Russian threat actors have intensified their war-related espionage efforts as the conflict in Ukraine enters its second year. These actions are part of a larger strategy employed by Russia, which combines cyber warfare tactics, influence operations, and military force in an attempt to overpower Ukrainian defenses.
While previous propaganda campaigns backed by Russia had limited impact, state-affiliated cyber and influence actors from Russia remain undeterred. They continue to search for alternative strategies within and outside of Ukraine. Microsoft Threat Intelligence analysts have identified indications of Russian threat activity against organizations in at least 17 European countries, with several intrusions targeting the government sector within the first six weeks of this year alone.
To effectively defend against authoritarian aggression in the digital space, security leaders can learn both from how Russian state operations have played out and from Ukraine’s resilience in the face of them. By examining these lessons, a comprehensive playbook for defense can be created.
Throughout the duration of the hybrid war, Moscow has heavily relied on cyber weapons and influence operations to gain access to desired targets. The methods employed by Russian threat actors encompass a wide range of attack vectors, but three significant trends have emerged during the conflict.
The first trend involves the use of diverse means to gain initial access. Russian threat actors have employed various tactics, including exploiting Internet-facing applications, backdoored pirated software, and spear-phishing. For instance, a group known as Seashell Blizzard has backdoored pirated versions of Microsoft Office to infiltrate targeted organizations in Ukraine. This same actor has also uploaded a weaponized version of Windows 10 to Ukrainian forums, exploiting the demand for low-cost software to gain access to government and sensitive organizations.
Another tactic employed by Russian threat actors is the abuse of technical trust relationships. They target IT providers to gain access to more sensitive targets downstream without triggering immediate alerts. Hacker groups Forest Blizzard and Secret Blizzard have both attempted to access an IT provider in Poland that serves sensitive sectors. Additionally, Midnight Blizzard, previously known as Nobelium and responsible for the SolarWinds intrusion, regularly tries to compromise cloud solutions and managed services providers used by diplomatic organizations and foreign policy think tanks.
The second trend involves the weaponization of “fact-checking” to spread narratives aligned with the Kremlin’s agenda. Russian influence actors often try to gain credibility by using the language and techniques associated with fact-checking to propagate false claims. They may pose as fact-checking entities on social media platforms and spread disinformation to undermine Ukrainian reports of Russian attacks on civilian and critical infrastructure.
Lastly, pro-Russian actors have consistently spread leaked information to target political opponents, especially those supportive of Kyiv. Hack-and-leak operations have become increasingly prevalent during the war. These operations can be more effective than other types of influence campaigns because leaked information is often difficult to authenticate or debunk, making it a powerful tool to amplify existing divisions and tensions by allegedly exposing sensitive information.
Despite Russia’s destructive cyberattacks and influence operations, these efforts have not yet managed to deter Ukrainian resistance or weaken foreign support for Ukraine. However, there are several indicators that can be monitored to detect Russian escalation in the digital space. By staying vigilant and keeping up with emerging threat intelligence, security leaders can enhance preparedness and effectively defend against similar attack vectors in the future.
In conclusion, the war in Ukraine has seen an expansion in Russian threat actors’ war-related espionage efforts, utilizing cyber weapons, influence operations, and military force. Their tactics include diverse means of gaining initial access, weaponizing “fact-checking,” and spreading leaked information. Security leaders can learn from these trends and develop a comprehensive defense playbook to counter authoritarian aggression in the digital space. While Russian operations have not yet achieved their desired outcomes, continuous monitoring and analysis of emerging threats can help ensure enhanced preparedness and resilience moving forward.