2024 Ukrainian cyberattacks against Russia


In 2024, cyber-specialists working as part of the Main Directorate of Intelligence of the Ministry of Defence of Ukraine (HUR) and the Security Service of Ukraine (SBU) initiated several cyberattacks on Russian technology and infrastructure, including attacks on Russia's banking sector, Russian internet providers, regional and municipal administration web resources, Russian airports, several Russian state institutions, and private companies. The operations were conducted as a means to impede Russian military operations and to uncover classified documents that could be taken into account by the Armed Forces of Ukraine during the Russian invasion of Ukraine, as well as to destabilize Russia's institutions. The cyberattacks began to intensify in scope in June and July 2024. [1] [2]


Background

Russian–Ukrainian cyberwarfare has been a component of the confrontation between Russia and Ukraine since the Revolution of Dignity in 2013-2014. The Russian cyberweapon Uroburos had been around since 2005. [3] However, the first attacks on information systems of private enterprises and state institutions of Ukraine were recorded during mass protests in 2013. In 2013, Operation Armageddon, a Russian campaign of systematic cyber espionage on the information systems of government agencies, law enforcement, and defense agencies, began, thought to help Russia on the battlefield. [4] Between 2013 and 2014, some information systems of Ukrainian government agencies were affected by a computer virus known as Snake / Uroborus / Turla. [4] In February–March 2014, as Russian troops entered Crimea, communication centers were raided and Ukraine's fibre optic cables were tampered with, cutting the connection between the peninsula and mainland Ukraine. Additionally, Ukrainian government websites, news and social media were shut down or targeted in DDoS attacks, while the cell phones of many Ukrainian parliamentarians were hacked or jammed. [4] [5] Ukrainian experts also declared the beginning of a cyberwar with Russia. [6]

Cybersecurity companies began to register an increase in the number of cyberattacks on information systems in Ukraine. The victims of Russian cyberattacks were government agencies of Ukraine, the EU, and the United States, defense agencies, international and regional defense and political organizations, think tanks, the media, and dissidents. [4] As of 2015, researchers had identified two groups of Russian hackers that had been active in the Russian-Ukrainian cyber war: the so-called APT29 (also known as Cozy Bear, Cozy Duke) and APT28 (also known as Sofacy Group, Tsar Team, Pawn Storm, Fancy Bear). [4]

Attacks

January

In mid-January, the Ukrainian HUR reported that volunteer BO Team hackers employed by the ministry deleted 280 servers and 2 petabytes of data from Planet, a state space hydrometeorology research center in the Far East that aided the Russian military and fifty other state agencies with gathering and analyzing satellite imaging and data. According to HUR, the cyberattack cost Russia approximately US$10 million in damages, which included a destroyed supercomputer and its software, together costing US$350,000, with Western sanctions greatly complicating its replacement. The attack also impacted the research center's warehouses and main building, including its humidification, air conditioning, servers, and emergency power supply. Further attacks on a Russian Arctic station on Bolshevik Island "completely cut off" its connection with Russian networks. [7]

February

On February 4, HUR's official Telegram channel reported that they had accessed an electronic document management system called "bureaucrats" and exposed detailed information about high-ranking Russian military personnel and specialists. The ministry also said that they found a wide array of classified documents, specifically mentioning documents belonging to Russian Deputy Defense Minister Timur Ivanov. The hack resulted in the HUR recovering sensitive information, including Russian army orders, reports, and instructions circulating among over 2,000 military units within Russia's defense ministry, that could be analyzed by the Armed Forces of Ukraine. The hackers sarcastically thanked Russian Defense Minister Sergei Shoigu for his inadvertent role in facilitating the cyberattack's success. [8]

HUR hackers were also able to target Russian military software used to modify commercial DJI drones for military applications, shutting down servers responsible for Russia's "friend or foe" identification system, preventing troops from accessing the server for drone operations. The cyberattack also prevented troops from configuring control panels, transmitting video feeds to command posts, and operating drones using computer interfaces, forcibly grounding several drone fleets and halting operations. [9]

April

In April, the HUR cooperated with the BO Team hacker group to target Interregional TransitTelecom (MTT), a subsidiary of MTS, one of Russia's largest telecom companies, after gaining comprehensive access to MTT's network equipment. The HUR reported that the attack destroyed critical software and configuration files, leading to severe internet disruptions throughout Russia that affected major cities such as Moscow and St. Petersburg, requiring workers to physically access and re-connect equipment to fix the outages. [10]

Attacks on communication company Moskollector by the SBU shut down 87,000 alarm sensors used for sewage monitoring and control throughout the Moscow metropolitan area, destroying "70 servers and at least 90 terabytes of company data, emails, backup copies and contracts" in the process. [11]

June

In early June, HUR cyber operatives conducted a widespread attack on various Russian government websites, including those of key ministries such as the ministries of Justice, Defense, Information Technology and Communications, Finance, Internal Affairs, Industry and Energy, and Emergency Situations. [12] The disruptions extended to civilian services, with local reports indicating several wedding cancellations due to system outages. Attacks on the United Aircraft Company (UAC), Russia's primary advanced aircraft manufacturer, impacted its operations and caused its website to be rendered inaccessible for an extended period. HUR reported that its primary method of cyberattack was by using distributed denial-of-service (DDoS) attacks. [13] [14]

On June 12, coinciding with Russia Day, Ukrainian hackers targeted the online systems of multiple Russian airports, causing flight disruptions. [12] Targeted airports included Yuzhno-Sakhalinsk’s airport, Moscow Domodedovo Airport, and Saratov's Gagarin Airport, delaying flights mainly destined for Sochi, Bodrum, and Moscow. The attack also forced airplanes to divert to Samara and Ulyanovsk. Prior to the attack, cyber-specialists accessed the official website server of the Stavropol Region's State Duma, adding a banner containing the phrase “Hold on, we will liberate you!” and depicted Red Square bearing Ukrainian flags, shortly before targeting the airports. [15]

Shortly after, on June 14, the HUR cooperated with the BO Team hacker group to attack Russian municipal web resources, primarily targeting the Ulyanovsk regional administration's digital infrastructure. The attack resulted in considerable damage to the administration's IT systems: two hypervisors and communication devices were reportedly disabled, while ten virtual machines and one personal computer were destroyed. Additionally, the operation led to the erasure of approximately 20 terabytes of data. Prior to the main assault, the hackers engaged in a phishing campaign that targeted other local government bodies, courts, and members of the public. [16]

As part of the operation, the attackers published a fabricated order on the Ulyanovsk administration's website. This false directive, attributed to Mayor A.E. Boldakin, called for public demonstrations. The infiltration also provided the BO Team access to sensitive documents, including reports on military recruitment practices. These documents reportedly referred to Ulyanovsk residents reported for "bypassing of candidates for military service" as "targeted individuals". [16]

On June 26, Russian-occupied Crimea's largest internet providers were targeted by intense cyberattacks. [12]

July

In July 2024, Ukrainian intelligence services reportedly launched a major cyberattack against several Russian technology-based sectors. The attacks started on July 15, when HUR cyber-specialists worked with a community of hackers to target roughly one hundred Russian web resources and erase their internal data; the targets were chosen based on their involvement with Russian agencies participating in Russia's invasion of Ukraine. [2] Affected webpages were shut down and replaced with a picture of a bloody, decapitated pig head colored with Russia's flag next to an axe bearing the flag of Ukraine, with the phrase "404 Russia not found". [17]

A larger operation was initiated on July 23 by the HUR, which targeted financial institutions it stated were involved in funding military activities against Ukraine. By July 27, the attack's impact had become severe and widespread. Customers of several major Russian banks were unable to withdraw cash from ATMs, with credit and debit cards being blocked upon use. The cyberattack affected various aspects of Russia's virtual banking infrastructure, including the freezing of payment systems and mobile banking applications, banking portal outages, and breaches into the databases of several major banks, among them Dom.RF, Alfa-Bank, Raiffeisen Bank, VTB Bank, Rosbank, Gazprombank, RSHB Bank, Sberbank, iBank, and Tinkoff Bank. The attacks also targeted public transportation systems, popular Russian social networks and internet platforms, and caused service interruptions for multiple large Russian telecom and internet providers including MegaFon, Tele2, Beeline, and Rostelecom. [1] [2] [18]

A source from the Ukrainian intelligence stated that the attack was "gaining momentum" and implied escalations in attacks. [1] [2]

Russia acknowledged the cyberattacks as being initiated by "politically motivated hackers". [2]


References

  1. Dirac, Jeremy (2024-07-27). "Ukraine Hacks ATMs Across Russia in Ongoing Massive Cyberattack". Kyiv Post. Retrieved 2024-07-27.
  2. Zakharchenko, Kateryna (2024-07-24). "HUR Hackers Shut Down Russian Banks and Internet Providers". Kyiv Post. Retrieved 2024-07-27.
  3. "Invisible Russian cyberweapon stalked US and Ukraine since 2005, new research reveals". CSO. 10 March 2014. Archived from the original on 2022-01-18. Retrieved 2022-01-17.
  4. Weedon, Jen (FireEye) (2015). "Beyond 'Cyber War': Russia's Use of Strategic Cyber Espionage and Information Operations in Ukraine". In Kenneth Geers (ed.). Cyber War in Perspective: Russian Aggression against Ukraine. Tallinn: NATO CCD COE Publications. ISBN 978-9949-9544-5-2. Archived from the original on 2016-08-16. Retrieved 2016-05-10.
  5. Gertz, Bill. "Inside the Ring: Cybercom's Michael Rogers confirms Russia conducted cyberattacks against Ukraine". The Washington Times. Archived from the original on 2021-06-02. Retrieved 2020-07-21.
  6. "Russian Electronic Warfare in Ukraine: Between Real and Imaginable". Jamestown. Archived from the original on 2017-05-26. Retrieved 2017-05-27.
  7. Struck, Julia (2024-01-24). "HUR Reports Cyberattack on Russian State Satellite Data Processing Center". Kyiv Post. Retrieved 2024-07-28.
  8. "HUR Hacks Russian Defense Ministry, Gets Access to Classified Documents". Kyiv Post. 2024-03-04. Retrieved 2024-07-28.
  9. "HUR Initiates Cyberattack on Russian Drone Control Programs". Kyiv Post. 2024-02-08. Retrieved 2024-07-28.
  10. "Ukrainian Hackers Launch Cyberattacks on Subsidiary of Major Russian Telecom". Kyiv Post. 2024-04-28. Retrieved 2024-07-27.
  11. "Ukrainian Hackers Launch Cyberattacks on Moscow Sewage System". Kyiv Post. 2024-04-10. Retrieved 2024-07-27.
  12. Zakharchenko, Kateryna (2024-06-26). "HUR Cyberattack Hits Russian Internet Providers in Occupied Crimea". Kyiv Post. Retrieved 2024-07-27.
  13. "Ukrainian Intelligence Behind Hacks on Russian Companies, Institutions". Kyiv Post. 2024-06-05. Retrieved 2024-07-27.
  14. Mukhina, Olena (2024-06-27). "HUR hackers attack Russian internet providers in occupied Crimea". Euromaidan Press. Retrieved 2024-07-28.
  15. Zakharchenko, Kateryna; Dolomanzhy, Karina (2024-06-12). "HUR Hackers Score Cyber-Hit on Russian Airports, Cause Flight Delays". Kyiv Post. Retrieved 2024-07-27.
  16. Zakharchenko, Kateryna; Dolomanzhy, Karina (2024-06-14). "HUR Hacks into Russia's Ulyanovsk City Administration's Website". Kyiv Post. Retrieved 2024-07-27.
  17. "Ukrainian intelligence 'hacks Russian websites, replaces homepages with pig head pictures'". The Kyiv Independent. 2024-07-16. Retrieved 2024-07-28.
  18. "Ukraine targets major Russian banks in cyberattack". tvpworld.com (in Polish). Retrieved 2024-07-28.