Microsoft published a detailed report on the cyberattacks accompanying Russia’s hybrid war against Ukraine. The report also shows how the company helped protect the Ukrainian people and organizations.
“We believe it’s important to share this information so that policymakers and the public around the world know what’s occurring, and so others in the security community can continue to identify and defend against this activity. All of this work is ultimately focused on protecting civilians from attacks that can directly impact their lives and their access to critical services,” the report states.
Enemy activity began shortly before the invasion. Microsoft has noted that at least six individual Russian agents have launched more than 237 operations against Ukraine. These included destructive attacks that threatened the well-being of the civilian population, as well as espionage and intelligence operations.
The attacks were aimed not only at government systems, but also at Ukrainians’ access to reliable information and critical services, in an attempt to undermine the country’s leadership. The company also mentions limited espionage activity involving other NATO countries, as well as disinformation.
Russian cyberattacks turned out to be related to physical military operations. For example, on March 1, a large-scale cyberattack on a Ukrainian TV and radio broadcaster began. On the same day, the Russian military announced its intention to destroy Ukrainian “disinformation” targets and launched a missile strike on a TV tower in Kyiv.
“On March 13th, during the third week of the invasion, a separate Russian actor stole data from a nuclear safety organization weeks after Russian military units began capturing nuclear power plants sparking concerns about radiation exposure and catastrophic accidents. While Russian forces besieged the city of Mariupol, Ukrainians began receiving an email from a Russian actor masquerading as a Mariupol resident, falsely accusing Ukraine’s government of “abandoning” Ukrainian citizens.
The destructive attacks we’ve observed – numbering close to 40, targeting hundreds of systems – have been especially concerning: 32% of destructive attacks directly targeted Ukrainian government organizations at the national, regional and city levels. More than 40% of destructive attacks were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the Ukrainian government, military, economy and civilians,” said Microsoft.
Actors engaging in these attacks are using a variety of techniques to gain initial access to their targets including phishing, use of unpatched vulnerabilities and compromising upstream IT service providers. These actors often modify their malware with each deployment to evade detection.
The report contains a detailed timeline of Russian cyber operations. It makes clear that enemy agents began preparing for war in March 2021. As troops began advancing to the border with Ukraine, Microsoft noticed attempts to gain access to targets that could provide the enemy with information about Ukraine’s military and foreign partnerships.
By mid-2021, agents were targeting supply chain participants in Ukraine and abroad in order to also gain access to systems in NATO countries. In early 2022, destructive malware attacks against Ukrainian organizations began. After the invasion, Russian cyberattacks were aimed at achieving military strategic and tactical goals. Microsoft notes that this may be only part of the destructive activity directed at Ukraine.
Microsoft’s security teams work with Ukrainian government officials and cybersecurity experts. After the company found malware in more than 10 networks in Ukraine in January this year, Microsoft warned the Ukrainian government and established a secure line of communication to respond quickly to such attacks.
“Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression,” Microsoft warns.
The company noted that Russian agents are showing interest in, or are already conducting operations against, organizations in the Baltic States and Turkey. Therefore, all warnings issued by CISA and other US government agencies, as well as by official cybersecurity experts from other countries, should be taken seriously.
Public institutions and critical infrastructure enterprises should take special measures to protect themselves from attacks. The report includes specific recommendations for organizations that could be targeted by Russian agents, as well as technical information for the cybersecurity community.