The real story behind Russia-Ukraine cyber wars
“Russian president is likely to use cyber attacks as a form of retaliation against our country for its action to counter Russias incursion in Ukraine.”
– President of USA, Joe Biden at Business Roundtable quarterly meeting, March 2022
“In March 2022, hackers associated with Russian IP addresses have been scanning the network of 5 US energy companies and 18 US companies in other sectors like defence and financial services, hunting for zero day( still undiscovered ) vulnerabilities to execute disruptive and destructive cyber activity. “
“We will unleash full wrath of world hackers, key components of your Government (Russian)would be hijacked. Websites of Duma ,Ministry of Defence, State control tv R.com and of Russian stock exchange have already been taken down.”
– Hacker collective, the Anonymous, sympathetic to Ukraine, March 2022
Welcome to the scary world of new age hybrid warfare where cyber attacks are sine-qua-non to any military exercise.
Ever wondered what following hacker groups have in common?
-FancyBear, SandWorm, Conti,Turla; all Russian and allegedly responsible for hacking Presidential elections in Ukraine and launching ‘NotPetya’ attacks causing mayhem on critical infrastructure of Ukraine.
– Groups like Bureau 121, The Lazarus group owing allegiance to North Korea and allegedly responsible for 2016 Bangladesh National Bank cyber heist of more than USD 90 million, launching WannaCry worldwide ransomware attacks (for more information on WannaCry ransomware attacks kindly refer to the author‘s column dated February 24 2022), hack on Sony pictures in November 2014 for allegedly mocking supreme leader of North Korea wherein Lazarus hacker Park Jin Hyok was held responsible and put on FBI wanted list, though North Korea denies his existence.
– Hacker groups IRGC(Islamic Revolutionary Guard Corps),owing allegiance to Iran and infamous for iconic cyber attacks against Aramco oil refinery in Saudi Arabia rendering more than 30,000 computers useless.
– MI5, MI6, GCHQ(Government communication headquarter) of UK, capable of tapping data flowing through underground sea cables i.e. approximately 25% of global data.
– Unit 8200 of Israel allegedly launched world‘s most sophisticated cyber-attack Stuxnet to stymie Iran‘s nuclear ambitions.
– PLA unit 61486, APT 31, APT 41, StonePanda, RedEcho groups affiliated to China and as per report in New York Times, allegedly responsible for sensational power outage in Mumbai, a city of 20 million people, wherein trains were shut down and stock market closed, while hospitals had to switch to emergency power to keep ventilators running amid Covid outbreak. This happened while Chinese and Indian troops clashed in remote Galwan Valley, bashing each other to death with clubs and rocks.
The common thread running through all the aforesaid hacker groups is that they are all allegedly ‘elite nation state actors’ : Hacker collectives churning out bespoke malware to attack critical infrastructure of adversary states. With the support of nation states, they launched cyber attacks with incredible sophistication to emaciate critical infrastructure like power plants, banking systems, nuclear plants, transportation systems of inimical regimes in order to ‘soften’ them before launching an all-out physical military campaign on the ground. They have also earned the moniker ‘Advanced Persistent Threat (APT) actors.
Operation Olympic games
It was early 2010, the furrows on the brows of Israeli authorities and NSA officials of USA had deepened. Iran was behaving like a rogue state, it was rapidly developing nuclear offensive capabilities, masquerading them as civil nuclear energy facilities. It had stopped cooperating with International Atomic Energy Agency, IAEA and closed its nuclear fuel enrichment plants to inspection.
Israel knew a nuclearised Iran would tilt the balance of power in the region and the very existence of tiny Jew state would be jeoparadised. Full-scale preparations had begun to modify missiles and bomb Iran’s nuclear facilities. This could have spawned a massive war culminating into major loss of life. In spite of such massive risks, Israel knew that Iran has to be stopped for the sake of its own survival.
Just in the nick of time, a Eureka moment dawned, when allegedly the technology advisor to Israel prime minister, in consultation with the chief scientist in NSA instead decided to launch operation Olympic games.
An operation to design and deploy the world’s most sophisticated cyber weapon called Stuxnet(name derived from keywords in its code), without firing a bullet. Stuxnet discovered by scientist Serjey Ulasen and its propagation studied first by cyber security firm ‘VirusBlockAda’, was the most sophisticated piece of malware ever discovered and its effects ingenious and terrifying. It opened the Pandora’s box of the state actors’ executed cyber warfare.
Stuxnet sabotaged Uranium nuclear fuel enrichment facility in Netanz, Iran, which was highly fortified and airgapped ,i.e. not connected to internet.
The chief Nuclear Physicist of Pakistan, Dr AQ Khan, had sold the centrifuges for enrichment of uranium to Iran and their operation was studied meticulously by researchers in Mosad and NSA. Accordingly, bespoke Stuxnet was curated. It is speculated that external contractors, overcame the air-gapping by introducing Stuxnet via USB flash drive in Siemens’ Programmable Logic Controllers PLCs, which are small computers that control industrial automation in practically all sectors including airlines, power plants, water purification plants, nuclear plants etc.
Cyber sabotage of PLCs can bring a whole nation down to its knees. This was the beginning of hybrid warfare and launch of the state of the art digital weapon, equipped with immense speed, precision and agility, sans any ground troops. Incredibly, in just a few minutes, zombie centrifuges started to spin at supersonic speeds, tearing themselves apart. Stuxnet’s baptism by fire, ensured for the first time, irreversible physical damage due to a cyber weapon leading to complete derailment of Iran‘s nuclear programme.
Stuxnet proved to be Iran‘s nightmare, which gave a death blow and was the sole reason why Iran, till date, could not become an acclaimed nuclear weapon state.
The story behind Russia Ukraine cyber wars
-In 2014, Russia annexed Crimea, which was part of erstwhile Ukraine. It was followed by Russia backed insurgency in Eastern Ukraine, which has resulted in more than 20,000 deaths till date. The year marked the beginning of full blown cyber-war between Russia and Ukraine, continuing till today when Ukraine has become the epicentre of full-scale Russian invasion.
– In 2014, it is reported that Russian state hackers attacked the Ukrainian Central Election Commission computer systems to rig the Presidential elections. The Election Commission’s compromised computer systems prior to recovery, displayed landslide victory to Ultra – Nationalist – Right winger, Mr Yarrosh, showing that he secured 37% votes, though in reality he got just 1%. The Russian channel 1 bulletin was quick to declare Yarrosh victorious by exactly the same numbers. Significantly, the hacked election results were foiled and Moderate candidate with 79% vote share was finally declared victorious.
– Winter was in its full fury in December 2015, it was difficult to survive without warmth induced by air-conditioners in subzero conditions on the eve of Christmas in Kiev, the capital city of Ukraine. It is speculated that APT state collective SandWorm introduced malware BlackEnergy in the computer systems of power plants in Kiev. Lo and behold, militaristic use of cyber-weapon BlackEnergy started remotely switching of the substations, plunging large parts of Kiev into wintry, eerie darkness. 2.3 lac Ukrainians faced extreme chill for six hours and over 30 of them succumbed .
It was established that SandWorm conducted attacks from computers with IP addresses originating from Russia in such a brazen way that the IP address were not even masked. KillDisk, a secondary malware wiped off the entire data including the list of clients and their outstanding payments. It is pertinent to note that September 12, 2020, power outage in Mumbai also had all the tell-tale signs of cyber sabotage and the 14 Trojan Horses or hidden malware discovered during an official enquiry revealed that they belonged to the same family of malware as BlackEnergy, which caused the Ukrainian power outage.
– Another power plant cyber sabotage occurred in Kiev in December 2016, when another malware ‘Industroyer’, ensured 20% of Kiev faced blackout for over six hours.
– Another litany of powerful cyber attacks swamped Ukraine in June 2017. An incarnation of ‘Petya’ ransomware, which was renamed as ‘NotPetya’ afflicted computer systems of wide spectrum of Ukraine organisation, banks, defence ministry, leading newspapers, electricity firms, health services et cetera.
NotPetya utilised ‘eternal blue’ exploit in Microsoft Windows operating system and multiplied exponentially causing widespread mayhem by encrypting data and large computer files were entirely wiped off.
Consequently, Radiation monitoring station at Chernobyl nuclear plant went off-line. Similarly, International Airport, Railways and Central Bank were all massively crippled. It was indeed a full-fledged, well planned and surgically executed multi-theatre hybrid war launched to cause atrophy in defence capabilities of Ukraine.
Corporations like Vodafone, Kyivstar, Kyiv Metro, Maersk, WPP, FedEx, Saint Gobain had to shut down operations. As an illustration, owing to shut down of Maersk, one of the biggest shipping companies of the world, thousands of ships with millions of containers were left stranded in the high seas.
The ‘NotPetya’ attacks allegedly caused catastrophic loss of USD 10 billion to the economy with losses of USD384 million to Saint Gobain alone. A piquant observation vis-a-vis ‘NotPetya’ attacks,allegedly caused by APT FancyBear group was that they were masqueraded as ransomware attacks demanding ransom of paltry USD 300 in bitcoins, but in reality they infiltrated admin level protocols and totally wiped out data and crippled computers.
The origin of ‘NotPetya’ attacks is believed to be from compromised auto update system of highly popular tax accounting software ‘Medoc’. No sooner than a client updated the Medoc, NotPetya totally devastated the networked computers.
As a retaliation in March 2022, the vice prime minister of Ukraine declared the formation of Ukrainian IT army, with two lakh recruits with the aim to “stymie Russian propaganda, disinformation campaign and disrupt digital infrastructure of Russia”. This has spawned a full blown hybrid war. International hacker collective – the ‘Anonymous’ came in support of Ukrainian government against the tyrannical invasion and claimed to have launched a no-holds-barred cyber-attack on critical infrastructure of Russia.
No wonder, Moscow stock exchange website was down, Sberbank’s website was knocked off and even Conti hackers group’s, sympathetic to Russia, systems were hacked. As a counter attack, in March 2022, Ukrainian foreign affairs website was hacked and a scary message flashed on it, which read “Ukrainians be afraid and expect worse”. Just a week ago, FBI had declared four Russian hackers as wanted with reward of USD 10 million each, for targeting nuclear and electrical plans in 135 countries and attempting to cause physical damage by cyber weapons.
State actor cyber attacks are being preferred as they cost very little, are easier to carry out, provide deniability, laced with scarce diplomatic repercussions. Stuxnet attack proved pathbreaking and states quickly realised that cyber attacks can be utilised to achieve political, commercial and military goals.
However, the APT groups blur the distinction between criminal organisations and government authorities. The state cyber-actors are presently being deployed for:
– Espionage , culling out corporate secrets, technological advances and political intelligence.
– Attacking critical infrastructure to diminish defensive capabilities.
– Spreading disinformation to bring down credibility and influence public opinion.
– Testing capabilities of adversaries.
It is imperative that cyber security is acknowledged as prominent parameter of national security else the day is not far when cyber military weapons may derail trains,poison water supplies, cripple power grids or even set off nuclear missiles.
Facebook Twitter Linkedin Email
Views expressed above are the author’s own.