February 24, 2023 marks one year since Russia invaded Ukraine, starting a conflict that has killed more than 8,000, injured more than 13,300, and displaced more than 14 million people in the past year, according to the UN. Physical warfare between Ukraine and Russia has been accompanied by cyberwarfare between the two countries. This blog post focuses on cyberwar, particularly what we can learn from the past year.
Observations
Attacks primarily target government agencies and critical infrastructure
The majority of Russian attacks over the past year targeted military and government agencies and critical infrastructure, especially telecommunications providers and energy companies. Other attacks were more broadly targeted at companies and individuals in Ukraine and their allies throughout the world. Meanwhile, the majority of Ukrainian attacks were targeted at Russian government institutions, with attacks focused on taking down Russian websites, disrupting financial services, and disrupting misinformation campaigns.
Phishing is the primary infiltration technique used for the majority of attacks
The most common infiltration technique used in the cyberwar has been phishing, with both sides using targeted spear phishing campaigns, often accompanied by file-based exploits or other malicious payloads. Phishing is popular in cyberwar because it is simple, low-risk, effective, and versatile. A well-crafted and targeted phishing message delivered via messaging app, SMS, email, social media, or another channel can be used against practically any type of target. After a successful phish, attacks typically focus on espionage or sabotage.
Espionage and sabotage are the primary objectives
In cyberwar, espionage and sabotage are the primary objectives. In the past year, espionage has typically taken the form of RATs and infostealers, while sabotage has typically taken the form of DDoS attacks, ransomware, and wipers. Throughout the year, many Russian wipers emerged to target Ukraine, including WhisperGate, HermeticWiper, IsaacWiper, and others. One recent ransomware attack used a new ransomware family, Prestige, to target logistics and transportation sectors in Ukraine and Poland.
15% of attacks target other nations, primarily allies
While approximately 85% of attacks have been targeted at individuals or organizations within Russia or Ukraine, the remaining 15% have been targeted primarily at allies throughout the world. Like the attacks within Russia and Ukraine, attacks on targets in other nations have also targeted critical infrastructure and government agencies.
The most significant breakout attack of the Russo-Ukrainian war happened in 2017 with NotPetya, a Russian wiper targeted at Ukraine that ended up infecting systems throughout the world, including companies Maersk and Merck, and causing an estimated $10 bill