Russia’s War Against Ukraine Driving Evolution of Cyber Warfare

(Source: Wikimedia Commons, compiled by the Jamestown Foundation)

Executive Summary:

  • The war in Ukraine is leading both Moscow and Kyiv to engage in increased cyberattacks that are destructive to both infrastructure and civilian lives, from meddling with energy networks to manipulating people into committing violent acts.
  • Ukraine has conducted a large-scale call center fraud operation targeting Russia, particularly older and more gullible Russian citizens, which is forcing the Russian state to increase surveillance on communication networks. 
  • Over two years of fighting has increasingly blurred the lines between state and non-state cyber actors, creating a working relationship between criminal hacking groups and official intelligence organizations.

The war in Ukraine is being fought not only in trenches but increasingly in cyberspace. State-sponsored hackers and hacktivist groups are actively fighting on both sides of the conflict. The lines between the two groups can often blur. Some members of state security agencies are taking advantage of this opportunity to moonlight as members of loosely knit hacktivist networks, and cyber actors are coordinating their activities over the Internet. One example of this phenomenon is Ukraine’s Information Technology (IT) Army. Within three days of Russia’s invasion, Ukrainian Minister of Digital Transformation Mykhailo Fedorov called for the creation of a volunteer IT army that would coordinate activities over Telegram against Russian targets (2Plus2, February 29). The IT Army allows any volunteer to join and distributes free tools for conducting cyberattacks over the Internet. The group has had some success performing distributed denial-of-service attacks against Russian companies and infrastructure. Members have been using tens of thousands of network devices to overwhelm target Internet infrastructure with connection requests, most recently leading to interruptions in service for Mir, Russia’s national payment system (Habr, June 20). The increased use of cyber warfare and collaboration between state entities and hacktivist networks points to a changing landscape of warfare that will soon be difficult for international security networks to control.

In parallel with the growing ties between state and non-state hackers, cyberattacks are becoming more frequent and more destructive. Russia demonstrated a willingness to engage in destructive cyberattacks as relations between the two countries soured in the 2010s, most infamously targeting the Ukrainian power grid in the winter of 2015 (Epravda.com.ua, January 6, 2016).

The war has also increased the use of malware capable of destroying data, often deployed against civilian infrastructure. In December 2023, Kyivstar, Ukraine’s largest telecommunications company, was targeted with such malware in an attack likely performed by Russian state-sponsored hackers. The attack led to mass interruptions in both telephone and Internet services that took weeks to remediate (Kommersant, December 14, 2023). Vast quantities of data were destroyed in the attack, which Kyivstar described as “catastrophic.” 

The Ukrainian side responded in kind. In April, a group called “Ukrainian Blackjack,” which the Ukrainian press has linked to the country’s security services, responded to the Kyivstar attacks. The group targeted servers in a Russian data center used by several leading Russian companies and defense conglomerates, destroying 300 terabytes of data (Nv.ua, April 8). Ukrainian hackers have also aggressively targeted any public figures in Russia linked to the war effort, succeeding in breaching the emails of leading Russian politicians and high-ranking military officers. These have included high-ranking Duma member and Putin confidant Alexander Babakov and Semyon Bagdasarov, a policymaker focusing on Russia’s relations with Central Asia and the Middle East. Bagdasarov’s leaked emails detailed plans to work with Iran on sanctions avoidance (Telegraf, April 5, 2023). Another hacking group, KibOrg, has received notice for stealing vast amounts of client data from Russian companies, including auto insurers and Alfa Bank, often leaking the data to the general public (Vazhnyie Istorii, June 4). 

The increasing use of cyberattacks has been mirrored by an increase in cybercrime emanating from Ukraine and targeting Russian citizens. Large-scale call centers now operate in Ukraine, conducting continuous fraud calls against Russian subscribers to trick them into transferring money or personal information (RIA Novosti, August 8, 2023). In one particularly attention-grabbing attack in the summer of 2022, Ukrainian fraudsters reportedly convinced a Russian pensioner to set a car belonging to the deputy chief of the Russian General Staff on fire. Other older Russians have been convinced to throw Molotov cocktails at Russian military recruitment centers (Media.zona, April 27, 2023).

Sberbank, Russia’s state-owned bank, investigated one call center that was seized when Russian forces entered the Ukrainian city of Berdyansk in April 2022. The call center was located directly across from an office belonging to the Ukrainian Security Service, employed 300 people, and had the personal information of over 20 million Russian citizens in its databases (Sberbank, accessed July 2). Even if only a few fraudulent calls are successful, the scale and profits earned have been impressive. Sberbank estimates that up to 3,000 such centers exist in Ukraine, generating between $1.5 billion and $2 billion in annual revenue.

The lax policies of Russian law enforcement toward the country’s cybercriminal underground created a thriving environment for Ukrainian fraudsters. These fraudsters have been able to sell access to Russian government databases containing personal information and perform cryptocurrency transactions to move the money out of Russia. The activity led to a crackdown on Russian law enforcement suspected of selling such information to illicit actors. The Russian Minister of Internal Affairs announced a comprehensive investigation to identify members of the security services who had sold data underground (TASS, April 19, 2023). 

The scale of Ukrainian cybercrime has provided Moscow with additional justification to bolster its internal communications surveillance systems, under the auspices of detecting fraudulent phone calls. Russia’s communications authority, Roskomnadzor, received 1.54 billion rubles ($17.6 million) to create a national monitoring system (Cnews, August 31, 2022). The phenomenon is also being used as an excuse to rush the integration of the occupied regions of Ukraine into Russia’s telecommunications systems and SORM, the communications surveillance system (Radio Svoboda, August 10, 2023).  

These trends pose long-term challenges for international security. Ukraine’s wartime tolerance of cybercrime targeting Russia may be difficult to dismantle in a postwar scenario, especially given the value of such expertise in the region’s cybercriminal underground. These attacks highlight the increasingly blurred lines between state cybersecurity structures and hackers, particularly in wartime situations where the need for expertise outweighs the risks of collaborating with non-state entities. The war is likely a precursor to the future of 21st-century warfare, as interstate conflict opens up new avenues for cyberattacks that can target both military and civilian infrastructure.