Kaspersky experts observed significant signs and spikes in cyber warfare in the days and weeks pre-dating military conflict in Ukraine. The cybersecurity solutions company saw a massive wave of pseudo-ransomware and wiper attacks indiscriminately affecting Ukrainian entities on Feb. 24, 2022.
According to Kaspersky, some of these attacks were highly sophisticated. However, the volume of wiper and ransomware attacks quickly subsided after the initial wave, with a limited number of notable incidents subsequently reported. The latest analysis is part of the Kaspersky Security Bulletin (KSB), an annual series of predictions and analytical reports on key shifts within the cybersecurity world.
“From February 24 onwards, we’ve been puzzled with a question, if cyberspace is a true reflection of the conflict in Ukraine, it represents the pinnacle of a real, modern ‘cyberwar’,” Costin Raiu, director of Global Research & Analysis Team at Kaspersky, said in a media advisory. “Ransomware attacks observed in the first weeks of the conflict qualify as distractions at best. Kinetic attacks using missiles and unmanned aerial vehicles have once again proven to be a more effective method of targeting infrastructure than cyberattacks. Nevertheless, collateral damage and cyber risks have grown for organizations in nearby countries due to the conflict, requiring advanced defensive measures more than ever.”
According to the report, Europeans relying on the ViaSat-owned satellite faced major internet access disruptions on that date. This “cyber-event” started around 4h UTC, less than two hours after the Russian Federation publicly announced the beginning of a “special military operation” in Ukraine. The ViaSat sabotage once again demonstrates cyberattacks are a basic building block for modern armed conflicts and may directly support key milestones in military operations.
Types of cyberattacks
As the conflict has evolved, there is no evidence that the cyberattacks were part of coordinated military actions on either side. However, several main characteristics defined the 2022 cyber confrontation:
Hacktivists and DDoS attacks. The conflict in Ukraine has created a breeding ground for new cyber warfare activity from various groups, including cybercriminals and hacktivists, rushing to support their favorite side. Some groups such as the IT Army of Ukraine or Killnet have been officially supported by governments and their Telegram channels include hundreds of thousands of subscribers. While the attacks performed by hacktivists had relatively low complexity, the experts witnessed a spike in DDoS activity during the summer period, both in the number of attacks and in their duration. In 2022, an average DDoS attack lasted 18.5 hours, almost 40 times longer than in 2021 (approximately 28 minutes).
Hack and leak. More sophisticated attacks attempted to hijack media attention through hack-and-leak operations, which have been on the rise since the beginning of the conflict. Such attacks involve breaching an organization and publishing its internal data online, often via a dedicated website. This is significantly more difficult than a simple defacing operation, since not all machines contain internal data worth releasing.
Poisoned open-source repositories, weaponizing open-source software. As the conflict drags on, popular open-source packages can be used as a protest or attack platform by developers and hackers alike. The impact of such attacks can extend beyond the open-source software itself, propagating to other packages that automatically rely on the Trojanized code.
Fragmentation. Following the start of the Ukraine conflict in February 2022, many Western companies are exiting the Russian market and leaving their users in a delicate position when it comes to receiving security updates or support. Security updates are probably the top issue when vendors end support for products or leave the market.
“By going through all the events that followed military operations in cyberspace, we witnessed an absence of coordination between cyber and kinetic means, and in many ways downgraded cyber-offense to a subordinate role,” Kaspersky said.