In 2023 Russia has stepped up its espionage attacks, targeting organizations in at least 17 European nations, mostly government agencies. Wiper malware attacks continue in Ukraine. The Russian hybrid offensive has also included sophisticated influence operations, including some aimed at Ukrainian refugees, writes Clint Watts, general manager of Microsoft’s Threat Analysis Centre, in presenting a cyber threats report.
“Since the start of the war, Russia has deployed at least nine new wiper families and two types of ransomware against more than 100 government and private sector Ukrainian organizations. Strong cyber defense partnerships between the public and private sector, and Ukrainian preparedness and resilience, have successfully defended against most of these attacks, but Russian activity continues.”
A new form of ransomware, called “Sullivan”, has been deployed against Ukrainian targets, in addition to the “Prestige” ransomware Russia deployed in Ukraine and Poland in October. “Our analysis suggests that Russia will continue to conduct espionage attacks against Ukraine and Ukraine’s partners, and destructive attacks within and potentially outside Ukraine as was done with Prestige”, Watts writes.
“The Russian hybrid offensive has also included sophisticated influence operations. For example, Moscow’s propaganda machine has recently taken aim at Ukrainian refugee populations across Europe, trying to convince them that they could be deported and conscripted into the Ukrainian military.”
“Russia-aligned influence operations have also recently heightened tensions in Moldova. Russian media promoted protests supported by a pro-Russia political party encouraging citizens to demand the government pay for winter energy bills. Another Russia-aligned campaign called “Moldova Leaks” published alleged leaks from Moldovan politicians, just one of a number of hack-and-leak operations aimed at sowing distrust between European citizens and their governments.”
The report identifies several other broad trends:
- Moscow’s hybrid war in Ukraine has not gone to plan. Robust engagement by Ukrainian and international network defenders and a Ukrainian population hardened against Russian propaganda efforts have denied the Kremlin the quick victory it expected.
- Russian cyberthreat activity has adjusted its targeting and techniques, expanding its access in support of intelligence gathering on Ukraine and on supporting nations’ civilian and military assets, and prepositioning for destructive attacks in Ukraine and possibly beyond.
- The development of new forms of ransomware is one example of this. Others include using social media to market backdoored, pirated software to Ukrainian audiences, which then provides initial access to organizations, and spearphishing campaigns targeting vulnerable on-premises servers in government, IT and disaster response organizations in Europe.
- There are no geographical boundaries off limits to attempted Russian attacks. Cyberthreat actors with known or suspected ties to Russia’s intelligence services have attempted to gain initial access to government and defense-related organizations not only in Central and Eastern Europe but also in the Americas.