WASHINGTON – For weeks after the war broke out in Ukraine, US officials wondered about the weapon that seemed to be missing: Russia’s mighty cyber arsenal, which most experts expected would be used during the opening hours of an invasion to turn off Ukraine’s power grid, fry its cell phone system and cut off President Volodymyr Zelensky from the world.
None of that happened. But in a new study released by Microsoft on Wednesday, it’s now clear that Russia has used its A-team of hackers to carry out hundreds of much more subtle attacks, many of which coincide with incoming missiles or ground attacks. And it turned out that, as in the ground war, the Russians were less skilled and the Ukrainians better defenders than most experts expected.
“They brought in destructive efforts, they brought in espionage efforts, they brought in all their best actors to focus on this,” said Tom Burt, who oversees Microsoft’s investigation of the largest and most complex cyberattacks that are exposed through its global networks. But he also noted that while “they had some success,” the Russians met a strong defense from the Ukrainians, who blocked some of the online attacks.
The report adds considerable subtlety to understanding the early days of the war, when the shelling and troop movements were apparent, but the cyber operations were less visible — and harder, at least right away, to blame on key Russian intelligence.
But it is now becoming clear that Russia used hacking campaigns to aid its ground campaign in Ukraine, linking malware to missiles in several attacks, including on TV stations and government agencies, according to Microsoft research. The report highlights Russia’s continued use of cyberweapons, confounding early analyses that suggested they had not played a prominent role in the conflict.
“It’s been a brutal cyber war that paralleled, and in some cases directly supported, the kinetic war,” said Mr. Burt. Hackers affiliated with Russia carried out cyber attacks “daily, 24/7 since hours before the physical invasion began,” he added.
Microsoft was unable to determine whether Russia’s hackers and its troops had only been given similar targets to pursue or had actively coordinated their efforts. But Russian cyber-attacks often struck within days, and sometimes within hours, of activity on the ground.
From the weeks leading up to the invasion until March, at least six Russian nation-state hacking groups launched more than 237 operations against Ukrainian companies and government agencies, Microsoft said in its report. The attacks were often designed to destroy computer systems, but some were also designed to gather intelligence or spread misinformation.
While Russia routinely relied on malware, espionage and disinformation to advance its agenda in Ukraine, it appeared that Moscow was trying to limit its hacking campaigns to stay within Ukraine’s borders, Microsoft said, perhaps in an effort to prevent NATO countries from becoming involved in the conflict.
The attacks were sophisticated, with Russian hackers often making minor changes to the malware they used to evade detection.
“It’s definitely the A team,” said Mr. Burt. “They’re basically all the major actors of the nation-state.”
Still, Ukrainian defenders were able to fend off some of the attacks, having become accustomed to fending off Russian hackers after years of online break-ins in Ukraine. At a news conference on Wednesday, Ukrainian officials said they believed Russia had applied all of its cyber capabilities to the country. Still, Ukraine managed to fend off many of the attacks, they added.
Microsoft has described several attacks that appeared to exhibit parallel cyberactivity and ground activity.
On March 1, Russian cyber-attacks hit media outlets in Kiev, including a major broadcast network, using malware aimed at destroying computer systems and stealing information, Microsoft said. That same day, rockets destroyed a TV tower in Kiev, knocking some stations off the air.
The incident showed Russia’s interest in controlling the flow of information in Ukraine during the invasion, Microsoft said.
A group affiliated with the GRU, a Russian military intelligence agency, hacked into the network of a government agency in Vinnytsia, a city southwest of Kiev, on March 4. The group carried out phishing attacks on military officials and regional government employees in order to steal passwords for their online accounts.
The hacking attempts were a pivot for the group, which typically focuses its efforts on national offices rather than regional governments, Microsoft said.
Two days after the phishing attempts, Russian missiles hit an airport in Vinnytsia, damaging air traffic control towers and a plane. The airport was not close to ground fighting at the time, but there was some Ukrainian military presence.
Russian hackers and troops appeared to be working together again on March 11, when a government agency in Dnipro was targeted by destructive malware, according to Microsoft, while government buildings in Dnipro were hit by strikes.
Parallels also emerged between Russian disinformation campaigns spreading false rumors about developing biological weapons in Ukraine and attacking nuclear facilities in Ukraine. In early March, Russian troops captured the Zaporizhzhya nuclear power plant, Europe’s largest nuclear power plant. During the same period, Russian hackers were working to steal data from nuclear power organizations and research institutions in Ukraine, which could be used to further spread disinformation, Microsoft said.
One of the groups, which is affiliated with the Russian Federal Security Service and has historically targeted companies in the energy, aerospace and defense sectors, was able to steal data from a Ukrainian nuclear safety organization between December and mid-March, according to Microsoft.
Towards the end of March, Russian hackers began to shift their focus to eastern Ukraine, as the Russian military began to reorganize troops there. Little is known about Russian-backed hacking campaigns that took place in April, as investigations into many of those episodes continue.
“Ukrainians themselves have been better defenders than expected, and I think that’s the case on both sides of this hybrid war,” said Mr. Burt. “They’ve done a good job both defending themselves against the cyber-attacks and recovering from them when they’re successful.”