The military offensive that Russia has launched this week in Ukraine is preceded by a cyber war that has been active for months. Years, if you take into account that since the invasion of Crimea in 2014 the attacks on the systems of the former Soviet republic have never completely ceased. Silent battles are fought in the digital environment, without shots or deaths, but capable of leaving thousands of people without heating, as happened in Ukraine in 2015, of eliminating sensitive government data or of collapsing the computer systems of companies, such as was seen in 2017 with NotPetya. This computer virus, one of the most devastating in history, was originally launched in Ukraine to torpedo institutions in that country and ended up spreading throughout the world.
Cyber warfare is one of the components of the so-called hybrid wars. “It consists of a set of techniques that come to replace the conventional invasion by land. It is difficult to define what instruments we are talking about, but it includes everything from cyberattacks or disinformation to the use of immigrants as a weapon, as has been seen in Belarus,” describes Andrea G. Rodríguez, researcher in emerging technologies at Cidob (Barcelona Center for International Affairs).
Once tanks and missiles enter the scene, what happens on the internet becomes less important. But it can serve to support military actions. “Cyber attacks are part of Moscow's playbook. They used them in 2008 in Georgia, coinciding with the invasion, and in 2014 in Ukraine to attack energy and communication infrastructures”, Rodríguez points out.
On this occasion, the first warning came on January 14, when Microsoft detected a virus, WhisperGate, which infiltrated several government websites. A few days later, CrowdStrike, a Texas cybersecurity company specializing in threat intelligence, identified several attempts to sell data allegedly obtained in that attack. The modus operandi of the attack closely resembles that of Voodoo Bear, an organized group of hackers associated with the Russian secret services (FSB).
Last week there were also cyberattacks directed at the websites of the Ukrainian Ministry of Defense, the army and those of state banks. On Thursday, coinciding with the ground invasion by Russia, several Ukrainian government websites stopped working due to a denial of service attack that sought to deepen the sense of panic of a population that already fears for its life. Just yesterday, the cybersecurity firm CyberArk warned of the danger of Hermetic Wiper, the malware (malicious software) that erases all data from the system it infects, involved in cyberattacks aimed at Ukraine's infrastructure.
“We expect massive disinformation campaigns from both sides of the conflict, and we can be sure that attackers will take advantage of this opportunity to distribute other types of malware,” says Luis Corrons, a security analyst at antivirus firm Avast. “We can also foresee the possibility of digital weapons being used to attack physical infrastructures through the computers that control them, as happened with Stuxnet,” he adds.
Attacks of blurred authorship
The Western secret services have serious suspicions that some countries, such as Russia, China, North Korea or Iran, sponsor some of the main advanced persistent threats (APTs). We speak of suspicions because cyberspace is such an elusive environment that it is practically impossible to prove the authorship of a cyberattack with any guarantees. False flag attacks are frequent, in which some APTs pose as others or even as groups of hacktivists. Among the latter, Anonymous stands out, a heterogeneous and unorganized group of hackers who have already declared (cyber) war on Russia.
“Cyber warfare has a great advantage over other tools: if you launch a missile, it will be known where it came from and who built it. In the world of the internet, it is not like that: it is very complicated to know where the attacks come from or who is behind them,” says Corrons, from Avast. A computer can connect from Barcelona to a server located in Pakistan that passes through another in the Seychelles to send malicious software to Beijing. The trace of the attack dissolves like a drop in the sea.
“The APTs are tracked with clues provided by the intelligence services, sample correlations, particularities of the code, reuse of parts of it or study of the modus operandi,” explains the hacker and cybersecurity analyst Deepak Daswani. It is very difficult to attribute them, but even more so to locate their origin geographically. “The intelligence services of the countries may have information, but they will not show you their evidence and you have to believe it: they may also have an interest in misleading you,” adds Corrons.
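The “sample correlations” and “reuse of parts of the code” that Daswani mentions can be made concrete with a small analyst script. The following is an added illustration, not code from the article or from any of the firms quoted in it: each sample is reduced to a set of features (imported API names, embedded strings, named objects), pairs are compared with the Jaccard index, and samples whose overlap passes a threshold are grouped. The sample names and every feature value are constructed for the example; none are real indicators. Overlap of this kind is a correlation clue in the sense of the article, not proof of authorship, which is exactly why false flags that copy another group's code work.

```python
"""Correlate malware samples by shared code features (Jaccard index).

Added example; the feature sets below are constructed, not real IoCs.
"""
from itertools import combinations

# Constructed feature sets for hypothetical samples. In practice these
# would come from static analysis: import tables, string dumps, mutex
# names, PDB paths and similar "particularities of the code".
SAMPLES = {
    "sample-A": {"CryptEncrypt", "FindFirstFileW", "mutex:Global\\svc01",
                 "str:your files", "str:pay"},
    "sample-B": {"CryptEncrypt", "FindFirstFileW", "mutex:Global\\svc01",
                 "str:your files", "DeviceIoControl"},
    "sample-C": {"DeviceIoControl", "WriteFile", "str:\\\\.\\PhysicalDrive0",
                 "mutex:Global\\svc01"},
    "sample-D": {"InternetOpenA", "HttpSendRequestA", "str:/gate.php",
                 "str:user-agent"},
}


def jaccard(a: set, b: set) -> float:
    """Jaccard index |A ∩ B| / |A ∪ B|; 0.0 when both sets are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def pairwise_similarity(samples: dict) -> dict:
    """Return {(name1, name2): score} for every unordered pair of samples."""
    return {(x, y): jaccard(samples[x], samples[y])
            for x, y in combinations(sorted(samples), 2)}


def cluster(samples: dict, threshold: float = 0.4) -> list:
    """Group samples whose similarity meets the threshold (transitively).

    A simple union-find: if A~B and B~C both pass, A, B and C land in one
    cluster even when A and C alone would not. Returns sorted lists.
    """
    parent = {name: name for name in samples}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    for (x, y), score in pairwise_similarity(samples).items():
        if score >= threshold:
            parent[find(x)] = find(y)

    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(sorted(g) for g in groups.values())


def shared_features(samples: dict, x: str, y: str) -> list:
    """The concrete reused parts an analyst would cite when linking x and y."""
    return sorted(samples[x] & samples[y])


if __name__ == "__main__":
    for pair, score in pairwise_similarity(SAMPLES).items():
        print(f"{pair[0]} vs {pair[1]}: {score:.2f}")
    print("clusters at 0.4:", cluster(SAMPLES, 0.4))
    print("A/B share:", shared_features(SAMPLES, "sample-A", "sample-B"))
```

Lowering the threshold changes the picture: at 0.4 the wiper-like sample-C stands alone, while at 0.25 it joins the A/B group through the shared mutex name and `DeviceIoControl` import. That sensitivity is the practical caveat behind the quote: a correlation is a starting point for investigation, and the threshold and feature choice must be documented alongside any attribution claim.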
Another advantage of cyber warfare is that it can be masked as cybercrime: there are times when APTs themselves launch their attacks in the form of ransomware (malware whose operators demand a ransom to restore the data). This is what happened, for example, with NotPetya, the virus that attacked the systems of various Ukrainian government agencies in 2017 and later spread throughout the world. “Typically, ransomware maintains a cryptographic key with which to save infected systems in exchange for money. The bad guys infect you and then ask for a ransom. But in this case there was not,” says Adam Meyers, head of intelligence at CrowdStrike, who has been tracking the activity of some of the main Russian APTs for years.
Considered one of the most successful and costly cyberattacks in history, NotPetya is attributed to Voodoo Bear. This group has a long service record in Ukraine. “The activity has never stopped in recent years. Russia's cyberspace operations are part of a wide range of tools including influence, information and disinformation operations; military actions and diplomatic and financial pressures,” says Meyers.
Ukraine, the eternal target
In May 2014, a month after Russia annexed Crimea, the Voodoo Bear group torpedoed Ukrainian energy and transportation infrastructure. In the winter of 2015, malicious software shut down several power plants, leaving more than 80,000 people without power (and no option to keep warm). Ukraine accused Russia of being behind the attack. Moscow denied having anything to do with it.
Similar attacks followed the next two years, and in 2017 the ante was upped with the release of highly sophisticated malware. In addition to NotPetya, other viruses were detected, such as FakeCry or BadRabbit, aimed at sabotaging the country's communications networks. “With these attacks, it was the first time that we detected that they tried to impersonate someone else: an alleged group of hacktivists called FSociety, a name taken from the television series Mr Robot,” describes Meyers.
So far, no cyberattacks have been detected in the rest of Europe that intend to influence the Ukrainian scenario. “There is and will continue to be an increase in cyber warfare in Europe,” says Zac Warren, director of cybersecurity at the US firm Tanium. “Attacks like the one on Oiltanking Deutschland,” he says in reference to the German oil pipeline that was forced to interrupt its activity on February 3 after a cyber attack, “will continue to happen.” Although in this case it seems to be cybercrime: its motivation is purely economic.