One year after Russia invaded Ukraine, the war continues — including an ever-evolving digital component that has implications for the future of cybersecurity around the world. Among other things, the war in Ukraine has upended the Eastern European cybercriminal ecosystem, according to cybersecurity experts from Google, shaking up the way ransomware attacks are playing out.
“Ransomware continues to be lucrative, but financially motivated threat actors are not immune from geopolitical developments,” says a new report, compiled by Google’s Threat Analysis Group (TAG), Mandiant (the cybersecurity firm that’s now a part of Google Cloud), and Google Trust & Safety.
ALSO: Russian hackers’ lack of success against Ukraine shows that strong cyber defences work
“Lines are blurring between financially motivated and government-backed attackers in Eastern Europe,” the report says, “with threat actors changing their targeting to align with regional geopolitical interests, and government-backed attackers adopting some tactics and services associated with financially motivated actors.”
As alliances change, it’s no longer taboo for cybercriminals to go after Russian targets, the report notes. Meanwhile, the war has also accelerated a trend towards “specialization” in the ransomware ecosystem, Google’s experts say, making it more difficult to pin down guilty parties.
On top of all that, the report notes “the war in Ukraine has also been defined by what we expected — but didn’t see.” Specifically, there was no surge in attacks against critical infrastructure, which is surprising given the commonality of ransomware threats.
Political splits
The war has splintered the Eastern European cybercriminal network, Google’s report says. Some groups have declared political allegiances, while others have along geopolitical lines and other prominent ransomware groups have shut down.
For instance, at the start of the war, the ransomware group Conti declared its support of Russia and threatened to strike the critical infrastructure of nations that took action against Russia. That led to divisions within the group, according to leaks of its internal communications and source code, Google says. Rather than ramping up attacks as it threatened, the group shut down.
Additionally, the stealer malware Raccoon suspended activity after its suspected developer fled the invasion of Ukraine. He was arrested in the Netherlands and is waiting to be extradited to the US.
The war has also emboldened cybercriminals to go after Russian targets.
“Before February 2022, ransomware creators used techniques to avoid targeting the Commonwealth of Independent States, including hard-coding country names and checking the system language,” the report says. “After the invasion, hacktivist group NB65 used leaked Conti source code to target Russian organizations. NB65 claims links to the Anonymous hacktivist collective, which conducted an ‘#OpRussia’ campaign, including several hack-and-leak operations against Russian organizations such as the Russian Central Bank.”
Meanwhile, the so-called “Ukrainian IT Army” has collaborated with Ukraine’s defense ministry to defend Ukraine and to target Russian infrastructure and websites.
Changing tactics
The war has also prompted a shift in tactics among ransomware groups. First, ransomware campaigns associated with government-backed attackers are using tactics typically associated with financially-motivated hackers — and visa versa.
Additionally, ransomware attackers are increasingly specializing in one part of the “attack chain,” the report says, while working with other “business partners.”
During the war, attackers have also experimented more with novel techniques like new delivery channels and unconventional file formats. Financially-motivated attackers have also been quick to borrow other criminals’ successful techniques, which makes it harder to determine who’s behind them.
Retaliation unrealized
Google’s report considers reasons why there wasn’t an uptick in ransomware attacks against critical infrastructure during the war, “as might have been expected after declarations early in the conflict and the prior wave of such attacks in 2021.”
One theory Google puts forward is that the US response to the 2021 Colonial Pipeline attack, and the subsequent arrest in Russia of members of the REvil ransomware gang, may have deterred financially-motivated ransomware gangs.
Google also postulates that sanctions against Russia may have impacted Western organizations’ willingness to pay ransoms.
Along with the disruption of the Eastern European criminal ecosystem, the report analyzes two other aspects of the digital warfront: First, it notes that “Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace, often with mixed results.”
In 2022, Russia increased targeting of users in Ukraine by 250% compared to 2020, while targeting of users in NATO countries increased over 300%.
The report also analyzes Russia’s robust use of “information operations,” which includes everything from overt state-backed media to covert platforms and accounts, to shape public perception of the war.
All told, the report concludes, “It is clear cyber will now play an integral role in future armed conflict, supplementing traditional forms of warfare.” The report, its authors said, aims to serve “as a call to action as we prepare for potential future conflicts around the world.”
