From Missiles To Malware: Microsoft Bares Defending Ukraine In Cyber War Against Russia

While the ongoing conflict between Russia and Ukraine has claimed many lives and properties on ground, another invisible war is manifesting between the belligerents. In many ways, this modern-day classic war has shown that geopolitical clashes are not just fought with bullets and missiles anymore.

According to a comprehensive report titled “Defending Ukraine: Early Lessons from the Cyber War” released by Microsoft (NASDAQ: MSFT), the war’s early cyber battles offer essential insights into the nature and future of digital warfare. The report highlights how Russia’s cyber strategy extends beyond physical borders and requires an unprecedented level of collective defense involving both public and private sectors.

“Countries wage wars using the latest technology, and the wars themselves accelerate technological change. It’s therefore important to continually assess the impact of the war on the development and use of technology,” said Brad Smith, President and Vice Chair of Microsoft.

The first cyber shots

Although the Russian military invasion of Ukraine officially began on February 24, 2022, the first offensive actions were taken in cyberspace hours earlier. On February 23, a sophisticated cyberweapon known as “Foxblade” targeted Ukrainian computer systems, marking the beginning of a coordinated cyber onslaught. This attack was detected by cybersecurity experts in Redmond, Washington, illustrating the global reach and implications of modern cyber warfare.

Russia’s cyber strategy against Ukraine comprises three distinct yet interconnected components: destructive cyberattacks within Ukraine, network penetration and espionage aimed at allied governments outside Ukraine, and extensive cyber influence operations designed to sway global public opinion. These multifaceted efforts demonstrate the complexity and scope of cyber warfare, which transcends traditional geographic and political boundaries.

Early lessons

A critical lesson from the Ukrainian conflict is the importance of dispersing digital operations. Before the invasion, Ukraine’s digital infrastructure was centralized within its borders, making it vulnerable to physical and cyber attacks.

Recognizing this, Ukraine’s Parliament amended its Data Protection Law on February 17, 2022, allowing government data to be transferred to the public cloud. This strategic move enabled the relocation of crucial data to data centers across Europe, with significant support from tech companies like Microsoft.

Mykhailo Fedorov, Ukraine’s Minister of Digital Transformation, emphasized the urgency in saying that an early target of Russian missile attacks was a Ukrainian government data center. The swift move to the cloud is said to have helped mitigate these impacts.

Microsoft contributed $107 million in technology services to support this effort, ensuring that Ukraine’s digital infrastructure remained operational despite physical attacks.

Recent advancements in cyber threat intelligence and endpoint protection have also been pivotal in defending against Russian cyberattacks. Microsoft’s Threat Intelligence Center (MSTIC) has observed numerous waves of destructive attacks targeting 48 Ukrainian agencies and enterprises. These attacks aimed to penetrate networks by compromising initial computers and spreading malware designed to destroy software and data.

The sophistication of Russian cyber tactics has evolved since the 2017 NotPetya attack, with current attacks being more targeted and confined to Ukrainian networks. Enhanced AI-driven threat intelligence has enabled quicker identification and neutralization of malware, providing robust defenses against ongoing cyber threats.

As a coalition of countries rallied to support Ukraine, Russian intelligence agencies intensified their espionage efforts, targeting 128 organizations in 42 countries. These efforts focused on government agencies, humanitarian organizations, IT companies, and critical infrastructure suppliers, particularly in NATO member states.

Smith noted the challenges: “Russia’s intelligence agencies have extremely sophisticated capabilities to implant code and operate as an Advanced Persistent Threat (APT). There have been substantial advances in defensive protection since that time, but the implementation of these advances remains more uneven in European governments than in the United States. As a result, significant collective defensive weaknesses remain.”

Russian cyber influence operations have become increasingly sophisticated, leveraging digital technologies to spread false narratives globally. These operations target multiple audiences: the Russian population to sustain support for the war, the Ukrainian population to undermine morale, Western populations to disrupt unity, and nonaligned countries to influence international opinion.

Distribution of digital operations

The war in Ukraine underscores the importance of digital resilience. Moving digital operations to the cloud has been vital for Ukraine, ensuring that government functions could continue despite physical attacks on data centers. This strategy contrasts with pre-war norms, where data was centralized within national borders.

Smith commented on this shift: “The key to a country’s digital resilience in wartime is the ability to quickly move data outside the country while still connecting to and relying on it for a government’s digital operations.”

Prior to the war, Ukraine’s public sector data was stored on servers within the country, vulnerable to missile attacks. The decision to move data to the cloud was a crucial step in maintaining government operations amid ongoing conflict. Over 90 chief digital transformation officers across the Ukrainian government collaborated with Microsoft to transfer critical digital operations to the cloud within ten weeks.

The war in Ukraine has pitted offensive cyber capabilities against advanced defensive measures. Russian tactics have included targeted phishing, wiper malware designed to destroy data, and software designed to spread malware across network domains. Despite the sophistication of these attacks, Ukraine’s defenses, bolstered by improved cyber threat intelligence and endpoint protection, have largely withstood these assaults.

Microsoft’s MSTIC detected the initial launch of the “Foxblade” malware on February 23, targeting 19 government and critical infrastructure entities across Ukraine. This marked just the beginning, as multiple attempts followed, employing eight distinct malware programs against 48 different Ukrainian agencies and enterprises. These sophisticated attacks were designed to penetrate network domains and spread malware, causing widespread destruction.

Cyber espionage outside Ukraine

Destructive cyberattacks represent only one facet of Russia’s cyber warfare strategy. Russian intelligence agencies have ramped up network penetration and espionage activities, targeting governments, NGOs, and critical infrastructure organizations in 42 countries outside Ukraine. Microsoft’s detections reveal that 49% of these targets are government agencies, with significant focus on NATO members.

Russia’s espionage efforts have been particularly concentrated on the United States, Poland, and the Baltic countries, where critical military and humanitarian aid logistics are coordinated. MSTIC found that 29% of these intrusions were successful, with a quarter leading to confirmed data exfiltration.

In addition to destructive attacks and espionage, Russian agencies are conducting sophisticated cyber influence operations to support their war aims. These operations involve spreading false narratives to various target audiences, aiming to manipulate public opinion and policy. Russian influence operations are targeting four main audiences:

  1. Russian Population: To sustain support for the war by portraying Ukraine’s military as responsible for the conflict.
  2. Ukrainian Population: To undermine confidence in Ukraine’s ability to withstand Russian attacks.
  3. Western Populations: To diminish unity and deflect criticism of Russian military actions.
  4. Nonaligned Countries: To garner support at international venues like the United Nations.

Russian cyber influence operations have been increasingly effective, leveraging AI and analytics to pre-position false narratives online. For instance, narratives around biolabs in Ukraine were pre-positioned in late 2021 and strategically amplified as Russian tanks crossed the border.

Microsoft’s AI for Good Lab has developed a Russian Propaganda Index (RPI) to monitor the spread of Russian state-controlled narratives. This index revealed a 216% increase in Russian propaganda spread in Ukraine and an 82% increase in the United States after the war began.

The global reach of Russian cyber influence operations is evident in the analysis of propaganda spread in New Zealand and Canada. In New Zealand, RPI numbers spiked in December 2021, exceeding figures for Australia and the United States. This spike coincided with an increase in public protests in Wellington, suggesting a correlation between propaganda dissemination and social unrest.

In Canada, RPI data showed a significant rise in Russian propaganda consumption starting January 18, 2022, peaking on February 5. This surge preceded the arrival of a large convoy of protestors in Ottawa, indicating the influence of cyber operations on public demonstrations.

Microsoft’s data identified that four of the five most widely read propaganda stories in Canada during this period focused on COVID-related protests, reflecting the broader strategy of exploiting societal divisions.

Strategic response to Russian cyber threats

The report emphasizes the need for a coordinated and comprehensive strategy to counter Russian cyber threats, built on four pillars: detection, defense, disruption, and deterrence.

  1. Detection: Enhancing capabilities to detect cyber threats using advanced AI and analytics tools. Microsoft’s acquisition of Miburo Solutions aims to expand its threat detection and analysis capabilities.
  2. Defense: Strengthening democratic defenses, supporting traditional journalism, and improving public awareness. This includes initiatives to support local journalism, combat deepfakes, and promote media literacy.
  3. Disruption: Increasing transparency and disrupting foreign influence operations by providing accurate information. Microsoft plans to publish regular reports on Russian cyber influence operations, aiming to expose and counteract false narratives.
  4. Deterrence: Ensuring accountability for cyberattacks through multilateral and multistakeholder actions, building on international norms and laws. Collaborative efforts like the European Commission’s Code of Practice on Disinformation and the Paris Call for Trust and Security in Cyberspace are vital to this strategy.

“The war in Ukraine provides not only lessons but a call to action for effective measures that will be vital to the protection of democracy’s future,” Smith concludes.

Information for this briefing was found via the sources mentioned. The author has no securities or affiliations related to this organization. Not a recommendation to buy or sell. Always do additional research and consult a professional before purchasing a security. The author holds no licenses.

Leave a Reply