LAS VEGAS — Russian hackers targeting Ukraine have pivoted away from disruptive attacks and are increasingly focusing on collecting data of use to Russian forces on the battlefield, Victor Zhora, a top Ukrainian cybersecurity official, said during a panel appearance at the Black Hat security conference in Las Vegas.
Some 15 months since Russian forces invaded Ukraine, Zhora has observed “a shift from disruptive and chaotic attacks to more focused activity, cyber espionage and data collection.”
Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, said Ukrainian network defenders recently discovered a Russian operation “targeting our situational awareness system, technical battlefield systems in order to gain information” that “can give them some advantage on the battlefield.”
According to a recent report from the Ukrainian security services, Russian hackers targeted the Android phones used by Ukrainian military personnel for planning and running combat missions. Using devices captured on the battlefield, Russian hackers attempted to spread malware that harvested configuration information from Starlink satellite terminals, a key tool the Ukrainian military relies on to carry out operations, and from backup communication channels.
Ukraine's security service attributed the operation with high confidence to Russia's infamous Sandworm hacking unit.
Zhora said Russian cyber operations targeting Ukraine's security and defense sectors, logistics, supply chains and service providers are used "not only for impact, but also for intelligence purposes," but that Ukraine is seeing some success thwarting Russian operations. Ukrainian defenders were able to disrupt the campaign targeting Android devices early, due in part to increased collaboration and shared threat intelligence, Zhora said, noting that such intelligence is "crucial" for detecting campaigns before they occur.
Speaking alongside Zhora, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, said that a memorandum of cooperation between CISA and Ukraine’s SSSCIP “allowed us to really focus on how do we effectively share information, best practices, exercise together, train together, figure out how to hunt for adversary activity.”
While Ukraine has shown great resilience in responding to the Russian invasion and in thwarting cyberattacks, the U.S. public is far less resilient in the face of similar threats, such as the Colonial Pipeline ransomware attack and the Chinese spy balloon that floated over the U.S., she said.
“I don’t see that level of resilience in terms of how we respond to potential threats,” Easterly said. “We should be unified as an American people in the face of these very serious threats.”
Easterly noted that while Russia poses a major threat in cyberspace, the U.S. intelligence community's annual threat assessment found that China, in the event of a conflict, "almost certainly is capable" of launching disruptive attacks against U.S. pipeline infrastructure as well as rail systems.