24 March 2023

Is Russia regrouping for renewed cyberwar?

Clint Watts

As the second year of the Russian war in Ukraine commences, a detailed survey of the cyberattacks used during the first year of the war, and especially new developments we have observed in recent months, provides hints of what the future of this hybrid war may hold.

Since the start of the war, Russia has deployed at least nine new wiper families and two types of ransomware against more than 100 government and private sector Ukrainian organizations. Strong cyber defense partnerships between the public and private sector, and Ukrainian preparedness and resilience, have successfully defended against most of these attacks, but Russian activity continues.

In 2023, Russia has stepped up its espionage attacks, targeting organizations in at least 17 European nations, mostly government agencies. Wiper attacks continue in Ukraine.

We also continue to monitor for the development and deployment of new ransomware variants. As of late November 2022, Microsoft and other security firms identified a new form of ransomware, called “Sullivan”, deployed against Ukrainian targets, in addition to the “Prestige” ransomware Russia deployed in Ukraine and Poland in October 2022. Our analysis suggests that Russia will continue to conduct espionage attacks against Ukraine and Ukraine’s partners, and destructive attacks within and potentially outside Ukraine as was done with Prestige.

The Russian hybrid offensive has also included sophisticated influence operations. For example, Moscow’s propaganda machine has recently taken aim at Ukrainian refugee populations across Europe, trying to convince them that they could be deported and conscripted into the Ukrainian military.

Russia-aligned influence operations have also recently heightened tensions in Moldova. Russian media promoted protests supported by a pro-Russia political party encouraging citizens to demand the government pay for winter energy bills. Another Russia-aligned campaign called “Moldova Leaks” published alleged leaks from Moldovan politicians, just one of a number of hack-and-leak operations aimed at sowing distrust between European citizens and their governments.

These are a few of the insights in a new Microsoft Threat Intelligence report on Russian activity, available here. The report highlights some other important broad trends.


Second, Russian cyberthreat activity has adjusted its targeting and techniques, expanding its access in support of intelligence gathering on Ukraine and supporting nations’ civilian and military assets, and prepositioning for destructive attacks in Ukraine and possibly beyond. The development of new forms of ransomware is one example of this; others include using social media to market backdoored, pirated software to Ukrainian audiences, which then enables initial access to organizations, and spearphishing campaigns targeting vulnerable on-premises servers in government, IT and disaster response organizations in Europe. Third, no geographical boundaries are off limits to attempted Russian attacks. Cyberthreat actors with known or suspected ties to Russia’s intelligence services have attempted to gain initial access to government and defense-related organizations not only in Central and Eastern Europe but also in the Americas.

We share this information to prepare our customers and the global community for the spillover risk posed by recent targeting and make recommendations for hardening digital defenses. Microsoft is proud to have supported Ukraine’s digital defense since the start of the Russian invasion and the company’s entire threat intelligence community remains committed to detecting, assessing and protecting against Russian cyberattacks and online provocations as the conflict enters its second year.
