Cyber Standoff: 51 Groups Tied to Russia-Ukraine War Attacks

Ukrainian Official: Country Hit by Over 1,600 'Major Cyber Incidents' This Year
Experts discuss the tactics, techniques and motivations of dozens of different threat actor groups and fallout for other nations.

A crowded field of 51 different threat groups active in the Russia-Ukraine cyber conflict has led to digital attacks in more than two dozen nations so far - albeit concentrated in Ukraine, where hackers look to sow "chaos and confusion" on and off the battlefield, says Ukraine's deputy head of cyber defense.

Kyiv has fended off more than 1,600 "major cyber incidents" since January, an average of seven attacks a day, says Victor Zhora, deputy head of Ukraine's State Service of Special Communications and Information Protection, in an exclusive interview with Information Security Media Group.

The nonprofit CyberPeace Institute reports that keyboard combatants reacting to Russia's ongoing invasion of its southern neighbor are a combination of nation-state groups, hacking collectives and cybercriminal groups. Kyiv is also working with cyber-vigilantes to supplement its cyberspace activities.

It's easy to distinguish between the collectives and the nation-state groups, Zhora says. Collectives such as KillNet primarily engage in DDoS attacks and openly recruit new members over social media outlets such as Telegram. Nation-state adversaries work covertly and try to avoid attribution.

"When we're talking about serious and well-planned operations that require a lot of human resources and technically advanced tools and financial resources, obviously they will be organized in stealth mode in order to gain as much effect and impact on our infrastructure as possible," Zhora says.

Zhora adds that most attacks appear to be "opportunistic and rather chaotic," chasing vulnerabilities rather than following a coordinated strategy.

"But every day, we are waiting for new attacks," he says, "and we monitor our networks, critical information infrastructure, state information resources every 24 hours, expecting new strikes in the cyber role from Russian side."

In this video, cybersecurity analysts and researchers from around the world tell Information Security Media Group about how the conflict has expanded beyond the war zone, including:

  • The tactics, techniques and motivations of the various threat groups;
  • Fallout from cyberattacks against dozens of other nations;
  • Key attack vectors and the industries that will likely be targeted as the cyberwar escalates.
Based on publicly available information, the war has spawned 338 cyberattacks. DDoS is the weapon of choice for hacking collectives.

Global Field of Adversaries

Cyber incidents motivated by the Russian invasion affecting non-combatant countries have intensified over the past five months, driven primarily by the entrance of dozens of hacktivists groups, such as the pro-Ukrainian Anonymous collective and pro-Russian counterpart KillNet.

Based on publicly available information, the CyberPeace Institute says out of 338 known attacks and cyber operations since January, 114 attacks targeted Ukraine, 102 targeted Russia and 104 targeted the rest of the world. Of the 51 hacking groups identified in the conflict, 13 new groups have emerged in the past month, according to the institute's research. The institute is a Geneva-based group that focuses on the civilian casualties of cyberattacks.

"I remind people all the time: You're on a conflict zone, a battlefield, as long as you're logged in and plugged in," says Chase Cunningham, chief security officer for Ericom Software.

Ukraine's cybersecurity defenses have been under assault since 2014, the year of the Maidan Revolution and Moscow's first assault against the Donbas region and seizure of Crimea. Resultant cyber conflict has assumed global dimensions, not least when Russian hackers unleashed NotPetya malware. Although intended to target Ukrainian systems, it quickly spread throughout the world, causing $10 billion in damages and becoming the single most costly cyberattack.

Researchers say two strains of wiper malware detected this year in Ukraine bear similarities to NotPetya. Technical signatures indicate these wipers were created by multiple groups.

Pro-Russia Groups

The 2022 cyberwar began Jan. 14 with the hacking of 70 Ukrainian websites, which posted the message "be afraid and wait for the worst" before they were taken down. Targets included the Ukraine Ministry of Foreign Affairs, the Cabinet of Ministers, and the Security and Defense Council. Russia's full-scale invasion in February sparked a more intensive round of attacks, including wipers, hack-and-leak incidents and cyberespionage targeting government services, satellite communications, financial, energy and media industries.

"The targets of these attacks that are being committed, both by state and nonstate actors in the context of the conflict, are actually going far beyond the targeting of military objectives," says Emma Raffray, a senior cyber data analyst at CyberPeace Institute.

Hacktivist groups are responsible for most known attacks. Some are jumping to Russia's defense by targeting NATO and pro-Ukraine countries. KillNet, a group of pro-Russia hackers recruited over Telegram, has conducted 31 DDoS attacks since January, according to the CyberPeace Institute.

Five national security agencies in April released a joint advisory warning that Russian state-sponsored cyber actors could compromise networks, look for ways to maintain long-term interest and potentially disrupt industrial processes by hacking operational technology. The agencies named 13 groups affiliated the Russian Federal Security Service and GRU Main Special Service Center.

Nation-state attackers include Sandworm, known for targeting the Ukrainian power grid, and Fancy Bear, a cyberespionage group known for hacking the U.S. Democratic National Committee during America's 2016 presidential election. One group, UNC1151, is tied to Belarus and linked to the GhostWriter campaign aimed at disseminating pro-Russia propaganda in the Baltics and NATO countries.

Pro-Russia groups include newly formed collectives such as KillNet and seasoned state-sponsored groups that are attacking multiple industries across 27 countries.

Pro-Ukraine Groups

Anonymous, the oldest and most well-known collective, has conducted defacements, hack-and-leak operations and other attacks against the Russian government, businesses and the media.

Anonymous has hacked Russian government and business networks and leaked millions of pages of documents, which researchers say could take years to comb through. At the same time, some Anonymous hacks appear to be glorified pranks. Collective members hijacked surveillance video feeds inside the Kremlin, halted online ticket sales to Russian cinemas and hacked an electric vehicle charging station to display pro-Ukrainian messages and declare in Russian, "Putin is a dick----."

Meanwhile, the IT Army of Ukraine - a group of volunteer hackers recruited by the Ukrainian government - hijacked several Russian TV channels and interrupted alcohol distributors for three days with DDoS attacks. The group, formed after the Ukrainian Vice Prime Minister Mykhailo Fedorov in February called for cyberattacks against a list of Russian organizations, conducts offensive cyberwarfare operations and supports defensive activities in Ukraine.

Another threat actor, Network Battalion 65 - known as NB65 - is using the leaked Conti ransomware code to attack Russia. Its 23 victims include the Russian space agency and a state-owned media company. The group has pledged to donate any ransom proceeds in support of Ukraine. The Belarusian Cyber Partisans, formed in 2020 amid election upheavals in that country, disrupted railway services in Belarus to slow the deployment of Russian troops.

Pro-Ukraine groups are targeting Russia and Belarus with DDoS, hack-and-leak and propaganda-related operations.

Spillover Attacks

Government security agencies are warning the public and private sectors to prepare for attacks. As Western sanctions against the Russian economy take hold, the number of threat actors attacking NATO countries is expected to grow.

"You could see every day law-abiding Russians out of work or with limited work with a skill that they could use as a freelancing ransom actor - a zone that's already flooded right now and really hurting America's businesses," says U.S. Rep. Eric Swalwell, D-Calif. "We could see three or four or five times as many people in the space because they just need to feed their family."

Ukraine cyber defense official Zhora says governments and private sector companies need to continue to work together and share information.

"Ukraine wants to bring our experience from this war, from getting prepared, from continuing being resilient, to our partners to contribute to the global cybersecurity ecosystem," Zhora says.

Pro-Russian attackers have focused on targets in NATO countries and the Baltic states.

About the Author

Cal Harrison

Cal Harrison

Editorial Director, ISMG

Harrison helps ISMG readers gain new perspectives on the latest cybersecurity trends, research and emerging insights. A 30-year veteran writer and editor, he has served as an award-winning print and online journalist, mass communication professor and senior digital content strategist for DXC Technology, where he led thought leadership, case studies and the Threat Intelligence Report for the Fortune 500 firm's global security, cloud and IT infrastructure practices.

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.