Statement by Christian Have, CTO, LogPoint
The discovery of destructive malware in Ukraine is an obvious sign of the escalation of the conflict in cyberspace.
The most recent attacks targeted government servers and took websites offline. This was a psychological game intended to unsettle and frighten the Ukrainian population. Ransomware-like malware that erases hard drives and offers no recovery option is a new category. However, according to previous reports, it has not been destructive for critical infrastructure or the country’s defense capability.
Equating these activities with cyberwar or advanced attacks is foolish. No government services were interrupted, and communication with the public continued through other channels, mainly the government’s Facebook pages. Even if these attacks have news value, they are only a temporary nuisance. From the Russian point of view, this is a relatively inexpensive measure that causes little damage and would not provoke a harsh reaction. Nevertheless, it sends a clear signal about Russia’s cyber capabilities, performs well in the headlines – and possibly exerts pressure to reach a new agreement in the ongoing political talks.
One fear is that the attacks we’ve seen recently may be obscuring something else, such as collecting login credentials in preparation for a later, larger attack. For example, the attacker could have harvested login data and then defaced or deactivated the website once the operational goal was achieved. This tactic has already been used by Belarusian threat actors suspected of involvement in the attacks in Ukraine. They have previously used credential-harvesting domains to spoof legitimate webmail providers, generic login pages, and the legitimate websites of their targets.
While the origin of the attacks has not yet been clarified, Russian cyber capabilities are well established, especially under the umbrella of the Russian Foreign Intelligence Service (Sluzhba vneshney razvedki, SVR), with notable APT campaigns such as APT29, Cozy Bear and the Dukes. We know that the Russian Federal Security Service (FSB) has expanded its remit to include foreign intelligence operations and offensive cyber operations, with at least one well-known FSB team focused on penetrating energy-sector networks.