From consumer drones dropping makeshift grenades made with 3D-printed parts, to civilians signing up to be part of a global DDoS botnet – the conflict between Ukraine and Russia is proving to be anything but a repeat of wars we have seen throughout history. Though somewhat clear battlefronts are being drawn and typical two-sided conflict is occurring – a secondary digital battle is being fought constantly in cyberspace. When the conflict started, it became immediately apparent that the fronts in cyberspace were as opaque and vague as they come. If you manage IT systems in any way, this should concern you. Unless you live in a country that has remained neutral in this conflict (though not even Switzerland did that this time), you might already be in the crosshairs.
Though the statement “civilians signing up to be part of a global botnet” sounds unreal and requires a mental double-take – that is precisely what happened in the conflict’s early months. As a reaction to Russia’s naval bombardment of ‘Snake Island’ and the response given to the Russians by Ukrainian soldiers, “russianwarshipgof***yourself[dot]club” was born. This website uses the computer of anyone visiting the site to send requests to an extensive list of Russian state-owned websites to DDos them. This new self-sign-up botnet proved incredibly effective in the short term, bringing down multiple sites, including “en.kremlin.ru” and “government.ru.”
Actions like this may have brought down some government sites on both sides, but they certainly fanned the flame of what can only be called cyber warfare. On 9 May 2022, 5EYES released a joint cybersecurity advisory (Alert Code:AA22-110A), alerting organisations to Russian state-sponsored and criminal cyber threats to critical infrastructure. Organisations in Australia were warned they “should urgently adopt an enhanced cyber security posture” in response.
These were not idle warnings; Microsoft determined that 237 attacks from Russia or Russian-backed actors had occurred between 2 February 2022 and 8 April 2022. This included 38 attacks that irreversibly destroyed files in hundreds of systems in dozens of Ukrainian organisations.
The prominent malware families utilised in these assaults include WhisperGate, HermeticWiper (also known as FoxBlade or KillDisk), HermeticRansom (SonicVote), IssacWiper (Lasainraw), CaddyWiper, DesertBlade, DoubleZero (FiberLake), and Industroyer2.
WhisperGate, HermeticWiper, IssacWiper, and CaddyWiper have all been designed to erase data and render machines unbootable, while DoubleZero can delete large-scale data. DesertBlade was found infecting the systems of broadcasting companies in Ukraine, continuing the Russian historical tradition of deactivating, or destroying public media. SonicVote is used as a cover-up for intrusions by disguising them as ransomware attacks. Industroyer2 is a significant threat to operational technology networks and industrial production processes.
For Australians, this seemed too far away to care. That was until they had one of the most noted cyber-attacks in Australia’s history—the Medibank insurance hack. The Australian public has repeatedly heard that some obscure company has lost records to a cyber-attack and thought little about it. That was brought into context when the Australian government asserted that Russian-backed attackers were releasing the personal medical information of over 10 million citizens, including HIV results and rehab bookings.
The conflict between Ukraine and Russia has demonstrated the real-world impact of cyberwarfare on critical infrastructure and individuals’ private information. The attacks on organisations and infrastructure have been persistent and devastating, with new and old malware causing significant widespread damage. The global community must take cybersecurity seriously and adopt an enhanced posture to protect against state-sponsored and criminal cyber threats. As cyberwarfare evolves, individuals and organisations must remain vigilant and proactive in protecting their networks and data.