Google: the war in Ukraine has disrupted the cybercriminal ecosystem


A year after Russia invaded Ukraine, the war continues, including its digital component, an ever-evolving front with implications for the future of cybersecurity around the world. According to cybersecurity experts at Google, the war in Ukraine has significantly disrupted the cybercriminal ecosystem in Eastern Europe and changed the way ransomware attacks are carried out.

“Ransomware continues to be lucrative, but money-seeking hackers are not immune to geopolitical developments,” says a new report, compiled by Google’s Threat Analysis Group (TAG), Mandiant (the cybersecurity company that is now part of Google Cloud) and Google Trust & Safety.

“The lines are blurring between attackers with financial motivations and those backed by governments in Eastern Europe,” the report says, “with hackers altering their targeting to align with regional geopolitical interests, and state-backed attackers adopting certain tactics and services associated with financially motivated actors.”

As alliances shift, it is no longer taboo for cybercriminals to go after Russian targets, the report also notes. Google experts say the war has also accelerated a trend of “specialization” in the ransomware ecosystem, making it harder to pinpoint the culprits.

Furthermore, the report notes that “the war in Ukraine was also defined by what we expected – but did not see”. Specifically, there has been no upsurge in critical infrastructure attacks, which is surprising given how commonplace ransomware threats are.

Political divisions

According to Google’s report, the war has divided the Eastern European cybercriminal network. Some groups have declared political allegiances, others have split along geopolitical lines, and other prominent ransomware groups have shut down.

For example, at the start of the war, the Conti ransomware group declared its support for Russia and threatened to strike at the critical infrastructure of nations that acted against Russia. This led to divisions within the group, according to leaks of its internal communications and source code, Google says. Rather than stepping up its attacks as threatened, the group ceased operations.

Furthermore, the Raccoon information-stealing malware (Raccoon Stealer) suspended its activities after its alleged developer fled the invasion of Ukraine. He was arrested in the Netherlands and is awaiting extradition to the United States.

The war has also encouraged cybercriminals to attack Russian targets.

“Prior to February 2022, ransomware creators used techniques to avoid targeting the Commonwealth of Independent States, including hard-coding country names and checking system language,” the report said.

“After the invasion, the hacktivist group NB65 used leaked Conti source code to target Russian organizations. NB65 claims ties to the hacktivist collective Anonymous, which ran a ‘#OpRussia’ campaign, including several hack-and-leak operations against Russian organizations such as the Russian Central Bank.”

Meanwhile, the so-called “Ukrainian IT Army” collaborated with the Ukrainian Ministry of Defense to defend Ukraine and target Russian infrastructure and websites.

Change of tactics

The war has also led to a change in tactics among ransomware groups. First, ransomware campaigns associated with government-backed attackers use tactics typically associated with financially motivated hackers – and vice versa.

Additionally, ransomware attackers are increasingly specializing in one part of the “attack chain”, according to the report, while working with other “business partners”.

During the war, attackers also experimented more with new techniques, such as new distribution channels and unconventional file formats. Financially motivated attackers are also quick to borrow successful techniques from other criminals, which makes attacks harder to attribute to their perpetrators.

Retaliation not carried out

Google’s report examines why there was no increase in ransomware attacks on critical infrastructure during the war, “as might have been expected after the statements made at the start of the conflict and the previous wave of such attacks in 2021”.

One of the theories put forward by Google is that the US response to the Colonial Pipeline attack in 2021, and the subsequent arrest in Russia of members of the REvil ransomware gang, may have deterred financially motivated ransomware gangs.

Google also posits that sanctions against Russia may have impacted Western organizations’ willingness to pay ransoms.

In addition to the disruption of the criminal ecosystem in Eastern Europe, the report analyzes two other aspects of the digital warfront. First, it notes that “attackers backed by the Russian government have engaged in an aggressive effort, on multiple fronts, to gain a decisive wartime advantage in cyberspace, with often mixed results.”

In 2022, Russia increased targeting of users in Ukraine by 250% compared to 2020, while targeting of users in NATO countries increased by more than 300%.

The report also analyzes Russia’s robust use of “information operations,” which includes everything from openly state-backed media to secret platforms and accounts, to shape public perception of the war.

Finally, the report concludes: “It is clear that cyber operations will now play an essential role in future armed conflicts, in addition to traditional forms of warfare.” The report, according to its authors, aims to serve “as a call to action as we prepare for possible future conflicts around the world.”


Source: “ZDNet.com”