22 May 2022

Cyber Attacks on Ukraine: Not What You Think

Neil J. Rubenking

In the modern world, it makes sense that cyber warfare would coordinate with more traditional “kinetic” warfare. The cyber team knocks out the enemy’s communications just before the boots-on-the-ground team launches an attack, say. However, that’s not what’s happening in Ukraine, according to a research report from Kaspersky’s experts. The near-continuous stream of cyberattacks arrive, for the most part, completely uncoupled from physical attacks, and the quality of the war-fighting code varies wildly.

Wait, Kaspersky?

This report comes from Kaspersky’s Global Research and Analysis Team (GReAT) team. Yes, the same Kaspersky that was recently deemed an “unacceptable risk to the national security of the United States,” banned by Germany’s Federal Office for Information Security, and even dropped from the bug bounty program run by one-time partner HackerOne.

We at PCMag have found it necessary to pull Kaspersky products from our “Best of” roundups, though we still evaluate and report on their capabilities. So why shouldn’t we assume this research report is pure disinformation?

The thing is, the researchers on the GReAT team(Opens in a new window) do their work all over the world. Picking a few at random, I found Sweden, Germany, Australia, and Argentina. Many, perhaps most, of them have worked at other security companies, from Dr. Solomon to McAfee to Symantec. I’ve met some of them personally, and attended their illuminating briefings at Black Hat and other security conferences. Yes, some are clearly Russian nationals. Some are based in Russia. But overall, it’s an international effort, and this group’s research has been well-respected among security experts for many years.
Smart and Not-So-Smart Attacks

The full report on cyber activities in Ukraine(Opens in a new window) is dense with information, but not impossibly technical. For those tempted to skim, it pauses for a point-by-point recap every so often.

One important takeaway is the “vastly disparate degrees of sophistication” in the observed cyberattacks. Picture two guerilla teams aiming to take over a fortified enemy building. One team compromises the security cameras, infiltrates silently, and totally owns the building. The other team flings a few Molotov cocktails through the windows and runs away. Yes, it’s that different.

At the sophisticated end, perpetrators of the HermeticWiper attack craftily acquired a valid certificate to digitally sign their dangerous payload. Once in place, the malware surreptitiously copied itself through networks and then wiped data from its host computer, eliminating the evidence. After defenses went up against HermeticWiper, a much less sophisticated follow-up called IsaacWiper tried to take its place. The report characterizes IsaacWiper as rushed, “as if their operators had been tasked with destroying data at the eleventh hour.”

Amateur attacks go both directions, it’s true. You can find websites offering a chance to enlist your own computer in a DDoS attack on Russian military and resource targets. We don’t advise that you participate, though. In any case, the report didn’t cover attacks against Russia.

Next to No Coordination

In February, an attack on the Viasat network interfered with Ukrainian military communications just as Russia launched a physical attack on Ukraine. As with the HermeticWiper attack, there are no fingerprints, smoking gun, or other hard evidence linking the cyberattack to Russia’s invasion, but Britain, the EU, and the US all blame Russia.

No comments: