
January 2, 2023

Study by Kaspersky shows cyberwarfare in Ukraine conflict


In their most recent study, Kaspersky’s experts examine cyberspace actions related to the Ukrainian crisis, their significance in light of the ongoing conflict, and their influence on the cybersecurity industry. This article is a part of the Kaspersky Security Bulletin (KSB), a yearly collection of forecasts and investigative reports on significant changes in the cybersecurity industry.

2022 was marked by a 20th-century-style military conflict that brought uncertainty and some serious risks. Several cyber events that took place during the conflict turned out to be very significant.

The report, prepared by Kaspersky researchers within the annual Kaspersky Security Bulletin, tracks every stage of the armed conflict in Ukraine, the events that have taken place in cyberspace, and how they correlated with on-the-ground operations.

Before the military conflict began, major spikes and signs were seen in cyber warfare. On February 24, 2022, a large wave of wiper and pseudo-ransomware attacks hit Ukrainian entities without discrimination. After the initial wave, wiper and ransomware attacks decreased significantly, with a few being reported. Groups that were ideologically motivated and showed themselves in the attack are now inactive.

On February 24, Europeans relying on the ViaSat-owned satellite faced major internet access disruptions. This “cyber-event” started around 4h UTC, less than two hours after the Russian Federation publicly announced the beginning of a “special military operation” in Ukraine. The ViaSat sabotage once again demonstrates that cyberattacks are a basic building block for modern armed conflicts and may directly support key milestones in military operations.

As the conflict has progressed, there has been no proof that the cyberattacks were part of planned military operations on either side.

However, some main characteristics defined the 2022 cyber confrontation:

  • Hacktivists and DDoS attacks: The conflict in Ukraine has created a breeding ground for new cyberwarfare activity from various groups, including cybercriminals and hacktivists, rushing to support their favourite side. Some groups, such as the IT Army of Ukraine or Killnet, have been officially supported by governments, and their Telegram channels include hundreds of thousands of subscribers. While the attacks performed by hacktivists had relatively low complexity, the experts witnessed a spike in DDoS activity during the summer period, both in the number of attacks and their duration: in 2022, an average DDoS attack lasted 18.5 hours, almost 40 times longer compared to 2021 (approx. 28 minutes).
  • Hack and leak: Since the start of the conflict, more sophisticated attacks have increased, attempting to divert media attention with hack-and-leak operations. Such attacks entail infiltrating a company and posting its internal data publicly, frequently through a dedicated website. Since not all machines hold internal data that is valuable to release, this is substantially more challenging than a straightforward defacement.
  • Poisoned open source repositories, weaponizing open source software: As the conflict drags on, popular open source packages can be used as a protest or attack platform by developers and hackers alike. The impact of such attacks can extend wider than the open-source software itself, propagating to other packages that automatically rely on the trojanized code.
  • Balkanization: When vendors stop providing support for products or leave the market, security updates are probably the biggest problem. Many western companies are leaving the Russian market after the conflict in Ukraine broke out in February 2022, leaving their users in a precarious situation when it comes to receiving security updates or support.

Costin Raiu, Director of the Global Research & Analysis Team at Kaspersky, said: “From February 24, 2022, onwards, we’ve been puzzled with a question: if cyberspace is a true reflection of the conflict in Ukraine, it represents the pinnacle of a real, modern ‘cyberwar’. By going through all the events that followed military operations in cyberspace, we witnessed an absence of coordination between cyber and kinetic means, and in many ways downgraded cyber-offence to a subordinate role. Ransomware attacks observed in the first weeks of the conflict qualify as distractions at best. Kinetic attacks using missiles and unmanned aerial vehicles have once again proven to be a more effective method of targeting infrastructure than cyberattacks. Nevertheless, collateral damage and cyber risks have grown for organizations in nearby countries due to the conflict, requiring advanced defensive measures more than ever.”