Russian cyber attacks on Ukraine: What we know so far

A mockup image depicting a fractured relationship between Ukraine and Russia with cracks appearing across both flags

The conflict in Ukraine is a landmark one, not just because of its scale or longevity, but because of the dual fronts on which it is being fought. It's thought to be the first example of a war fought both kinetically - on the ground with guns and artillery - and in cyber space.

It represents a new frontier in warfare and international combat, with novel attacks being coordinated each day and the emergence of vigilante support groups on both sides showing the effectiveness of hacktivism.

Experts had been monitoring indicators of a potential war for months before Russia officially declared it had begun invading Ukraine. Now there are no indicators to suggest an end is in sight, and fears mount that the conflict could act as a pilot for more deadly cyber wars in the future.

Destructive wiper malware

One of the earliest and most devastating cyber attacks conducted by Russia in the war was the use of a wiper malware which was later dubbed Hermetic Wiper by security researchers. Cyber security research organisation ESET said that it observed data showing wiper malware had been deployed on “hundreds of machines” in Ukraine in the days after initially tracking the incident. The research group said data from the observed malware sample indicated that it may have been created in December 2021. The finding supported the thinking that Russia may have been planning the attack for months.

ESET said further investigations revealed that the attackers had likely taken control of the Active Directory server in victim machines. The wiper malware appeared to have been dropped via the default domain policy, it said.

Cisco Talos' analysis concluded that Hermetic Wiper starts by enumerating the system's physical drives and corrupting the first 512 bytes of each to destroy the master boot record, ensuring the PC will not function properly even if the malware fails part-way through its process. The program then analyses the individual partitions, disables the Volume Shadow Copy Service, and deploys different destructive mechanisms depending on the drive type: FAT or NTFS. Various housekeeping files are also targeted. It then waits for all sleeping threads to complete before rebooting the machine to finish the wiping process, the researchers said.
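The destruction of the first 512 bytes described above is also what an incident responder looks for when triaging a disk image from an affected machine. The following Python script is an added example, not code from the article or from Cisco Talos' analysis: it parses a 512-byte master boot record (boot code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) and reports the pattern such corruption leaves behind: a missing boot signature, a sector filled with a single repeated byte, an empty or implausible partition table, or overlapping entries. The two sample sectors are constructed in the script, and the checks are generic MBR-format checks rather than signatures for any particular wiper.

```python
"""Triage the first sector (MBR) of a disk image for wiper-style damage.

Added example for illustration; the sample sectors below are constructed
in-code and the checks are generic MBR-format checks, not malware signatures.
"""
import struct
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR
# Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
ENTRY_FORMAT = "<B3xB3xII"


def build_mbr(partitions: List[Tuple[int, int, int, int]],
              bootcode: bytes = b"\xeb\xfe") -> bytes:
    """Assemble a syntactically valid MBR from (status, type, lba_start, sectors)
    tuples. Used only to construct the sample sectors for this example."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        struct.pack_into(ENTRY_FORMAT, sector, off, status, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partitions(mbr: bytes) -> List[Dict]:
    """Decode the four partition entries, skipping all-zero (unused) slots."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, mbr, off)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(mbr: bytes) -> Dict:
    """Return structural findings for one 512-byte sector; 'healthy' means none."""
    findings: List[str] = []
    if len(mbr) < SECTOR_SIZE:
        return {"signature_ok": False, "partitions": [],
                "findings": ["sector shorter than 512 bytes"], "healthy": False}
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("boot signature missing")
    if len(set(mbr)) == 1:
        findings.append("sector is a single repeated byte (zeroed or pattern-filled)")
    partitions = parse_partitions(mbr)
    if not partitions:
        findings.append("partition table empty")
    for p in partitions:
        if p["status"] not in (0x00, 0x80):      # only 'inactive' and 'bootable' are legal
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            findings.append(f"partition {p['index']}: zero-length partition")
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return {"signature_ok": signature_ok, "partitions": partitions,
            "findings": findings, "healthy": not findings}


def assess_image(path: str) -> Dict:
    """Read the first sector of a raw disk image file and assess it."""
    with open(path, "rb") as fh:
        return assess_mbr(fh.read(SECTOR_SIZE))


# Constructed samples: an intact MBR with two NTFS (type 0x07) partitions, and a
# first sector overwritten with a repeated junk byte, as a wiper might leave it.
HEALTHY_MBR = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)])
WIPED_MBR = bytes([0xCC]) * SECTOR_SIZE

if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY_MBR), ("wiped", WIPED_MBR)):
        result = assess_mbr(sector)
        print(name, "healthy" if result["healthy"] else "DAMAGED", result["findings"])
```

Run against a real image with `assess_image("/path/to/image.dd")`; a missing signature together with a pattern-filled sector is the strongest indicator that the boot record was overwritten rather than merely misconfigured.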


Wiper malware was one of the key trends expected to define cyber warfare in 2022, as outlined by Maya Horowitz, director of threat intelligence and research products at Check Point, speaking to IT Pro in January.

“In some cases, especially around hacktivists, they don’t really want to invest in doing all of the encryption [involved in ransomware], it’s just easier to ruin the machines, not being able to restore them,” she said.

“Wipers are also very relevant when it comes to hacktivists and we’re seeing more cyber hacktivists these days, so we’ll probably see more wipers as well.”

Malware aplenty

Destructive wiper malware was used against Ukraine in the first few months of the conflict but since the initial scourge, there have not been any significant developments in its use - or they simply have not been made public.

That isn’t to say that malware hasn’t been integral to Russia’s strategy in cyber space, though. Most recently, the US Cyber Command warned of 20 new strains of malware found to be targeting systems in Ukraine, supplementing the myriad DDoS attacks, phishing attempts, and other tactics deployed against Ukraine.

The swathe of malware strains was discovered through the increased intelligence-sharing efforts between Ukraine and the US on matters related to cyber security. With fears that Russia may be using the ongoing conflict as a means of creating a ‘blueprint’ for succeeding in a cyber war, allied nations will consider every analysis of Russia’s strategy important to preventing hostile nations from prevailing in future battles.

Phishing has been a core pillar of Russia’s cyber offensive throughout the conflict and it continues to be a platform through which it attempts to infect targets with malware. Cyber security company Mandiant revealed recently that the malware strains identified by Ukraine and the US Cyber Command are often dropped through phishing attacks - operations run by what it believes to be two threat groups: UNC1151 and UNC2589.

Mandiant believes that UNC1151 is linked to the Belarusian government - one with close ties to Russia. UNC2589 is thought to be taking orders from the Russian government, with most of its efforts being targeted against Ukraine and Georgia since its inception in 2021, and it has also been attributed as the main actor behind the destructive wiper malware.

The types of lures used in the two groups’ phishing campaigns vary but have been typically themed around evacuation warnings, wages, and anti-virus messages, Mandiant said. Malware dropped as a result then goes on to harvest files, steal credentials, remotely execute files, and capture keystrokes and screenshots, among other capabilities.

Distributed denial of service attacks

Distributed denial of service (DDoS) attacks are perhaps the most common form of cyber attack observed in the war, still to this day. Initial reporting on the conflict suggested a number of Ukrainian government departments had been hit by DDoS attacks over the course of several weeks, with an additional surge occurring weeks later. Cloudflare stepped in to provide DDoS protection to the nation's public services and said the peak of the activity occurred in January. These were just the start of a barrage of attacks that would ultimately be led by hacktivists on either side.

Cloudflare data seen by IT Pro revealed inconsistent increases in traffic against Ukraine starting from December and eventually peaking on 22 January 2022. The traffic into Ukraine was around twice as high between December 2021 and January 2022 compared to October-November 2021, and around four times more than during the same period a year earlier.

The DDoS attacks on Ukraine's public services followed a number of incidents that occurred between 15-16 February, which saw the Ukrainian banking sector targeted with similar denial of service attacks. The UK’s Foreign, Commonwealth & Development Office (FCDO) and National Cyber Security Centre (NCSC) later officially attributed the attacks to the Russian Main Intelligence Directorate (GRU), saying it was “almost certainly involved”.

“The attack showed a continued disregard for Ukrainian sovereignty. This activity is yet another example of Russia’s aggressive acts against Ukraine,” said an FCDO spokesperson at the time.

An example of hacktivist groups using DDoS attacks to stymie the enemy is the IT Army of Ukraine - a standout pro-Ukraine group of a type not seen before. Assembled through the Telegram messaging platform, the group has hundreds of thousands of members who take instructions from group leaders on a daily basis. These instructions include IP addresses of Russian targets and easy-to-use tools to launch coordinated DDoS attacks using the entire group's computational resources. The type of target varied wildly from day to day, but all industries in Russia have been targeted multiple times throughout the war.

The group was formed shortly after a senior Ukrainian Defence Ministry official was thought to have instructed a private sector cyber security partner to rally groups of ethical hackers to launch an offensive against Russia in cyber space, on behalf of the Ukrainian government, according to a Reuters report. Enthusiastic ethical hackers based in Ukraine were allegedly asked to enrol in the initiative via a Google Docs form, listing their areas of expertise and professional preferences.

They would then be separated into teams dedicated to attack and defence, the latter of which would be charged with protecting critical infrastructure – a key concern following Russia's 2015 attack on Ukraine, which cut power to hundreds of thousands of Ukrainian nationals.

The Ukrainian Center for Strategic Communications tweeted: "the Supreme Commander-in-Chief of the Armed Forces of Ukraine gave orders to inflict the maximum losses to the aggressor", shortly after the invasion was confirmed.

Damage beyond borders

Allied cyber security experts were warning from the outset of the conflict that the cyber attacks could become so powerful that the aftershocks may be felt outside of Ukraine.

Those predictions came true earlier this year after Russia’s attack on Viasat, which took place merely hours before the war officially started, spilt over into the rest of Europe.

Individuals experienced internet issues and outages throughout the continent and wind farms in neighbouring countries were also reported to be affected. It was the first major attack in the war and one that ultimately set the tone for the following months of shocking warfare - the first example of a war fought both kinetically and in cyber space.

Hacktivism: Attacks on public services

Another recurring theme of the war is the repeated attempts from both Russia and Ukraine to disrupt public services and broadcasting in the opposing country.

Ukraine, or actors pledging allegiance to Ukraine, initially saw the most success in the early weeks, as Belarus’ rail network was hacked at a time when Russia was reportedly sending troops and weaponry via rail to the Ukrainian border from inside Belarus. Hackers claimed to have encrypted a large proportion of the railway’s servers and destroyed its backups, but ultimately did little to slow the mobilisation of Russian forces.


Weeks later, long-standing hacking group Anonymous claimed to have breached a number of Russian television networks, replacing scheduled news coverage with genuine footage from the war inside Ukraine. This attack was conducted out of fear that Russia was misleading its people over the true nature of and context around its decision to invade Ukraine. Hacktivists' attempts to stifle Russian disinformation, while deemed noble by many onlookers, were soon criticised by some experts who said the attacks were perhaps having the opposite effect. Russian civilians could instead perceive the forceful attempts to feed them alternative information as a reinforcement of the behaviours the Russian government warned them about.

Most recently, Russia struck back, in kind. It was reported in late July that Ukrainian radio network TAVR Media experienced a cyber attack, during which pro-Russia actors hijacked broadcasts to falsely communicate that Ukrainian president Volodymyr Zelenskyy was in a critical condition following an illness. The president was quick to reassure the nation that it wasn’t the case and reportedly reminded listeners that he was 44 years old and not the “elderly” 70 years - the age of Russia’s leader Vladimir Putin.

Historical learnings

Chester Wisniewski, principal research scientist at Sophos, discussed similar events that have occurred in the past and what they may indicate about how the future of this cyber warfare will unfold.

Wisniewski said Russia’s experience with DDoS dates back to 2007, when it launched such attacks on Estonia after the country moved a statue commemorating the Soviet Union’s liberation of Estonia from the Nazis to a less prominent location, an act which sparked protests in Moscow.

Russia also carried out DDoS attacks in 2008 against Georgia before it invaded a region of the country, he said. Russia’s telltale method of operations was once again visible in the attacks in the war's opening few weeks, according to Wisniewski, who added that the attacks were unlikely to stop any time soon.

“Regardless of whether things continue to escalate, cyber operations are sure to continue,” he said. “Ukraine has been under a constant barrage of attacks with varying degrees of peaks and troughs since Viktor Yanukovych was deposed in 2014.

“False flags, mis-attribution, disrupted communications, and social media manipulation are all key components of Russia’s information warfare playbook. They don’t need to create a permanent cover for activities on the ground and elsewhere, they simply need to cause enough delay, confusion and contradiction to enable other simultaneous operations to accomplish their objectives.”

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.