Nation-State Actors in the Russo-Ukrainian War

Written by our Work Experience Student – Charles Procyshyn

Nation-state actors aggressively target and gain access to public and private sector networks to compromise, steal, change, or destroy information. They may be part of a state apparatus or receive direction, funding or technical assistance from a nation-state. The Russo-Ukrainian War was the first major conflict involving large-scale cyber operations.

Russia launched a cyber campaign shortly before the invasion in 2022. Reports showed a huge increase in exploits on the first day, with the intent to disrupt and overwhelm Ukrainian defences. Russia sought to disrupt services and install malware on Ukrainian networks, using phishing, denial of service, and software vulnerabilities. The primary targets were Ukrainian government websites, energy and telecom service providers, financial institutions and media outlets. This was a wide-ranging attack that used the full suite of Russian cyber capabilities to disrupt Ukraine, but it was unsuccessful.

The disruption of Viasat Inc’s KA-SAT satellite was Russia’s most significant cyberattack. This did not provide a military advantage to Russia, but it did create significant damage that spread beyond Ukraine.

Most of these attacks have been performed by Russian government entities – chiefly the GRU, Russia’s military intelligence service. In a few cases, proxy groups (such as the leading ransomware group Conti) were also involved. In one reported instance, a Brazilian hacker group supportive of Russia attacked Ukrainian universities. All of these hacking efforts seem to have been poorly coordinated with Russian military actions in Ukraine.

While Russian military forces attacked Ukraine, at least six Russian Advanced Persistent Threat (APT) actors and other unattributed threats conducted destructive attacks, espionage operations, or both. Some of the Russian cyber threat actors that have executed operations against Ukrainian targets are as follows:

GRU:

  • Unit 26165/STRONTIUM (aka APT 28/Fancy Bear) – Data Theft and Phishing (military targets)
  • Unit 74455/IRIDIUM (aka Sandworm) – Destruction: FoxBlade wiper, CaddyWiper, Industroyer2
  • DEV-0576 (aka Cadet Blizzard) – Data Theft, Influence Operations and Destruction: WhisperGate wiper

SVR:

  • NOBELIUM (aka UNC2452/2652) – Password Spray and Phishing (Ukrainian and NATO member diplomatic targets)

FSB:

  • ACTINIUM (aka Gamaredon) – Phishing and Data Theft
  • Unit 71330/BROMINE (aka EnergeticBear) – Data Theft
  • KRYPTON (aka Turla) – Reconnaissance and Phishing

Tracked malware families used for destructive activity include:

  • WhisperGate/WhisperKill
  • FoxBlade aka Hermetic Wiper
  • SonicVote aka HermeticRansom
  • CaddyWiper
  • DesertBlade
  • Industroyer2
  • Lasainraw aka IsaacWiper
  • FiberLake aka DoubleZero

WhisperGate, FoxBlade, DesertBlade and CaddyWiper are all wipers: they overwrite data and render machines unbootable. FiberLake is a .NET capability used for data deletion. SonicVote is a file encryptor sometimes used in conjunction with FoxBlade. Industroyer2 specifically targets operational technology to achieve physical effects in industrial production and processes.

To conclude, for many years, Russia has been using nation-state actors to target Ukraine. This increased significantly in the months before and during the war. Their main aim was to disrupt and overwhelm the Ukrainian defences. Nation-state actors have used multiple types of malware and cyber techniques against Ukraine. Due to the whole world becoming more technologically advanced, cyberattacks will become more frequent and damaging. In my opinion, cyberattacks will be used more frequently in future wars as countries store vital data on their networks. Due to these cyberattacks, it is vital that people familiarise themselves with the risks if they don’t fully protect their online data/systems.

Love the article Charles! What an interesting read, you did an amazing job on this
