Changes in the cyber sphere since the Russia-Ukraine conflict
In recent years, the world has witnessed an escalation of tension between Russia and Ukraine, pointing to the approaching outbreak of a conflict on a scale not seen on the European continent for decades.
The years between 2014 and 2017 saw several episodes of cyber attacks related to Ukraine's national electricity system and election system, a prelude to future attacks stemming from the current conflict.
On the cyber front, several DDoS (Distributed Denial of Service) attacks took place between 15 and 22 February 2022 against various Ukrainian services, temporarily taking down websites in the banking, government and military sectors. In hindsight, these were only the tip of an iceberg that emerged later.
From cybercriminal groups, especially those linked to ransomware, to hacktivist collectives, several campaigns have been carried out that make clear the importance of the cyber domain in this type of scenario.
Since 22 February, when the conflict was declared official and the Russian attacks began, the various cyber actors have taken up their positions on the chessboard.
On one side, a series of destructive cyber attacks took place around 24 February with the proliferation of "wiper" malware in its various forms (HermeticWiper, IsaacWiper, CaddyWiper, etc.). This class of malicious code is designed specifically to damage target systems by deleting user data, programs and whole disks and, in some cases, the disk's partition information. Unlike ransomware, Trojans and other common malware families, wipers are not about theft or financial gain: they destroy everything in their path for purely destructive purposes.
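The two behaviours just described, mass deletion of user files and overwriting of disk or partition information, are what a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from any of the named malware analyses: a small detection heuristic run over constructed file-system audit events. The log format, process names, paths and thresholds are all assumptions made up for the example.

```python
"""Added example (not from the original article): flag wiper-like activity in
file-system audit events. The "key=value" log format, the process names and
the thresholds are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (raw string so the Windows paths stay literal).
SAMPLE_LOG = r"""2022-02-24T03:00:01Z pid=412 proc=explorer.exe action=DELETE path=C:\Users\ana\tmp\draft.txt
2022-02-24T03:10:00Z pid=988 proc=svc_update.exe action=DELETE path=C:\Users\ana\Documents\a.docx
2022-02-24T03:10:01Z pid=988 proc=svc_update.exe action=DELETE path=C:\Users\ana\Documents\b.docx
2022-02-24T03:10:01Z pid=988 proc=svc_update.exe action=DELETE path=C:\Users\ana\Documents\c.xlsx
2022-02-24T03:10:02Z pid=988 proc=svc_update.exe action=DELETE path=C:\Users\ana\Pictures\d.jpg
2022-02-24T03:10:02Z pid=988 proc=svc_update.exe action=DELETE path=C:\Users\ana\Pictures\e.jpg
2022-02-24T03:10:03Z pid=988 proc=svc_update.exe action=DELETE path=C:\Users\ana\Pictures\f.jpg
2022-02-24T03:10:09Z pid=988 proc=svc_update.exe action=WRITE path=\\.\PhysicalDrive0
2022-02-24T03:15:00Z pid=412 proc=explorer.exe action=DELETE path=C:\Users\ana\tmp\old.log
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) action=(?P<action>\S+) path=(?P<path>.+)$"
)

# Assumed thresholds: N deletions by one process inside a sliding window.
BURST_COUNT = 5
BURST_WINDOW = timedelta(seconds=10)
# Assumed raw-device prefixes: writes here can overwrite the MBR/partition table.
RAW_DEVICE_PREFIXES = (r"\\.\PhysicalDrive", "/dev/sd", "/dev/nvme")


def parse(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Return a list of (rule, proc, pid, detail) alerts for wiper-like events."""
    alerts = []
    recent = defaultdict(deque)  # (pid, proc) -> timestamps of recent deletions
    already_flagged = set()      # emit the burst alert once per process
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["pid"], ev["proc"])
        # Rule 1: raw write to a disk device (partition-table / MBR destruction).
        if ev["action"] == "WRITE" and ev["path"].startswith(RAW_DEVICE_PREFIXES):
            alerts.append(("raw_device_write", ev["proc"], ev["pid"], ev["path"]))
        # Rule 2: burst of deletions from one process within the window.
        if ev["action"] == "DELETE":
            window = recent[key]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_COUNT and key not in already_flagged:
                already_flagged.add(key)
                detail = f"{len(window)} deletions in {BURST_WINDOW.seconds}s"
                alerts.append(("delete_burst", ev["proc"], ev["pid"], detail))
    return alerts


if __name__ == "__main__":
    for rule, proc, pid, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"ALERT {rule}: {proc} (pid {pid}) {detail}")
```

On the constructed log, the ordinary `explorer.exe` deletions are far apart and produce nothing, while `svc_update.exe` trips the burst rule on its fifth deletion and the raw-device rule when it writes to `\\.\PhysicalDrive0`. Real deployments would tune the window and count per host role and feed the alerts into the SIEM alongside the process's parent and signing status.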
Later, on 8 March, the RURansom campaign was observed: a wiper variant, but this time targeting Russia, so attackers of initially unknown origin were turning this kind of tool against their own enemies.
Various phishing campaigns aimed at Ukraine were also run to spread malware or sow confusion among citizens, such as the SunSeed Lua campaign, which targeted EU staff and officials working with Ukrainian refugees.
Subsequently, some cybercriminal groups involved in ransomware attacks, such as CONTI and LockBit, took positions on the conflict. While LockBit claimed to have no ties to any particular state, CONTI initially published a statement on its blog openly supporting Russia, later softened to a more "correct" wording but without withdrawing that support.
An interesting reaction to this positioning was the leak, by an affiliate of the group, of the details of the people involved in the CONTI criminal collective, along with publications about its internal workings and other private data, including chat conversations, between 27 February and 1 March.
Hacktivist groups have also played a role, though one focused more on spreading information than on cyber attacks: Anonymous broadcast the Ukrainian anthem on Russian TV channels, hacked several Russian TV stations to broadcast footage of the war, including the bombing of residential areas, and leaked thousands of files from Roskomnadzor, Russia's media censorship regulator.
These events took place between 27 February and 11 March, making the first days of the conflict an intense period of activity against the invasion of Ukraine. Later, on 23 March, Anonymous carried out another information-exposure campaign, this time against Nestlé for continuing to operate in Russia.
Since then there have been attacks of all kinds against various infrastructures: for example, the detection of alleged interference by the Russian Federation with the GPS signals of Finnish flights, which led to flight cancellations, or the attacks on the Polish government's national payment clearing system, whose authorship has not been confirmed but for which Russia is suspected as a possible source.
The cyber domain has become of particular interest in this type of conflict as a result of the attacks that have emerged during it. Information-exposure campaigns, however, have been the most prominent and the most widely reported in the media.
Concern about data exposure continues to grow, reaching government agencies, as when the Ukrainian newspaper Pravda leaked what appear to be the personal details of 120,000 Russian soldiers fighting in Ukraine, and the media, with Anonymous campaigns using television channels to show Russian citizens what is happening in Ukraine.
Information and disinformation campaigns, as well as fake news, have also become particularly relevant in this field, with the aim of influencing or modifying public opinion on the conflict.
Not only has the leaking of sensitive data and the exposure of cybercriminal groups such as CONTI been a relatively new development; information itself has also been a key element in the struggles between the different groups.
This means that, looking ahead, researchers and analysts need to treat the incalculable value of data as one of the possible weapons of future conflicts.
This scenario must therefore be taken into account in future conflicts, since the cyber domain underpins critical infrastructures of the utmost importance to states, and their defences are never sufficient when chains of attacks like those seen in the current conflict occur.
Moreover, information becomes critical in this type of event, as confidential data affecting both citizens and companies has been exposed.
It remains a current concern and a space that requires specific defensive barriers, which is why continuing to develop every possible mechanism to raise the level of security deserves special mention.
Ainoa Guillén González, Sec2Crime Cybersecurity Area Coordinator