Preparing for a Russian cyber offensive against Ukraine this winter

Microsoft has warned in its report to Russia boost cyberattack on Ukraine and its allies throughout the winter.

In recent months, cyberthreat actors affiliated with Russian military intelligence have launched destructive wiper attacks against energy, water and other critical infrastructure organizations’ networks in Ukraine as missile strikes knocked out power and water supplies to civilians across the country. Russian military operators also expanded destructive cyberactivity outside Ukraine to Poland, a critical logistics hub, in a possible attempt to disrupt the movement of weapons and supplies to the front.

Meanwhile, Russian propaganda seeks to amplify the intensity of popular dissent over energy and inflation across Europe by boosting select narratives online through state-affiliated media outlets and social media accounts to undermine elected officials and democratic institutions. To date, these have had only limited public impact, but they foreshadow what may become broadening tactics during the winter ahead.

First, we can expect a continuation of Russia’s cyber offensive against Ukrainian critical infrastructure. We should also be prepared for the possibility that Russian military intelligence actors’ recent execution of a ransomware-style attack – known as Prestige – in Poland may be a harbinger of Russia further extending cyberattacks beyond the borders of Ukraine. Such cyber operations may target those countries and companies that are providing Ukraine with vital supply chains of aid and weaponry this winter.

Second, we should also be prepared for cyber-enabled influence operations that target Europe to be conducted in parallel with cyberthreat activity. Russia will seek to exploit cracks in popular support for Ukraine to undermine coalitions essential to Ukraine’s resilience, hoping to impair the humanitarian and military aid flowing to the region. The good news is that, when equipped with more information, a media-savvy public can act with awareness and judgment to counter this threat.

"Combined missile and cyber strikes focus on destruction of civilian infrastructure"

As Russia retreated from formerly occupied territory in Ukraine in late October, the Kremlin unleashed new missile and drone strikes against Ukrainian cities and the energy and transportation infrastructure that supports them. Missile barrages cut power to more than 10 million Ukrainians and left up to 80% of Kyiv’s population without running water.[2] The intent to inflict suffering on Ukraine’s civilians has been clear, and was effectively acknowledged by Russian officials.[3]

Notably, these recent missile strikes have been accompanied by cyberattacks on the same sectors, perpetrated by a threat group – known at Microsoft by the element name IRIDIUM and by others as Sandworm – associated with Russia’s military intelligence service, the GRU. The repeated temporal, sectoral and geographic association of these cyberattacks by Russian military intelligence with corresponding military kinetic attacks indicate a shared set of operational priorities and provides strong circumstantial evidence that the efforts are coordinated, as reflected in the timelines below.

*The timeline above shows the trend of complementary missile and destructive cyberattacks aimed at civilian infrastructure in Ukraine through October.* (Source: Microsoft)

This tactic of targeting civilian infrastructure has been in play since the beginning of the conflict. Of the roughly 50 Ukrainian organizations that Russian military operators have hit with destructive wiper malware since February 2022, 55% were critical infrastructure organizations, including in the energy, transportation, water, law enforcement and emergency services, and health care sectors.

The information in the chart above is based on destructive wiper staging on Ukrainian networks that Microsoft has observed or has awareness of from incident response and partner relationships. The activity occurred between February 23 and mid-October this year. (Source: Microsoft)

"Russian cyberattacks extend outside Ukraine"

Russian cyber strikes extended outside Ukraine in October, when IRIDIUM deployed its novel Prestige ransomware against several logistics and transportation sector networks in Poland and Ukraine.[8] This was the first war-related cyberattack against entities outside of Ukraine since the Viasat KA-SAT attack at the start of the invasion.[9]

The Prestige event in October may represent a measured shift in Russia’s cyberattack strategy, reflecting a willingness by Moscow to use its cyberweapons against organizations outside Ukraine in support of its ongoing war. Since Spring 2022, Microsoft has observed that IRIDIUM and suspected Russian state operators have targeted transportation and logistics organizations across Ukraine in probable attempts to collect intelligence on or disrupt the flow of military and humanitarian aid through the country. But these recent attacks in Poland suggest that Russian state-sponsored cyberattacks may increasingly be used outside Ukraine in an effort to undermine foreign-based supply chains.

The deployment of Prestige ransomware reflects a Russian military interest in the transportation sector that has persisted since the spring. Although IRIDIUM had access to the network of one of the impacted organizations in May, the actor only began to prepare for and deploy the destructive malware at the outset of the Ukranian counteroffensive, when disruptions to Ukraine’s supply chains may have been perceived as more urgent. (Source: Microsoft)

"Cyber-enabled influence operations seek to fuel real-world discord across Europe"

This winter, European populations seeking to keep warm amid energy shortages and heightened inflation will likely be targeted by Russian attempts to stir up and potentially mobilize grievances through cyber-enabled influence operations.