From critical infrastructure, through government agencies, to private businesses: experts identify unprecedented coordination between Russia’s military attacks and its cyberattacks. “This is a hybrid war,” say executives at Microsoft, the company that is helping Ukraine defend itself. After Russia used ransomware in Poland, the company fears that the cyberattacks will expand to other countries over the winter, and it is monitoring China’s activity with concern.
The first global cyber war
The Russian invasion of Ukraine has so far claimed tens of thousands of victims, displaced millions of residents from their homes and sent the region into a whirlwind whose consequences are felt around the world. But alongside the horrors seen in previous wars, this war has a new motif: an unprecedented correlation between military attacks and cyberattacks. “Hybrid war,” the experts call it.
“Throughout human history there has been technological progress in every significant war,” says Microsoft Vice President Tom Brett, who is coordinating the technology giant’s efforts to help Ukraine in the cyber arena. “In the First World War it was the airplane, which made it possible to look at things from above and conduct air battles. In the Second World War it developed into a shocking ability to wreak havoc. Today we are in the first world cyber war. This is what we are seeing in Ukraine – a hybrid war in which cyberattacks and coordinated military attacks are happening at the same time.”
This coordination has been happening since the first days of the fighting. On March 1, for example, Russia announced its intention to destroy Ukrainian targets that spread disinformation and launched a missile at a TV tower in Kiev. At the same time, Russian hackers attacked a major broadcaster in Ukraine. On March 2, the activity of Russian hackers was detected in the network of Ukraine’s nuclear energy company. A day later, the Russian army took over that company’s largest nuclear power plant.
According to Brett, who serves as Microsoft’s vice president of cyber defense and trust, coordination between military and cyber attacks has increased in recent months. While the Russian army began to focus on attacking energy and electricity infrastructure, in an attempt to put pressure on the Ukrainian government ahead of the winter, cyberattacks against that exact sector were recorded. “The military attacks were more successful than the cyber attacks, but we saw that there was coordination,” says Brett. “At the same time as military attacks intended to harm the water supply, including the bombing of a critical dam, we have seen many cyber attacks in the water sector. We have been seeing military attacks and cyber attacks in the transportation and logistics sectors for some time, clear military targets.”
The Russian cyberattack on Ukraine was launched even before the first shots were fired in the military conflict. As early as January, when efforts to prevent a Russian invasion had reached a standstill, MSTIC, Microsoft’s threat intelligence center, noticed that several government agencies and private sector organizations in Ukraine had been attacked with wiper malware, whose purpose is to destroy data rather than steal it.
“At that point in time, we contacted two Ukrainian government officials in the field of cyber defense, and created an encrypted communication channel so that we could quickly share intelligence information about cyber threats with Ukraine,” Brett says. In retrospect, the attack in January turned out to be just a prelude: on February 23, the day before the invasion, Russia attacked about 200 different networks in Ukraine with a destructive wiper. “Since then,” says Brett, “we have been providing Ukraine with intelligence on cyber threats 24/7.”
“I spent two months of my life glued to a chair after the Russian invasion, doing nothing but working on cyber activity related to that,” says John Lambert, Microsoft’s vice president of research and cyber defense. “In January-February we built deep partnerships with Ukraine. We had intelligence, we knew where attacks were happening, in some cases with incredible accuracy, but that information is useless if you can’t get it into the hands of the people who will do something with it. We worked to build channels of mutual trust with government officials in Ukraine. Every time we saw Russian cyber activity against targets in Ukraine, we passed that information to the Ukrainian government. This cooperation continues to this very day; every day we pass information to them.”
The Ukrainians, Brett says, are doing a “fantastic job” in stopping the Russian cyberattacks: “In some cases we provide them with the information before the attack takes place, so they can stop it. In other cases we help them identify the attacker in their network, isolate him and remove him, as well as restore their systems if there was information theft. The Ukrainians are very good at this restoration.”
What is the connection between a metal shop and war?
Along with the attempts to damage critical infrastructure and government agencies, a significant share of the Russian attacks were aimed at private sector organizations. “In war, every resource becomes a war resource,” Lambert reminds. “There were targets that we didn’t understand why they were being attacked, for example a metal products store. If you go to its website today, you will see that it produces obstacles against tanks. There are many more examples, for example CCTV cameras. If you want to know where there is movement of people and soldiers, this is an important military goal.”
One of the significant challenges Microsoft faced was reaching the civilian organizations that were attacked in order to help them. “It wasn’t clear if the government could even contact them in the middle of a war,” Lambert recalled. “If you were to ask me how often we manage to get information into the hands of someone in the IT or security department of some business in Ukraine, I would say – maybe 10%. People have been displaced from their cities; checking emails is probably not a top priority for them. But in 90% of the cases we were able to contact someone in these organizations, and some of them were able to take action against the attacks.”
Microsoft’s assistance is critical for Ukraine. The company’s extensive global reach, both as a cloud service provider and as a software and security service provider, allows it to collect a huge volume of signals from networks around the world: 43 trillion signals per day, to be exact. According to Itzik Tsalaf, the director of Microsoft’s national information security in Israel, this is very valuable information, which allows its security analysts to derive important insights into the activities of malicious actors such as those acting on behalf of Russia. “The telemetry that goes between Russia and Iran, for example, has different characteristics than the one that goes between Russia and Israel,” he explains. “By analyzing these signals we can produce maps of relationships and identify anomalies.”
According to a report published by Microsoft in April, at least seven Russian attack groups were involved in cyber activity against Ukraine before the war, and at least some of them are still active today. Iridium (also known as Sandworm), Strontium and DEV-0586 are subordinate to Russia’s military intelligence (GRU), and they focus on destructive attacks, phishing, information theft and influence campaigns; Nobelium, which operates under Russia’s Foreign Intelligence Service (SVR), engages in password spraying and phishing; Actinium, Bromine and Krypton operate under the Russian Federal Security Service (FSB), and are behind campaigns of phishing, information theft and intelligence gathering.
The group that is considered the most advanced and sophisticated is Iridium. “We know they are very skilled,” says Brett. “The wiper they used on the first day against Ukraine is damaged, they are now in its seventh or eighth generation, and they continue to update it in an attempt to bypass the defenses that Ukraine uses.” Iridium is also the reason why Microsoft issued a warning at the beginning of this month that Russia may step up its cyber warfare this winter, and possibly even expand it outside of Ukraine.
In October, the Iridium hackers used a ransomware called Prestige for the first time against logistics and transportation companies in Poland, after using it against similar companies in Ukraine. “It is a malware that encrypts data, and does not delete it like the wiper attacks we saw in Ukraine,” explains Brett. “Sometimes it is accompanied by a demand for ransom, but they have no intention of getting money, right? The goal is to cause damage and make data disappear through encryption instead of deletion.”
The use of ransomware rather than outright destruction may have several technical reasons, but according to Brett it also gives Russia room for deniability: “We suspect that the reason is that they do not want the world to know that they are escalating their attacks outside of Ukraine. For us, this is a step up in the cyber component of the hybrid war – if they are ready to do this in Poland in the field of transportation, will they carry out such attacks more widely outside of Ukraine during the winter?”
Tom Brett, vice president of Microsoft: “There are countries in the world where media outlets that publish Russian propaganda are the most popular, more than BBC, more than CNN. People believe it’s real”
Despite the step up, Microsoft admits that so far Russia’s cyberattacks have not been very sophisticated, and its hackers mainly exploit known security weaknesses. “You don’t need to bring your most specialized tools when you can exploit unpatched vulnerabilities,” explains Lambert. “We saw Russian actors trying to find vulnerable systems that were simply not updated.” However, the cyber community advises not to underestimate Russia’s cyber capabilities; it may simply have decided not to bring out the heavy guns for now.
The propaganda front
Microsoft also closely monitors Russia’s attempts to influence public opinion, and sometimes notices coordination between the cyber attacks and its moves on social networks. “The most sophisticated player in this field, by a large margin, is the Russians,” says Brett. “They have been doing it for a long time, they have traditional means of communication, they have social networks, they have influencers and they have very sophisticated processes for building and distributing the propaganda stories they want to put out.”
Although Russian propaganda is not particularly widely distributed in Europe and the US (though according to Brett, exposure to it has jumped enormously since the beginning of the war), it is particularly popular in the southern hemisphere. According to him, “there are countries in the world where the media outlets that publish Russian propaganda are the most popular, more than the BBC, more than CNN, more than any other news source. People believe it’s real.” He mentions, among other things, false claims published about Ukrainian laboratories for the development of biological weapons or about a Nazi militia operating on the Ukraine-Russia border: “I believe there are more countries that believe these stories than countries that think they are not true.”
“You can’t sit on the sidelines when something like this happens”
Microsoft’s stance on Ukraine’s side is not self-evident. Already in the first days of the war, the technology giant stopped sales in Russia and helped the Ukrainian government transfer some of its information to the cloud quickly and for free, in order to save it from the hands of the Russian army. So far, Microsoft has provided Ukraine with $400 million worth of support, and the New York Times has already compared its involvement in Ukraine to carmaker Ford’s enlistment in World War II, when its production lines were dedicated to building tanks instead of cars. It should be noted that other technology companies, including Amazon and Google, have also provided aid to Ukraine in the past year.
According to Lambert, the decision to side with Ukraine was simple: “It was the first time a cyber power went to war and used cyber against a country of 40 million inhabitants. You cannot sit on the sidelines when something like this happens. We gave it priority from the beginning, and there is also a humanitarian aspect here. Everyone who could help came to help.”
Unlike other companies and some governments, Microsoft has not shied away from explicitly naming Russia as being behind cyberattacks against Ukraine. According to Brett, despite Microsoft’s business activities in Russia, “we decided as a company that we are willing to take risks and be very public about what we see in the cyber field. In most cases, or almost all, we have attributed cyber attacks to countries long before other countries were ready to do so. Although we have recently seen coalitions of governments that attribute attacks to countries a little faster than in the past, it is still done hesitantly.”
Brett mentions that Brad Smith, the president of Microsoft, already spoke five years ago about the need to draft a digital Geneva Convention that would establish rules for cyber warfare. “Some governments in the West didn’t like the idea,” Brett points out, “but I think people are changing their minds and starting to realize that we need more international treaties and agreements to set rules about what countries can do in cyberspace, because the number of cyber conflicts is increasing, and we’re seeing the potential impact that this has to do with the digital ecosystem.”
The Secret Library of China
The war in Ukraine over the last year has raised the fear that Beijing would draw inspiration from Moscow and decide to invade Taiwan, which it sees as an island over which it has a right to sovereignty. A cyber war in Taiwan, Brett estimates, will look different from what is currently happening in Ukraine. “One thing we see that differentiates Chinese players from other players is that they tend to use zero-day vulnerabilities (weaknesses that are unknown to the software manufacturer, and therefore almost impossible to defend against – YM) as their penetration vector more frequently than other countries. About a year and a half ago they passed legislation that requires any organization that discovers a zero-day vulnerability to report it to the Chinese government. They are building huge databases, and we believe they are building libraries of zero-day vulnerabilities. If China gets involved in hybrid warfare, I believe we will see much more use of such weaknesses in its attacks.”
Will Microsoft protect Taiwan as it protects Ukraine? “If we see a government that is under attack, we do what we can to protect it,” explains Brett, “but doing it simultaneously in several geographic areas is challenging, even with the resources that Microsoft has. Therefore, I cannot guarantee that we will do exactly the same things in Taiwan if it is attacked.”