When Russia invaded Ukraine on Feb. 24, 2022, there was a lot of discussion on how the war would be both cyber and kinetic. A year later, the consensus seems to be that while there was a lot of cyberattack activity, it wasn’t as destructive as many had feared. That was partly due to various governments and security companies helping to identify and block attacks.
Between February 2022 and February 2023, an average of 10% of all online traffic to Ukraine was mitigations of potential attacks, Cloudflare said in its analysis of the Russian invasion’s impact on Ukrainian Internet. Cloudflare protected Ukrainian Web applications by filtering and monitoring HTTP traffic to block malicious attacks, including distributed denial-of-service (DDoS) attacks.
On Oct. 29, DDoS attack traffic constituted 39% of total traffic to Cloudflare’s Ukrainian customers.
The company shared a graph showing the daily percentage of application layer traffic to Ukraine that Cloudflare mitigated as potential attacks using its Web application firewall (WAF). In early March, 30% of all traffic was mitigated. After a fairly quiet summer, attack activity ticked back up in early September, during the Ukrainian counteroffensive in east and south Ukraine.
More specifically, 14% of total traffic from Ukraine was mitigated as potential attacks, while 10% of total traffic to Ukraine was mitigated as potential attacks in the past 12 months.
Mitigated application-layer threats blocked by Cloudflare’s WAF were 105% higher on Monday, Feb. 28, 2022 — four days after the invasion — compared to the Monday before, Feb. 21, 2022. By Mar. 8, that figure was 1,300%.
What Came Out of ‘Shields Up’
In anticipation of Russian cyberattacks against Ukrainian targets and against organizations in countries allied with Ukraine, the US Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to share information that could help mitigate threats. “Every organization — large and small — must be prepared to respond to disruptive cyber incidents,” CISA said.
While sharing threat intelligence indubitably helped, the nature of the attacks were also less sophisticated or destructive than feared.
Cisco Talos researchers have been monitoring critical infrastructure customers to identify threats and remediate attacks. While there were a lot of concerns about destructive malware, what Talos is seeing — and blocking — a lot of is credentials harvesting, says Nick Biasini, Cisco Talos head of outreach. Attackers are not resorting to highly sophisticated tactics, but are rather employing mundane and recognizable methods to try to gain access to networks and accounts, he says.
Impact on Critical Infrastructure
Cloudflare’s analysis of Ukraine’s Internet traffic shows peaks and drops in usage corresponding with military activity. For example, the city of Chernihiv had a significant drop in traffic the first week of the war and residual traffic by mid-March, with traffic picking up after the Russian retreat in early April, Cloudflare noted. In the fall, Russian military units started targeting Ukrainian critical infrastructure, causing widespread power outages and Internet blackouts. Some of these strikes caused as much as a 50% decrease in Internet traffic, according to Cloudflare’s analysis. The disruptions often lasted only a day or two, “further emphasizing the ongoing impact of the conflict on Ukraine’s infrastructure,” Cloudflare noted.
“Throughout the rest of the year and into 2023, Ukraine has continued to face intermittent Internet disruptions,” Cloudflare wrote.
Ripple Effects Around the World
Security leaders in East Asia are carefully watching how the war between Russia and Ukraine unfolds, as a lot of the geopolitical tensions and rhetoric are similar to the long-simmering situation between China and Taiwan. Organizations are “wondering what kind of disruptive attacks to expect” and how the war in Ukraine could affect the Taiwan situation, says Mihoko Matsubara, chief cybersecurity strategist at NTT. There has already been some activity, although it has been of the “cyber nuisance” variety, rather than destruction, Matsubara says. East Asian companies are already seeing DDoS attacks, defacements, and disinformation campaigns, she says.
Matsubara was careful to not downplay the seriousness of the attacks, as they are still disruptive to organizations. NTT has also seen some wiper attacks used to disrupt humanitarian aid efforts, which may be a harbinger of activities to come.
Bad Actors Get Political
Cybercriminals have been expressing their own opinions — and political allegiances — about the war. For example, Coalition’s latest Cyber Threat Index report dug into attacks against databases exposed to the Internet. Coalition observed a total of 264,408 IP addresses running MongoDB instances in 2022, and a total of 68,423 of them — or 26% — were compromised. Coalition found a handful of compromised MongoDB servers where the attackers renamed the databases to SLAVA_UKRAINI, or “Glory to Ukraine!”
“Threat actor activity is often shaped by fluctuations in economic conditions,” noted the team from Kroll’s Cyber Risk practice in the latest Threat Landscape report. “Due to the continued market volatility across the globe and the ongoing war on Ukraine, it is likely that the unstable circumstances in which attackers thrive will persist in 2023.”