In 2022, Russia invaded Ukraine, and many hypothesised that this would be the world's first true cyber war. Several theories surrounded the expected advancement of offensive and defensive techniques, along with the idea that the cyber frontier would be an equal counterpart to the physical frontier on Ukraine's borders: the first true "hybrid war". Many researchers also feared the knock-on effect on other countries, which might not be able to keep up with the rate at which offensive tools for espionage and disruption were advancing.
WhiteBlueOcean has been observing cyberwarfare involving Russia and Ukraine since long before the war broke out. In 2022, we published several articles providing insight into the techniques and capabilities used by each nation state against the other, the role of independent political entities and of other politically affiliated nation states and state actors, and the role of hacktivists.
Two years later, and in retrospect, consensus is building around the idea that offensive cyber operations, particularly those used by Russia against Ukraine, have not been as effective as originally feared. Although a large uptick in cyberattacks was observed in the lead-up to the invasion and in the weeks that followed, their volume has since declined significantly. Further, we have not seen significant technological advancement in the tools used to perpetrate attacks, although we have seen a stalwart defence, particularly on the side of Ukraine and its allies. Attacks against Ukrainian infrastructure are ongoing: in recent news, several utility companies came under attack by the Russian-linked group Sandworm, though these attacks have not proven particularly innovative and, in terms of influencing the outcome of the war, have not yet proven effective.
The physical war itself has also been relatively stagnant. Widespread use of mines and minefields has slowed advances in either direction, mirroring the poor efficacy of the cyberattacks leveraged by either nation. The cyber frontier mirrors the physical one in another way: the bolstered resilience of each nation's populace in the face of disinformation and phishing campaigns. Likened to the air raids of the Second World War, this technique, intended to demoralise and disorientate the general populace, has only provoked anger and scrutiny. Russia has succeeded only in making ordinary Ukrainian people more resilient to cyberattacks.
The Israel-Palestine war, on both frontiers, differs greatly from the Russia-Ukraine war. Besides acts of hacktivism, there is no evidence of an uptick in offensive cyber operations prior to the war. The main perpetrator of state-affiliated cybercrime against Israel before the war was Iran, which accounted for approximately 80% of all government-backed phishing activity against Israel in the six months prior to the war. Iranian threat groups and state actors such as Moses Staff, Pink Sandstorm, Grey Sandstorm, Peach Sandstorm, Mint Sandstorm and others have conducted the vast majority of attacks against Israel and against US interests in the region. These groups are variously linked to the Islamic Revolutionary Guard Corps and to Iran's Ministry of Intelligence and Security (MOIS).
The techniques employed by these threat groups are likewise not revolutionary.
Mint Sandstorm, for example, engaged in spear-phishing attacks against researchers and university professionals covering Middle Eastern affairs. While these high-profile individuals may have been targeted for the data they hold, analysis of the malicious files delivered by these phishing attempts reveals them to be backdoors that allow the attacker to remotely perform actions on the victim's device, rather than mere exfiltration tools.
Microsoft postulates that these phishing attempts might have given Iranian state actors the ability to cause reputational damage to their victims; it is also likely that the attackers sought to take control of victims' online accounts as a means of grandstanding.
Simultaneously, we have observed Iranian groups boasting about infiltrating surveillance networks and cameras, many of which sit on separate, more vulnerable networks (and which have offered poor fields of view over the supposed targets). Iranian threat groups present these infiltrations, falsely, as evidence of a more severe internal breach, likely as part of a propaganda campaign. It follows that the purpose of the phishing campaigns might also be to raise the profile of Iran's cyber operations and to dissuade political affiliation with Israeli interests.
Interestingly, there is little evidence of collaboration between Iranian state actors and Hamas. Unlike the Iranian actors, Hamas is shown to have had little involvement in the cyberattacks against Israel prior to the terrorist attack on October 7th; in the immediate aftermath, however, it was involved in mass phishing and spyware campaigns.
Cyberattacks waged by Russia against Ukraine immediately after the outbreak of war tended to precede or coincide with ground attacks; the same pattern has not been observed in the Israel-Palestine war. Nor has there been the same level of attacks against state infrastructure. The skillsets of Iranian groups and of Hamas appear much more weighted towards social engineering and espionage, and their efforts to cause widespread network disruption have been far less successful.
Russian attacks against NATO targets, especially those deemed mission-critical to the invasion of Ukraine, have exhibited some interesting adaptations. While the invasion beginning in 2022 brought about many such cyberattacks, Finland's accession to NATO in 2023, and Sweden's in 2024, have also prompted a series of attacks from Russian state actors and from pro-Russian hacktivist groups.
Two hacktivist groups, NoName and Killnet, have been continuously disrupting Finnish infrastructure for several years, since the nation's first condemnation of the Russian invasion, leveraging huge botnets to bring down services, often for days at a time. Beyond Finland, these groups have targeted a wide range of European nations voicing support for Ukraine, including the French Senate and National Assembly; multiple Italian government and parliament IT systems, including the Ministries of Transport and Foreign Affairs, the transport regulator and Bologna Airport; and several other European organisations, including multiple Danish banks. These Russian DDoS groups often collaborate, organise their attacks on the messaging service Telegram, and advertise DDoS-as-a-service offerings on underground forums.
In addition, Russia has been jamming GPS signals in certain key regions, particularly the Baltic Sea, the Black Sea and the Mediterranean, using military-grade electronic warfare systems such as the "Pole 21". Finland has been disproportionately affected, as GPS jamming has also been observed close to its border with Russia. A speech by Ukrainian president Zelensky addressing Finland and the support it has provided was also the target of a DDoS attack. A large number of flights have been affected; although this GPS jamming does not disrupt an aircraft's internal navigation systems, it can cause problems for agricultural vehicles and other devices that rely on accurate GPS for automation or navigation.
The state of cyberwarfare, although predicted to undergo rapid technological advancement as a result of the Russia-Ukraine conflict, has not changed significantly over the past two years. New trends include the use of directed-energy weapons to disable GPS signals and the widespread use of DDoS attacks, particularly by pro-Russian hacktivists. However, with regard to malware and other malicious code designed to disrupt state infrastructure, the techniques employed have not changed significantly since the onset of the war in 2022.
WhiteBlueOcean will continue to observe trends in cybercrime and cyberwarfare around the world, and will use them to enrich our prevention and remediation advice. Check our blog periodically to stay informed on global cybercrime trends and to best protect yourself and your business.