Russian invasion of Ukraine sees online forces mobilize as cyberattacks mount

Cyber-assaults on Ukrainian government, military sectors up almost 200% as ‘hacktivists’ and researchers wage war online, say Israeli cyber specialists

Ricky Ben-David is a Times of Israel editor and reporter

Illustrative: Programming scripts on a computer monitor. (Motortion/iStock by Getty Images)

Russia’s invasion of Ukraine five days ago has mobilized cyberwar forces on both sides as cyberattacks against Kyiv have spiked since last Thursday, say Israeli cybersecurity experts.

Attacks on Ukrainian government sites and the military sector jumped 196% in the first three days of Russia’s attack on the country of 44 million, reported Israeli cybersecurity firm Check Point Software on Monday, while attacks on Russian organizations increased by just 4%.

Lotem Finkelstein, head of Threat Intelligence at Check Point, told The Times of Israel that a 196% rise in attacks “was a huge increase in such a short-term time-frame.” The targets themselves, too — sites of government entities and related organizations — indicate that the attackers are out to specifically damage or destroy Ukrainian government infrastructure, he said.

“The entire conflict is also being played out online. It’s an online war where people are choosing sides and some are actually generating mass attacks. The situation has polarized the cyber community,” he said.

According to research published Monday by Finkelstein and his team, there has been a sharp increase in malicious phishing emails written in the East Slavic languages (Russian, Ukrainian, and Belarusian) since last Thursday when the Russian assault began, compared to data from earlier this month.

A majority of the phishing emails were being directed at Russian recipients from real or spoofed Ukrainian email addresses, the researchers said.

There was also a notable increase in fraudulent emails seeking donations for Ukraine in a bid to dupe people into sending money to falsified funds, they warned in the report.

Refugees fleeing conflict in Ukraine arrive at the Medyka border crossing in Poland, February 28, 2022. (AP Photo/Visar Kryeziu)

Cyber activity surrounding the conflict was surging, said Finkelstein, adding that it was “important to understand that the current war also has a cyber dimension to it, where people online are choosing sides, from the dark web to social media.”

A good part of the cyber attacks is being waged by nation-states. But non-state groups of activists, “hacktivists” (groups of hackers that rally around a cause or ideology), cybercriminals, and white hat researchers are also mounting significant cyber threats, according to separate Check Point research.

“It’s cyberspace, there are no borders, anyone can join in this sphere. In this case, they see what is happening, and people feel the need to pick sides,” said Finkelstein.

Ukraine’s ‘IT army’

Russia’s cyberattacks against Ukraine began before its physical invasion of the country, but Moscow launched a cyber assault on the first day of the conflict, with denial-of-service attacks and destructive malware attacks that also infected computers in neighboring Latvia and Lithuania.

Cyberattacks have been a key tool of Russian aggression in Ukraine since before 2014, when Russia annexed Crimea and hackers tried to thwart elections. They were also used against Estonia in 2007 and Georgia in 2008. Their intent can be to sow panic, confuse and distract.

A computer code is seen on displays in the office of Global Cyber Security Company Group-IB in Moscow, Russia, Oct. 25, 2017. (AP/Pavel Golovkin)

To counter Russian abilities, Kyiv called on global hacktivists and cyber experts to join its international “IT army.” Ukraine’s Minister of Digital Transformation and Vice PM Mykhailo Fedorov launched a situation room on Telegram and tweeted out the link to the forum calling on “digital talents” to join. He said those who sign up will be given “operational tasks.”

“There will be tasks for everyone. We continue to fight on the cyber front. The first task is on the channel for cyber specialists,” he wrote on Saturday.

The Telegram channel of this “army” consists of more than 240,000 members as of Monday evening. It posts lists of Russian targets members should try to breach through cyber vectors (methods of attacks like malware or ransomware) or denial-of-service attacks. These have included Russian government websites, APIs, bank websites, and major governmental companies.

Government websites on both sides have been down for hours in some cases over the past few days, Finkelstein said.

In Ukraine’s cyber corner was also the Anonymous Collective, a group of global hackers, which said it took down the official website of the Kremlin, sites of other government entities, and a number of government media organizations on Saturday including RT. These attacks were followed by additional assaults Sunday and Monday.

Ukrainian soldiers stand guard as people try to leave at the Kyiv train station, Ukraine, Thursday, Feb. 24, 2022. (AP/Emilio Morenatti)

Anonymous also leaked data from the Russian Ministry of Defense website and from weapons manufacturer Tetraedr based in Belarus, a close Moscow ally and from whose border with Ukraine some Russian forces began the offensive.

Finkelstein said all this activity was part of the cyber dimension of this war. “It’s an influence operation, to generate a general atmosphere of ‘nation under attack,'” he said.

Tech companies take action against Russia

As governments across the world responded to the Russian attack by sending funds and weapons to Ukraine and started slapping sanctions on Moscow — even traditionally neutral Switzerland — large tech companies also took some action.

Meta (Facebook) on Friday announced that it would bar Russian state media from running ads and earning revenue on the platform, and Russian authorities responded by restricting access to Facebook. YouTube (owned by Google) also said it would restrict ads for Russian state media, limit video recommendations and suspend access to some Russian channels in Ukraine.

Google itself followed suit and said it won’t allow Russian state media outlets to run ads. Google also blocked certain features of its map service in Ukraine to protect local citizens and troops.

Screen capture of Google Maps showing the Ukrainian capital Kyiv, February 28, 2022. (Google Maps)

Twitter, meanwhile, suspended all advertising in Ukraine and Russia, saying on Friday it took the measure “to ensure critical public safety information is elevated and ads don’t detract from it.” It also faced restricted access in Russia, in response.

Given their immense power and influence, US-based tech giants have been under intense pressure to pick a side regarding Russia’s invasion of Ukraine, at once facing calls to stand against Moscow’s internationally condemned war but also Kremlin retribution for resistance. Since Moscow attacked Ukraine, the besieged nation has urged firms from Apple to PayPal to Netflix to cut Russia off.

The spread of disinformation

Facebook and other big tech companies also indicated they would attempt to clamp down on powerful disinformation campaigns for which the Russian state is known.

Disinformation and misinformation have been an emerging part of Russia’s war arsenal with the shaping of opinion through orchestrated online campaigns fighting alongside actual troops and weapons. Bots and trolls stir up anti-Ukrainian sentiment on networking sites and content platforms like TikTok and state-backed media broadcast partial or false information and visuals.

Russia’s President Vladimir Putin appears on a television screen at the stock market in Frankfurt, Germany, Feb. 25, 2022. (AP/Michael Probst)

Across the internet, there’s been a rapid uptick in suspicious accounts spreading anti-Ukrainian content, according to a report from Cyabra, an Israeli tech company that works to detect disinformation.

Cyabra’s analysts tracked thousands of Facebook and Twitter accounts that had recently posted about Ukraine. They saw a sudden and dramatic increase in anti-Ukrainian content in the days immediately before the invasion. On Valentine’s Day, for instance, the number of anti-Ukrainian posts created by the sample of Twitter accounts jumped by 11,000% compared with just days earlier. Analysts believe a significant portion of the accounts are inauthentic and controlled by groups linked to the Russian government.

“When you see an 11,000% increase, you know something is going on,” said Cyabra CEO Dan Brahmy.

The Russians also use cyberattacks in their information warfare arsenal, said David Warshavski, VP Enterprise security at Sygnia, a Temasek-owned Israeli cybersecurity consulting and incident response firm with client organizations worldwide.

He explained that Russia and state actors started mounting cyberattacks on Ukrainian targets in mid-January that were minimally impactful and mildly successful. “The attacks were not very sophisticated; we haven’t seen the Russians deploy their A-teams yet,” he told The Times of Israel in a phone call Monday.

“The idea is to spread chaos, and fear, so they’re not going to waste precious tools and zero-day vulnerabilities on a loud, noisy campaign. And they don’t need to. If the Russians want to cripple critical infrastructure, they will bombard it,” said Warshavski.

Russia will save the big cyber guns, he added, for destructive campaigns such as 2017’s NotPetya malware, described as the worst cyberattack with global dimensions. Although it was targeted at Ukraine, the malware spread across the world from hospitals to shops to banking multinationals, huge corporations and manufacturers, and cost billions of dollars in losses.

A computer screen cyberattack warning notice reportedly holding computer files to ransom, as part of a massive international cyberattack, at an office in Kiev, Ukraine, June 27, 2017. (Oleg Reshetnyak via AP)

“Russia uses tools of different levels of sophistication for different use cases, and keeps unknown capabilities to be used strategically in reserve,” the company wrote in a post published Monday. “While some of its tools are for espionage, others will be used to spread misinformation or to destroy or manipulate data. We’ve seen that Russian cybercriminals are able to infiltrate networks and remain hidden for months or even years and that they are highly skilled at launching supply-chain attacks.”

Such capabilities are worrying global enterprises and organizations, especially in the West, said Warshavski. There is no “cyber apocalypse” just yet, he added, urging people and organizations to “keep calm and stay vigilant.”

But Warshavski warned that the current involvement of non-state actors such as hacktivists and freelance hackers on both sides in the crisis could escalate matters into full-on cyber warfare, with some collateral damage.

Agencies contributed to this report.
