Russian cyber attacks against both Ukraine and its NATO partners will increase, according to new research published Thursday by Google’s Threat Analysis Group.
The report, titled “Fog of War: How the Ukraine conflict transformed the cyber threat landscape,” offered insights into the Russian invasion from two of Google’s groups — TAG as well as Trust and Safety — and from its subsidiary Mandiant.
The invasion began last February as an escalation of a conflict that started in 2014, and as part of the invasion Russia has launched numerous major cyber campaigns against Ukraine and its allies. Attacks to date have included misinformation campaigns, attempted attacks against critical infrastructure and more. Google published research in September detailing how former members of the Conti ransomware gang were attacking Ukraine in both financially and politically motivated operations.
Although the research was primarily dedicated to Russia’s mixed cyber efforts against Ukraine, it also examined ongoing attacks against Ukraine’s NATO partners. NATO, short for the North Atlantic Treaty Organization, is a military alliance that consists of 30 nations, including the United States, France, Canada, the United Kingdom, Italy and others.
Google said it assesses with “high confidence” that Russian-backed attackers will continue their cyber attacks against Ukraine and its NATO partners to further Russia’s objectives in the invasion. “These attacks will primarily target Ukraine but increasingly expand to include NATO partners.”
One of the main types of cyber attacks Google observed against NATO countries was phishing, particularly spear phishing. Compared to a 2020 baseline, TAG observed an increase of 250% in phishing attacks against Ukraine in 2022 by government-backed attackers. For NATO countries, that figure was over 300%.
“Phishing remains a prominent initial access vector for government-backed attackers,” the report read. “Attackers use this access to achieve multiple Russian strategic objectives, such as intelligence collection, data destruction, and information leaks intended to further Russian national objectives.”
Google’s research focused on five main Russian government-backed threat groups: Sandworm, Fancy Bear, Callisto Group, UNC2589 and Uroburos. A sixth threat group, UNC1151 or PUSHCHA, is based in Belarus. Government-backed attacks against NATO countries were led by Fancy Bear (labeled FROZENLAKE by Google) with 77.5% of activity, followed by Pushcha with 15.5% of activity. Google said the former group conducted a “massive wave” of attacks against NATO members, while the latter’s campaigns were centered on members Poland and Lithuania.
In addition to phishing campaigns, TAG observed Russia-backed threat actors launching DDoS attacks and using access they had gained to leak information to entities such as hacktivist groups. For example, Callisto Group (labeled COLDRIVER by Google) launched a hack-and-leak campaign against entities in the United Kingdom and elsewhere.
“March 2022 marked the first time TAG observed COLDRIVER campaigns targeting the military of multiple European countries, as well as a NATO Centre of Excellence,” the report read. “In the early stages of the conflict, COLDRIVER shifted their targeting to include multiple Ukrainian defense contractors and government organizations, as well as U.S.-based NGOs, think tanks, government officials, politicians, and journalists.”
In another example, the threat group “targeted three nuclear research laboratories in the U.S. in a credential stealing campaign” in which they created fake login pages and emailed nuclear scientists in a spear phishing attempt.
Based on TAG’s reporting, the primary goal of Russia’s anti-NATO campaigns appears to be cyberespionage and information operations, such as misinformation campaigns. Google’s report contains extensive research into how Russian-backed entities like the Internet Research Agency are using social media and propaganda to sway public opinion around the world.
Google’s report also noted that the invasion of Ukraine led to a shift in the Eastern European cybercriminal ecosystem that researchers believe will have long-term effects. “Some groups, for example, have split over political allegiances and geopolitics, while others have lost prominent operators,” the report said. “This will impact the way we think about these groups and our traditional understanding of their capabilities.” Google did not respond to TechTarget Editorial’s request for comment at press time.
Alexander Culafi is a writer, journalist and podcaster based in Boston.