On the Internet, propaganda and cyberattacks claimed but unverifiable

Long before Russia decided to invade Ukraine on Thursday, February 24, the concern was already there: it was to be expected that any military operation launched on the ground by the Kremlin would be coupled with an online offensive. The European Union therefore deployed, two days before the Russian invasion, a monitoring and response team ready to defend Ukrainian critical technical infrastructure against potential attempts by its neighbor or its allies. The same vigilance prevails among their French counterparts: “Current international tensions, particularly between Russia and Ukraine, can sometimes be accompanied by effects in cyberspace that must be anticipated”, warned the National Information Systems Security Agency (Anssi) on Saturday. As for the United States, its agency responsible for cybersecurity remains on high alert: “Strengthen your defenses” (“Shields up”), it continues to urge national companies.

In practice, however, no major cyberattacks against Ukrainian critical infrastructure have been observed, and we are currently witnessing a chaotic flood of unverifiable hacking claims and of operations whose scope is extremely difficult to assess.

The most serious threat came from malware spotted on the night of February 23-24, shortly before the launch of the Russian military invasion. Nicknamed “HermeticWiper” because the digital certificate used to sign it refers to a small Cypriot company (which denies any involvement), this malware is designed to erase the contents of infected computers.

According to Bloomberg, at least three Ukrainian entities, including the Ministry of Internal Affairs, were affected by this wiper (data destruction software). A source told the US press agency that data had been exfiltrated from the ministry's computer network before the malware deleted data. Several companies specializing in computer security have also observed HermeticWiper being used together with fake ransomware. The ransom note, published by several researchers, does not match the signatures left by any of the major known groups in operation. The attack has not yet been precisely attributed; wipers and fake ransomware can be used to “clean up” the traces of a prior cyber-espionage operation.

“IT Army”

Since then, the Ukrainian Minister of Digital Transition, Mykhailo Fedorov, has announced the creation of a “Computer Army of Ukraine”. It is in fact a Telegram group that has been broadcasting a list of targets since Saturday, encouraging its more than 150,000 members to carry out denial-of-service (DDoS) attacks against the sites of Russian companies such as Gazprom and against media and government sites. The channel also released a guide to mass-flagging the YouTube accounts of several Russian TV channels. The initiative is also aimed at foreign nationals who wish to participate in these attacks. The real impact of these calls for computer attacks is impossible to estimate, but the initiative seems more akin to a communication operation by the Ukrainian government than to the pursuit of strategic objectives.

On the other side, a group suspected of acting in line with Belarusian interests, nicknamed UNC1151, was accused on Friday by the Ukrainian authorities of carrying out a phishing campaign targeting soldiers in particular, but also a number of Belarusian media outlets.

At the same time, groups of questionable credibility, such as Internet users claiming to gravitate around the Anonymous nebula, have claimed responsibility for actions whose veracity is currently difficult to establish, such as hacking into Russian television channels to broadcast Ukrainian songs. The GhostSec group, often described as close to Anonymous, for its part claimed on Telegram, on the night of Saturday to Sunday, to have hacked several Russian government sites. As for the major cybercriminal group Conti, suspected of operating from Russia, it declared on Friday on its official website that it fully supported the Russian government, before backtracking and denying any alliance with the government, while continuing to threaten Western entities. Over the weekend, databases presented as linked to Russian interests and as having been hacked by supporters of Ukraine were put online, but we were unable to verify the authenticity of the data or their importance.

Propaganda war

The digital skirmishes of recent days remain very far from the scale of other attacks carried out in Ukraine in recent years by pro-Russian groups or groups linked to the Russian state. In 2017, the country was the first to bear the brunt of the NotPetya malware, whose creation and use the majority of experts attribute to Russia. This wiper-type malware began by paralyzing public services in Ukraine and thousands of businesses, banks, supermarkets and even gas stations, before spreading to other countries, including Russia, causing damage totaling the equivalent of 10 billion dollars. More recently, in mid-January, Microsoft discovered malware targeting the infrastructure of official Ukrainian sites.

The attacks and claims of recent days seem all the more incidental given how significant the Russian military means deployed on the ground are. The number of victims of this violent conflict is currently very difficult to assess: a report published on Saturday by the Ukrainian Minister of Health counted 198 civilian deaths, including three children, while Russia has so far reported no losses. Moreover, while announcements by non-state groups and denial-of-service attacks by sympathizers are highly publicized, they say nothing about potentially more sensitive and discreet activities carried out by Russia as well as by Ukrainian services or allied countries.

From this jumble of actions with more or less credible claims, however, one reality emerges: that of an intense propaganda war on social networks. The manipulated images and attempts to influence Russians observed for weeks now face a continuous stream of messages and images aimed at underlining the courage and resilience of the Ukrainian people, as well as trying to undermine the morale of the attackers. A site compiling images of dead and captured Russian soldiers has thus been put online, and Ukrainian official accounts constantly broadcast messages and videos praising the effectiveness of the national army against the invader.

For its part, Russia has not hesitated in recent days to take very strict censorship measures against its media, or to engage in a showdown with Facebook to try to force the social network to stop moderating messages published by Russian state media. It is as if Russia considered that the conflict, very widely denounced by the overwhelming majority of countries in the world, would have to be fought as much through the control of information as through cyberattacks on Ukrainian territory.
