One year after the beginning of the Russian-Ukrainian war, Check Point Research (CPR) marked September 2022 as a turning point for cyber-attacks related to the conflict. Since then, weekly cyber-attacks against Ukraine decreased by 44%, while cyber-attacks against NATO countries increased by nearly 57% in some cases. CPR lists wipers, multi-pronged attacks and hacktivism as key trends and factors in the pivot.
- Cyber-attacks against Russia saw a steady increase of 9% since September 2022
- Estonia, Poland and Denmark saw increases of 57%, 31%, and 31%, respectively
- UK and the US saw increases of 11% and 6%, respectively
Check Point Research (CPR) cites September 2022 as a turning point for cyber-attacks related to the Russian-Ukrainian war. When looking back, CPR noticed a difference in cyber-attacks when comparing the periods of March – September 2022 and October 2022 – February 2023. Cyber-attacks against Ukraine decreased, while cyber-attacks against NATO countries increased sharply.
The numbers:
- 44% decrease in the average number of weekly attacks per organization against Ukraine, from 1,555 attacks to 877
- 9% increase in the average number of weekly attacks per organization against the Russian Federation, from 1,505 to 1,635
- Increases in cyber-attacks against NATO countries:
  - Estonia, Poland and Denmark saw increases of 57%, 31%, and 31%, respectively
  - UK and the US saw increases of 11% and 6%, respectively
Key trends observed:
- Rise of wipers
CPR also saw the perception of wiper malware, which disrupts the operations of targeted systems, undergo a major transformation because of the war. Previously, wipers were rarely used. Over the past year, however, wipers have become a much more frequently deployed mechanism as part of escalated conflicts, and not only in Eastern Europe.
The start of the Russian-Ukrainian war saw a massive increase in disruptive cyberattacks carried out by Russian-affiliated threat actors against Ukraine. On the eve of the ground invasion in February, three wipers were deployed: HermeticWiper, HermeticWizard and HermeticRansom. Another attack was directed at the Ukrainian power grid in April, using a new version of Industroyer, the malware that was used in a similar attack in 2016. In total, at least nine different wipers were deployed in Ukraine in less than a year. Many of them were separately developed by various Russian intelligence services and employed different wiping and evasion mechanisms.
The Russia-affiliated hacktivist group From Russia With Love (FRwL) deployed Somnia against Ukrainian targets. CryWiper malware was deployed against municipalities and courts in Russia. Inspired by these events, wiper activity spread to other regions. Iranian-affiliated groups attacked targets in Albania, and the mysterious Azov ransomware, which is in fact a destructive data wiper, was spread across the world.
- Multi-pronged cyber attacks
Reviewing the attacks against Ukraine, some of the offensive cyber actions were intended to cause general damage and disrupt civilian daily life and morale, while others were more precisely aimed, intended to achieve tactical objectives, and coordinated with the battle. The Viasat attack, which was deployed hours before the ground invasion of Ukraine, was designed to interfere with satellite communications that provide services to military and civil entities in Ukraine. The attack used a wiper called AcidRain and was tailored to destroy modems and routers and cut off internet access for tens of thousands of systems. Another example of a tactically coordinated attack occurred on March 1: when the Kyiv TV tower was hit by Russian missiles that halted the city’s television broadcasts, a cyberattack was launched to intensify the effects.
Tactical high-precision cyberattacks require preparation and planning. The prerequisites include gaining access to the targeted networks and often the creation of customized tools for different stages of the attack. Much like in the kinetic battle, evidence suggests that the Russians did not prepare for a long campaign. The characteristics of the cyber operations, which in the early stages included precise attacks with clear tactical objectives, like the attack on Viasat, have changed since April. The deployment of multiple new tools and wipers that was characteristic of the initial stages of the campaign was later mostly replaced with rapid exploitation of detected opportunities, using already known attack tools and tactics like CaddyWiper and FoxBlade. These attacks were not intended to act in concert with tactical combat efforts, but rather to inflict physical as well as psychological damage on the Ukrainian civilian population across the country.
CPR data shows that a gradual but major decline in the number of attacks per gateway in Ukraine began in the third quarter of 2022. On the flip side, there was a significant increase in attacks against NATO members. While the increase in attacks against the UK and the US since September is slim, at 11% and 6% respectively, the increases against some of the EU countries that are in escalated hostility towards Russia, like Estonia, Poland and Denmark, are much sharper, at 57%, 31% and 31% respectively. This shows a shift in the modus operandi and the priorities of Russia and Russia-affiliated groups in the cyber arena, whose focus switched from Ukraine to the NATO countries that support Ukraine.
- Hacktivism
Ukraine’s establishment and management of the “IT Army of Ukraine”, an army of volunteer IT specialists, has transformed hacktivism. Previously characterized by loose, ad hoc cooperation between individuals, the new hacktivist groups have tightened their level of organization and control, and now conduct military-like operations. This new mode of operation includes recruitment and training, tool sharing, intelligence and target allocation, and more. Anti-Russian hacktivist activity continued throughout the year, affecting infrastructure, financial and governmental entities.
Check Point Research data shows that attacks against organizations in Russia have significantly increased since September 2022, especially against the government and military sectors.
Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research said: “We see a change in the direction of cyber-attacks at a specific point during the war. Starting the third quarter of 2022, we see a decline in the attacks against Ukraine, while also seeing increases in the attacks against certain NATO countries. We see the deployed efforts especially against specific NATO countries that are more hostile to Russia. Some of those attacks are malware attacks, and some of those are focused on information operations around specific political, geo-political and military events.”