The first cyber warfare against Ukraine that is considered to be related to the current conflict with Russia was a “fake” ransomware attack on Jan. 13, 2022 – a ransomware attack with no ransom. The set of malware tools used, ‘WhisperGate’, is designed to look like ransomware but has no recovery feature. The attackers instead used the ransomware’s encryption to cause as much destruction as possible with no possibility of recovering data.
The next day on January 14th, hackers posted the message “be afraid and wait for the worst” on about 70 Ukrainian government websites. The messages were immediately taken down and the websites were restored, but forensic investigators believe that the hackers purposely limited the initial damage and installed a more destructive trigger that will fire later.
A laptop showing the message left by attackers on the Ministry of Foreign Affairs of Ukraine website in Ukrainian, Russian, and Polish – image courtesy of NPR (National Public Radio).
February 15th saw the beginning of three DDoS attacks that brought down several Ukrainian banking websites, mobile apps, and ATMs. According to ComputerWeekly, the malware was compiled in October of 2021, suggesting that this cyber attack may be part of a larger operation. In March, network traffic experts noticed that Ukrainian civilians were being bombarded with significantly more phishing emails than usual.
Critical infrastructure related to natural resources has been a major target of cyber warfare related to this conflict, but these attacks have not all been regionally focused on Ukraine. For example, some sources are reporting that a “pre-positioning” campaign of cyber attacks targeting US natural gas producers began about two weeks before the invasion of Ukraine. These attacks highlight what critical infrastructure organizations worldwide could be doing to protect critical services from disruption by cyber attack:
- Segment the network into zones so that attackers cannot move easily within the OT environment and threats can’t spread
- Lock down endpoints to be unable to run programs that are not on a trust list, blocking malware from executing
- Secure vulnerabilities in legacy assets with virtual patching – attackers can exploit vulnerabilities in a variety of ways including using them as illicit onramps to work site networks
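The first two controls in the list, zone segmentation and endpoint trust listing, can be expressed as small policy checks. The following is an added example written for this post, not code from the original article or from any vendor product; the zone names, the conduit table, the port numbers and the sample binaries are all constructed for illustration.

```python
"""
Added example (not part of the original post): two of the OT controls above as
testable policy checks.

1. Zone segmentation: a default-deny matrix of which zones may talk to which,
   on which destination port. A flow not listed as a conduit is refused, which
   is what limits lateral movement between zones.
2. Endpoint trust list: an executable may run only if its SHA-256 hash is on
   the list. A renamed or tampered binary has a different hash and is blocked.

All zone names, conduits and sample files below are constructed for the example.
"""
import hashlib
import os
import tempfile

# Constructed conduit table: (source zone, destination zone) -> allowed dst ports.
# Anything absent here is denied by default.
ALLOWED_CONDUITS = {
    ("enterprise", "dmz"): {443},      # business users reach a historian mirror in the DMZ
    ("dmz", "control"): {4840},        # DMZ collector pulls OPC UA from the control zone
    ("control", "field"): {502},       # controllers poll Modbus/TCP field devices
}


def zone_flow_allowed(src_zone, dst_zone, dst_port):
    """Return True only if the cross-zone flow matches an explicit conduit.
    Direction matters: field -> control on 502 is not the same as control -> field."""
    if src_zone == dst_zone:
        return True  # intra-zone traffic is not governed by the zone boundary
    return dst_port in ALLOWED_CONDUITS.get((src_zone, dst_zone), set())


def sha256_of_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class TrustList:
    """Hash-based execution allowlist: the file name is irrelevant, only content counts."""

    def __init__(self):
        self._hashes = set()

    def trust(self, path):
        self._hashes.add(sha256_of_file(path))

    def may_execute(self, path):
        try:
            return sha256_of_file(path) in self._hashes
        except OSError:
            return False  # missing or unreadable file is never allowed to run


def demo():
    """Build constructed sample binaries in a temp dir and exercise the trust list."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "hmi_client.bin")
        unlisted = os.path.join(d, "unlisted.bin")
        with open(approved, "wb") as f:
            f.write(b"\x7fELF constructed approved HMI client")
        with open(unlisted, "wb") as f:
            f.write(b"\x7fELF constructed program nobody approved")

        tl = TrustList()
        tl.trust(approved)
        trusted_runs = tl.may_execute(approved)
        unlisted_blocked = not tl.may_execute(unlisted)

        # Tampering with the approved binary changes its hash, so it is blocked too.
        with open(approved, "ab") as f:
            f.write(b"\x00")
        tampered_blocked = not tl.may_execute(approved)

        return {
            "trusted_runs": trusted_runs,
            "unlisted_blocked": unlisted_blocked,
            "tampered_blocked": tampered_blocked,
        }


if __name__ == "__main__":
    print("enterprise->dmz:443", zone_flow_allowed("enterprise", "dmz", 443))
    print("enterprise->control:4840", zone_flow_allowed("enterprise", "control", 4840))
    print(demo())
```

Two design choices worth noting: the conduit table is keyed on direction, so a permitted control-to-field poll does not implicitly permit field devices to initiate connections back into the control zone, and the trust list keys on file content rather than path, so copying malware over a trusted file name gains nothing.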