Roncone and Wolfram point out that the GRU had targeted edge devices before this new phase of the agency's cyberwar in Ukraine. The agency's hackers attempted to create a botnet of hacked firewall devices, which was discovered just ahead of Russia's invasion of Ukraine in February, but they were stopped before they could do so.

According to the analysts at Mandiant, the hacking of edge devices to accelerate the agency's pace of operations and to achieve persistence inside networks, which lets the GRU pull off repeated intrusions against the same victims, is only now being seen. Roncone says that the agency has been able to have its cake and eat it too.

The State Services for Special Communications and Information Protection, or SSSCIP, agrees with Mandiant's conclusion that Russia has accelerated its pace of cyber-operations since the beginning of the war. He states that the GRU has come to favor targeting edge devices while other Russian intelligence agencies continue to use phishing emails. He says that cases of repeated wiping of the same organization in quick succession, or of an espionage operation against the same target, are very rare.

Zhora claims that the GRU's switch to a faster operating rhythm shows how the agency's hackers are racing to keep up with the pace of physical war.

They had a lot of opportunities due to the fact that they had a lot of financial resources. They used that time to investigate and develop new technologies. They need more resources to increase the density of their attacks. They still want to be Russia's most destructive agency. With sanctions and difficulties in human resources and infrastructure, their operational limits are much greater. We can see in the tactics they use that they are still looking for new opportunities.

Roncone and Wolfram say that the GRU hackers seem to be struggling to keep up. They saw the hackers backdoor an email server and set up their command-and-control server in such a way that they failed to control it. In another case, they sent the wrong commands to the wiper tool so that it wouldn't wipe the systems it had infected. "It's just the pace and probably a bit of human error that leads to these sorts of 'oopsies,'" says Roncone.

According to Roncone and Wolfram, there is a shift in the hacking methods used by the GRU. In the last month, Mandiant has observed a number of attacks on Ukrainian organizations, including five in June and four last month.