Russian military cyber operations in the first half of 2023 focused on targeting Ukrainian law enforcement agencies to gather information about Ukrainian investigations into war crimes and counter-intelligence efforts against Russian spies and collaborators, Ukraine’s top cyber defense organization said in a report released Monday.
The report comes against a backdrop of what officials in Kyiv describe as a move toward intelligence operations in Russian hacking activity. “From the beginning of this year we observe a shift in disruptive cyber operations to data collection, cyber intelligence and influence operations,” Victor Zhora, a top Ukrainian cyber defense official, told reporters on Tuesday.
The State Service of Special Communications and Information Protection of Ukraine — a civilian organization tasked with investigating cyberattacks and defense of critical infrastructure and other government organizations — said in its report that Russian military commanders are directing cyber units to gather information that includes “evidence, intelligence, and arguments that could be used for criminal proceedings against spies, specific individuals, institutions, or organizations in Russia, potentially leading to sanctions or other actions.”
The cyber operations are also designed to help Russians arrested in Ukraine avoid prosecution and move them back to Russia, the agency said in its report. The report’s release comes on the heels of revelations that the International Criminal Court at The Hague, which investigates and prosecutes war crimes, had its computer system hacked by unknown perpetrators.
Russia appears to be increasingly integrating its cyber operations into its overall war effort, with Russian operations in the first half of 2023 seeking to assess the impact of kinetic military operations, such as missile and drone strikes, according to the SSSCIP.
The organization described a “notable” trend of Russian state hackers repeatedly targeting the same organizations, exfiltrating data faster in response to improved Ukrainian detection and remediation abilities, and persistently attacking Ukrainian media organizations.
Cyber incidents identified by the SSSCIP rose 123% in the first half of this year compared to the second half of 2022, according to the report. The number of critical incidents, the rate of malware distribution via email and incidents targeting the energy sector are all down significantly, however, likely in part due to improved Ukrainian defenses.
Russian state hackers “appear to be using less sophisticated tactics,” the agency said, as part of a “spray and pray approach, while Ukraine’s defense of its infrastructure has markedly improved compared to six months ago.” Nevertheless, the agency noted, Russian hackers have “still managed to achieve some success in cases involving attempts at wiping data or other destructive operations.”
In January 2023, for example, the Russian hacktivist persona CyberArmyofRussia Reborn released data purportedly from Ukrinform, a Ukrainian news agency, the report noted. In that case the attackers claimed to have “burned” the organization’s “entire network infrastructure.” Ukrainian investigators determined that five strains of wiper malware had been used in the attack and attributed the operation to a group the agency tracks as UAC-0082, which is known more widely as Sandworm and is believed to be one of the Russian military’s most enduring and impactful hacking units.
UAC-0010, Ukraine’s designation for another group linked to the Russian Federal Security Service (FSB) and tracked widely as Gamaredon, exhibited a notable increase in activity over the first half of 2023 compared to the second half of 2022, according to the report. Ukrainian officials attribute the increase to an expansion of manpower, including “the infusion of new talent from Russia’s abundant pool of skilled individuals, and the mobilization of IT professionals from the private sector to serve in the military.”
The group “demonstrated an explicit interest” in Ukrainian law enforcement operations, the report said, accounting for roughly 54% of its detected activity. “This group has a huge human resource and applies primitive methods that nonetheless are quite resultative,” the report notes.
Given the overall targeting patterns and observations over the last six months, Ukrainian officials expect increased attacks on software supply chain developers, a continued and bigger shift to espionage and attempts at avoiding detection, more complex attack chains and continued Russian government encouragement of so-called “patriotic” hackers “who could easily become cyber-criminal threat actors/ransomware operators in the future,” according to the report.