Relentless Russian Cyberattacks on Ukraine Raise Important Policy Questions


SECTOR 2022 — Toronto — The first shots in the Russia-Ukraine cyberwar were fired virtually on Feb. 23, when destructive attacks were launched against organizations the day before Russian military troops moved into Ukraine. Microsoft was figuratively “there,” observing the developments — and its researchers were immediately concerned.

The tech giant happened to have pre-positioned sensors within various public and private networks in-country, installed in conjunction with Ukrainian incident-recovery teams in the wake of previous cyberattacks. They were still functioning, and picked up a wide swathe of concerning, snowballing activity as the Russian army amassed on the border.

“We saw attacks against at least 200 different government systems starting to run in different areas that we detected in Ukraine,” said John Hewie, national security officer at Microsoft Canada, taking the stage at SecTor 2022 this week in Toronto, in a session titled “Defending Ukraine: Early Lessons from the Cyber War.”

He added, “We also had already established a line of communication with senior Ukrainian officials across government and also organizations in Ukraine — and we were able to share threat intelligence back and forth.”

What emerged from all that intel initially was that the wave of cyberattacks was targeting government agencies, before moving on to the financial sector, then the IT sector, before specifically zeroing in on data centers and IT companies that support government agencies in the country. But that was just the beginning.

Cyber-Warfare: Threatening Physical Harm

As the war went on, the cyber-picture worsened, because critical infrastructure and systems used to support the war effort ended up in the crosshairs.

Soon after the onset of the physical invasion, Microsoft found that it was also able to correlate cyberattacks in the critical infrastructure sector with kinetic events. For example, as the Russian campaign moved around the Donbas region in March, researchers observed coordinated wiper attacks against transportation logistics systems used for military movement and the delivery of humanitarian aid.

And targeting nuclear facilities in Ukraine with cyber activity to soften a target prior to military incursions is something that Microsoft researchers have seen consistently throughout the war.

“There was this expectation that we were going to have a big NotPetya-like event that was going to spill into the rest of the world, but that didn’t happen,” Hewie noted. Instead, the attacks have been very tailored and targeted at organizations in a way that constrained their scope and scale — for example, using privileged accounts and using Group Policy to deploy the malware.
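The deployment pattern Hewie describes, a privileged account using Group Policy to push malware, leaves a trail in the domain controller's Security log: every GPO edit is recorded as event 5136 (directory service object modified) with `ObjectClass` of `groupPolicyContainer`. The detection below is an added example, not Microsoft's or the speaker's code; the events, the allow-list of approved GPO editors, the GPO GUIDs and the burst threshold are all constructed for the illustration.

```python
from datetime import datetime, timedelta

# Constructed allow-list: accounts that legitimately edit GPOs in this example domain.
APPROVED_GPO_EDITORS = {"svc_gpo_admin"}
# GPO attributes whose change alters what clients run at the next policy refresh
# (scheduled-task and script client-side extensions are registered under these).
EXECUTION_ATTRIBUTES = {"gPCMachineExtensionNames", "gPCUserExtensionNames"}

def ev(time, user, gpo_guid, attr):
    """Build a flattened Windows Security event 5136 (directory object modified)."""
    return {"EventID": 5136, "TimeCreated": time, "SubjectUserName": user,
            "ObjectClass": "groupPolicyContainer",
            "ObjectDN": f"CN={{{gpo_guid}}},CN=Policies,CN=System,DC=corp,DC=example",
            "AttributeLDAPDisplayName": attr}

# Constructed sample log: one routine edit by the GPO admin, then a burst in which a
# compromised domain admin wires a new machine extension into three GPOs within minutes.
SAMPLE_EVENTS = [
    ev("2022-02-23T09:02:00Z", "svc_gpo_admin", "00000000-0000-0000-0000-000000000001", "displayName"),
    ev("2022-02-23T14:50:10Z", "da_backup", "00000000-0000-0000-0000-000000000002", "gPCMachineExtensionNames"),
    ev("2022-02-23T14:50:41Z", "da_backup", "00000000-0000-0000-0000-000000000003", "gPCMachineExtensionNames"),
    ev("2022-02-23T14:51:05Z", "da_backup", "00000000-0000-0000-0000-000000000004", "gPCMachineExtensionNames"),
]

def flag_gpo_edits(events, window=timedelta(minutes=10), burst=3):
    """Return one alert per suspicious GPO edit, plus a burst alert when a single
    account edits `burst` distinct GPOs inside `window`; [] when nothing is suspicious."""
    alerts, per_user = [], {}
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        if e["EventID"] != 5136 or e["ObjectClass"] != "groupPolicyContainer":
            continue
        reasons = []
        if e["SubjectUserName"] not in APPROVED_GPO_EDITORS:
            reasons.append("editor not in GPO admin allow-list")
        if e["AttributeLDAPDisplayName"] in EXECUTION_ATTRIBUTES:
            reasons.append("execution-affecting attribute changed")
        if reasons:
            alerts.append({"type": "gpo_edit", "user": e["SubjectUserName"],
                           "gpo": e["ObjectDN"], "reasons": reasons})
        # Sliding window of (time, GPO) per account; fire once when the threshold is crossed.
        t = datetime.fromisoformat(e["TimeCreated"].replace("Z", "+00:00"))
        recent = [(rt, g) for rt, g in per_user.get(e["SubjectUserName"], []) if t - rt <= window]
        recent.append((t, e["ObjectDN"]))
        per_user[e["SubjectUserName"]] = recent
        if len({g for _, g in recent}) == burst:
            alerts.append({"type": "gpo_burst", "user": e["SubjectUserName"],
                           "distinct_gpos": burst, "window_minutes": window.total_seconds() / 60})
    return alerts
```

Feeding the same logic the domain controllers' 5136 events (for example via a SIEM export) gives a low-volume signal, because legitimate GPO edits are rare, come from a handful of accounts, and seldom touch several GPOs at once.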

“We’re still learning, and we’re trying to share some information around the scope and scale of the operations that have been involved there and how they’re leveraging digital in some meaningful and troubling ways,” he said.

A Cornucopia of Dangerous APTs on the Field

Microsoft has consistently reported on what it’s seen in the Russia-Ukraine conflict, largely because its researchers felt that “the attacks that were going on there were being vastly underreported,” Hewie said.

He added that several of the players targeting Ukraine are known Russia-sponsored advanced persistent threats (APTs) that have been proven to be extremely dangerous, from both an espionage perspective and in terms of the physical disruption of assets, which he calls a set of “scary” capabilities.

“Strontium, for instance, was responsible for the DNC attacks back in 2016; they’re well known to us in terms of phishing, account takeover — and we’ve done disruption activities to their infrastructure,” he explained. “Then there’s Iridium, aka Sandworm, which is the entity that is attributed to some of the earlier [Black Energy] attacks against the power grid in Ukraine, and they’re also responsible for NotPetya. This is a very sophisticated actor actually specializing in targeting industrial control systems.”

Among others, he also called out Nobelium, the APT responsible for the SolarWinds-borne supply chain attack. “They have been engaged in quite a bit of espionage against not just Ukraine, but against Western democracies supporting Ukraine throughout the course of this year,” Hewie said.

Policy Takeaways from the Russia-Ukrainian Cyber-Conflict

Researchers don’t have a hypothesis for why the attacks have remained so narrow, but Hewie did note that the policy ramifications of the situation should be seen as very, very broad. Most importantly, it’s clear that there is an imperative to establish norms for cyber-engagement going forward.

This should take shape in three distinct areas, starting with a “digital Geneva Convention,” he said: “The world is developed around norms for chemical weapons and landmines, and we should be applying that to appropriate behavior in cyberspace by nation-state actors.”

The second piece of that effort lies in harmonizing cybercrime laws — or advocating that countries develop cybercrime laws in the first place. “That way, there are fewer safe harbors for these criminal organizations to operate with impunity,” he explained.

Thirdly, and more broadly speaking, defending democracy and the voting process for democratic countries has important ramifications for cyber, because it allows defenders to have access to appropriate tools, resources, and information for disrupting threats.

“You’ve seen Microsoft doing active cyber-operations, with the backing of creative civil litigation, with partnership with law enforcement and many in the security community — things like Trickbot or Emotet and other types of disruption activities,” according to Hewie, all made possible because democratic governments don’t keep information under wraps. “That’s the broader picture.”

Another takeaway is on the defense side; cloud migration should begin to be seen as a critical piece of defending critical infrastructure during kinetic warfare. Hewie pointed out that the Ukrainian defense is complicated by the fact that most of the infrastructure there is run on-premises, not in the cloud.

“And so as much as they’re probably one of the best countries in terms of defending against Russian attacks over a number of years, they are still mostly doing the stuff on-premises, so it’s like hand-to-hand combat,” Hewie said. “It’s quite challenging.”