Google Ukraine presented the “Fog of War” report on the main principles of Russian cyberattacks and the spread of disinformation in 2022, and analyzed how the cybercrime ecosystem in Eastern Europe changed after the full-scale invasion.
According to the report, Russian-backed cybercriminals stepped up as early as 2021 in preparation for an invasion. In 2022, Russia increased targeting of users in Ukraine by 250% compared to 2020. Targeting of users in NATO countries increased by more than 300% during the same period.
Russian hackers attacked Ukrainian users more often than any other country; and were focused on government and military structuresaffecting critical infrastructure, utilities and public services, as well as the media and information space.
The most devastating cyber attacks occurred during the first four months of 2022 (compared to the previous 8 years), and their peak occurred at the beginning of the invasion. Over the summer, the pace of attacks slowed and was less coordinated than the initial wave in February 2022. Destructive attacks often occurred more quickly after an attacker gained or regained access through compromised border infrastructure.
Moscow used the entire range of information operations – from state media to closed platforms and accounts – they were aimed at shaping public acceptance of the war. These operations have three main goals:
- Undermining trust in the Ukrainian authorities;
- Leave Ukraine without international support;
- Strengthen support for Russia in the war within the country.
Surges in the activity of such resources were observed during key events of the war, such as the build-up of military forces, invasion and mobilization in Russia. The covert Russian information operations that prevented Google products were primarily focused on maintaining Russian support for the war in Ukraine—more than 90% of these campaigns were broadcast in Russian.
The intrusion caused notable changes in the Eastern European cybercrime ecosystem. This is likely to have long-term consequences for both the coordination between criminal groups and the scale of cybercrime worldwide.
There has been a trend towards ransomware that combines the tactics of different attackers, making it difficult to determine the ultimate author. Tactics closely associated with financially motivated attackers have also been observed in campaigns with a target that is typically associated with government-sponsored attackers.
The report predicts that Russian hackers will continue to attack Ukraine, and will increasingly intensify cyber attacks on NATO partners, especially in response to events on the actual battlefield (eg, military casualties, new foreign commitments for political or military support, etc.). The same applies to information operations, which will intensify with the approach of international aid.