Insights Into Nation-State Tactics: Lessons From Russia's Hybrid War In Ukraine

As the war in Ukraine extends into its second year, Russian threat actors have expanded the scope of their war-related espionage. This is part of a larger trend in which Russia is leveraging hybrid warfare tactics, such as cyber weapons, influence operations, and military force, in an attempt to overrun Ukrainian defenses. 

While most Russia-backed propaganda campaigns aimed at Ukraine have had little impact, Russian state-affiliated cyber and influence actors have not been deterred. These groups continue to seek alternative strategies inside and outside Ukraine. In the first six weeks of this year alone, Microsoft Threat Intelligence analysts found indications of Russian threat activity against organizations in at least 17 European nations. Many of these intrusions targeted the government sector.

By examining the lessons learned from Russian state operations and Ukraine's resilience, security leaders can create a broader playbook for defending against authoritarian aggression in the digital space. 

Moscow has relied heavily on cyber weapons and influence operations to access and conduct attacks on desired targets throughout the duration of its hybrid war. Its methods span a broad range of attack vectors, but three notable trends have emerged over the course of the conflict.

Using Diverse Means To Gain Initial Access

Russian threat actors have leveraged everything from exploiting Internet-facing applications to backdoored pirated software and ubiquitous spear-phishing to gain initial access to targets within and outside of Ukraine.

Seashell Blizzard (formerly Iridium), for example, has backdoored pirated versions of Microsoft Office to gain access to targeted organizations in Ukraine. The actor is also responsible for uploading a weaponized version of Windows 10 to Ukrainian forums, exploiting demand for low-cost versions of the software to gain access to government and other sensitive organizations in Ukraine.

Russian threat actors are also actively abusing technical trust relationships, targeting IT providers to reach more sensitive targets downstream without immediately triggering alerts. Hacker groups Forest Blizzard (formerly Strontium) and Secret Blizzard (formerly Krypton) both attempted to access an IT provider in Poland that counts sensitive sectors among its client base. Midnight Blizzard (formerly known as Nobelium), the same actor behind the SolarWinds intrusion, regularly attempts to compromise diplomatic organizations worldwide and foreign policy think tanks by first compromising cloud solutions and managed services providers that serve those organizations.

Weaponizing 'Fact-Checking' To Spread Kremlin-Aligned Narratives

Russian influence actors will often attempt to gain credibility by using the language and techniques associated with fact-checking to spread false claims. Social media accounts purporting to be fact-checking entities, like the Telegram channel War on Fakes, spread claims of "Ukrainian fakes" and allegedly "debunked" reports of Russian attacks on civilian and critical infrastructure. In reality, these operations attempt to turn the truth on its head and spread Russian propaganda.

Spreading Leaked Information To Target Political Opponents

Pro-Russian actors consistently spread purportedly leaked information online to target political figures and governments supportive of Kyiv. While this is not a new tactic for Russia, hack-and-leak operations have become increasingly prevalent during the war. These operations can be more effective than other types of influence operations because leaks are often difficult to authenticate or debunk, making them an effective tool to amplify existing divisions and tensions by allegedly exposing sensitive information.

Throughout the course of the war, Russia's destructive cyberattacks and influence operations have been used to sporadically amplify military operations in Ukraine. While Kremlin-backed digital operations have not yet successfully deterred Ukrainian resistance or degraded foreign support to Ukraine, there are many indicators we might look for to detect Russian escalation in the digital space. By paying attention to emerging threat intelligence, security leaders can be better prepared to defend against similar attack vectors moving forward.

Read more Partner Perspectives from Microsoft Security.