Jump to content

2024 Ukrainian cyberattacks against Russia

From Wikipedia, the free encyclopedia

In 2024, cyber-specialists working as part of the Main Directorate of Intelligence of the Ministry of Defence of Ukraine (HUR) and the Security Service of Ukraine (SBU) initiated several cyberattacks on Russian technology and infrastructure, including attacks on Russia's banking sector, Russian internet providers, regional and municipal administration web resources, Russian airports, several Russian state institutions, and private companies. The operations were conducted as means to impede Russian military operations and uncover classified documents that could be taken into account by the Armed Forces of Ukraine during the Russian invasion of Ukraine, as well as to destabilize Russia's institutions. Cyberattacks began to intensify in scope in June and July 2024.[1][2]

Background

[edit]

Russian–Ukrainian cyberwarfare is a component of the confrontation between Russia and Ukraine since the Revolution of Dignity in 2013-2014. Russian cyberweapon Uroburos had been around since 2005.[3] However, the first attacks on information systems of private enterprises and state institutions of Ukraine were recorded during mass protests in 2013. In 2013, Operation Armageddon, a Russian campaign of systematic cyber espionage on the information systems of government agencies, law enforcement, and defense agencies, began, thought to help Russia on the battlefield.[4] Between 2013 and 2014, some information systems of Ukrainian government agencies were affected by a computer virus known as Snake / Uroborus / Turla.[4] In February–March 2014, as Russian troops entered Crimea communication centers were raided and Ukraine's fibre optic cables were tampered with, cutting connection between the peninsula and mainland Ukraine. Additionally Ukrainian Government websites, news and social media were shut down or targeted in DDoS attacks, while cell phones of many Ukrainian parliamentarians were hacked or jammed.[4][5] Ukrainian experts also stated the beginning of a cyberwar with Russia.[6]

Cybersecurity companies began to register an increase in the number of cyberattacks on information systems in Ukraine. The victims of Russian cyberattacks were government agencies of Ukraine, the EU, the United States, defense agencies, international and regional defense and political organizations, think tanks, the media, and dissidents.[4] As of 2015, researchers had identified two groups of Russian hackers who have been active in the Russian-Ukrainian cyber war: the so-called APT29 (also known as Cozy Bear, Cozy Duke) and APT28 (also known as Sofacy Group, Tsar Team, Pawn Storm, Fancy Bear).[4]

Attacks

[edit]

January

[edit]

In mid-January, the Ukrainian HUR reported that volunteer BO Team hackers employed by the ministry deleted 280 servers and 2 petabytes of data from Planet, a state space hydrometeorology research center in the Far East that aided the Russian military and fifty other state agencies with gathering and analyzing satellite imaging and data. According to HUR, the cyberattack cost Russia approximately US$10 million in damages, which included a destroyed supercomputer and its software, together costing US$350,000 with Western sanctions greatly complicating its replacement. The attack also impacted warehouses and the center building of the research center, including its humidification, air conditioning, servers, and emergency power supply. Further attacks on a Russian Arctic station on Bolshevik Island "completely cut off" its connection with Russian networks.[7]

February

[edit]

On February 4, HUR's official Telegram channel reported that they accessed an electronic document management system called "bureaucrats", and exposed detailed information about high-ranking Russian military personnel and specialists. The ministry also said that they found a wide array of classified documents, specifically mentioning documents belonging to Russian Deputy Defense Minister Timur Ivanov. The hack resulted in the HUR recovering sensitive information that included Russian army orders, reports, and instructions that were circulating among over 2,000 military units within Russia's defense ministry that could be analyzed by the Armed Forces of Ukraine. The hackers sarcastically thanked Russian Defense Minister Sergei Shoigu's inadvertent role in facilitating the cyberattack's success.[8]

HUR hackers were also able to target Russian military software used to modify commercial DJI drones for military applications, shutting down servers responsible for Russia's "friend or foe" identification system, preventing troops from accessing the server for drone operations. The cyberattack also prevented troops from configuring control panels, transmitting video feeds to command posts, and operating drones using computer interfaces, forcibly grounding several drone fleets and halting operations.[9]

April

[edit]

In April, the HUR cooperated with the BO Team hacker group to target Interregional TransitTelecom (MTT), a subsidiary of MTS, one of Russia's largest telecom companies, after gaining comprehensive access to MTT's network equipment. The HUR reported that the attack destroyed critical software and configuration files, leading to severe internet disruptions throughout Russia that affected major cities such as Moscow and St. Petersburg, requiring workers to physically access and re-connect equipment to fix the outages.[10]

Attacks on communication company Moskollector by the SBU shut down 87,000 alarm sensors used for sewage monitoring and control throughout the Moscow metropolitan area, destroying "70 servers and at least 90 terabytes of company data, emails, backup copies and contracts" in the process.[11]

June

[edit]

In early June, HUR cyber operatives conducted a widespread attack on various Russian government websites, including those of key ministries such as the ministries of Justice, Defense, Information Technology and Communications, Finance, Internal Affairs, Industry and Energy, and Emergency Situations.[12] The disruptions extended to civilian services, with local reports indicating several wedding cancellations due to system outages. Attacks on the United Aircraft Company (UAC), Russia's primary advanced aircraft manufacturer, impacted its operations and caused its website to be rendered inaccessible for an extended period. HUR reported that its primary method of cyberattack was by using distributed denial-of-service (DDoS) attacks.[13][14]

On June 12, coinciding with Russia Day, Ukrainian hackers targeted the online systems of multiple Russian airports, causing flight disruptions.[12] Targeted airports included Yuzhno-Sakhalinsk's airport, Moscow Domodedovo Airport, and Saratov's Gagarin Airport, delaying flights mainly destined for Sochi, Bodrum, and Moscow. The attack also forced airplanes to divert to Samara and Ulyanovsk. Prior to the attack, cyber-specialists accessed the official website server of the Stavropol Region's State Duma, adding a banner containing the phrase "Hold on, we will liberate you!" and depicted Red Square bearing Ukrainian flags, shortly before targeting the airports.[15]

Shortly after on June 14, the HUR cooperated with the BO Team hacker group to attack Russian municipal web resources, primarily targeting the Ulyanovsk regional administration's digital infrastructure. The attack resulted in considerable damage to the administration's IT systems, where two hypervisors and communication devices were reportedly disabled, while ten virtual machines and one personal computer were destroyed. Additionally, the operation led to the erasure of approximately 20 terabytes of data. Prior to the main assault, the hackers engaged in a phishing campaign that targeted other local government bodies, courts, and members of the public.[16]

As part of the operation, the attackers published a fabricated order on the Ulyanovsk administration's website. This false directive, attributed to Mayor A.E. Boldakin, called for public demonstrations. The infiltration also provided the BO Team access to sensitive documents, including reports on military recruitment practices. These documents reportedly referred to Ulyanovsk residents reported for "bypassing of candidates for military service" as "targeted individuals".[16]

On June 26, Russian-occupied Crimea's largest internet providers were targeted by intense cyberattacks.[12]

July

[edit]

In July 2024, Ukrainian intelligence services reportedly launched a major cyberattack against several Russian technology-based sectors. The attacks started on July 15, when HUR cyber-specialists worked with a community of hackers to target roughly one hundred Russian web resources to erase their internal data, picked based on their involvement with Russian agencies involved with Russia's invasion of Ukraine.[2] Affected webpages were shut down and replaced with a picture of a bloody, decapitated pig head colored with Russia's flag next to an axe bearing the flag of Ukraine, with the phrase "404 Russia not found" listed.[17]

A larger operation was initiated on July 23 by the Main Intelligence Directorate of Ukraine's Ministry of Defense, which targeted financial institutions it stated were involved in funding military activities against Ukraine. By July 27, the attack's impact became severe and widespread. Customers of several major Russian banks were unable to withdraw cash from ATMs, with credit and debit cards being blocked upon use. The cyberattack affected various aspects of Russia's virtual banking infrastructure, which included freezing of payment systems and mobile banking applications, banking portal outages, and breaches into the databases of several major banks which included Dom.RF, Alfa-Bank, Raiffeisen Bank, VTB Bank, Rosbank, Gazprombank, RSHB Bank, Sberbank, iBank, and Tinkoff Bank. The attacks also targeted public transportation systems, popular Russian social networks and internet platforms, and caused service interruptions for multiple large Russian telecom and internet providers including MegaFon, Tele2, Beeline, and Rostelecom.[1][2][18]

A source from the Ukrainian intelligence stated that the attack was "gaining momentum" and implied escalations in attacks.[1][2]

Russia acknowledged the cyberattacks as being initiated by "politically motivated hackers".[2]

See also

[edit]

References

[edit]
  1. ^ a b c Dirac, Jeremy (2024-07-27). "Ukraine Hacks ATMs Across Russia in Ongoing Massive Cyberattack". Kyiv Post. Retrieved 2024-07-27.
  2. ^ a b c d e Zakharchenko, Kateryna (2024-07-24). "HUR Hackers Shut Down Russian Banks and Internet Providers". Kyiv Post. Retrieved 2024-07-27.
  3. ^ "Invisible Russian cyberweapon stalked US and Ukraine since 2005, new research reveals". CSO. 10 March 2014. Archived from the original on 2022-01-18. Retrieved 2022-01-17.
  4. ^ a b c d e Jen Weedon, FireEye (2015). "Beyond 'Cyber War': Russia's Use of Strategic Cyber Espionage and Information Operations in Ukraine". In Kenneth Geers (ed.). Cyber War in Perspective: Russian Aggression against Ukraine. Tallinn: NATO CCD COE Publications. ISBN 978-9949-9544-5-2. Archived from the original on 2016-08-16. Retrieved 2016-05-10.
  5. ^ Gertz, Bill. "Inside the Ring: Cybercom's Michael Rogers confirms Russia conducted cyberattacks against Ukraine". The Washington Times. Archived from the original on 2021-06-02. Retrieved 2020-07-21.
  6. ^ "Russian Electronic Warfare in Ukraine: Between Real and Imaginable - Jamestown". Jamestown. Archived from the original on 2017-05-26. Retrieved 2017-05-27.
  7. ^ Struck, Julia (2024-01-24). "HUR Reports Cyberattack on Russian State Satellite Data Processing Center". Kyiv Post. Retrieved 2024-07-28.
  8. ^ "HUR Hacks Russian Defense Ministry, Gets Access to Classified Documents". Kyiv Post. 2024-03-04. Retrieved 2024-07-28.
  9. ^ "HUR Initiates Cyberattack on Russian Drone Control Programs". Kyiv Post. 2024-02-08. Retrieved 2024-07-28.
  10. ^ "Ukrainian Hackers Launch Cyberattacks on Subsidiary of Major Russian Telecom". Kyiv Post. 2024-04-28. Retrieved 2024-07-27.
  11. ^ "Ukrainian Hackers Launch Cyberattacks on Moscow Sewage System". Kyiv Post. 2024-04-10. Retrieved 2024-07-27.
  12. ^ a b c Zakharchenko, Kateryna (2024-06-26). "HUR Cyberattack Hits Russian Internet Providers in Occupied Crimea". Kyiv Post. Retrieved 2024-07-27.
  13. ^ "Ukrainian Intelligence Behind Hacks on Russian Companies, Institutions". Kyiv Post. 2024-06-05. Retrieved 2024-07-27.
  14. ^ Mukhina, Olena (2024-06-27). "HUR hackers attack Russian internet providers in occupied Crimea". Euromaidan Press. Retrieved 2024-07-28.
  15. ^ Zakharchenko, Kateryna; Dolomanzhy, Karina (2024-06-12). "HUR Hackers Score Cyber-Hit on Russian Airports, Cause Flight Delays". Kyiv Post. Retrieved 2024-07-27.
  16. ^ a b Zakharchenko, Kateryna; Dolomanzhy, Karina (2024-06-14). "HUR Hacks into Russia's Ulyanovsk City Administration's Website". Kyiv Post. Retrieved 2024-07-27.
  17. ^ "Ukrainian intelligence 'hacks Russian websites, replaces homepages with pig head pictures'". The Kyiv Independent. 2024-07-16. Retrieved 2024-07-28.
  18. ^ "Ukraine targets major Russian banks in cyberattack". tvpworld.com (in Polish). Retrieved 2024-07-28.