Russia's dreaded cyberwarriors seem to be struggling in Ukraine - Action News
Home WebMail Friday, November 22, 2024, 02:03 PM | Calgary | -10.4°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
Politics

Russia's dreaded cyberwarriors seem to be struggling in Ukraine

Russia's military attack on Ukraine met a decisive reversal outside Kyiv and is now struggling to gain ground in the country's southeast. Its cyberwar on Ukrainian assets isn't faring any better. Did the world overestimate Moscow's hacker legions the way it did its army?

Russia's hackers like its military may not be quite as fearsome as the world thought

Russian President Vladimir Putin looks on during the Victory Day military parade in Moscow on May 9, 2022. Russia's celebration was marred by the news that its online TV schedule page had been hacked another sign that Russia's cyberwar in Ukraine hasn't been going all that well. (Mikhail Metzel/Sputnik/Kremlin Pool Photo/The Associated Press)

One day after Russian tanks broke through Ukrainian border posts on February 24, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a rare "Shields Up" alertwarning that "every organization large and small must be prepared to respond to disruptive cyber activity."

The expectation was that Russia would attack not only Ukrainebut also Ukraine's western allies.

For some reason, that hasn't really happened in a big way.

"We haven't seen anything that we can directly attribute to Russia turning its sights to Canada," Sami Khoury, head of the Canadian Centre for Cyber Security, told CBC News. "There's been probably spillover effectsin some cases, but we haven't seen anything that is directly targeted at the Canadian infrastructure or Canadian ecosystem."

Instead, Russia has found itself being hacked in one instancewith embarrassing results that surelymust have marred President Vladimir Putin's Victory Day extravaganza.

As RuTube, Russia's version of YouTube, was takendown by hackers,YouTubeitself remainedonline in Russia and continuedsharing videos demonstratingUkraine'sdominance of the information space in thiswar.

Hacktivist groups such as Network Battalion 65 have stolen reams of emails and data from Russian government and corporate sites.In March, for the first time ever, more Russian email credentials were leaked online than those of any other nation.

The Kalush Orchestra from Ukraine appear on stage after winning the 2022 Eurovision Song Contest in Turin, Italy, May 15, 2022. (Yara Nardi/Reuters)

Russian hackers even failed to disruptvoting in the Eurovision Song Contest. (Ukraine won.)

Just asRussia's armoured divisions entered this conflict with a fearsome reputation that turned out to be wildly overblown, the reach of Moscow'scyber legions may have been overestimated. And just as Russia's war has diminished the reputation of Russian arms, it might alsolead to a reassessment of nations' relative strengths in the virtual world.

Fearing the worst

Ukraine had every reason to expect the worst. Online attacks have been happening there since warbegan in 2014.

A Russian "persistent threat group" known as Sandworm was behind a December 2015 attack on the Ukrainian electrical grid that caused widespread power outages.

A year later, in December 2016,the Ukrainian financial system wastargetedbythe Black Energy malware attack which also causedpower cuts in Kyiv.

Then in June 2017, the same group struck again with apowerful new malware called Petya, causing chaos at government ministries, forcing banks to close, jamming telecom networksand again disrupting Ukraine's electrical grid. Airports and railways were affectedand Chernobyl's radiation monitoring system went offline.

Ukrainian and western officials blamed the attacks on Russia's GRU (main intelligence directorate) and SVR (foreign intelligence service).

Last year, Ukraine's SBU security service reported it had "neutralized" an average of four cyberattacks per day.

So it was widely assumed that an army of bots would act as vanguard for any real invasion by attemptingto cut power and communications, clog transportation linksand generally sow confusion.

Russia did trysomething modest along those lines.

Alaptopscreendisplays a warning message in Ukrainian, Russian and Polish that appeared on the official website of the Ukrainian Foreign Ministry after a massive cyberattack on January 14, 2022. (Valentyn Ogirenko/Illustration/Reuters)

In mid-January, a cyberattack hit about 70 Ukrainian government websiteshours after talks between Russia and NATO failed to produce the concessions the Kremlin was hoping for.

"All information about you has become public, be afraid and expect the worst," said a pop-up screen message. "This is for your past, present and future."It repeated familiar Kremlin tropes about Nazis and persecution of Russian-speakers.

In addition to hitting government and military sites, the distributed denial of service (DDOS) attacks also targeted two banks, shutting down ATMs and credit card transactions.

Hack and attack

Russia launched another cyberattack on Ukraine on the day of the invasion with a piece of malware called Hermetic Wiper that targeted hard drives.

Last week, the Canadian government accused the Russian military of having "directly targeted the Viasat KA-SAT satellite Internet service in Ukraine" in February.The U.K. government says the attack also hit collateral targets such as central European wind farms.

But the trains continued to run and the Ukrainian government continued to function. The attack was much less damaging than the 2007 attack on Estonia, or the attacks that preceded the 2008 invasion of Georgia.

Ukrainian servicemen get ready to fight Russian forces in Ukraine's Luhansk region on Feb. 24, 2022. Russia launched a cyberattack to accompany its invasion. (Anatolii Stepanov/AFP/Getty Images)

Ali Dehghantanha, Canada Research Chair in Cybersecurity and Threat Intelligence at the University of Guelph, saidRussia may have underused itsoffensive cyber capabilities because it was confident of a swift military victory.

But Ukraine is also better defended after years of successive attacks, he added.

"Because of their previous story with Russia," saidDehghantanha, "going back to the time of the conflict in Crimea, Ukraine with the support of Western allies did a very good job in protecting its physical infrastructure this time."

Western involvement

Those western partners include Canada's digital counter-espionage agency, the Communications Security Establishment.

"While we can't speak about specific operations, we can confirm that CSE has been tracking cyber threat activity associated with the current crisis," the CSE's Ryan Foreman told CBC News.

"CSE has been sharing valuable cyber threat intelligence with key partners in Ukraineand continues to work with the Canadian Armed Forces in support of Ukraine."

CSE also has to worry about Canada's own assets, of course.

A message demanding money appears on the monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank in Kyiv after Ukrainian institutions were hit by a wave of cyber attacks on June 27, 2017. (Valentyn Ogirenko/Reuters)

For years, major cyberattacks on North American assetshave been landing with some regularity. CISA has compiled a long list of American online assets it sees as coveted targets for Russia's disruption and theft operations, including "COVID-19 research, governments, election organizations, health care and pharmaceutical, defence, energy, video gaming, nuclear, commercial facilities, water, aviation, and critical manufacturing."

"Russia has significant cyber capabilities and a demonstrated history of using them irresponsibly. This includesSolarWinds cyber compromise,COVID-19 vaccine development,Georgia's democratic processand NotPetya malware," Foreman told CBC.

Shotgun tactics

Dehghantanhasaidstate-sponsored hackers are now shifting away from building the most sophisticated malware to employing more of ascattergun approach one that involves installing simpler backdoors into a wide range of less well-defended infrastructure targets.

"Before 2020, we saw a lot of effort on building the best malware or the best wiper or the best exploits," he said."The issue is, if your opponent discovers that malware, they know a lot about you, about your capabilities, all your investments.

"So if you come with the most advanced malware, it may take you two or three years of research and development. But from the moment it's deployed and you start causing the impact, it takes them only a couple of weeks to address it."

Hacktivists on the battlefield

DehghantanhasaidRussian actors have had some success in the emerging field of "social cybersecurity,"where hackers behave more like hacktivists.

"The cost of building fake content that looks very convincing to the wider public is quite low these days," he said. "And I am seeing a quick shift in the activities of the hacking groups in that direction. Instead of trying to impact the capital infrastructure or the IT infrastructure, we can impact the human beings and achieve the same result."

An example of such a "fake hacktivist" attack would bea disinformation campaign designed to sow panic in a particular village or district.

"They try to impact on that micro level,"Dehghantanhasaid.

Ukraine also has warned that it may not have felt the full effects of Russian hacking yet.

The country's top cyber official Victor Zhora said recently that Russia stole Ukrainian government data to give itsforces a list of targets for arrest or murderin the occupied zones. He said hefears that data is already being used.

Underbelly remains soft

Canada remains vulnerable, saidDehghantanha"especially the soft bellies of critical infrastructure like water treatment systems, the agricultural sector, any single supply chainand, of course, pipelines."

More and more, hostile actors have been seeding malware in advance with a view to attacks months or years in the future. DehghantanhasaidCanada should tighten its requirements for private companies that manage critical infrastructure.

The Pickering nuclear plant east of Toronto on August 18, 2003. Power infrastructure is considered a key target for cyberattacks by hostile actors. (Kevin Frayer/The Canadian Press)

"We need to change our policy from blacklisting to whitelisting, which means instead of telling you that you cannot install A, B and C, and anything else is allowed, we need to say you can only work with A, B and C and nothing else is allowed," he said.

"There is no way, no resources for the nation to monitor everything. So it is better that we just limit ourselves to specific suppliers, to a specific product that we know."

Balance can shift quickly

Foreman said the CSEis in constant contact "with Canadian critical infrastructure partners via protected channels," beyond what is seen in its public advisories.

"Now is the time to take defensive action and be proactive," he added.

That means isolating critical systems from the internet, creating and testing backups and testing manual controls to ensure critical systems still function when networks fail, he said.

Dehghantanhasaidhe's reluctant to downplay the threat posed by Russia merelybecause it has underwhelmed in Ukraine.

"The cyber war is not like a balance where you can say that I have bigger guns or more airplanes, so I am superior. It is not the case at all here," he said.

"You could have just ten fantastic cyber attackers that could build an exploit and get access to that critical infrastructure, and they make a significant change."