The military offensive that Russia launched this week in Ukraine was preceded by a cyber war that has been active for months. Years, if you take into account that since the invasion of Crimea in 2014 the attacks on the former Soviet republic's systems have never completely ceased. Silent battles are fought in the digital realm, without shots or deaths, but capable of leaving thousands of people without heating, as happened in Ukraine in 2015; of deleting sensitive government data; or of crashing corporate computer systems, as was seen in 2017 with NotPetya. This computer virus, one of the most devastating in history, was originally launched in Ukraine to torpedo that country's institutions and ended up spreading around the world.
Cyber warfare is one of the components of the so-called hybrid wars. “It consists of a set of techniques that come to replace conventional invasion by land. It is difficult to define what instruments we are talking about, but it includes everything from cyberattacks and disinformation to the use of immigrants as a weapon, as seen in Belarus,” says Andrea G. Rodríguez, researcher in emerging technologies at Cidob (Barcelona Center for International Affairs).
Once tanks and missiles enter the scene, what happens on the internet becomes less important, but it can serve to support military actions. “Cyber attacks are part of Moscow's playbook. They used them in 2008 in Georgia, coinciding with the invasion, and in 2014 in Ukraine to attack energy and communication infrastructures,” Rodríguez points out.
On this occasion, the first warning came on January 14, when Microsoft detected a virus, WhisperGate, which infiltrated several government websites. A few days later, CrowdStrike, a Texas cybersecurity company specializing in threat intelligence, identified several attempts to sell data allegedly obtained in that attack. The modus operandi closely resembles that of Voodoo Bear, an organized group of hackers associated with the Russian secret services (FSB).
Last week there were also cyberattacks directed at the websites of the Ukrainian Ministry of Defense, the army and the state banks. On Thursday, coinciding with Russia's ground invasion, several Ukrainian government websites stopped working because of a denial-of-service attack that sought to deepen the panic of a population that already fears for its life. Just yesterday, the cybersecurity firm CyberArk warned of the danger of HermeticWiper, malware (malicious software) that erases all data from the system it infects and that has been involved in cyberattacks targeting Ukraine's infrastructure.
“We expect that there will be massive disinformation campaigns by both sides of the conflict, and we can be sure that the attackers will use this opportunity to distribute other types of malware,” says Luis Corrons, a security analyst at the antivirus firm Avast. “We can also foresee the possibility of digital weapons being used to attack physical infrastructures through the computers that control them, as happened with Stuxnet,” he adds.
Attacks of blurred authorship
Known in the industry as APTs (Advanced Persistent Threats), groups like Voodoo Bear are far from being mere hackers out to do harm. They are very well organized, often have hierarchical structures similar to those of companies and, being unofficially backed by governments, have plenty of resources: enough to assemble an attack strategy on the same day an important vulnerability is discovered in a target system (this type of attack, perhaps the most lethal, is known as a zero-day exploit). Only the secret services of the great powers, such as the US NSA, the various agencies of the Russian GRU or the British MI6, have more capabilities on paper than they do.
The Western secret services have serious suspicions that some countries, such as Russia, China, North Korea or Iran, sponsor some of the main APTs. We speak of suspicions because cyberspace is such an elusive environment that it is practically impossible to prove the authorship of a cyberattack with any certainty. False-flag attacks, in which some APTs pose as others or even as groups of hacktivists, are frequent. Among the latter, Anonymous stands out, a heterogeneous and unorganized group of hackers who have already declared (cyber) war on Russia.
“Cyber warfare has a great advantage over other tools: if you launch a missile, it will be known where it came from and who built it. In the world of the internet, it is not like that: it is very complicated to know where the attacks come from or who is behind them,” says Corrons, from Avast. A computer in Barcelona can connect to a server located in Pakistan by way of another in the Seychelles to send malicious software to Beijing. The trace of the attack dissolves like a drop in the sea.
“The APTs are tracked with clues provided by the intelligence services, sample correlations, particularities of the code, reuse of parts of it or study of the modus operandi,” explains the hacker and cybersecurity analyst Deepak Daswani. It is very difficult to attribute them, and even more so to locate their origin geographically. “The intelligence services of the countries may have information, but they will not show you their evidence and you have to take it on faith: they may also have an interest in leading you astray,” adds Corrons.
Another advantage of cyber warfare is that it can be masked as cybercrime: sometimes the APTs themselves launch their attacks in the form of ransomware (a virus for which a ransom is demanded). This is what happened, for example, with NotPetya, the virus that attacked the systems of several Ukrainian government agencies in 2017 and later spread throughout the world. “Normally, ransomware keeps a cryptographic key with which to restore infected systems in exchange for money. The bad guys infect you and then ask for a ransom. But in this case there was none,” says Adam Meyers, head of intelligence at CrowdStrike, who has been tracking the activity of some of the main Russian APTs for years.
Considered one of the most successful and costly cyberattacks in history, NotPetya is attributed to Voodoo Bear. This group has a long record of operations in Ukraine. “The activity has never stopped in recent years. Operations in Russian cyberspace are part of a wide range of tools including operations of influence, information and disinformation; military actions; and diplomatic and financial pressures,” says Meyers.
Ukraine, the eternal target
In May 2014, a month after Russia annexed Crimea, the Voodoo Bear group torpedoed Ukraine's energy and transportation infrastructure. In the winter of 2015, malicious software shut down several power plants, leaving more than 80,000 people without power (and with no way to keep warm). Ukraine accused Russia of being behind the attack. Moscow denied having anything to do with it.
Similar attacks followed over the next two years, and in 2017 the stakes were raised with the release of highly sophisticated malware. In addition to NotPetya, other viruses were detected, such as FakeCry or BadRabbit, aimed at sabotaging the country's communications networks. “With these attacks, it was the first time that we detected that they tried to impersonate someone else: a supposed group of hacktivists called FSociety, a name taken from the television series Mr. Robot,” describes Meyers.
So far, no cyberattacks seeking to influence the Ukrainian scenario have been detected in the rest of Europe. “There is and will continue to be an increase in cyber warfare in Europe,” says Zac Warren, director of cybersecurity at the US firm Tanium. “Attacks like the one on Oiltanking Deutschland,” he says, referring to the German oil pipeline that was forced to shut down on February 3 after a cyberattack, “will continue to happen.” Although in that case it appears to be cybercrime: its motivation is purely economic.
The ground invasion of Ukraine changes the scenario. According to sources familiar with the situation, the staff of EU institutions involved in cybersecurity have been alerted to prepare for cyberattacks in Europe. The EU Agency for Cybersecurity (ENISA) and its American counterpart (CISA) have already issued alerts urging companies and institutions to take extreme precautions in the face of what may be to come. “We will probably see a new wave of cyberattacks in Ukraine aimed at cutting off communications in the country to force the Ukrainian leaders to surrender or leave Kiev,” says Rodríguez, from Cidob.