A year ago, on February 24, 2022, the Russian Federation launched a full-scale invasion of Ukraine, which has grown into the biggest land war in Europe since World War II, causing tens of thousands of deaths and forcing millions of Ukrainians to flee their homes. The invasion, which Moscow calls a “special military operation” seeking the “demilitarization” and “denazification” of Ukraine, was met with fierce resistance from both Ukraine’s army and the country’s citizens.
The war in Ukraine is fought on more than one level: on the physical battlefield and, likewise, in cyberspace. Ukraine had been the target of Russian cyber operations and cyber-enabled information campaigns for years, but after the February invasion Russian attacks intensified significantly. According to the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), Russian threat actors launched over 1,500 cyberattacks against Ukrainian entities over the course of the year.
IT Army of Ukraine
Mere days after the invasion started, the Vice Prime Minister of Ukraine and Minister of Digital Transformation, Mykhailo Fedorov, called on volunteer hackers worldwide to help mount a defense against Russia's cyberattacks, and thousands answered his call. Thus the IT Army of Ukraine was born.
Initially, this army was formed without a clearly structured, proven plan, but it later evolved into a hybrid construct that is government-backed yet led almost entirely by civilians.
To date, the IT Army consists of two parts: a Telegram channel that, as of the time of writing, had nearly 200,000 followers, where new Russian targets (primarily civilian) are listed for volunteers to launch coordinated DDoS attacks against, and an in-house team, likely consisting of Ukrainian defense and intelligence personnel, that has been experimenting with and conducting complex cyber operations against specific Russian targets.
In addition, the IT Army also includes an ecosystem comprised of Ukrainian-owned IT companies and people located outside of Ukraine, as well as Ukrainians living in Ukraine working for Western companies. This ecosystem has been continuously creating new tools and guides, identifying new targets, and fulfilling other intelligence support functions to fortify Ukraine’s offensive efforts in cyberspace.
On February 28, 2022, the IT Army took down the Moscow Stock Exchange website, rendering it inaccessible just five minutes after the attack was launched. The IT Army also claims to have taken down the website of Sberbank, the largest bank in Russia; that attack is said to have interrupted payment system services and caused a small loss of funds, but had no major lasting impact.
Ever since it was launched, the IT Army has claimed multiple high-profile Russian victims, including Mvideo, a large Russian consumer electronics chain; QIWI, a popular Russian payment service provider; Asna, a network of more than 10,000 pharmacies in Russia; EGAIS, the Russian government’s unified state automated alcohol accounting information system; Gazprombank, one of the main channels for payments for Russian oil and gas; Alfa-Bank, one of Russia's top private lenders; the Central Bank of Russia; VTB, the second largest bank in Russia; and others.
The IT Army was also reportedly behind a May 2022 cyberattack on RuTube, a major Russian video hosting platform designed as a Kremlin-friendly rival of YouTube, which rendered the service inoperable for three days. At the time, RuTube called the incident the “largest cyberattack” it had ever seen.
On October 20, 2022, the IT Army of Ukraine launched a DDoS attack against Russia’s Federal Tax Service, blocking Russian taxpayers from submitting tax forms and retrieving documents, and interrupting communications with the service.
In January 2023, the IT Army announced it had gained access to a 1.5 GB archive belonging to the Russian energy giant Gazprom. The archive is said to contain some 6,000 files related to the company’s financial and economic activities.
In cooperation with other hacktivist groups around the globe, such as Anonymous and the Poland-based Squad 303, the IT Army disrupted the St. Petersburg International Economic Forum (often called “Russia’s Davos”), delaying Russian President Vladimir Putin’s opening address by more than an hour, released what it described as military plans, and interrupted Russia’s central television news with its own dispatches from the war.
According to Georgii Dubynskyi, Ukraine’s deputy minister of digital transformation, the IT army has executed cyberattacks on over 8,000 Russian resources, successfully targeting the defense industry and countering disinformation campaigns by state-sponsored outlets.
In his speech to the G20 in November 2022, Ukrainian President Volodymyr Zelensky said that the IT Army had successfully stopped more than 1,300 Russian cyberattacks.
Russia’s digital warfare
Ukraine has been the constant target of Russian cyberattacks since 2014, when the Kremlin unilaterally annexed the Crimean Peninsula, prompting Kyiv to strengthen the country’s cyber defense.
According to the SSSCIP, Ukrainian cyber defenders detected and analyzed more than 1,500 cyberattacks launched by threat actors against Ukraine since Russia unleashed war on the country.
As a precursor to the military onslaught, the first major cyberattack took place in mid-January 2022, more than a month before Russian troops crossed Ukraine’s borders. The assault targeted more than 20 Ukrainian government institutions: around 70 government websites, including those of the Ministry of Foreign Affairs, the Cabinet of Ministers, and the National Security and Defense Council, were defaced or taken offline. On February 15, another cyberattack took down multiple government and bank services, including the websites of the Ukrainian Defense Ministry and the Armed Forces as well as two large Ukrainian banks, Privatbank and Oschadbank.
A separate, destructive cyberattack occurred around the same time, first spotted on January 13. Malware was installed on devices belonging to “multiple government, non-profit, and information technology organizations” in Ukraine. While the malware, dubbed “WhisperGate”, was disguised as ransomware, it had no recovery mechanism, indicating an intent simply to destroy data rather than encrypt it for ransom.
According to a recent report from Google’s Threat Analysis Group (TAG), Russian state-backed threat groups increased their hacking attempts against Ukraine last year by 250% compared with 2020, with Ukraine’s ministries of Defense and Foreign Affairs and the National Agency for Service among the top targets. The observed campaigns were focused not only on Ukrainian government and military entities, but also on critical infrastructure, utilities and public services, and the media and information space.
Most experts expected Russia to unleash sophisticated disruptive attacks like the infamous 2017 NotPetya campaign, in which a wiper was disguised as ransomware, or the December 2015 attack on Ukraine’s power grid. Indeed, security researchers observed at least six unique strains of wiper malware (malware designed to destroy data), some with multiple variants, but the attacks, by and large, had no lasting impact.
In April 2022, Sandworm, a Russia-linked advanced persistent threat group (APT) believed to be a unit of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU), targeted an unnamed energy provider in Ukraine with Industroyer2 - a new variant of the infamous Industroyer malware the group used in a 2016 cyberattack with the goal of cutting power supply in Ukraine.
In the April case, Sandworm (aka Quedagh, Voodoo Bear, TEMP.Noble, Iron Viking, G0034, Electrum, TeleBots, Iridium, Blue Echidna, Frozenbarents) made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine. In addition to Industroyer2, Sandworm used several destructive malware families including CaddyWiper, Orcshred, Soloshred and Awfulshred.
A few months later, Sandworm used a previously unknown wiper called “NikoWiper” in an attack targeting the energy sector in Ukraine. More recently, another wiper, dubbed “SwiftSlicer,” was discovered in a Sandworm attack against a Ukrainian organization.
Russia’s offensive against Ukraine combines kinetic military operations with cyberattacks on Ukrainian civilian infrastructure, which may constitute war crimes because they directly affect Ukrainian civilians.
According to SSSCIP’s chief digital transformation officer Victor Zhora, Ukrainian authorities are gathering evidence of cyberattacks linked to military strikes to share with the International Criminal Court (ICC) in The Hague, in an effort to support potential prosecutions of Russia's actions. Case in point: in July 2022, Russian hackers targeted the infrastructure of DTEK Group, Ukraine's largest energy holding company, at the same time as a Russian missile strike on the Kryvorizka thermal power plant.
Similar coordinated activity was observed in Odesa, Lviv, and Mykolaiv, where shelling was supported with cyberattacks on local authorities, websites, or on local internet service providers.
In addition to attacking government bodies and vital infrastructure, Russia’s digital warfare in Ukraine has also sought to manipulate public opinion, spread malware via compromised email accounts, and disrupt media outlets. The most recent example is a January 2023 Sandworm attack on the National Information Agency “Ukrinform,” in which the hackers deployed at least five wiper strains, including CaddyWiper and Awfulshred.
There were also several ransomware campaigns over the last year attributed to Russian hackers, which deployed never-before-seen strains such as RansomBoggs (Sandworm), Prestige (Iridium aka DEV-0960), and Somnia (FRwL aka Z-Team and UAC-0118).
Most of the destructive cyber campaigns reported during the Russia-Ukraine war have been linked by cybersecurity researchers to the GRU. At the same time, multiple Russia-nexus cyber operations were aimed at gathering strategic intelligence related to the conflict.
Such operations were notably conducted by FSB-operated intrusion groups (Armageddon/Gamaredon, Callisto and Turla) or SVR-operated ones (APT29/Nobelium), targeting sectors such as diplomacy, logistics, NGOs, NATO-related entities, and strategic research.
Some Russian hacker groups “intensified” their ongoing attacks on Ukraine over the course of 2022, while others, such as ColdRiver (aka Callisto Group, Seaborgium, TAG-53), shifted their focus toward Ukraine.
The Armageddon APT (also known as Gamaredon, Trident Ursa, UAC-0010, Primitive Bear, or Shuckworm) is considered one of the major threats to Ukraine. Active since at least 2014, the group is believed to be linked to Russia’s Federal Security Service (FSB) and is one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine. The threat actor uses phishing emails to distribute malware and passes access to compromised networks, along with collected intelligence, to other threat actors.
Despite the significant level of cyber operations coming from both Russia and Ukraine, the world's first large-scale cyberwar has not introduced new “types of weapons” into cyberspace; it relies instead on previously known techniques. Nevertheless, Russia’s war in Ukraine offers valuable lessons for other military cyber commands, which can use this insight to develop strategies for future armed conflicts.