The Brief History of Russian Cyberattacks Against Ukraine and the Risks they Pose to the West


Welcome back, my cyber warriors!

As the war in Ukraine rages on, it’s important to keep in mind that this war didn’t begin in February 2022; it has been simmering for almost a decade. Ever since the people of Ukraine overthrew their Russian-backed president in 2014, Russia has been incessantly attacking the Ukrainian people and their institutions, in cyberspace as well as on the ground. Before we look at the Russian cyber attacks against Ukraine, let’s take a brief moment to review the recent history of Ukraine.

It’s always a difficult task to summarize 100 years of history in a few paragraphs, but here goes my feeble attempt. Please bear with me and forgive my omissions in the interest of brevity.

The Last 100 Years of Ukrainian History in a Nutshell

In 1922, Ukraine was one of the founding republics of the Soviet Union (the Soviet Union grew out of the Russian Revolution of 1917). Under Stalin it suffered the Holodomor, the man-made famine of 1932-33 engineered by the Soviet state; estimates of the death toll in Ukraine vary, with most falling between 3.5 and 5 million people. When Nikita Khrushchev became head of the Soviet Communist Party in 1953, he looked favorably upon Ukraine and the Ukrainian people, as he had earlier headed the Ukrainian Communist Party. In 1954 he transferred parts of traditional Russia to the Ukrainian republic, including the Crimean Peninsula (Crimea had been annexed by Catherine the Great in 1783 from the Crimean Khanate, then under Ottoman influence). This expanded the Ukrainian republic, and Crimea remained part of it through the Soviet Union’s disintegration in 1991. After the Soviet Union collapsed, Ukraine suffered a decade of economic deprivation, with the economy shrinking by roughly 10% per year.

From 1994 to 2004, Leonid Kuchma was the President of Ukraine. His presidency was marked by corruption and scandals. He did not run again, and two leading candidates battled it out for the presidency in 2004: Viktor Yanukovych and Viktor Yushchenko (for those of us in the West, these two names are so similar that it is difficult to keep them straight). The former, Yanukovych, was closely linked to Putin, while the latter, Yushchenko, wanted to bring Ukraine closer to the West. At the risk of oversimplification, I will refer to them as the Russian-linked Yanukovych and the Western-linked Yushchenko. The Russian-linked candidate, Yanukovych, was declared the winner of a close runoff, but the opposition and independent election observers reported fraud and irregularities. This led to the Orange Revolution, which took place from November 2004 to January 2005: a series of protests and political events that challenged the rigged election of Yanukovych.

On December 3, 2004, the Supreme Court of Ukraine annulled the runoff result and ordered a repeat vote. In the repeat runoff on December 26, 2004, the Western-linked Yushchenko won, and he was inaugurated as president in January 2005.

When the next presidential election took place in 2010, the leading candidates were Yanukovych, Yulia Tymoshenko and the incumbent Yushchenko. Yushchenko and Tymoshenko had been allies during the Orange Revolution, but the two had become bitter rivals by the 2010 election.

In the 2010 runoff, the Russian-linked Yanukovych narrowly defeated Tymoshenko and was elected president. Yanukovych had close ties to Putin and the Kremlin and was reputed to be Putin’s favorite (his Ukrainian campaign adviser, Paul Manafort, later chaired Trump’s 2016 presidential campaign. Coincidence?). As he imprisoned his rival, Yulia Tymoshenko, moved to limit freedoms, and drew Ukraine closer to Russia, the Ukrainian people revolted, and parliament voted to remove him from office in February 2014. Yanukovych fled Ukraine to Russia, where he still resides under Putin’s protection. Soon thereafter, Russia seized and annexed Crimea and backed separatists who took control of parts of the Donbas. Then the cyber attacks began in earnest.

In February 2019, Ukraine amended its constitution in ways that would ease its integration into Europe. In April 2019, a former comedian and actor of Jewish descent, Volodymyr Zelenskyy, was overwhelmingly elected president of Ukraine with 73% of the vote. Zelenskyy continued the movement of Ukraine away from Russia and toward further integration with the rest of Europe.

On February 24, 2022, Russia invaded Ukraine.

Major Russian Cyber Attacks against Ukraine in Recent Years

To give you some perspective on the cyber element of this war, here are the major events of the last 10 years. There have been so many Russian attacks against Ukraine in recent years that it is difficult to trim the list to just a few. Most of the most serious attacks have taken place after the mass protests of 2013-2014 that led to the ouster of Yanukovych.

ATMs Attacked with Ploutus

In February 2014, ATMs belonging to one of the largest Ukrainian banks were hacked. The ATMs had been loaded with cash on Friday and were empty by Monday. Gangs reportedly working for Russia and its separatist proxies in Ukraine simply emptied the cash. The malware Ploutus was reportedly used in the attack; Ploutus lets an attacker with physical access command the ATM to dispense cash and is reported to be capable of disabling or bypassing traditional antivirus software.

BlackEnergy3

The BlackEnergy3 attack of December 23, 2015 was a sophisticated attack against the Ukrainian electricity grid. BlackEnergy3 was a reworked version of malware that had previously been used for DDoS attacks. It relied on social engineering to enter the corporate networks of the electric utilities: spear-phishing emails that appeared to come from a Ukrainian government official carried malicious Microsoft Office attachments (earlier BlackEnergy campaigns exploited the Office OLE vulnerability CVE-2014-4114; the 2015 grid intrusion relied on macro-enabled documents). The attackers (Sandworm, a hacker group within the Russian GRU) then used mimikatz to harvest credentials, which they used to reach the Human Machine Interface (HMI) in the SCADA network. From the HMI they opened breakers at roughly 30 substations, creating the blackout.

CrashOverride (aka Industroyer)

CrashOverride was the first malware specifically designed to attack electric grids (BlackEnergy3 was originally a DDoS tool that morphed into a foothold for the operators, who then manipulated the grid by hand through the HMI). It was used against Ukraine in the December 17, 2016 attack on a transmission substation near Kyiv.

SCADA/ICS systems use a multitude of protocols, and almost no two systems are alike, which makes attacks more challenging. There is, nevertheless, an interoperability standard meant to bridge vendor-specific protocols, known as OPC (OLE for Process Control). CrashOverride shipped payload modules for several grid protocols, including IEC 60870-5-101, IEC 60870-5-104 and IEC 61850, and an OPC DA module that it used to discover and manipulate devices in the substation.

CrashOverride’s protocol payloads ran in a loop, repeatedly sending open commands to the circuit breakers behind the remote terminal units (RTUs). This caused the breakers to stay open even when operators attempted to close them.

Petya and NotPetya

Petya was ransomware propagated by email attachments in 2016. In June 2017, after the ShadowBrokers released the NSA’s EternalBlue exploit, a new piece of malware built on Petya’s disk-encrypting code appeared. Its initial entry point was a supply-chain compromise of the update mechanism of M.E.Doc, a Ukrainian accounting package, after which it spread laterally with EternalBlue and stolen credentials. Researchers named the new malware NotPetya to distinguish it from Petya. The attack was focused on Ukraine but quickly spread throughout the world, causing billions of dollars of damage. Many have called it the most costly malware in history. NotPetya is a case study in how malware targeted at one nation or sector can wreak havoc worldwide. The NSA should also be held responsible, in part, for this destruction.

NotPetya portrayed itself as ransomware, but even victims who paid the ransom could not recover their files; it was a wiper in disguise. In February 2018 the US and UK governments publicly attributed it to the Russian GRU hacking group known as Sandworm.

Paralysis of Treasury Department of Ukraine

Like most state treasuries, the Ukrainian Treasury makes periodic payments to both individuals and businesses. On December 6, 2016, Ukraine’s Treasury, Ministry of Finance, and pension fund were knocked offline for two days, delaying payments to a variety of entities. This appears to have been a coordinated DDoS attack against these government departments.

HermeticWiper

On February 23, 2022, hours before the invasion began, a number of organizations in Ukraine were hit with a destructive attack known as HermeticWiper. This is a sophisticated piece of malware that corrupts the disk structures (master boot record, partition tables and NTFS metadata) and fragments and overwrites files, making recovery very difficult. It was primarily aimed at the financial, agriculture, emergency response, and energy sectors.

Industroyer2 and CaddyWiper

The Russian state-sponsored hacking group known as Sandworm attempted once again to take down part of the Ukrainian electrical grid in April 2022; the attack was disclosed by CERT-UA and ESET on April 12, 2022. It targeted a large Ukrainian energy provider and tried to disconnect its electrical substations with Industroyer2, a new variant of the Industroyer malware for industrial control systems (ICS), together with a new version of the CaddyWiper data-destruction malware.

The threat actor used a version of the Industroyer ICS malware customized for the target, with the high-voltage substations’ IEC 60870-5-104 addresses hard-coded into the binary. The malware then tried to erase traces of the attack by executing CaddyWiper on Windows systems and the data-wiping malware families tracked as OrcShred, SoloShred, and AwfulShred on Linux and Solaris systems.
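The command loop described for CrashOverride above and the hard-coded IEC 60870-5-104 targeting of Industroyer2 share one observable: a single host issuing breaker commands to many information object addresses (IOAs) in a short burst. The following added example (not code from the original article, nor from any of the malware families it describes) builds and parses minimal IEC-104 single-command APDUs and runs a simple burst detector over constructed traffic. The IP addresses, IOAs, thresholds and timings are assumptions chosen for illustration, not values from any real incident.

```python
"""
IEC 60870-5-104 command-burst detector (added example; all traffic constructed).
"""
import struct
from collections import defaultdict

START_BYTE = 0x68          # every IEC-104 APDU begins with 0x68
C_SC_NA_1 = 45             # ASDU type: single command (e.g. open/close a breaker)
C_DC_NA_1 = 46             # ASDU type: double command
COT_ACTIVATION = 6         # cause of transmission: activation


def build_single_command(ioa, on, select=False, common_addr=1,
                         send_seq=0, recv_seq=0, originator=0):
    """Build one I-format APDU carrying a C_SC_NA_1 ASDU addressed to `ioa`.

    SCO byte: bit 0 = SCS (1 = on, 0 = off), bits 1-2 = qualifier,
    bit 7 = S/E (1 = select, 0 = execute).
    """
    sco = (1 if on else 0) | (0x80 if select else 0)
    # ASDU header: type id, VSQ (SQ=0, one object), COT, originator, common address
    asdu = struct.pack('<BBBBH', C_SC_NA_1, 1, COT_ACTIVATION, originator, common_addr)
    asdu += ioa.to_bytes(3, 'little') + bytes([sco])
    # APCI control field for I-format: N(S) and N(R), each stored shifted left by one
    control = struct.pack('<HH', (send_seq << 1) & 0xFFFE, (recv_seq << 1) & 0xFFFE)
    body = control + asdu
    return bytes([START_BYTE, len(body)]) + body


def parse_apdu(frame):
    """Decode an APDU; returns None for S/U-format frames, which carry no ASDU."""
    if len(frame) < 6 or frame[0] != START_BYTE or frame[1] != len(frame) - 2:
        raise ValueError("malformed IEC-104 APDU")
    if frame[2] & 0x01:
        return None                       # S-format (..01) or U-format (..11)
    asdu = frame[6:]
    type_id, vsq, cot, originator, ca = struct.unpack_from('<BBBBH', asdu, 0)
    objects = []
    offset = 6
    if type_id in (C_SC_NA_1, C_DC_NA_1):
        for _ in range(vsq & 0x7F):       # SQ=0: each object carries its own 3-byte IOA
            ioa = int.from_bytes(asdu[offset:offset + 3], 'little')
            qualifier = asdu[offset + 3]
            objects.append((ioa, qualifier))
            offset += 4
    return {"type": type_id, "cot": cot & 0x3F, "ca": ca, "objects": objects}


def detect_command_bursts(events, window_s=5.0, min_ioas=5):
    """events: iterable of (timestamp, src_ip, apdu_bytes).

    Flags any source that sends activation commands (type 45/46, COT=6) to at
    least `min_ioas` distinct IOAs within `window_s` seconds, which is the
    signature of a scripted loop rather than an operator clicking breakers.
    Returns a sorted list of (src_ip, first_ts, max_distinct_ioas).
    """
    history = defaultdict(list)           # src_ip -> [(ts, ioa), ...] within window
    alerts = {}
    for ts, src, frame in sorted(events, key=lambda e: e[0]):
        decoded = parse_apdu(frame)
        if not decoded or decoded["cot"] != COT_ACTIVATION:
            continue
        if decoded["type"] not in (C_SC_NA_1, C_DC_NA_1):
            continue
        for ioa, _ in decoded["objects"]:
            history[src].append((ts, ioa))
        recent = [(t, i) for t, i in history[src] if ts - t <= window_s]
        history[src] = recent
        distinct = {i for _, i in recent}
        if len(distinct) >= min_ioas:
            prev = alerts.get(src)
            first_ts = prev[1] if prev else recent[0][0]
            alerts[src] = (src, first_ts, max(len(distinct), prev[2] if prev else 0))
    return sorted(alerts.values())


def sample_events():
    """Constructed traffic: one operator workstation and one Industroyer-like host."""
    events = [
        (0.0, "10.0.0.5", build_single_command(ioa=1101, on=False)),   # operator opens one breaker
        (60.0, "10.0.0.5", build_single_command(ioa=1102, on=True)),   # and closes another a minute later
    ]
    rogue = "10.0.0.77"                   # assumed address of the compromised host
    for cycle in range(2):                # the loop: 12 IOAs hammered, then repeated
        for n in range(12):
            ts = 100.0 + cycle * 3.0 + n * 0.1
            events.append((ts, rogue, build_single_command(ioa=2000 + n, on=False, send_seq=n)))
    return events


if __name__ == "__main__":
    for src, first_ts, count in detect_command_bursts(sample_events()):
        print(f"ALERT {src}: {count} distinct IOAs commanded in a burst starting at t={first_ts}s")
```

The detector deliberately ignores S- and U-format frames and non-activation causes of transmission, so interrogation replies and keep-alives do not inflate the count; on a real network you would feed it frames reassembled from TCP port 2404 and tune `window_s` and `min_ioas` to the site's normal switching activity.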

Summary

The Ukrainian people have rejected the tyrannical policies of Putin and his puppets and are paying a heavy price. Ever since Ukraine rejected the Putin puppet as their president, Russia has been hammering their economy and institutions non-stop. This must stop. Unfortunately, Putin only respects power. That is why WE must act.