At least 5 APTs are believed involved with attacks linked to ground campaigns & designed to damage Ukraine’s digital infrastructure.
Cyber-attacks against Ukraine have been used strategically to support ground campaigns, with 5 state-sponsored advanced persistent threat (APT) groups behind attacks that started in Feb. suggests research published by Microsoft on Wed. It is thought that the APTs involved in the campaigns are state sponsored by Russia.
Digital Assets
Other just published reports also provide insight into the wave of cyber-attacks against Ukrainian digital assets by APTs with ties to Russia.
Microsoft researchers thinks 6 separate Russia-aligned threat players conducted 237 cyber operations that resulted in threats to civilian welfare & attempted to conduct dozens of cyber-espionage attacks against Ukrainian targets.
Russia is believed to be using cyber-attacks in a type of “hybrid war”, according to a blog post by Tom Burt, Corporate VP of Customer Security & Trust at Microsoft. That links “with its kinetic military operations targeting services & institutions crucial for civilians,” he stated.
Critical Life Services
“The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information & critical life services on which civilians depend & have attempted to shake confidence in the country’s leadership,” Burt wrote.
Meanwhile, researchers at Computer Emergency Response Team of Ukraine (CERT-UA) have been doing analysis of their own on the cyber-attacks that have been harassed the country in the lead up to & during the war.
Double the Number
The agency observed that it recorded 802 cyber-attacks in the 1st quarter of 2022 alone, more than double the number for the same period last year, which was 362.
Conducting those attacks are mainly 5 known Russia or Belarus-sponsored APTs, CERT-UA outlined. Those groups are Armageddon/Garmaredon, UNC1151, Fancy Bear/APT28, AgentTesla/XLoader & Pandora hVNC/GrimPlant/GraphSteel.
‘Hybrid’ War
Microsoft security teams have been working closely with Ukrainian Govt. officials as well as both govt. & private-enterprise cyber-security staff, to identify & remediate threat activity against Ukrainian networks, researchers stated.
Russia seems to have been preparing for the land conflict with Ukraine in cyber-space about a year before the war began, or since Mar. 2021, according to the report.
In the lead up to the ground conflict & the subsequent invasion, threat groups with known or suspected ties Russia “continuously developed & used destructive wiper malware or similarly destructive tools on targeted Ukrainian networks at a pace of 2 to 3 incidents a week,” researchers found.
40 Attacks
“From Feb. 23 to April 8, we saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in 100s of systems across dozens of organisations in Ukraine,” they wrote.
Before that, in Jan., Microsoft identified a Master Boot Record (MBR) wiper attack that it named WhisperGate targeting Ukraine to permanently disrupt organisations across the country & paint it as a failed state.
Wipers are the most destructive of malware types because they permanently delete & destroy data and/or systems, causing great financial & reputational damage to victims.
From late Feb. to mid-March, another series of wiper attacks using malware called HermeticWiper, IsaacWiper & CaddyWiper targeted organisations in the Ukraine as Russia commenced its physical invasion.
Critical Infrastructure
In its latest report, Microsoft outlined that more than 40% of the destructive attacks against Ukraine were aimed at organisations in critical infrastructure sectors that could have negative 2nd-order effects on the govt., military, economy & the country’s people.
Also, 32% of destructive incidents affected Ukrainian Govt. organisations at the national, regional & city levels.
“Acknowledging that there is ongoing activity that we cannot see, we estimate there have been at least 8 destructive malware families deployed on Ukrainian networks, including one tailored to industrial control systems (ICS),” researchers wrote.
Destructive Malware
”If threat actors can maintain the current pace of development & deployment, we anticipate more destructive malware will be discovered as the conflict continues.”
The report includes a specific timeline of attacks & the malware used in the earliest weeks of the attack to support Russia’s military activities. In addition to the wipers previously mentioned, other malware deployed in the attacks includes: FoxBlade, DesertBlade, FiberLake, SonicVote & Industroyer2.
Frequent Offenders
After CERT-UA’s revelation of the top ATPs attacking Ukraine in cyberspace, research firm Recorded Future’s The Record took a deeper look into each other to examine its affiliations & methods.
Armageddon/Garmaredon is an aggressive threat player that has been targeting Ukraine since 2014 & is backed by the Russian Federal Security Service (FSB).
During the Russian war on Ukraine the group has used phishing attacks to distribute malware, most recently new variants of the “Backdoor.Pterodo” malware payload, according to researchers.
UNC1151 is a Belarus-aligned hacking group who has been active since 2016 & has previously targeted govt. agencies & private organisations in Ukraine, Lithuania, Latvia, Poland & Germany, as well as attacked Belarusian dissidents & journalists, researchers observed, citing research from Mandiant.
Micro Backdoor
Since Russia attacked Ukraine UNC1151 the group has been linked to the defacement of multiple Ukrainian Govt. websites as well as spearphishing campaigns targeting the email & Facebook accounts of Ukrainian military personnel to spread the Micro Backdoor malware.
Fancy Bear/APT 28 is a well-known & prolific actor active since 2017 & backed by Russia’s military intelligence service (GRU).
The politically motivated group has been linked to activity aiming to influence elections in the European Union & the US as well as attacking sporting authorities connected to the 2020 Tokyo Olympic Games.
During Feb. 24, the day Russia attacked Ukraine, ‘Fancy Bear’ gained access to US satellite communications provider Viasat’s KA-SAT network in Ukraine, leaving many Ukrainians without internet access & communication capability at the critical time when attacks began, researchers commented.
‘Agent Tesla’
Russian threat players have used the Agent Tesla & XLoader malwares since at least 2014 & 2020, respectively; both have been used in high-profile attacks. During Russia’s invasion of Ukraine, one malicious email campaign targeting Ukrainian state organisations used XLoader as its payload, while a phishing campaign targeting Ukrainian citizens spread AgentTesla,, researchers commented.
Pandora hVNC/GrimPlant/GraphSteel function as downloaders & droppers under the umbrella term “Elephant Framework,” or tools that are written in the same language & used to target govt. organisations through phishing attacks, researchers stated.
In 2 separate malicious phishing campaigns in Mar., they were used against Ukrainian targets to steal sensitive information from govt. officials, among others, they explained.
History of Cyberattacks
In Mar., Kaspersky’s Global Research & Analysis Team (GReAT) outlined its’ tracking of current & past cyber-attacks in Ukraine.
“The number of cyber-attacks in Ukraine will increase during the next 6 months. While most of the current attacks are of low complexity – such as DDoS or attacks using commodity & low-quality tools – more sophisticated attacks exist also, & more are expected to come,” Kaspersky researchers wrote.
“Current complex activities include the employment of Hermetic Wiper, which stands out due to its sophistication, as well as the Viasat ‘cyber event’ – the partial network outage that impacted internet service for fixed broadband customers in Ukraine & elsewhere on the European KA-SAT network that affected over 30,000 plus terminals in Europe,” the Kaspersky report concluded.
