Microsoft Threat Report: How Russia’s War on Ukraine Is Impacting the Global Cybersecurity Community

Russia's war on Ukraine has entered a new phase. Based on cyber threat and malign influence activity that Microsoft observed between March and October of last year, Russian threat actors appear to be digging in and seizing on war fatigue by leveraging propaganda and cyber influence operations to diminish support for Ukraine and sow discord among its global allies.

Some of these threat actions include leaning into cyber espionage operations against the Ukrainian military and its foreign supply lines, as well as targeting Ukrainian allies in Europe and the US. Microsoft has also observed widespread influence operations designed to erode trust, increase polarization, and threaten democratic processes. 

As the conflict stretches on, it's important to stay on top of these threat trends. Russian forces are relying more on conventional weapons to inflict damage in Ukraine, but cyber and influence operations remain an urgent threat to the security of computer networks and civic life within Ukraine's allies in the region, NATO, and globally. By sharing this information across the broader security ecosystem, we can drive increased awareness of current threat vectors and enhance collective cyber defenses. 

Read on to learn more about a trio of trends Microsoft has uncovered from its own threat intel and analysis.

Russia Deploys Deep Bench of Hacktivist Fronts to Amplify Kremlin Actions

This past summer, Microsoft observed hacktivist personas on Telegram-spread messages that attempted to justify military assaults on civilian infrastructure in Ukraine. These same personas also focused on distributed denial-of-service (DDoS) attacks against Ukraine's allies abroad. These techniques align with additional reports Microsoft released on other legitimate or pseudo hacktivist groups with suspected connections to Russian military intelligence (GRU), which showcased how these groups worked to amplify Moscow's displeasure with adversaries and exaggerate the number of pro-Russia cyber forces.

For example, Microsoft has identified three hacktivist groups — Solntsepek, InfoCentr, and Cyber Army of Russia — that regularly interact with Seashell Blizzard, a Russian state-sponsored threat actor affiliated with the GRU. Seashell Blizzard appears to have a short-term relationship with these hacktivist groups, based on the hacktivists' temporary spikes in alleged cyber capability coinciding with Seashell Blizzard attacks. Periodically, Seashell Blizzard launches a destructive attack for which Telegram hacktivist groups publicly claim credit. The hacktivists then go back to the low-complexity actions they usually conduct, such as DDoS attacks. 

By monitoring how Russian hacktivist groups intersect with nation-state actors, we can gain additional insights into both entities' operational tempo and the ways their activities complement each other's goals. 

Kremlin-Affiliated Actors Favor Mix of Techniques to Blend In, Evade Detection

Russian threat actors are known to use a variety of techniques to gain initial access and establish persistence on targeted networks. 

For example, Midnight Blizzard infiltrates cloud environments using a blend of password spraying, credentials acquired from third parties, believable social engineering campaigns via Teams, and abuse of cloud services. Threat actor Aqua Blizzard successfully integrates HTML smuggling in initial access phishing campaigns to reduce the likelihood of detection by antivirus signatures and email security controls. 

Seashell Blizzard, on the other hand, has been observed exploiting perimeter server systems, such as Exchange and Tomcat servers, and simultaneously leveraging pirated Microsoft Office software harboring the DarkCrystalRAT backdoor to gain initial access. The backdoor allowed the actor to load a second stage payload we call Shadowlink, a software package masquerading as Microsoft Defender that installs the TOR service on a device and gives the threat actor surreptitious access via the TOR network. TOR stands for the Onion Routing project and is an open source privacy network that enables anonymous Web browsing.

Russian Influence Actors Likely Targeting Key Elections in 2024

Finally, Microsoft assesses that key political contests, such as the upcoming US presidential election, are likely to be significant targets for Russia-affiliated influence actors moving into 2024. We believe that these actors may use video media and artificial intelligence (AI)-enabled content, among other tactics, to try to turn the political tide away from elected officials who champion support for Ukraine.

Microsoft is working across multiple fronts to protect our customers in Ukraine and worldwide from these multifaceted threats. Under our Secure Future Initiative, we are integrating advances in AI-driven cyber defense and secure software engineering, with efforts to fortify international norms to protect civilians from cyber threats. We are also deploying resources along a core set of principles to safeguard voters, candidates, campaigns, and election authorities worldwide, as more than 2 billion people prepare to engage in the democratic process over the next year.

As we work to support Ukrainian forces in their resistance against Russia's invasion, we believe that sharing this information is critical in encouraging continued vigilance against threats to the integrity of the global information space. By coming together as a global cyber community, we can better strengthen collective defenses and safeguard democratic norms.

— Read more Partner Perspectives from Microsoft Security