CYBER OPERATIONS ASSOCIATED WITH THE UKRAINE-RUSSIA CONFLICT: AN OPEN-SOURCE ASSESSMENT

Russia’s invasion of Ukraine on 24 Feb 2022 was preceded by warnings from the US, UK, and others, of an impending attack by the Russian forces massed along Ukraine’s eastern and northern borders.  These warnings were unprecedented in that they were explicit and were asserted to be the results of analysed intelligence operations.  However, if these warnings were meant to deter Russia from carrying out its stated plans, then they failed quite abjectly.

With the extent of offensive cyber capability available to Russia,[1] it was expected that this capability would be a major contributor to the outcome of the war, over and above the kinetic operations being undertaken by Russia.[2]  It was also assumed that any offensive cyber operation involving the deployment of destructive malware would spill over to other countries and organisations, as had been observed in the behaviour of malware such as Stuxnet[3] and NotPetya[4], the latter being assessed to have originated in Russia and targeting Ukraine.  These experiences led to the intuitive belief that in a hyper-connected society, it would be naïve to expect that offensive cyber operations would remain confined solely to their intended targets.  Yet, this is precisely what appears to have happened thus far.  While there is extensive evidence of offensive cyber operations being carried out by both sides in the present conflict, there is little evidence, as yet, of any spill-over of these to areas beyond the conflict zone.

While the dissemination of propaganda through a variety of media is very much an aspect of Information Warfare as a whole, this paper will focus on cyber aspects and will attempt to collate and analyse existing open-source information available on the use of cyber capability by both Russia and Ukraine.

Russian Cyber Operations

Russia has long held the view that the Internet poses a danger to the sovereignty of the nation.  Particularly, the open exchange of information that renders borders obsolete has been considered anathema to Russian thinkers.[5]  This view is, of course, divergent from the basic concept of the Internet, which was envisaged to enable the unfettered exchange of information.  It is this very spread of information which Russia perceives as posing a threat to its society as well as the State, and consequently, the exercise of sovereignty over the resultant ‘national internet’ is a key security concern of the Russian State.

This understanding of cyberspace, and of the unacceptability of the risk of its unfettered use, has manifested itself in Russia attempting to disconnect from the rest of the world.  The regulations on the Internet in Russia, described publicly as the Sovereign Internet Law,[6] which were passed by the Russian parliament in November of 2019, permit, among other aspects, the Russian Government to partition Russia from the rest of the Internet.  In tests running over a month from 15 Jun 2021, Russia did, indeed, disconnect its Internet infrastructure from the rest of the world.[7]  While the results of this disconnect are still not clear, it certainly does confirm Russian intentions to control online discourse.

As is the case with most countries, Russia, too, acknowledges the importance of information operations to steer the narrative among its adversaries.  Comments by its former Chief of General Staff and other senior officials to the Russian Parliament in February of 2017[8] indicate a firm belief that victory obtained through information operations is, at present, seen to be even more important than that resulting from the use of traditional weapons, especially if the former significantly degrades the enemy’s morale, discredits its leadership, and undermines its military and economic potential.

In the opinion of this author, it is this feeling of isolation and a narrative of victimisation by the West that has driven Russia to develop extensive offensive cyber capabilities that routinely target its presumed enemies.  Of course, most countries with advanced cyber capability are also believed to possess these capabilities.  Russia, however, is among very few countries that are known to actively encourage non-governmental entities to carry out cyber attacks against other private organisations.  Most malware known to be authored by Russian attack groups does have the capability to determine the location of the impacted systems and leave them alone if they happen to be Russian.

Some known Russian entities involved in cyber operations during the current conflict and in the past include the following[9]:

The Russian Federal Security Service (FSB).  The successor to the KGB, the FSB is known to have conducted cyber operations against energy companies in the West.  Attack groups associated with the FSB have been named Berserk Bear, Crouching Yeti, Dragonfly, and Energetic Bear by global security organisations.[10]

Russian Foreign Intelligence Service (SVR).[11]  The SVR is known to operate an Advanced Persistent Threat (APT) group, known variously as APT29, COZY BEAR, CozyDuke, Dark Halo, Nobelium, etc.  The known targets of this group include critical infrastructure organisations.  Their most well-known attack was one that used the SolarWinds Orion software to infiltrate a large number of US organisations.[12]

Russian General Staff Main Intelligence Directorate.  The GRU’s 85th Main Special Service Centre has operated an APT group that targets governmental organisations, research institutes, and critical infrastructure organisations.  The group is known as Unit 26165 and by security organisations as APT28, Fancy Bear, Strontium, Group 74, etc.[13]

GRU’s Main Centre of Special Technologies.  GTsST, or Unit 74455, is an APT group that has operated since at least 2009 and has targeted a variety of critical infrastructure organisations, including those in the Energy, Transportation Systems, and Financial Services Sectors.  The group is also known as Sandworm, Iron Viking, BlackEnergy, and Voodoo Bear.  The primary distinguishing characteristic of the group is its use of techniques aimed at causing disruptive or destructive effects at targeted organisations using Distributed Denial of Service (DDoS) attacks, or wiper malware.[14]  Some of the more prominent destructive attacks attributed to this group include the cyberattack against Ukrainian energy-distribution companies in December of 2015[15] and the destructive NotPetya attack of June, 2017.[16]

Apart from these State organisations involved in offensive cyber operations, there are other Russia-based groups that either operate with official patronage or are tolerated by the authorities.  These Russia-aligned cybercrime groups pose a threat to critical infrastructure organisations primarily through their deployment of ransomware through which cyber actors remove victim access to data (usually via encryption), potentially causing significant disruption to operations, and conducting DDoS attacks against websites.  The more prominent of these groups include:

The Gamaredon Group.[17]  This group has been active since 2013 at least and has targeted individuals believed by them to be involved with the Ukrainian government in one capacity or another.  The group uses Russian web-hosts to distribute their malware.  In November 2021, the Security Service of Ukraine made a public announcement that attributed Gamaredon to the Federal Security Service of the Russian Federation (FSB).[18]

Venomous Bear.[19]  Also known as the Turla Group, Venomous Bear has historically targeted governments aligned with the North Atlantic Treaty Organization (NATO), defence contractors, and other organisations of intelligence value.  Venomous Bear is known for its unique use of hijacked satellite internet connections for command and control (C2).  It is also known for the hijacking of other non-Russian State-sponsored APT actor infrastructure.

Conti Ransomware Group.[20]  Conti is amongst the most professional of the organised crime-groups and it possesses dedicated subgroups akin to departments in a traditional business.  Just a day after the Russian invasion of Ukraine, the Conti Ransomware Group announced its support of the Russian government, on their website,[21] although this support was toned down subsequently.

Destructive Cyber Attacks Targeting Ukraine During the Current Conflict.  Although large scale cyber attacks against countries and organisations assisting Ukraine have not yet materialised, there has been no dearth of these operations against Ukrainian organisations and systems.  Destructive cyber attacks have the capacity to render systems inoperable.  Wiper malware[22] is the weapon of choice here.  Russia is reported to have used these attacks since the beginning of the current conflict.[23]  These attacks are chronologically tabulated below:

 

| Ser | Date/Time Period | Attack Description | Attribution |
|---|---|---|---|
| 1. | 13 Jan 2022 | WhisperGate malware designed to wipe the contents of hard disks of Ukrainian Foreign Ministry, as also some IT organisations.[24] | Initially attributed by Microsoft to nation-state threat actor designated DEV-0586.  Later attributed to GRU’s Main Centre of Special Technologies (aka Sandworm) |
| 2. | Early Feb | DDoS attack against Ukrainian banking and defence websites.[25] | Russian Main Intelligence Directorate (GRU) |
| 3. | 23 Feb 2022 | HermeticWiper (similar to WhisperGate).  Targets the Ukrainian government’s IT, energy, and financial sectors.[26] | Sandworm group |
| 4. | 24 Feb 2022 | IsaacWiper carried out similar actions to HermeticWiper and WhisperGate, but bearing no resemblance to either.  Its targets are Ukrainian organisations that were not affected by earlier attacks.[27] | No specific attribution, however, the composition of the malware and targets attacked point to the involvement of Russian agencies. |
| 5. | 14 Mar 2022 | CaddyWiper is another wiper malware that bears no relations to earlier wipers[28]. | No specific attribution, however, the composition of the malware and targets within Ukraine point to the involvement of Russian agencies. |
| 6. | 12 Apr 2022 | Industroyer2, a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.  An earlier version was launched against Ukrainian power grid in December of 2016.[29] | Sandworm group |

Attack on Viasat Satellite Internet Communications.  To coincide with the commencement of the Russian attack on Ukraine on 24 Feb 2022, a deliberate cyber-attack caused disruption of Viasat’s KA-SAT satellite broadband service in Europe.[30]  The attack, which rendered almost 30,000 modems physically inoperable,[31] impacted not only users in Ukraine but also much of Europe, including wind turbines operated by German energy company Enercon.

Social-Engineering-Based Attacks.  Social engineering attacks[32] have been used in the majority of successful data breaches and penetrations.  This high success rate is due to a simple fact – these attacks target human behaviour and not IT systems. The purpose of these attacks is to gain usernames and passwords associated with critical systems.  Attackers are no longer hacking into systems.  They are logging in.  Given this high rate of success, it is widely presumed that almost all attacks in the current conflict originated with a social-engineering-based attack.  For instance:

  • During the initial stage of the current conflict, Ukraine accused the Belarusian State-sponsored hacking group UNC1151 of attempting to hack the email accounts of its military personnel in a mass phishing attack.[33] Once the attackers infiltrated the email accounts of at least some military personnel, they leveraged the compromised address books to send more malicious emails.
  • The threat actor APT28, attributed to Russia’s GRU, has engaged in a credential phishing campaign, targeting users of the popular Ukrainian media company UKRNet[34].
  • Mustang Panda,[35] a China-based threat actor, has been targeting European entities with lures related to the Ukrainian invasion. This is a departure from this group’s normal targets based in Southeast Asia.  The compromise chain includes decoy documents that are frequently updated and relate to events in Europe and the war in Ukraine.
  • Google has reported[36] multiple DDoS attacks against the Ukrainian Ministries of Foreign Affairs and Internal Affairs, as well as against services such as Liveuamap, which are designed to help people find information.
  • The Russian APT, Gamaredon, was found spreading the LoadEdge backdoor among Ukrainian organisations.[37] The backdoor allows Gamaredon to thereafter install surveillance software and other malware onto infected systems.

Ukrainian Cyber Operations

While there is widespread information about Russian cyber attacks targeting Ukrainian organisations, there is relatively little news about the outcomes of any cyber-attacks targeting Russian assets.  There are two reasons for this.  The first is the extensive coverage given by Ukraine, which has been amplified by Western governments and media outlets that are at odds with Russia.  The second has been the success achieved by Ukraine in fending-off Russian cyberattacks, publicly claiming this success, and hence gaining an upper edge in the ongoing psychological warfare.

Ukraine has very effectively leveraged the outrage expressed by several Western countries, highlighting attacks on civilian infrastructure, and emphasising the humanitarian crises generated by the exodus of Ukrainian refugees.  There are obvious comparisons with other conflicts and their coverage in the Western media.  However, the information warfare aspects are heavily in favour of Ukraine precisely because of a near total clampdown on news inside Russia and, therefore, a lack of any credible inputs regarding the success or otherwise of Ukrainian offensive cyber operations.  What little is known of these attempts has come to us from the individuals or groups that are involved in this effort.

As far as cyber-attacks go, there appears to be an ongoing ‘crowd-sourced’[38] supplementary effort from Ukraine.  The official Ukrainian government efforts are focused on defence of their networks.  However, this has not stopped them from reaching out to the hacker community in carrying out offensive operations against Russia.[39]

Some of the other notable efforts aiding Ukraine on the cyber front include the following:

  • Ukraine’s IT Army. Ukraine’s deputy prime minister and minister for digital transformation, Mykhailo Fedorov, announced the creation of a volunteer cyber army, the IT Army.[40]  The IT Army has functioned by posting important targets to a Telegram channel, while individuals or groups use the details provided to launch attacks against the specified targets.  The IT Army targeted the websites of several Russian banks[41], the Russian power grid and railway system, and has launched widespread DDoS attacks[42] against other targets of strategic importance.
  • Anonymous. A decentralized group of hacktivists, Anonymous, “declared war” against the Russian State on 01 March 2022, and the group claims to have disabled sites run by Russia’s State-owned media.[43]  Anonymous appears to have targeted pro-Russia media outlets several times over the past few weeks.  It also claimed to have hacked several major Russian broadcasters,[44] including State-run television channels.
  • Belarusian Cyber Partisans. The Belarusian Cyber Partisans, a group that launched cyberattacks in January on Belarusian train systems in protest against Russian troop deployments in the country,[45] appears to be continuing its campaign.  The attacks took down websites used to purchase tickets and may have encrypted data on switching and routing systems, although the scale and severity of the attacks beyond website-takedowns[46] remains unclear.
  • RURansom Wiper. The emergence of the RURansom wiper on 01 Mar 2022, represents one of the first uses of a wiper by pro-Ukrainian hacktivists, and may portend a new phase in the ongoing cyber campaign against Russia.  Despite its name, RURansom functions as a wiper, and offers victims no opportunity to pay to have their systems decrypted.  The malware appears to check victim-systems for a Russian IP address, and if it doesn’t find one, the malware halts execution.  The malware creators also appear to be actively releasing new versions of the wiper, and it may grow far more potent over time.[47]

Support from Security Organisations.  Microsoft[48] and the Slovakia based ESET[49] have been proactively providing support to the Ukrainian organisations that have been attacked.  For instance:

  • Microsoft security teams have worked closely with Ukrainian government officials and cybersecurity staff at government organisations and private enterprises to identify and remediate threat activity against Ukrainian networks. Microsoft has also reported on Russia-aligned threat groups that were pre-positioning for conflict as early as March 2021, when threat actors that had sporadically targeted Ukraine in the past started to conduct more actions against organisations inside or allied with Ukraine.  Microsoft has also announced the suspension of all new sales of products and services in Russia.
  • ESET security researchers have been at the forefront of analysing the destructive wiper malware targeting Ukrainian institutions. The company continues to provide technical support to Ukrainian organisations that come under cyber attack and has offered a free upgrade to higher versions of their products.  ESET has also stopped sales of its products and services in Russia and Belarus.

Implications of Cyber Operations on the Rest of the World

Both players in the current conflict have used the digital media to propagate their own view of the ongoing conflict.  The Western media has largely sided with the Ukrainian projection of it being the innocent victim of an unjust conflict inflicted by Russia.  While official Ukrainian efforts have been focused on defending their own networks, they have, nevertheless, actively encouraged private efforts aimed at offensive actions against Russian organisations.  In the opinion of many experts, Russia’s formidable offensive cyber-capability has not been unleashed to the extent that was expected[50].

Even though the spill-over effect of offensive cyber-attacks[51] has not yet been observed, it remains a significant risk, because past experience has been that malware variants do not remain restricted to their intended targets.  Stuxnet, WannaCry, and NotPetya, all spread well beyond the original targets.  As a case in point, NotPetya, a malware designed to target Ukrainian organisations, caused damage worth US $300 million to Maersk, a shipping company based in Denmark.[52]  Given that the US and EU have banded together in support of Ukraine, the scope of a broadening of the cyberwar can hardly be ruled out and present large-scale cyber-skirmishes could well become global due to the spill-over effect.

Ukraine’s crowd-sourced cyber army encompasses the entire spectrum of cyber capabilities.  On one end there are established cyber-security companies such as Microsoft and ESET, and on the other, there is a loose collective of hackers whose skills may not quite be up to the mark.  It is understood that many so called “script kiddies[53]” have also answered the call and joined-up.  Script kiddies have at their disposal a large number of effective, easily downloadable programs capable of breaching computers and networks.  The danger in using this amorphous group of hacktivists is that because they tend to run hacking tools without fully understanding how they work, they might accidentally damage unintended targets, or prompt counterattacks by technologically superior nation-state hackers.

While there have been more than a hundred cyber-attacks in Ukraine since Russia’s invasion, in most cases, their effect has been psychological.  As such, according to a number of experts, these will not decide the outcome of the war.[54]  In this hybrid war, with its mix of cyber and conventional weapons, it has been made amply clear that offensive cyber operations can at best be used in a supporting role and ultimately, it still remains “boots on the ground” that will win the battle.[55]

The dilemma of using cyber weapons to disrupt enemy facilities that rely on information technology is that this will also blind the attacker who then loses the ability to monitor the enemy.  Due to its low capital investment, cyber warfare is normally the preferred option of a nation that does not possess advanced conventional weaponry, and by corollary, it is most effective against an adversary that has advanced information technology components enabling the various functions of the country.  However, a technologically advanced nation would also be expected to possess a robust IT defence.  Therefore, the effect of cyber warfare can never be decisively predicted while planning offensive operations.

The most effective component of information warfare in the present campaign by both sides has been in the use of media to spread information, and at times, disinformation.  Obfuscation is one of the oldest tactics in a conflict when actors in a war flood a civilian population with misleading information.  Its effect is largely psychological, but nevertheless effective.  With its rapid dissemination of information regarding the Ukrainian version of events, stories of atrocities committed by Russian soldiers and almost daily briefings to world leaders and assemblies by the President himself, Ukraine presently has the upper hand.[56]

Conclusion

Russia’s invasion of Ukraine has been a hybrid war from the start; a mix of conventional military strategy – traditional “boots on the ground” – and a slightly more unconventional, digital or cyberwar.  There is enough evidence that the preparations for deploying cyber weapons against Ukraine began well before the start of the actual operations in Feb 2022.  There have been repeated attacks using destructive malware on Ukrainian critical infrastructure that have been attributed to Russian entities.  Almost all of these attacks have been thwarted by the Ukrainians, aided by US and EU based cyber security companies, who have helped in the detection and containment of these attacks.

In the present conflict, Ukraine, too, has used offensive cyber operations against targets in Russia, although this effort is largely the result of private citizens rather than a government-driven one.  The effects of these efforts are not readily apparent due to the present paucity of information emanating from Russia.

While cyber warfare has been with us for some time now and although most technically advanced nations do possess offensive cyber capability, its use is still limited in affecting the overall outcome of a conflict.  These limitations notwithstanding, psychological aspects of information warfare do affect civilian morale, especially in times of tension, and this aspect has been effectively used by both sides in the present conflict, albeit with Ukraine having won the battle for sympathy across much of the world.

***********

About the Author:

Commander Subhash Dutta is a former Indian Naval Officer and Adjunct Fellow at the National Maritime Foundation. His research focuses upon cyber issues.   Cdr Dutta can be contacted at subhash.dutta@sequretek.com 

Endnotes:

[1] Julia Voo et al, “National Cyber Power Index 2020”, Belfer Centre for Science and International Affairs, Sep 2020. https://www.belfercenter.org/publication/national-cyber-power-index-2020

[2] Colin Demarest, “Blue, Yellow and Gray Zone: The Cyber Factor in Ukraine”, C4ISRNET, 14 Mar 2022. https://www.c4isrnet.com/cyber/2022/03/14/blue-yellow-and-gray-zone-the-cyber-factor-in-ukraine/

[3] Wikipedia, s.v. “Stuxnet”, last modified 24 Apr 2022, 12:56, https://en.wikipedia.org/wiki/Stuxnet

[4] Wikipedia, s.v. “Petya and NotPetya”, last modified 17 Apr 2022, 20:42, https://en.wikipedia.org/wiki/Petya_and_NotPetya

[5] Press release, “Russian Federation Armed Forces’ Information Space Activities Concept”, Ministry of Defence of the Russian Federation, 22 Dec 2011. https://eng.mil.ru/en/science/publications/more.htm?id=10845074@cmsArticle

[6] Alena Epifanova, “Deciphering Russia’s Sovereign Internet Law”, DGAP, 16 Jan 2020.  https://dgap.org/en/research/publications/deciphering-russias-sovereign-internet-law

[7] Alexander Marrow, “Russia Disconnects from Internet in Tests as it Bolsters Security – RBC Daily”, 22 Jul 2021. https://www.reuters.com/technology/russia-disconnected-global-internet-tests-rbc-daily-2021-07-22/

[8] Press release, “Shoigu Spoke About the Tasks of the Information Operations Troops”, RIA Novosti, 22 Feb 2017. https://ria-ru.translate.goog/20170222/1488617708.html?_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wapp

[9] CISA Alert AA22-110A, “Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure”, Cybersecurity and Infrastructure Security Agency, 20 Apr 2022. https://www.cisa.gov/uscert/ncas/alerts/aa22-110a

[10] “MITRE ATT&CK Framework Groups”, MITRE, 12 Oct 2021. https://attack.mitre.org/versions/v10/groups/G0035/

[11] MITRE ATT&CK Framework Groups, “APT29” MITRE, 16 Oct 2021. https://attack.mitre.org/versions/v10/groups/G0016/

[12] Press release, “Russia: UK Exposes Russian Involvement in SolarWinds Cyber Compromise”, UK Foreign, Commonwealth & Development Office, 15 Apr 2021. https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise

[13] Wikipedia, s.v. “Fancy Bear”, last modified 19 Apr 2022, 12:03, https://en.wikipedia.org/wiki/Fancy_Bear

[14] MITRE ATT&CK Framework Groups, “Sandworm Team”, MITRE, 14 Apr 2022. https://attack.mitre.org/groups/G0034/

[15] Kim Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid”, Wired, 03 Mar 2016. https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

[16] Press release, “Russian Military ‘Almost Certainly’ Responsible for Destructive 2017 Cyber Attack”, UK National Cyber Security Centre, 14 Feb 2018. https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack

[17] Anthony Kasza and Dominik Reichel, “The Gamaredon Group Toolset Evolution”, Unit 42 Palo Alto Threat Research, 27 Feb 2017. https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution/

[18] Press release, “SSU Identifies FSB Hackers Responsible for Over 5000 Cyber-attacks against Ukraine”, Security Service of Ukraine, 04 Nov 21. https://ssu.gov.ua/en/novyny/sbu-vstanovyla-khakeriv-fsb-yaki-zdiisnyly-ponad-5-tys-kiberatak-na-derzhavni-orhany-ukrainy

[19] MITRE ATT&CK Framework Groups, “Turla” MITRE, 27 Aug 2021. https://attack.mitre.org/versions/v10/groups/G0010/

[20] Mitre ATT&CK Framework Software, “Conti”, MITRE, 21 Jun 2021. https://attack.mitre.org/versions/v10/software/S0575/

[21] Trend Micro Research, “Cyberattacks are Prominent in the Russia-Ukraine Conflict”, Trend Micro, 03 Mar 2022. https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html

[22] Wikipedia s.v. “Wiper (malware)”, last modified 03 Apr 2022, 16:25, https://en.wikipedia.org/wiki/Wiper_(malware)

[23] Kyle Fendorf and Jessie Miller, “Tracking Cyber Operations and Actors in the Russia-Ukraine War”, Council on Foreign Relations, 24 Mar 2022. https://www.cfr.org/blog/tracking-cyber-operations-and-actors-russia-ukraine-war

[24] Blog post, “Destructive Malware Targeting Ukrainian Organizations”, Microsoft Threat Intelligence Center, 15 Jan 2022. https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/

[25] Press release, “UK Assesses Russian Involvement in Cyber-attacks on Ukraine”, UK Foreign, Commonwealth & Development Office, 18 Feb 2022. https://www.gov.uk/government/news/uk-assess-russian-involvement-in-cyber-attacks-on-ukraine

[26] Juan Andrés Guerrero-Saade, “HermeticWiper New Destructive Malware Used In Cyber Attacks on Ukraine”, Sentinel Labs, 23 Feb 2022. https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/

[27] Press release, “Ukraine Hit by Destructive Attacks Before and During the Russian Invasion with HermeticWiper and IsaacWiper”, ESET Research, 01 Mar 2022. https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-ukraine-hit-by-destructive-attacks-before-and-during-the-russian-invasion-with-hermet/

[28] Michael Dereviashkin, “New Analysis: The CaddyWiper Malware Attacking Ukraine”, Morphisec blog post, 05 Apr 2022. https://blog.morphisec.com/caddywiper-analysis-new-malware-attacking-ukraine

[29] Patrick Howell O’Neill, “Russian Hackers Tried to Bring Down Ukraine’s Power Grid to Help the Invasion”, MIT Technology Review, 12 Apr 2022. https://www.technologyreview.com/2022/04/12/1049586/russian-hackers-tried-to-bring-down-ukraines-power-grid-to-help-the-invasion/

[30] Raphael Satter, “Satellite Outage Caused ‘Huge Loss in Communications’ at War’s Outset -Ukrainian Official”, Reuters news report, 15 Mar 2022. https://www.reuters.com/world/satellite-outage-caused-huge-loss-communications-wars-outset-ukrainian-official-2022-03-15/

[31] Press release, “KA-SAT Network Cyber Attack Overview”, Viasat, 30 Mar 2022. https://www.viasat.com/about/newsroom/blog/ka-sat-network-cyber-attack-overview/

[32] Wikipedia s.v. “Social engineering (security)”, last modified 28 Apr 22, 12:30, https://en.wikipedia.org/wiki/Social_engineering_(security)

[33] Catalin Cimpanu, “Ukraine says Belarusian Hackers are Targeting its Military Personnel”, The Record, 25 Feb 2022. https://therecord.media/ukraine-says-belarusian-hackers-are-targeting-its-military-personnel/

[34] Elizabeth Montalbano, “Russian APTs Furiously Phish Ukraine”, Threat Post, 09 Mar 2022. https://threatpost.com/russian-apts-phishing-ukraine-google/178819/

[35] Mitre ATT&CK Framework Groups, “Mustang Panda”, MITRE, 11 Apr 2022. https://attack.mitre.org/groups/G0129/

[36] Shane Huntley, “An Update on the Threat Landscape”, Google Threat Analysis Group, 07 Mar 2022. https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/

[37] Charlie Osborne, “Ukraine Warns of Invisimole Attacks Tied to State-Sponsored Russian Hackers”, ZD Net, 21 Mar 2022. https://www.zdnet.com/article/ukraine-warns-of-invisimole-attacks-tied-to-state-sponsored-russian-hackers/

[38] Wikipedia s.v. “Crowdsourcing”, last modified 30 Apr 22, 12:14, https://en.wikipedia.org/wiki/Crowdsourcing

[39] Joel Schectman et al, “Ukrainian Cyber Resistance Group Targets Russian Power Grid, Railways” Reuters, 02 Mar 2022. https://www.reuters.com/technology/ukrainian-cyber-resistance-group-targets-russian-power-grid-railways-2022-03-01/

[40] Matt Burgess, “Ukraine’s Volunteer ‘IT Army’ Is Hacking in Uncharted Territory”, Wired, 27 Feb 2022. https://www.wired.com/story/ukraine-it-army-russia-war-cyberattacks-ddos/

[41] Thomas Brewster, “Moscow Exchange, Sberbank Websites Knocked Offline—Was Ukraine’s Cyber Army Responsible?”, Forbes, 28 Feb 2022. https://www.forbes.com/sites/thomasbrewster/2022/02/28/moscow-exchange-and-sberbank-websites-knocked-offline-was-ukraines-cyber-army-responsible/

[42] Sergiu Gatlan, “Russia Shares List of 17,000 IPs Allegedly DDoSing Russian Orgs”, Bleeping Computer, 05 Mar 2022. https://www.bleepingcomputer.com/news/security/russia-shares-list-of-17-000-ips-allegedly-ddosing-russian-orgs/

[43] Chris Morris, “Hacker Collective Anonymous Declares War on Russia”, Fortune, 01 Mar 2022.  https://fortune.com/2022/03/01/anonymous-declares-cyber-war-on-russia/

[44] Carmela Chirinos, “Anonymous Claims it Hacked into Russian TVs and Showed the True Devastation of Putin’s Ukraine Invasion”, Fortune, 08 Mar 2022.  https://fortune.com/2022/03/07/anonymous-claims-hack-of-russian-tvs-showing-putins-ukraine-invasion/

[45] Peter Dickson, “Cyber Partisans Target Russian Army in Belarus Amid Ukraine War Fears”, Atlantic Council, 26 Jan 2022.  https://www.atlanticcouncil.org/blogs/belarusalert/cyber-partisans-target-russian-army-in-belarus-amid-ukraine-war-fears/

[46] Ryan Gallagher, “Belarus Hackers Allegedly Disrupted Trains to Thwart Russia”, Bloomberg, 28 Feb 2022.  https://www.bloomberg.com/news/articles/2022-02-27/belarus-hackers-allegedly-disrupted-trains-to-thwart-russia

[47] Jaromir Horejsi and Cedric Pernet, “New RURansom Wiper Targets Russia”, Trend Micro, 08 Mar 2022.  https://www.trendmicro.com/en_us/research/22/c/new-ruransom-wiper-targets-russia.html

[48] Brad Smith, “Digital Technology and the War in Ukraine”, Blog post by Microsoft President, 28 Feb 2022.  https://blogs.microsoft.com/on-the-issues/2022/02/28/ukraine-russia-digital-war-cyberattacks/

[49] Press Release, “UA Crisis – ESET Response Centre”, ESET, 08 Mar 2022.  https://www.eset.com/int/ua-crisis/

[50] Sean Lyngaas, “Russia’s Cyber Offensive Against Ukraine has been Limited so far”, CNN, 12 Mar 2022.  https://edition.cnn.com/2022/03/12/europe/russia-ukraine-war-cyber-attacks/index.html

[51] K V Kurmanath, “Russia-Ukraine War Could Spill Over to Cyber Space”,  The Hindu Business Line, 25 Feb 2022.  https://www.thehindubusinessline.com/info-tech/russia-ukraine-war-could-spill-over-to-cyber-space/article65084334.ece

[52] Adam Bannister, “When the Screens went Black”, Portswigger, 09 Dec 2019.  https://portswigger.net/daily-swig/when-the-screens-went-black-how-notpetya-taught-maersk-to-rely-on-resilience-not-luck-to-mitigate-future-cyber-attacks

[53] Nancy R Mead et al, “Security Quality Requirements Engineering (SQUARE) Methodology”, Carnegie Mellon University, Nov 2005: 56,  https://doi.org/10.1184/R1/6583673.v1

[54] Stuart Madnick, “What Russia’s Ongoing Cyberattacks in Ukraine Suggest About the Future of Cyber Warfare”, Harvard Business Review, 07 Mar 2022.  https://hbr.org/2022/03/what-russias-ongoing-cyberattacks-in-ukraine-suggest-about-the-future-of-cyber-warfare

[55] Doron Tamir, “Cyberattacks Don’t Win Wars”, Defense News, 13 Apr 2022.  https://www.defensenews.com/opinion/commentary/2022/04/13/cyberattacks-dont-win-wars/

[56] Sara Brown, “In Russia-Ukraine War, Social Media Stokes Ingenuity, Disinformation”, MIT Sloan School, 06 Apr 2022.  https://mitsloan.mit.edu/ideas-made-to-matter/russia-ukraine-war-social-media-stokes-ingenuity-disinformation

 

 
