The cyberwar between russia and Ukraine started long before russia openly invaded Ukraine. In December 2015, russia carried out a massive cyberattack on the Ukrainian power grid: the attackers gained access to the networks of regional electricity distribution companies through malware delivered by spear-phishing and then switched off substations from the operators' own control systems. The attack left about 225K electricity consumers in Ukraine without power.
In 2017, russia started spreading the NotPetya malware with the purpose of disrupting the financial system of Ukraine. It was pushed out through a compromised update of the Ukrainian accounting software M.E.Doc and posed as ransomware although it was a wiper that could not restore the files it encrypted. The Central Intelligence Agency concluded "with high confidence" that the russian GRU was behind this attack. Although NotPetya also hit systems in Denmark, India, and the USA, more than half of the compromised systems were in Ukraine. In 2021, the ransomware attack on Colonial Pipeline, carried out by the russia-based criminal group DarkSide, disrupted fuel deliveries on the US East Coast; the company paid a ransom of roughly $4.4M in Bitcoin. In January 2022, russia launched a large-scale attack on Ukrainian government resources and defaced around 70 websites.
On 24 February 2022, russia launched a full-scale invasion of Ukraine. It was the beginning of the biggest war in Europe since the end of World War II. In response to this act of state terrorism, Anonymous, one of the biggest international hacker collectives, declared cyberwar on russia. On 26 February, the Minister of Digital Transformation of Ukraine, Mykhailo Fedorov, announced the creation of the IT Army of Ukraine to unite digital talent from around the world. It was the first time a top-ranking public official had openly called for cyberattacks against another country. Since the IT Army places no limits on the physical location, expertise, education, age, or gender of its participants, it is open to everyone worldwide. Although there are no official statistics on the geographic distribution of the cyber fighters taking part in this cyberwar, there is no doubt that the IT armies of Ukraine and russia draw fighters from all corners of the world.
Although there have been many nation-backed cyberattacks in the past, none of them has had a catastrophic impact on its victim: bringing down the entire digital machinery of a state takes far more force than any single campaign has so far delivered.
russia relies mostly on disinformation campaigns and pushes false narratives about its open aggression against Ukraine. To stop accurate information from reaching its citizens, russia has blocked Western social media. For now, russia is mostly operating in the gray area: it has not launched a catastrophic cyberattack against Ukraine since 24 February. However, there is a risk that incidents are underway of which the global community will become aware only later.
It would be a dangerous misdiagnosis to conclude that russia has neglected cyberattacks against Ukraine. In the hours before the invasion, russia attacked a number of important targets in Ukraine, including computer systems of the government, the military, and critical infrastructure sectors, mostly with wiper malware. russian cyber-enabled sabotage also knocked offline the Viasat KA-SAT satellite Internet service used by the Ukrainian police and military intelligence: a wiper was pushed to the network's modems and disabled tens of thousands of them in Ukraine and, as collateral damage, elsewhere in Europe. russia also tried to attack the Ukrainian railway system but failed.
The fact that russia has not caused a collapse of Ukrainian digital infrastructure may also be explained by russian officials underestimating Ukraine's defensive capability, including its cyber resilience. russia was actively probing the security of sensitive Ukrainian systems in peacetime to lay the groundwork for massive campaigns in wartime. A possible explanation for why russia did not attack Ukrainian critical infrastructure in the first days of the war is that it expected the war to end within a few days and hoped to use that infrastructure for its own benefit.
As for data leaks, the russian Federal Security Service has probably used information stolen from Ukrainian databases to compile kill lists of people who could lead resistance in Ukraine in the event of a russian victory.
russian hackers also attempted to cause a third massive blackout in Ukraine. High-voltage electrical substations were targeted by the Sandworm group with a new variant of the malware known as Industroyer or Crash Override, the same family used in the 2016 Kyiv blackout, which speaks the substations' industrial control protocol (IEC 60870-5-104) directly in order to open circuit breakers. The attackers tried to leave more than 2M people in Ukraine without electricity but failed.
At the beginning of April 2022, russia carried out a powerful DDoS attack on Finland, taking the websites of the Ministry of Foreign Affairs and the Ministry of Defense offline. Finland is close to becoming a NATO member, and russia is likely to use any means to prevent it. Finland is not physically involved in the war in Ukraine, so with this attack russia has moved on to international cyber terrorism. There is a serious risk that threats emerging from the war in Ukraine will have global repercussions.
russia has also interfered with GPS signals near Finland; France's civil aviation authority has attributed this interference to russian jamming.
NATO member Romania has detected a 120-fold increase in malicious cyber activity since the end of February. On the same day that Romanian officials met their French colleagues at a NATO base and condemned the war in Ukraine, one of the largest oil and gas companies in Romania suffered a temporary disruption of operations after a large volume of its data was encrypted by ransomware.
According to recent research by Check Point, cyberattacks from Chinese IP addresses targeting NATO countries have surged by 116% since the russian invasion of Ukraine. Last week, the weekly average of China-sourced cyberattacks against NATO countries was 86% higher than in the first three weeks of the war. Note that Chinese IP addresses are used both by hackers inside China and by actors abroad routing through Chinese infrastructure, so a source address alone is not an attribution. Over the last week, the Czech Republic, Denmark, Germany, France, Portugal, and the UK have seen the biggest surge in China-sourced cyberattacks.
Chinese hackers were also reported to have targeted Ukrainian websites on 23 February, one day before the invasion, so China may have been aware of the russian terrorist plans. Although China was also targeting Belarus and russia, those activities were likely a false flag operation meant to disguise its alignment.
Recently, the South Korean government issued a cybersecurity alert over North Korea's growing cyber threat, citing hacking attempts during the presidential transition period and the escalating cyber warfare between Ukraine and russia. These threats may also be related to the recent spate of ballistic missile launches. South Korea has traditionally supported democracy worldwide and is therefore a likely target for pro-russian hacker groups.
Soon after the war started, scattered Ukrainian army bases lost data connectivity as a result of the cyber incident affecting the geostationary satellite network flying 36 thousand km above Earth. However, the Ukrainian army was prepared for this act of cyber terrorism and quickly switched to other encrypted communications. Ukrainian digital infrastructure is being protected by Cisco, Microsoft, and Google, while Ukrainian cybersecurity specialists have been trained by NATO experts, such as Estonian cyber specialists.
At the beginning of March 2022, a russian cybersecurity firm reported a large spike in DDoS attacks following the russian invasion of Ukraine: it recorded 450 attacks targeting banks and 1,100 attacks against the commercial sector. Also, since 24 February, russian media have been actively covering cyberattacks against russia, whereas before that date they mostly covered cyberattacks targeting Ukraine.
On March 29, Moscow issued a statement calling the IT Army of Ukraine the new "offensive cyber forces" and claiming that russia's industrial sector had suffered the biggest damage. This statement looks like a distortion of reality: russia may simply use it to justify its own cyber offensive campaigns against the West.
According to Cloudflare, russian online media companies were the most targeted industry within russia in Q1 2022, followed by the Internet industry, cryptocurrency, and retail. Most of the HTTP DDoS attacks that targeted russian companies originated from Germany, the USA, Singapore, Finland, India, the Netherlands, and Ukraine; these are the countries where the attacking hosts sat, which for volunteers routing through VPNs need not be where the operators were. The share of ransom DDoS attacks fell from 17% in January 2022 to just 3% in March 2022, a very visible decline that indicates a shift in motive: these attacks now mostly aim at disrupting infrastructure rather than at financial gain. These figures suggest that the rapid rise in the number of DDoS attacks targeting russia is attributable to the IT Army of Ukraine and other pro-Ukrainian groups such as disBalancer.
The day after the russian invasion of Ukraine, the Ukrainian project disBalancer (DDOS) introduced a special app, Liberator, that lets every owner of a PC or laptop take part in DDoS attacks against russian propaganda websites and digital infrastructure. Users only need to make a few clicks and turn on a VPN. There are currently 13.5K members in the project's Telegram group and more than 3K active users running the app. disBalancer has already taken down more than 250 of the aggressor's resources and is rapidly approaching 300. One caveat for would-be volunteers: fake copies of Liberator bundled with information-stealing malware have been circulated on Telegram, so the app should be downloaded only from the project's official channels and its checksum verified before it is run.
Everyone can support the project by buying its DDOS token; disBalancer will use the proceeds to buy new servers so that the attacks hit russia even harder. The project's goal is to launch the most powerful DDoS attack in history, 14.3 Tbps, against Putin's terrorist state. To this end, 100K users need to run Liberator simultaneously, which works out to roughly 143 Mbps of upstream bandwidth per user.
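Seen from the defending server, a crowd of volunteer machines like the one described above looks different from a classic flood: thousands of addresses each send only a handful of requests, so a per-IP rate limit never fires while the aggregate rate climbs. The following check is an added example, not code from the original page, from disBalancer, or from any of the vendors named above. It parses access-log lines in the Apache/nginx combined format, computes request rates over a sliding window, and classifies the busiest window as normal, a single-source flood, or a distributed flood. The log lines are constructed sample data, the thresholds (`window_s`, `per_ip_rps`, `surge_factor`, `floor_rps`) are illustrative assumptions, and the addresses are from documentation ranges.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format; only the client address and the
# timestamp matter for rate analysis, the rest is matched so malformed lines fail.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, timestamp) for a combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def analyze(lines, window_s=10, per_ip_rps=20.0, surge_factor=10.0, floor_rps=1.0):
    """Sliding-window rate analysis over access-log lines (thresholds are assumptions).

    A flood is declared when the busiest window carries `surge_factor` times the
    median window rate (the baseline). It is then classified as single-source if
    any one address alone exceeds `per_ip_rps`, otherwise as distributed: many
    addresses each staying under the per-IP limit, which is what a crowd of
    volunteer machines looks like and what a plain per-IP rate limit misses.
    """
    total = Counter()                 # requests per epoch second, all clients
    per_ip = defaultdict(Counter)     # requests per epoch second, per client
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # skip unparseable lines instead of aborting
        ip, ts = parsed
        sec = int(ts.timestamp())
        total[sec] += 1
        per_ip[ip][sec] += 1
    if not total:
        return {"verdict": "no data"}

    first, last = min(total), max(total)
    if last - first + 1 >= window_s:
        starts = range(first, last - window_s + 2)
    else:
        starts = [first]              # less data than one window: single window

    def rate(counter, start):
        return sum(counter.get(start + i, 0) for i in range(window_s)) / window_s

    window_rates = [(rate(total, s), s) for s in starts]
    peak_rps, peak_start = max(window_rates)
    ordered = sorted(r for r, _ in window_rates)
    median_rps = ordered[len(ordered) // 2]
    top_ip_rps = max(rate(c, s) for c in per_ip.values() for s in starts)
    sources_in_peak = sum(
        1 for c in per_ip.values()
        if any(c.get(peak_start + i, 0) for i in range(window_s))
    )

    if peak_rps < surge_factor * max(median_rps, floor_rps):
        verdict = "normal"
    elif top_ip_rps >= per_ip_rps:
        verdict = "single-source flood"
    else:
        verdict = "distributed flood"
    return {
        "peak_rps": peak_rps,
        "median_rps": median_rps,
        "top_ip_rps": top_ip_rps,
        "sources_in_peak": sources_in_peak,
        "verdict": verdict,
    }


def build_sample_log():
    """Constructed sample traffic (not real data): 30 s of normal browsing from two
    clients at 2 requests/s in total, then 10 s in which 200 distinct addresses
    each send only 3 requests, i.e. 60 requests/s with no single hot client."""
    base = datetime(2022, 3, 1, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, ts):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512'

    lines = []
    for sec in range(30):
        for i in (1, 2):
            lines.append(entry(f"10.0.0.{i}", base + timedelta(seconds=sec)))
    for sec in range(30, 40):
        for k in range(20):           # 20 fresh addresses per second
            ip = f"198.51.100.{(sec - 30) * 20 + k}"
            lines.extend(entry(ip, base + timedelta(seconds=sec)) for _ in range(3))
    return lines


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

On the constructed sample the busiest window runs at 60 requests/s against a 2 requests/s baseline while the hottest single address stays at 1 request/s, so the verdict is "distributed flood"; a per-IP limiter set at 20 requests/s would have let every one of those 200 clients through. The median is used as the baseline so that the flood itself does not inflate it, and a floor keeps an almost idle server from alarming on a few stray requests.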
disBalancer strongly appeals to everyone who supports Ukraine and strives to destroy russian propaganda: “Download and run Liberator to stop the war. Together we are power!”.