Illustration by Alex Castro / The Verge
New reports have emerged of hacking campaigns linked directly and indirectly to Russia’s war in Ukraine, with the stories shedding more light on an opaque element of the invasion: cyberwarfare. Many experts predicted that Russia would launch significant cyber attacks in Ukraine, shutting down the country’s electrical grid for example. But while large-scale operations have not materialized, reports of smaller forays are beginning to emerge.
On Monday, Google said it had uncovered widespread phishing attacks targeting Ukrainian officials and Polish military. Security outfit Resecurity Inc also shared evidence of a coordinated hacking campaign targeting US firms that supply natural gas (a commodity that has become critical as Western sanctions bite down on Russian energy exports). In both cases, attacks could be linked to groups associated with Russia and its allies.
Google’s Threat Analysis Group (TAG) said the phishing campaign targeted users of UkrNet, a Ukrainian media company, as well as “Polish and Ukrainian government and military organizations.” Attacks were carried out by groups including Belarusian outfit Ghostwriter and Russian threat actor Fancy Bear. The latter group is associated with Russian military intelligence agency GRU, and was responsible for the 2016 Democratic email hacks.
“Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter,” wrote Google’s Shane Huntley in a blog post. “This activity ranges from espionage to phishing campaigns. We’re sharing this information to help raise awareness among the security community and high risk users.”
The campaign targeting US natural gas firms successfully infiltrated more than 100 computers belonging to employees and former employees. As reported by Bloomberg News, motives for the operation are unknown, but Resecurity described the work as “pre-positioning” — hacking machines to prepare for a larger operation of some sort.
The attacks began two weeks before the invasion of Ukraine, and securing a foothold in US gas suppliers would certainly offer plenty of opportunities for geopolitical leverage. As European nations have sought to wean themselves off Russian natural gas as part of a range of economic sanctions, energy firms in the United States have stepped up their supply, making the US the world’s top provider of liquefied natural gas or LNG.
Resecurity CEO Gene Yoo told Bloomberg he thought the attack had been carried out by state-sponsored hackers but did not speculate on who that might be. Bloomberg itself notes that one of the hackers involved had ties to attacks carried out by Fancy Bear (though under its moniker Strontium, as given by Microsoft’s security research team).