Since the outbreak of war in Ukraine, conflict-related cyberattacks have changed focus, from mainly targeting the invaded country to going after its allies in the EU, fresh research by security giant Thales indicates.
Describing the third quarter of 2022 as a “turning point,” Thales said it had tracked “a clear transition from a cyberwar focused on Ukraine and Russia” to a “high-intensity hybrid” conflict spanning Europe.
This evolving cyberwar has seen targets pursued primarily, but not exclusively, in the Baltic and Nordic regions of Europe – which lie in close proximity to Russia – and in Poland, which has been at the forefront of providing aid to Ukrainian refugees fleeing the war.
Describing the “new attack geography” that had taken shape during that time, Thales said cyberwar-related attacks on Ukraine had dwindled from around half the total last February, when Russia invaded, to just over a quarter between July and September.
This meant that over the last summer, cyberwar attacks on EU countries were nearly equal in number to those launched against Ukraine – 85 compared to 86. And in the first quarter of 2023, the reversing trend continued, with four in five attacks taking place within the EU, of which Ukraine is not a member.
Commenting on the research findings, Pierre-Yves Jolivet, vice president of cyber solutions at Thales, described how “Europe was dragged into a high-intensity hybrid cyberwar at a turning point in the conflict, with a massive wave of DDoS [distributed denial of service] attacks, particularly in the Nordic and Baltic countries and Eastern Europe.”
He added: “Cyber is now a crucial weapon in the arsenal of new instruments of war, alongside disinformation, manipulation of public opinion, economic warfare, sabotage and guerrilla tactics.”
Jolivet said that in light of the expansion of cyberwar beyond Ukraine’s borders, “Western Europe should be wary of possible attacks on critical infrastructure in the short term if the conflict continues to accelerate.”
Hacktivists and harassers
Thales said about six in ten cyberattacks recorded worldwide since the outbreak of war had been “perpetrated by pro-Russian hacktivist groups, and in particular by Anonymous Russia, KillNet and Russian Hackers Teams.”
Such groups had emerged since the start of the conflict “to mirror the efforts of Ukrainian IT Army hacktivists early in the war.”
These partisan actors used malicious software programs such as the Passion Botnet with the aim of “cyber-harassing countries that support Ukraine.”
Thales added: “This systematic harassment often has a low operational impact but sustains a climate of anxiety among security teams and decision-makers. Their objective is [...] to harass targets and discourage them from supporting Ukraine.”
Described as “independent” and “civilian” in nature, such hacktivists are nevertheless potentially quite highly skilled, flexible, and likely willing to work for free.
“They can be assimilated into a cybercriminal group with specific political objectives and interests, acting out of conviction yet not directly sponsored by any government,” said Thales. “Members of such groups have a broad array of origins, technical skills and backgrounds.”
Intriguingly, in the half year following the outbreak of war such attackers appeared to have narrowed their choice of techniques, tactics and procedures considerably.
“The first quarter of 2022 [...] saw a range of different kinds of attacks, divided more or less equally among data leaks and theft, DDoS attacks, espionage, influence campaigns, intrusion, ransomware, phishing, wiper and infostealer attacks,” said Thales. “Cyber attackers have since favoured DDoS attacks (75%) against companies and governments.”
DDoS attacks occur when threat actors remotely hijack computers and force them to overwhelm a target server by bombarding it with multiple requests. As dramatic as such ‘zombie’ attacks might sound, they are frequently regarded as little more than a nuisance and tend to have only temporary repercussions.