Russia’s invasion of Ukraine has fundamentally altered the character of cybercrime, according to a new report. Research released by security company Recorded Future found that the clash between the two countries’ military cyber agencies, as well as between the various state-sponsored, cybercriminal and hacktivist elements aligned with each side, has made cybercrime more dangerous, far-reaching and unpredictable.
The researchers warned that cybersecurity agencies across Europe and North America need greater awareness of the threat posed by the accelerated development of cyberweapons in the Russo-Ukrainian conflict. “The history of cyber threats has shown us time and time again that we cannot rely on historical attack data to predict future threats,” explains Marcus Fowler, CEO at Darktrace Federal. “The risk of Russian retaliation is real, pervasive, and cannot be underestimated.”
At the start of the war, says the report, the distinction between the activities of state-sponsored hackers and their criminal counterparts was clearer. State-sponsored advanced persistent threat (APT) actors were acting on behalf of services within the Russian government. Meanwhile, ransomware-as-a-service (RaaS) gangs operated with the Russian government’s protection but pursued their own financial interests.
A year on from Russia’s invasion, however, the lines between the two have blurred significantly. ‘Immediately following the Russian full-scale invasion of Ukraine, threat groups began to publicly declare allegiance,’ said the Recorded Future report. This, in turn, destabilised several cybercriminal gangs such as Conti, which suddenly became legitimate targets for retaliation by Ukrainian cybersecurity specialists and allied hacktivist groups. Some members of Russian cybercriminal gangs also appear to have experienced attacks of conscience: ‘Several likely Russia-based threat groups have had internal leaks since February 24 2022,’ the report notes, including LockBit, Conti, Yanluowang, URSNIF and Solaris.
That turmoil did not ease the pressure on Ukrainian users. A recent report from Google’s Threat Analysis Group (TAG) found that Russian government-backed attackers increased their targeting of users in Ukraine by 250% in 2022 compared with 2020, and their targeting of users in Nato member states by more than 300% over the same period (though how effective these campaigns have proven is debatable).
The same Google TAG report states that Russia’s military intelligence agency, the GRU, has repeatedly used destructive malware to degrade Ukrainian defences and civilian infrastructure, the latter in a bid to ‘undermine the public’s trust in the government’s ability to deliver basic services.’
Hacktivism has also flourished in the conflict zone and beyond, on both sides. Groups like the pro-Moscow gang Killnet – which ‘declared war’ on ten countries, mostly Nato allies, in May – have been pitted against the ‘IT Army of Ukraine,’ which published its own target list to its followers in an attempt to solicit the aid of third-party threat actors. The group now has approximately 200,000 followers, according to the Recorded Future report.
Other hacktivist groups have followed suit, including a new version of Anonymous specifically organised to support the Ukrainian war effort. According to Recorded Future, the group comprises threat actors including Network Battalion 65, AgainstTheWest, v0g3lSec, DoomSec, SHDWSec, and GhostSec, among others.
Involvement in the war on all sides has muddied the waters of attribution, and even of motivation, across the cybercrime landscape, explains Marcus Fowler of Darktrace. Now, says Fowler, “It’s not as simple as attributing all cyber campaigns to nation-state actors. While they do have state-sponsored offensive capabilities, there is a wider, blurry circle of criminal gangs that are loyal to Russia and use cyberattacks as a way to carry currency within that regime.”
As a result, it has become far harder for defenders to distinguish between attacks committed by nation-state actors and those carried out by non-sponsored criminals. “Recent attacks launched by groups such as Killnet, though limited in their operational impact, have not failed to dominate global headlines and be associated quickly with the Russian state,” says Fowler.
The only way forward from here is to define what cybercrime has become, and come to an international accord – something that will take time, explains Fowler. “The discussion begins with us asking ‘what is an act of cyber war?’,” he says, “and should end with us asking, ‘At what point do we consider kinetic response to cyber operations that cause physical destruction?’.”