Microsoft calls upon Ukrainian organizations to prepare for a Russian cyber offensive this winter

Microsoft identified that, in the wake of Russian battlefield losses to Ukraine, Moscow has intensified its multi-pronged hybrid technology approach to pressure the sources of Kyiv’s military and political support, domestic and foreign. The approach has included destructive missile and cyber strikes on civilian infrastructure in Ukraine, cyberattacks on Ukrainian and now foreign-based supply chains, and cyber-enabled influence operations. The attacks are primarily intended to undermine the U.S., European Union (EU), and NATO political support for Ukraine, and to shake the confidence and determination of Ukrainian citizens.

Bearing these factors in mind, Microsoft believes that recent trends suggest that the world should be prepared for several lines of potential Russian attacks in the digital domain throughout the winter. 

“First, we can expect a continuation of Russia’s cyber offensive against Ukrainian critical infrastructure,” Clint Watts, general manager for digital threat analysis center at Microsoft, wrote in a company blog post. “We should also be prepared for the possibility that Russian military intelligence actors’ recent execution of a ransomware-style attack—known as Prestige—in Poland may be a harbinger of Russia further extending cyberattacks beyond the borders of Ukraine. Such cyber operations may target those countries and companies that are providing Ukraine with vital supply chains of aid and weaponry this winter.”

Watts added that secondly, “we should also be prepared for cyber-enabled influence operations that target Europe to be conducted in parallel with cyber threat activity. Russia will seek to exploit cracks in popular support for Ukraine to undermine coalitions essential to Ukraine’s resilience, hoping to impair the humanitarian and military aid flowing to the region. The good news is that, when equipped with more information, a media-savvy public can act with awareness and judgment to counter this threat.”

The post further identified that as Russia retreated from formerly occupied territory in Ukraine in late October, the Kremlin unleashed new missile and drone strikes against Ukrainian cities and the energy and transportation infrastructure that supports them. “Missile barrages cut power to more than 10 million Ukrainians and left up to 80% of Kyiv’s population without running water. The intent to inflict suffering on Ukraine’s civilians has been clear, and was effectively acknowledged by Russian officials,” it added.

“Notably, these recent missile strikes have been accompanied by cyberattacks on the same sectors, perpetrated by a threat group—known at Microsoft by the element name IRIDIUM and by others as Sandworm—associated with Russia’s military intelligence service, the GRU,” Watts wrote. “The repeated temporal, sectoral, and geographic association of these cyberattacks by Russian military intelligence with corresponding military kinetic attacks indicates a shared set of operational priorities and provides strong circumstantial evidence that the efforts are coordinated.”

Microsoft’s research of IRIDIUM shows a history of destructive attacks against Ukraine’s critical energy infrastructure that dates back nearly a decade. Following Russia’s annexation of Crimea in 2014, IRIDIUM launched a series of wintertime operations against Ukrainian electricity providers, cutting power to hundreds of thousands of citizens in 2015 and 2016. The group’s pursuit of destruction in Ukraine spread globally in 2017 with the NotPetya attack, which inflicted $10 billion of damage to companies including international firms such as Maersk, Merck, and Mondelēz, and underscores the risk of this actor’s operations to the global digital ecosystem.

Watts said that the wave of Russian destructive cyberattacks that began on February 23, along with the subsequent destructive attacks against Ukrainian targets in support of the Russian war effort, has been the responsibility of IRIDIUM. “In October, IRIDIUM’s destructive attacks against Ukrainian critical services networks spiked, after two months of little to no wiper activity.”

As the Ukrainian counteroffensive progressed and winter approached, Microsoft observed that IRIDIUM deployed Caddywiper and FoxBlade wiper malware to destroy data from networks of organizations involved in power generation, water supply, and the transportation of people and goods, according to Watts. “The predominant focus was on the Kyiv region, as well as the southern and central-eastern regions of the country, where the physical conflict has been the most intense,” he added.

Watts identified that the tactic of targeting civilian infrastructure has been in play since the beginning of the conflict. “Of the roughly 50 Ukrainian organizations that Russian military operators have hit with destructive wiper malware since February 2022, 55 percent were critical infrastructure organizations, including in the energy, transportation, water, law enforcement and emergency services, and health care sectors,” he added.

In most instances, threat actors have deployed wipers against the business networks of the targeted critical infrastructure organizations. However, operational technology (OT) networks are also vulnerable. For example, IRIDIUM attempted to inflict severe damage on energy production in April by targeting the industrial control systems (ICS) of a Ukrainian energy provider.

“Quick action by CERT-UA and international partners thwarted the attack, but the risk of future ICS attacks that would disrupt or destroy the productive capacity of Ukrainian power or water infrastructure is high,” according to Watts.

Russian cyber strikes extended outside Ukraine in October when IRIDIUM deployed its novel Prestige ransomware against several logistics and transportation sector networks in Poland and Ukraine. This was the first war-related cyberattack against entities outside of Ukraine since the Viasat KA-SAT attack at the start of the invasion.

The Prestige event in October may represent a measured shift in Russia’s cyberattack strategy, reflecting a willingness by Moscow to use its cyberweapons against organizations outside Ukraine in support of its ongoing war. Since spring 2022, Microsoft has observed that IRIDIUM and suspected Russian state operators have targeted transportation and logistics organizations across Ukraine in probable attempts to collect intelligence on, or disrupt, the flow of military and humanitarian aid through the country.

“But these recent attacks in Poland suggest that Russian state-sponsored cyberattacks may increasingly be used outside Ukraine in an effort to undermine foreign-based supply chains,” according to Watts.

Noting that IRIDIUM’s success in the Prestige destructive attack was limited, Watts added that early customer notifications and rapid response along with local incident responders in Poland reportedly helped contain the attack’s impact to less than 20 percent of one targeted organization’s network. However, while the destructive impact was limited, IRIDIUM almost certainly collected intelligence on supply routes and logistics operations that could facilitate future attacks.

Perhaps in part because the impact was successfully limited by the defenders and responders in this instance, the international outcry against this new extension of the hybrid war beyond the borders of Ukraine has been muted. Nevertheless, this attack highlights the continued risk of Russian destructive cyberattacks on European organizations that directly supply or transport humanitarian and military assistance to Ukraine.

Watts assesses that in the coming months, European nations will likely be subjected to a range of influence techniques tailored to their populations’ concerns about energy prices and inflation more broadly. “Russia has and will likely continue to focus these campaigns on Germany, a country critical for maintaining Europe’s unity and home to a large Russian diaspora, seeking to nudge popular and elite consensus toward a path favorable to the Kremlin,” he added. 

Strong connections between Kremlin-affiliated ideologues and Germany’s far-right will likely be leveraged both online and offline in campaigns targeting German audiences with hardline narratives on the war in Ukraine as well as criticism of the government’s handling of the energy crisis, according to Watts.