Microsoft warns it saw six Russia-aligned, state-sponsored hacking groups launch over 237 cyberattacks against Ukraine starting in the weeks before Russia's February 24 invasion.
Microsoft has released an in-depth report detailing how Russian cyberattacks against Ukraine were "strongly correlated" or "directly timed" with its military operations in the country.
For example, on March 1, several Kyiv-based media companies were struck by destructive and information-stealing malware, which coincided with a missile strike on a Kyiv TV tower on the same day.
Then on March 13, a suspected Russian nation-state actor stole data from a nuclear safety organization, aligning with Russian troops seizing the Chernobyl nuclear power plant and the Zaporizhzhia Nuclear Power Plant.
The report takes a closer look at Russia's use of destructive malware before and during the invasion, the first of which was discovered by Microsoft in mid-January and dubbed WhisperGate. The combination of cyber and military operations points to Russia's hybrid warfare strategy, according to Microsoft.
"Russia's use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians," says Tom Burt, Microsoft's Corporate Vice President, Customer Security & Trust.
According to the report, the day before Russia's military invaded Ukraine, operators linked to the GRU – Russia's military intelligence service – launched destructive wiper attacks on hundreds of systems in Ukrainian government, IT, energy, and financial organizations.
Microsoft detected 37 destructive malware attacks against Ukraine between February 24 and April 8, carried out using eight known destructive malware families: FoxBlade (which Microsoft found in February), FiberLake, IsaacWiper/HermeticWiper/SonicVote, and CaddyWiper, as well as Industroyer2, which is aimed at industrial control systems (ICS). In many cases, the malware used the SecureDelete utility to wipe data.
The US government two weeks ago warned of suspected Russian malware called Pipedream that was customized to compromise multiple vendors' ICS equipment. Ukrainian officials earlier this month also said they had stopped a cyberattack on an energy facility that could have cut power to two million people.
"Known and suspected Russian threat actors deployed malware and abused legitimate utilities 37 times to destroy data on targeted systems. SecureDelete is a legitimate Windows utility that threat actors abused to permanently delete data from targeted devices," Microsoft says in the report.
"More than 40% of the destructive attacks were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the government, military, economy, and people," Microsoft says.
Additionally, 32% of destructive incidents affected Ukrainian government organizations at the national, regional, and city levels.
The three main Russian military agencies Microsoft identifies in the report are the GRU, the SVR (Russia's foreign intelligence service), and the FSB (Federal Security Service). The main methods for initial access were phishing, exploiting unpatched vulnerabilities, and compromising IT service providers.
Microsoft says Russia's cyberattacks appeared to "work in tandem" against targets of military activity. However, it was uncertain whether these were coordinated or centralized, or whether there was simply a common set of understood priorities.
"At times, computer network attacks immediately preceded a military attack, but those instances have been rare from our perspective. The cyber operations so far have been consistent with actions to degrade, disrupt, or discredit Ukrainian government, military, and economic functions, secure footholds in critical infrastructure, and to reduce the Ukrainian public's access to information," Microsoft says.
Burt says that following Microsoft's discovery of WhisperGate, the company established a secure line of communication with Ukrainian officials and has been providing support ever since.
In the lead-up to the invasion, Microsoft also observed that Russian cyberattacks were growing increasingly loud and disruptive, and usually intensified following diplomatic failures related to the conflict with Ukraine and NATO members.
Burt urged all organizations to take heed of alerts published by the US Cybersecurity and Infrastructure Security Agency (CISA) and other US government agencies, amid fears that NATO military support to Ukraine could see Russia's efforts expand beyond Ukrainian targets.
"Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression," warned Burt.
This article has been updated to correct the name of the author of Microsoft's blog post, which was written by Tom Burt, Corporate Vice President, Customer Security & Trust.