By James Pearson and Christopher Bing
(Reuters) – Ahead of Russia’s invasion of Ukraine, Western intelligence agencies warned of potential cyberattacks which could spread elsewhere and cause “spillover” damage on global computer networks.
While there has been little evidence of spillover to date, the cyberwar in Ukraine rages on. The following is an overview of how the conflict has unfolded in cyberspace: EARLY DAYS
In 2021, groups aligned with Russian security services began laying the groundwork for a military incursion, according to Microsoft.
The company said suspected Russian cyber actors gained access to the networks of several different Ukrainian energy and IT providers in late 2021. Some of these targets were later hit in 2022 with destructive computer viruses that deleted data and disabled computers.
BEFORE THE INVASION
There were a flurry of cyber operations against Ukrainian targets in the weeks ahead of Russia’s invasion on Feb. 24.
In January, researchers discovered destructive malware called WhisperGate circulating in Ukraine.
WhisperGate closely mirrored a 2017 Russian cyberattack against Ukraine, known as NotPetya, that similarly destroyed data on thousands of local computer systems.
After WhisperGate’s discovery, a spate of distributed denial of service (DDoS) attacks briefly knocked Ukrainian banking and government websites offline. The DDoS flood was later attributed to Russia by Britain and the United States.
Then, days before the invasion, cybersecurity researchers discovered more data-wiping malware in Ukraine.
Slovakian cybersecurity firm ESET said it found new wipers which were engineered months prior. The discovery indicated that Russia’s hackers knew tensions between the Kremlin and Kyiv would soon escalate.
Britain’s National Cyber Security Centre (NCSC) said on Tuesday that Russian Military Intelligence was “almost certainly” behind the Whispergate malware. WAR STARTS
In the early hours of Feb. 24, as Russian forces entered eastern Ukraine, hackers crippled tens of thousands of satellite internet modems in Ukraine and across Europe.
The modems provided internet to thousands of Ukrainians. It remains one of the biggest publicly known cyberattacks to have taken place in the conflict.
The attack, against a network controlled by U.S. satellite firm Viasat, caused a “really huge loss in communications” at the outset of the war, senior Ukrainian cybersecurity official Victor Zhora said.
Britain and the European Union attributed the digital blitz against Viasat’s network to Russia on Tuesday. Britain’s Foreign Office said Russia was behind the operation, citing “new UK and U.S. intelligence,” without elaborating. HYBRID WAR
After the invasion, Russian hackers compromised several important Ukrainian organizations, including nuclear power companies, media firms and government entities, according to Microsoft.
Though it is difficult to track the goals of each hack, one notable incident happened on Mar. 1, when a missile strike against Kyiv’s TV tower coincided with widespread destructive cyberattacks on Kyiv-based media.
Days later, Microsoft detected a Russian group on the networks of an unnamed Ukrainian nuclear power company, just as Russia’s military occupied the Zaporizhzhya nuclear power station – the largest of its kind in Europe.
Senior U.S. national security officials say Moscow is now combining Russia’s cyber and military forces.
“We have seen the Russians having an integrated approach to using physical and cyberattacks, in an integrated way, to achieve their brutal objectives in Ukraine,” senior White House cybersecurity official Anne Neuberger told a conference. INDUSTROYER On April 12, Zhora, ESET and Ukraine’s computer emergency response team said in a series of statements that an elite Russian hacking team known as Sandworm, which attacked Ukraine’s power grid in 2015, had attempted days earlier to cause another blackout in the country. The hackers, reportedly part of Russia’s military intelligence agency, designed a piece of malware named Industroyer 2, which could manipulate equipment in electrical utilities to control the flow of power.
Industroyer 2 had been deployed on an unnamed electrical substation that provides power to roughly 2 million locals, Ukrainian officials said. While the attack failed, Zhora said, the “intended disruption was huge.”
HACKTIVISM As war broke out, Ukraine called on hacktivists to help the country defend itself from Russia.
Since then, a steady stream of unnamed, anonymous hacktivists from both sides have taken to social media claiming to have conducted successful intrusions into either Russian or Ukrainian targets.
In some cases, the hacktivists have posted screenshots or caches of documents to prove their claims, but their actions have proven difficult to verify or measure, researchers say.
Russian government agencies and companies seemingly affected by the Ukraine-allied hacktivists have declined to comment.
(Reporting by James Pearson in London and Christopher Bing in Washington, Editing by William Maclean)
