Off-the-shelf ransomware is spurring a new era in the Ukraine war
Experts agreed Russian forces could be overwhelmed, forced to use less sophisticated tools to meet the regime's demands
Commercial ransomware is expected to be used more frequently by Russian hackers in attacks against Ukrainian targets.
As the conflict persists, cyber security experts agreed that easy-to-obtain criminal ransomware tools are likely to feature more and more by Russia-aligned hackers.
Russia’s military intelligence service, the GRU, is expected to keep evolving as the war enters its second year.
It has already modified the tools it uses in cyber attacks, moving away from wormable wipers to single-use versions known as “pure wipers”.
Russia was attributed to the wiper attacks on Ukrainian targets at the start of the war and experts believe that new, discardable alternatives such as CaddyWiper are expected to become more popular.
Such wipers are “easy to change and manipulate quickly, and can be built and launched without draining significant resources from the traditional development ecosystem that supports cyber attacks”, the report from European Cyber Conflict Research Initiative (ECCRI) read.
The report, commissioned by the UK’s NCSC, was based on discussions held at an invite-only workshop in February 2023, which was attended by cyber threat intelligence practitioners, academics, and officials from key governments and international institutions.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Walking the line: GitOps and Shift Left security
Scalable, developer-centric supply chain security solutions
A shift towards embracing commercial ransomware has been observed since October 2022, workshop attendees said, with most agreeing they expect the trend to continue.
“The ability to bootstrap criminal capabilities to provide new attack opportunities will prove increasingly important, as operator burnout threatens to become a real challenge for Russia,” read the report, which was published in time for the NCSC’s CYBERUK event this week.
On the use of wipers, experts were torn over why more sophisticated tools are unlikely to be deployed.
Most agreed that single-use wipers are likely to be the tool of choice for the near future, but why that is the case divided them.
Some believe that the GRU does not have the resources to develop a complex wiper malware at this point in the conflict, while others thought it may be stockpiling more advanced tools for other conflicts or objectives.
Threat intelligence organizations have reported the use of at least 16 wipers by Russia throughout the conflict, but only one - HermeticWiper - was self-propagating (wormable).
HermeticWiper was spotted infecting hundreds of machines in Ukraine in the early stages of the war, and researchers noted that it appeared to be first created in December 2021, more than a year earlier, potentially indicating how long Russia had been planning its cyber capabilities for the conflict.
Praise for Ukraine and the private sector
The report highlighted the “incredible resilience and determination” of the Ukrainian people and the nation’s systems, after fending off a large number of cyber attacks from Russia and Russia’s supporters.
It also noted that private companies “have indeed been the major players in this conflict” and that the profound shift in responsibility should be recognized by the public.
For example, some participants said major tech firms are de facto political actors given the degree of cyber intelligence to which they have access, and the political influence that has.
Industry reports were also said to be influential on public perceptions of government policy and overall attitudes toward threat actors themselves.
Away from the telemetry and intelligence cyber security companies provide, for example, on a broader level the report highlighted the impact of private companies withdrawing from Russia following the invasion.
It also highlighted the discrepancy in technological financial aid provided by the public and private sectors.
Using two examples announced within days of each other back in November 2022, the UK’s Foreign, Commonwealth & Development Office (FCDO) said it would be providing £6.5 million worth of aid through its Ukraine Cyber Programme.
By contrast, Microsoft said it donated $400 million in total, providing its services to Ukraine free of charge, including cyber security protection and cloud computing costs.
The UK has contributed hundreds of millions in humanitarian aid, however, and billions in military assistance.
“Several participants argued that while private industry may want to act altruistically, this kind of behavior is ultimately not sustainable over the long run,” the report concluded.
“In Ukraine, private companies shared a remarkable degree of unity of purpose with government actors; in other situations, this may not be the case. Industry actors need to protect their own interests, which often diverge from government incentives.
“Private sector actors are also limited in how they can respond in times of crises – they can’t print money or raise taxes, and thus need to look out for their long-term sustainability.”
Security Minister Tom Tugendhat said that the UK would evaluate the report’s findings and apply the learnings it offered.
“Putin’s illegal war isn’t just being fought on the ground. Ukraine’s protectors are also defending their country against unprecedented cyber attacks on a digital battlefield,” he said.
“This report has shone an important spotlight on a different kind of hostility which the Ukrainians have responded to with exceptional resilience and determination.”
Inside Russia’s cyber capability
Russia is long known for its active role in carrying out offensive operations in cyber space.
But the GRU has been operating at a vastly higher operational tempo since the beginning of the invasion and one “that is much higher than anything previously seen,” the report noted.
Previously seen as a reckless force in cyber space, Russia has afforded the GRU more responsibilities in recent years and some believe it is fraught with in-fighting despite its perceived importance.
Experts believe that the GRU is, at times, trying to prove its worth with the high volume of attacks, and that it ‘has a point to prove’ to the Russian regime to show it can be trusted as a professional and measured unit in cyber operations.
Workshop attendees with insights on the matter said there are different units within the GRU and that while some are disciplined and well-drilled, others operate without a truly professional framework.
“Participants agreed that in terms of targeting decisions for cyber operations, nothing seems to be off limits for the GRU, “ the report read. “The GRU is not concerned with international humanitarian law (IHL) or other international law; rather, GRU targeting is driven by leadership demands.
“Participants generally agreed that if asked to do so, the GRU would not hesitate to target a non-governattendeesmental organization (NGO) or even a hospital in a cyber operation. However, some noted that the GRU may avoid such targets because of fears of possible escalation with NATO.”
Russia’s combination of cyber attacks and kinetic operations has been a hallmark of the war, but the experts disagreed with the idea that the two have been coordinated strategically throughout the conflict.
The use of HermeticWiper at the start of the invasion was almost certainly timed strategically, but other attacks, like wipers used against utility companies as Ukrainian counteroffensives ramped up, led to split analyses.
Some said these attacks made use of intrusions that were achieved months earlier, suggesting Russia held off exploiting them for a strategic advantage.
Others disagreed, saying that the attacks seemed more opportunistic, but used strategically.
The overall conclusion was that wiper use is expected to continue, but we may never truly understand how strategic Russia’s cyber attacks in the war have been, or will be in the future.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.