat is a satellite-based broadband service provider. The attackers gained access to Viasat's management network. They then used it to push the AcidRain malware to satellite modems and wipe those modems of essential software needed to operate and connect to the Internet properly.

Cyber Rules of Engagement

It seems counterintuitive, but war has written and unwritten rules. For example, Geneva Convention signatories promise that prisoners will be treated properly, with no torture, and that the wounded will be cared for. As the war and tactics have evolved over the past year, the conversation has turned to what type of cyberattack constitutes an attack that goes too far.

For cyberwar, there is the Tallinn Manual. Tallinn is an academic, non-binding study on how international law applies to cyber conflicts and cyber warfare.

How cyber activities now taking place in the Ukraine war will be viewed is still in flux.

As we know, crimes usually come before the laws that govern them. Threat actors innovate, and law enforcement has to draft and enact laws that mete out justice for the crimes or cybercrimes committed.

Hybrid warfare – cyber and kinetic attacks being waged simultaneously – is new to the warfare arena and will require organizations worldwide to be on guard to defend against attacks launched in support of either side of the conflict. These attacks may intentionally target non-belligerent entities, but the other possibility is being victimized by an attack that gets out of control, essentially becoming collateral damage.

The best way to stay safe is to ensure your organization is buttoned-down, that “all the doors and windows are locked” and to have a plan and security partner in place to respond if and when an attack occurs.


