Author Topic: Defending Ukraine: Early Lessons from the Cyber War  (Read 1055 times)

girder

  • Boffin
  • *****
  • Posts: 700
    • View Profile
Defending Ukraine: Early Lessons from the Cyber War
« on: June 23, 2022, 07:47:31 PM »
Defending Ukraine: Early Lessons from the Cyber War
Jun 22, 2022

Quote
This report offers five conclusions that come from the war’s first four months:

First, defense against a military invasion now requires for most countries the ability to disburse and distribute digital operations and data assets across borders and into other countries. Russia not surprisingly targeted Ukraine’s governmental data center in an early cruise missile attack, and other “on premise” servers similarly were vulnerable to attacks by conventional weapons. Russia also targeted its destructive “wiper” attacks at on-premises computer networks. But Ukraine’s government has successfully sustained its civil and military operations by acting quickly to disburse its digital infrastructure into the public cloud, where it has been hosted in data centers across Europe. 

...

Second, recent advances in cyber threat intelligence and end-point protection have helped Ukraine withstand a high percentage of destructive Russian cyberattacks. Because cyber activities are invisible to the naked eye, they are more difficult for journalists and even many military analysts to track. Microsoft has seen the Russian military launch multiple waves of destructive cyberattacks against 48 distinct Ukrainian agencies and enterprises. These have sought to penetrate network domains by initially comprising hundreds of computers and then spreading malware designed to destroy the software and data on thousands of others. 

Russian cyber tactics in the war have differed from those deployed in the NotPetya attack against Ukraine in 2017. That attack used “wormable” destructive malware that could jump from one computer domain to another and hence cross borders into other countries. Russia has been careful in 2022 to confine destructive “wiper software” to specific network domains inside Ukraine itself. But the recent and ongoing destructive attacks themselves have been sophisticated and more widespread than many reports recognize. And the Russian army is continuing to adapt these destructive attacks to changing war needs, including by coupling cyberattacks with the use of conventional weapons. 

A defining aspect of these destructive attacks so far has been the strength and relative success of cyber defenses. While not perfect and some destructive attacks have been successful, these cyber defenses have proven stronger than offensive cyber capabilities. This reflects two important and recent trends. First, threat intelligence advances, including the use of artificial intelligence, have helped make it possible to detect these attacks more effectively. And second, internet-connected end-point protection has made it possible to distribute protective software code quickly both to cloud services and other connected computing devices to identify and disable this malware. Ongoing wartime innovations and measures with the Ukrainian Government have strengthened this protection further. But continued vigilance and innovation will likely be needed to sustain this defensive advantage.

Third, as a coalition of countries has come together to defend Ukraine, Russian intelligence agencies have stepped up network penetration and espionage activities targeting allied governments outside Ukraine. At Microsoft we’ve detected Russian network intrusion efforts on 128 organizations in 42 countries outside Ukraine. While the United States has been Russia’s number one target, this activity has also prioritized Poland, where much of the logistical delivery of military and humanitarian assistance is being coordinated. Russian activities have also targeted Baltic countries, and during the past two months there has been an increase in similar activity targeting computer networks in Denmark, Norway, Finland, Sweden, and Turkey. We have also seen an increase in similar activity targeting the foreign ministries of other NATO countries. 

Russian targeting has prioritized governments, especially among NATO members. But the list of targets has also included think tanks, humanitarian organizations, IT companies, and energy and other critical infrastructure suppliers. Since the start of the war, the Russian targeting we’ve identified has been successful 29 percent of the time. A quarter of these successful intrusions has led to confirmed exfiltration of an organization’s data, although as explained in the report, this likely understates the degree of Russian success. 

We remain the most concerned about government computers that are running “on premise” rather than in the cloud. This reflects the current and global state of offensive cyber espionage and defensive cyber protection. As the SolarWinds incident demonstrated 18 months ago, Russia’s intelligence agencies have extremely sophisticated capabilities to implant code and operate as an Advanced Persistent Threat (APT) that can obtain and exfiltrate sensitive information from a network on an ongoing basis. There have been substantial advances in defensive protection since that time, but the implementation of these advances remains more uneven in European governments than in the United States. As a result, significant collective defensive weaknesses remain.

Fourth, in coordination with these other cyber activities, Russian agencies are conducting global cyber-influence operations to support their war efforts. These combine tactics developed by the KGB over several decades with new digital technologies and the internet to give foreign influence operations a broader geographic reach, higher volume, more precise targeting, and greater speed and agility. Unfortunately, with sufficient planning and sophistication, these cyber-influence operations are well positioned to take advantage of the longstanding openness of democratic societies and the public polarization that is characteristic of current times.

As the war in Ukraine has progressed, Russian agencies are focusing their cyber-influence operations on four distinct audiences. They are targeting the Russian population with the goal of sustaining support for the war effort. They are targeting the Ukrainian population with the goal of undermining confidence in the country’s willingness and ability to withstand Russian attacks. They are targeting American and European populations with the goal of undermining Western unity and deflecting criticism of Russian military war crimes. And they are starting to target populations in nonaligned countries, potentially in part to sustain their support at the United Nations and in other venues.

Russian cyber-influence operations are building on and are connected to tactics developed for other cyber activities. Like the APT teams that work within Russian intelligence services, Advance Persistent Manipulator (APM) teams associated with Russian government agencies act through social media and digital platforms. They are pre-positioning false narratives in ways that are similar to the pre-positioning of malware and other software code. They are then launching broad-based and simultaneous “reporting” of these narratives from government-managed and influenced websites and amplifying their narratives through technology tools designed to exploit social media services. Recent examples include narratives around biolabs in Ukraine and multiple efforts to obfuscate military attacks against Ukrainian civilian targets.

...

Finally, the lessons from Ukraine call for a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations. As the war in Ukraine illustrates, while there are differences among these threats, the Russian Government does not pursue them as separate efforts and we should not put them in separate analytical silos. In addition, defensive strategies must consider the coordination of these cyber operations with kinetic military operations, as witnessed in Ukraine. 

New advances to thwart these cyber threats are needed, and they will depend on four common tenets and — at least at a high level — a common strategy. The first defensive tenet should recognize that Russian cyber threats are being advanced by a common set of actors inside and outside the Russian Government and rely on similar digital tactics. As a result, advances in digital technology, AI, and data will be needed to counter them. Reflecting this, a second tenet should recognize that unlike the traditional threats of the past, cyber responses must rely on greater public and private collaboration. A third tenet should embrace the need for close and common multilateral collaboration among governments to protect open and democratic societies. And a fourth and final defensive tenet should uphold free expression and avoid censorship in democratic societies, even as new steps are needed to address the full range of cyber threats that include cyber influence operations. 

An effective response must build on these tenets with four strategic pillars. These should increase collective capabilities to better (1) detect, (2) defend against, (3) disrupt, and (4) deter foreign cyber threats. This approach is already reflected in many collective efforts to address destructive cyberattacks and cyber-based espionage. They also apply to the critical and ongoing work needed to address ransomware attacks. We now need a similar and comprehensive approach with new capabilities and defenses to combat Russian cyber influence operations. 

Link to full report.