Almost a year has passed since Russia’s full-scale invasion of Ukraine, and we continue to see cyber operations play a prominent role in the war. To better understand the role of cyber threats, Google presented the Fog of War report on how the war in Ukraine changed the cyber threat landscape, which was created based on the analysis of the Google Threat Analysis Group (TAG), Mandiant and the Google Trust & Safety team. The report covers new findings and retrospective information on government-backed attackers, information operations (IOs), and threat actors in the cybercriminal ecosystem. It also includes detailed analyses of threat actors, using the example of specific campaigns in 2022.
Support for Ukraine
Since the beginning of the war, governments, companies, civil society unions and countless other activists have been working around the clock to support the Ukrainian people and their institutions. Google supports these efforts and continues to announce new commitments and support for Ukraine. This includes providing 50,000 Google Workspace licenses to the government, a rapid air alert system for Android smartphones in the region, support for refugees, businesses and entrepreneurs, as well as measures to suspend monetization indefinitely and limit coverage of Russian state media.

However, one of the most pressing problems is that the Ukrainian government is almost constantly under digital attack. Shortly after the invasion, Google expanded the availability of Project Shield, a free protection against distributed denial of service (DDoS) attacks, so that Ukrainian government websites and embassies around the world could stay online and continue to offer critical services.

The company continues to provide direct assistance to the Ukrainian government and critical infrastructure entities through the Cyber Defense Assistance Collaborative platform, including compromise assessment, incident response services, joint cyber threat intelligence and security transformation services to identify, mitigate and defend against cyber attacks. In addition, Google continues to implement protections for users, monitor and disrupt cyber threats to increase awareness among the community and users, and to maintain the quality of information.

This level of collective protection between governments, companies and security stakeholders around the world is unprecedented in scope. The company shares its findings with the global security community to help prepare better defenses for the future.
1. Attackers backed by the Russian government have made an aggressive, multi-pronged effort to gain a decisive military advantage in cyberspace, often with mixed results.
This includes a significant shift in the focus of various groups to Ukraine, a dramatic increase in the use of destructive attacks against the Ukrainian government, military and civilian infrastructure, a surge in phishing activities targeting NATO countries, and an increase in cyber operations aimed at several Russian objectives. For example, we’ve seen hack-and-leak operations in which attackers steal and publish sensitive information to promote a particular narrative.
Attackers backed by the Russian government stepped up cyber operations starting in 2021 in preparation for the invasion. In 2022, Russia increased its targeting of users in Ukraine by 250% compared to 2020. Targeting of users in NATO countries increased by more than 300% during the same period.
In 2022, attackers supported by the Russian government attacked more users in Ukraine than in any other country. Although we see that these attackers focus largely on the Ukrainian government and military structures, the campaigns we stopped also demonstrate a focus on critical infrastructure, utilities and public services, and the media and information space.
In its incident response work, Mandiant saw more disruptive cyberattacks in Ukraine in the first four months of 2022 than in the previous eight years, with attacks peaking at the start of the invasion. Despite significant activity after this period, the pace of attacks slowed and was less coordinated than the initial wave in February 2022. In particular, destructive attacks often followed more quickly after an attacker had gained or regained access, often through compromised edge infrastructure. Many operations testify to the attempt of the Main Directorate of the General Staff of the Russian Armed Forces (GRU) to balance the sometimes competing priorities of access, collection and destruction at each stage of activity.
2. Moscow used the full spectrum of information operations — from openly state-backed media to closed platforms and accounts — to shape public perception of the war.
These operations have three objectives:
- To undermine the Ukrainian government
- Break international support for Ukraine
- Strengthen support for Russia in the war inside the country
We have seen spikes in activity associated with key events in the war, such as the build-up, invasion and mobilization in Russia. At Google, we are actively working across products, teams, and regions to counter this activity that violates our policies and disrupt overt and covert information operations, but we continue to face ongoing attempts to circumvent our policies.
The covert Russian information operations we prevented in Google products focused primarily on maintaining Russian support for the war in Ukraine, with over 90% of these campaigns in Russian.
3. The invasion caused a marked change in the Eastern European cybercrime ecosystem, which is likely to have long-term consequences for both the coordination between criminal groups and the scale of cybercrime worldwide.
Some groups have split over political allegiances and geopolitics, while others have lost top operators, which will affect how we think about these groups and our traditional understanding of their capabilities. We’re also seeing a trend towards specialization in the ransomware ecosystem, which combines the tactics of different attackers, making it difficult to definitively identify the ultimate author. The war in Ukraine is also defined by what we expected but did not see – for example, we did not see a surge in attacks on critical infrastructure outside of Ukraine.

TAG also observes tactics closely associated with financially motivated attackers being used in targeted campaigns that are typically associated with government-sponsored attackers. In September 2022, TAG reported an attacker whose activity is similar to the UAC-0098 group, which is historically associated with the IcedID banking trojan, leading to human-driven ransomware attacks. We believe that some members of UAC-0098 are former members of the Conti group who are repurposing their methods to attack Ukraine.
- Google estimates with a high degree of confidence that attackers with the support of the Russian government will continue to conduct cyber attacks against Ukraine and NATO partners in order to achieve Russia’s strategic goals.
- The company is convinced that Moscow will increase its destructive attacks in response to events on the battlefield that fundamentally change the balance of power – real or probable – in Ukraine (for example, military casualties, new commitments of foreign countries in terms of political or military support, etc.). These attacks will primarily be aimed at Ukraine, but will increasingly extend to NATO partners.
- Experts believe that Russia will continue to increase the pace and scale of information operations to achieve the above goals, especially as it approaches such key milestones as international funding, military aid, internal referendums, etc. What is less clear is whether this activity will achieve the desired effect, or simply increase resistance to Russian aggression over time.
It is clear that information technology will continue to play an integral role in future armed conflicts, complementing traditional forms of warfare, and we hope that this report will serve as a call to action in preparing for what lies ahead. Google is committed to contributing to the collective defense and looks forward to working with others to further develop and help organizations, companies, governments and users stay safe online.