Russia’s invasion of Ukraine not only involves military action, but an elaborate state-sponsored hacking campaign as well – and a new report from cyber analytics firm CyberCube has found that related cyberwarfare efforts have swelled since the start of the war.
CyberCube’s new report, “Ukraine Cyber War Update,” is a follow-up to the company’s previous report “War in Ukraine creates a fundamental shift in the cyber threat landscape.” The new report noted that although Russia has employed cyberwarfare tactics to complement its military activity on the physical battleground during its invasion, the nation has also taken the opportunity to direct its hackers against Ukraine’s allies.
Citing findings from Microsoft, the new report found that since the start of the war, there were Russian-affiliated network intrusion efforts launched against 128 different targets in 42 countries outside of Ukraine. The past six months have also seen a steady increase of cyberattacks from Russian-speaking ransomware gangs that have openly pledged allegiance to Moscow, and they have largely targeted US and European businesses, said CyberCube.
It was observed that in the US, the cyberattacks were typically directed at large multibillion-dollar companies that are not necessarily critical infrastructure – care was taken by the Russian attackers not to disrupt “high-value” targets, so as not to elicit a response that could lead to war. Meanwhile, Russian threat actors have targeted European energy companies to undermine those countries’ efforts to stop relying on Russian oil. CyberCube said that Germany was a particular target for Russian hackers, as it was the second-largest importer of Russian oil behind China.
Russian threat actors have also moved away from using ransomware in favor of wiper malware, the report found; the latter does not hold encryption-locked computer systems for ransom, but instead is designed to destroy data. The Russian APT group Sandworm had previously deployed the malware Industroyer against Ukraine’s electricity power grids in 2016, but a new variant called Industroyer2 was detected in April 2022 when incident responders managed to foil a cyberattack on the Kyiv North transmission substation. This attack type, said CyberCube, is clearly seeing a resurgence, and Russia has been observed deploying a more targeted wiper malware approach over the past six months.
CyberCube came to the following conclusions in its report:
- The creation of a sovereign Russian internet could lead to greater confidence that attacks can be carried out without consequences.
- In response to this pattern of increased cyber activity, re/insurers and brokers need to take proactive measures to manage their exposures.
- Lloyd’s recently introduced a requirement that all standalone cyberattack policies must exclude liability for losses arising from state-backed attacks. CyberCube believes this mandate will help reduce uncertainty and enable more insurers to participate with confidence, based on a clearer understanding of what is covered, and what is excluded.