War brought big spikes in cyberattacks on Ukraine, NATO allies, Google says
The latest analysis of Russia-backed hacking campaigns against Ukraine and its international supporters shows big increases in the number of digital attacks intended to support the Kremlin’s war on the ground.
Russia-linked groups expanded their cyberattacks in Ukraine by 250% last year compared to prewar 2020, while attacks on NATO countries increased by more than 300% over the same period, according to a report released Thursday by Google’s Threat Analysis Group and its Mandiant cybersecurity division.
Russia hoped to gain a wartime advantage through cyberspace by gathering more intelligence, destroying victims' networks and shaping war-related narratives in Moscow’s favor, the report said. Most of these efforts reportedly have had little impact, however, as Ukraine has significantly improved its cyberdefenses and received support from companies around the world, including Google.
But as the war approaches its one-year anniversary on February 24, Russian cyberattacks are only expected to increase, Google said.
“We assess with high confidence that Russian government-backed attackers will continue to conduct cyber attacks against Ukraine and NATO partners to further Russian strategic objectives,” the researchers said.
And as Ukraine continues to make progress on the battlefield, the cyberattacks are likely to become more aggressive, the report said.
So far, Russia has failed to achieve its main goal in Ukraine: capturing the capital, Kyiv, and other large cities including Zaporizhzhia and Kharkiv. The war has likely depleted Russian equipment and manpower reserves significantly, according to the Institute for the Study of War. U.K. Defense Secretary Ben Wallace said Russia may have committed up to 97% of its army to the fight in Ukraine and that its combat effectiveness has fallen by 40%.
Hacker groups targeting NATO
In Ukraine, pro-Russian hackers mostly targeted state and military services, critical infrastructure facilities and the media, the Google report said.
Ukraine's allies, especially NATO members, have also been an important target for the Kremlin-supported attackers.
In a recent Microsoft report on the state of the cyberwar, researchers noted that Russian hackers have focused on governments, especially among NATO members, but have also attacked think tanks, humanitarian organizations, IT companies, and energy and other critical infrastructure suppliers.
A report by the Atlantic Council said that in addition to disrupting and disabling government bodies and vital infrastructure, Russian cyberattacks in Ukraine have also sought to manipulate public opinion and spread malware via compromised email accounts.
Google said that some of the most active hacking groups during the war have been Fancy Bear, Turla Team, Callisto Group and the Belarusian group Pushcha:
• Fancy Bear, or APT28, is responsible for most of the cyberattacks on NATO countries. This group is allegedly controlled by the Russian military intelligence service (GRU) and is also responsible for the attack on the U.S. Democratic National Committee during the 2016 elections and the breach of the World Anti-Doping Agency.
Throughout the war, Fancy Bear has conducted widespread phishing campaigns to collect information about its victims, Google said. The group has also relied on opportunistic access and on footholds gained in earlier intrusions to conduct its attacks, according to the report.
In May 2022, Fancy Bear targeted users in Ukraine with a new variant of credential-stealing malware. In June, the group launched another campaign targeting users of the ukr.net and gov.ua domains.
• Belarus-backed Pushcha, or UNC1151, mostly targeted NATO members Poland, Latvia, Germany and Lithuania last year. The attackers conducted credential phishing campaigns against political and defense-related targets, as well as NGOs and organizations assisting Ukrainian refugees.
• Callisto Group, also known as Cold River, Seaborgium or TA446, targeted the militaries of multiple European countries, as well as a NATO Centre of Excellence, U.S.-based NGOs, think tanks, government officials, politicians and journalists, with phishing and hack-and-leak campaigns.
In July 2022, Callisto Group conducted a hack-and-leak operation targeting the U.K. Between August and September 2022, the group also targeted three U.S. nuclear research labs, creating a fake login page for each lab and emailing nuclear scientists in an attempt to trick them into entering their passwords.
• Turla Team is one of the oldest threat actors targeting defense and cybersecurity organizations in NATO countries. The group uses advanced methods and focuses on data theft, the report said.
Shifting priorities
The cyberwar between Ukraine and Russia has triggered “a notable shift” in the global cyber ecosystem, Google said. Hackers have split over political allegiances and geopolitics, changing their priorities and targeting.
Russia’s invasion mostly affected hackers in Eastern Europe, but it also affected China, as Chinese government-backed attackers shifted their focus toward Ukrainian and Western European targets to gather intelligence on the conflict.
A China-linked group called Curious Gorge, for example, has moved from long-running campaigns against Russia and Mongolia to Ukrainian government organizations. As the war continued, Curious Gorge also targeted multiple Russian defense contractors and manufacturers and a Russian logistics company.
Another Chinese group, Mustang Panda, expanded its cyberattacks on Ukrainian and NATO governments, shifting from primarily Southeast Asian targets.
Another major change occurred in the global cybercrime ecosystem, Google said: Russia’s cyberwar in Ukraine has blurred the lines between financially motivated and government-backed hackers in Eastern Europe. Some criminal groups have changed their targeting to align with regional geopolitical interests, while government-backed groups have adopted some tactics and services associated with financially motivated threat actors.
The former Conti cybercrime gang, for example, targeted Ukrainian public and private organizations and European humanitarian and nonprofit organizations. Hackers are also increasingly experimenting with techniques such as new delivery channels and unconventional file lures to increase the success rate of ransomware campaigns.
Financially motivated actors also borrow techniques that have worked in other campaigns. The Zloader and IcedID malware families, for example, have both been distributed through malvertising, and Qakbot and Emotet have used the same document builder service to craft their malicious documents.
These overlaps complicate and slow definitive attribution, the report said.
Information operations
Russia’s information operations have three goals: to undermine Ukrainian government entities, to fracture international support for Ukraine and to maintain domestic support in Russia for the war.
Google said it disrupted over 1,950 instances of Russian information activity across its platforms in 2022.
The campaigns primarily focused on maintaining Russian domestic support for the war in Ukraine and were guided by Russian intelligence.
Google said that some self-described Russian hacktivist groups, which pose as independent and ideologically motivated movements, are suspected of having ties to the Russian intelligence services.
Information operations by the Russian Internet Research Agency and Krymsky Bridge groups accounted for the overwhelming majority of Google’s takedowns in 2022.
Narratives Google saw from these actors included that Russia was saving Ukraine from Nazis; that the U.S. and NATO had instigated the conflict; and that Russia was neither afraid of nor affected by sanctions.
Groups like Ventbridge, News Front, ANNA News and UKR Leaks affiliated with Russian intelligence focused on both Russian and foreign audiences, Google said.
In their information campaigns, Russian groups mostly tried to impersonate legitimate users or act as self-described news entities.
The researchers also noted a link between Russian destructive malware attacks, espionage and information operations. This is likely “the first instance of all three being conducted simultaneously by state actors in a conventional war,” according to the report.
“We assess with moderate confidence that Russia will continue to increase the pace and scope of information operations, particularly as we approach key moments like international funding, military aid, domestic referendums, and more,” Google said.
“What’s less clear is whether these activities will achieve the desired impact, or simply harden opposition against Russian aggression over time.”
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.