Tracking Cyber Operations and Actors in the Russia-Ukraine War

Before Russia invaded Ukraine on February 24, outside observers expected cyber attacks to play a large role in the conflict. Despite Russia’s strong cyber capabilities, however, there has been relatively little visible action against Ukrainian systems via cyberattacks. There are several reasons Russia hasn’t launched large-scale cyberattacks, including the higher efficacy of kinetic attacks and difficulties in planning and executing massive cyberattacks on a short timeline. Ukraine has pursued a unique strategy in cyberspace, attempting to mobilize international sentiment and create an army of cybersecurity professionals to attack military and critical infrastructure targets in Russia. A more complete understanding of the cyber aspect of the Russian invasion of Ukraine is probably not possible until after the conflict ends, but as a start the authors offer an accounting of observed actors operating in the conflict, along with major cyber operations taken by each side. 

Pro-Russia 

Russian DDoS campaign 

Russia launched a series of distributed denial of service (DDoS) attacks against Ukrainian websites in early February. The attacks targeted Ukrainian banking and defense websites, and were reportedly launched by the Russian military intelligence agency, GRU. The attacks came as tensions heightened between Ukraine and Russia. 

Russia has continued to launch DDoS attacks intermittently, and, in the first week of March, Russian groups were found using DanaBot, a malware-as-a-service platform, to launch DDoS attacks against Ukrainian defense ministry websites. It is unclear who these groups are and whether they are connected to the Russian government. 

WhisperGate 

Wiper malware, dubbed WhisperGate by Microsoft, was placed on Ukrainian systems on January 13, 2022. The wiper was designed to look like ransomware and offered victims what appeared to be a way to decrypt their data for a fee, although in reality the malware wiped the system. The wiper was found on systems throughout Ukraine, including the Foreign Ministry and networks used by the Ukrainian cabinet. The two wipers used in WhisperGate bear similarities to the NotPetya wiper which hit Ukraine and several large multinational companies in 2017. 

HermeticWiper 

Cybersecurity companies detected a new set of wiper attacks on February 23, 2022, which were dubbed HermeticWiper (alternatively known as FoxBlade). Several other pieces of malware were deployed alongside HermeticWiper, including a worm that was used to spread the wiper. The wiper spread beyond the borders of Ukraine and may have affected some systems in Baltic countries. HermeticWiper appears to have some similarities with previous campaigns launched by the Russian-sponsored group Sandworm.  

IsaacWiper 

Russia launched a wiper, dubbed IsaacWiper, against Ukrainian government systems, coinciding with the Russian invasion of Ukraine on February 24, 2022. The attacks were launched just after the HermeticWiper attacks and appeared more targeted than the HermeticWiper attacks. The affected organizations had been compromised long before the wiper’s deployment.  

UNC1151

Ukraine government officials suspect Belarusian threat actor UNC1151 of conducting a cyberattack targeting over 70 government websites on January 14. Hackers defaced the websites, posting threatening messages including “be afraid and expect the worst,” in advance of Russian troops crossing the border into Ukraine. The attack is suspected to have been a distraction from more destructive attacks. 

On March 7, UNC1151 was detected installing a publicly available backdoor, MicroBackdoor, onto Ukrainian government systems. The attack vector and exact agencies targeted remain unknown.

UNC1151 was also detected in early March launching a phishing campaign against the Ukrainian and Polish governments and militaries, although it is unclear if they managed to penetrate any networks.

Targeting of Ukrainian Military in Phishing Attempts 

On February 25, Ukraine’s Computer Emergency Response Team accused Belarusian state-sponsored hacking group UNC1151 of attempting to hack the email accounts of its military personnel in a mass phishing attack. Once the hackers infiltrated military personnel’s accounts, they leveraged the compromised address books to send more malicious emails. UNC1151 is also potentially connected to another phishing campaign using compromised Ukrainian military emails to target European government personnel aiding Ukranian refugees with SunSeed malware. 

APT28

The Russian threat actor APT28 has engaged in a credential phishing campaign targeting users of the popular Ukrainian media company UKRNet. It appears that the campaign was suspended after it was detected by Google's Threat Analysis Group (TAG).

CaddyWiper

Security researchers detected a new wiper targeting Ukrainian systems on March 14. The wiper does not share significant code similarities with other malware analyzed by the researchers. The wiper was designed to inflict damage while still preserving access to the affected network. 

Gamaredon

Russian APT Gamaredon was found spreading the LoadEdge backdoor among Ukrainian organizations on March 20. The backdoor allows Gamaredon to install surveillance software and other malware onto infected systems.

Viasat Outage

Satellite internet provider Viasat was hit by a cyberattack which caused wide-ranging communications outages throughout Ukraine on February 24, the same day Russian forces invaded the country. Viasat is still working to restore service to affected parts of the country almost three weeks after the attack occurred. Ukrainian officials have said the attack caused, "a huge loss in communications in the very beginning of the war," and the National Security Agency (NSA) has announced a probe into the hack.

Double Zero

Ukraine CERT-UA released an alert about a new wiper variant, dubbed DoubleZero, being used to target Ukrainian entities. The wiper campaign was first observed March 17, 2022, when threat actors used phishing attacks to deliver the malware which overwrites content and deletes Windows registries before shutting down the infected system.

Pro-Ukraine 

Anonymous 

The group Anonymous, a decentralized group of hacktivists, “declared war” against the Russian state on March 1, and the group claimed to have disabled sites run by Russian state-owned media. Anonymous appears to have targeted pro-Russia media outlets several times over the past two weeks. Anonymous also claimed to have hacked several major Russian broadcasters, including state-run television channels Russia 24, Channel 1, Moscow 24, and streaming services Wink and Ivi. Programming on these services was interrupted by clips from the war in Ukraine.  

On March 10, Anonymous announced it had breached the systems of Roskomnadzor, the Russian agency responsible for monitoring and censoring media. The group leaked over 360,000 files, including guidance on how to refer to the invasion of Ukraine.

IT Army of Ukraine 

Ukrainian efforts in cyberspace have made use of volunteer groups coordinated through social media and Telegram channels. The IT Army of Ukraine is perhaps one of the largest efforts by the Ukrainian government to coordinate the actions of hacktivists. The IT Army has functioned by posting important targets to a Telegram channel with hundreds of thousands of members, while individuals or groups use the details provided to launch attacks against the specified targets. The IT Army targeted the websites of several Russian banks, the Russian power grid and railway system, and have launched widespread DDoS attacks against other targets of strategic importance. The bulk of Ukrainian cyberpower appears to be stemming from the IT Army. 

Hackers targeted the Russian state-owned aerospace and defense conglomerate Rostec with a DDoS attack on its website. Rostec blamed the incident on Ukrainian "radicals,” likely part of the IT Army, and claimed it has faced consistent attacks since late February.

Belarusian Cyber Partisans attacks on train systems 

The Belarusian Cyber Partisans, a group who launched cyberattacks in January on Belarusian train systems in protest of Russian troop deployments in the country, appears to have continued its campaign against Belarusian railways in February. The attacks took down websites used to purchase tickets and may have encrypted data on switching and routing systems, although it was unclear as to the scale and severity of the attacks beyond website takedowns. 

RURansom Wiper 

The emergence of the RURansom wiper on March 1, 2022, represents one of the first uses of a wiper by pro-Ukrainian hacktivists, and may portend a new phase in the ongoing cyber campaign against Russia. Despite the name, RURansom functions as a wiper, and offers victims no opportunity to pay to have their systems decrypted. The malware appears to check victim’s systems for a Russian IP address, and if it doesn’t find one, the malware halts execution. The malware creators also appear to be actively releasing new versions of the wiper, and it may only grow more potent over time.  

Kyle Fendorf is the research associate for the Digital and Cyberspace Program at the Council on Foreign Relations. 

Jessie Miller is the intern for the Digital and Cyberspace Program at the Council on Foreign Relations.