Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
February 2023

Table of contents
Foreword
Section 1: Government-backed attackers. Russian government-backed attackers aggressively pursue wartime advantage in cyberspace
Section 2: Information Operations. Moscow leverages full spectrum of information operations to shape public perception of war
Section 3: Cybercrime. War has split the loyalties of financially motivated attackers
Conclusion
About the authors

About the authors
Google's Threat Analysis Group (TAG) is responsible for countering threats to Google and our users from government-backed attackers, coordinated information operations (IO) and serious cybercrime networks. We apply our intelligence to improve Google's defenses and protect users.

Mandiant, now part of Google Cloud, is a recognized leader in dynamic cyber defense, threat intelligence and incident response services. By scaling decades of frontline experience, Mandiant helps organizations to defend against and respond to cyber threats.

Google Trust & Safety safeguards Google products against abuse and provides trusted and safe experiences for all users.

Foreword
One year ago, Russia invaded Ukraine. Since then, tens of thousands of people have been killed, millions of Ukrainians have fled, and the country has sustained tens of billions of dollars' worth of damage. Importantly, this marks the first time that cyber operations have played such a prominent role in a world conflict.

Since the war began, governments, companies, civil society groups and countless others have been working around the clock to support the Ukrainian people and their institutions. At Google, we support these efforts and continue to announce new commitments and support to Ukraine. This includes a donation of 50,000 Google Workspace licenses for the Ukrainian government, a rapid Air Raid Alerts system for Android phones in Ukraine, support for refugees, businesses and entrepreneurs, and measures to indefinitely pause monetization and significantly limit recommendations globally for a number of Russian state news media across our platforms.

One of the most pressing challenges, however, is that the Ukrainian government is under near-constant digital attack. That's why one of our most important contributions to date has been our ongoing work to provide cybersecurity assistance to Ukraine. Shortly after the invasion, for example, we expanded eligibility for Project Shield, our free protection against distributed denial of service (DDoS) attacks, so that Ukrainian government websites and embassies worldwide could stay online and continue to offer their critical services.

We continue to provide direct assistance to the Ukrainian government and critical infrastructure entities under the Cyber Defense Assistance Collaborative, including compromise assessments, incident response services, shared cyber threat intelligence and security transformation services, to help the Ukrainian government detect, mitigate and defend against cyber attacks. In addition, we continue to implement protections for users, and track and disrupt cyber threats to help raise awareness among the security community and high risk users and maintain information quality.

This level of collective defense, between governments, companies and security stakeholders across the world, is unprecedented in scope. It is important, then, to pause and reflect on this work and our learnings one year later, and share those with the global security community to help prepare better defenses for the future. This report outlines our analysis of these issues and includes the following three observations, informed by over two decades of experience managing complex global security events.

First, Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace, often with mixed results. This includes a significant shift in various groups' focus towards Ukraine, a dramatic increase in the use of destructive attacks on Ukrainian government, military and civilian infrastructure, a spike in spear-phishing activity targeting NATO countries, and an uptick in cyber operations designed to further multiple Russian objectives. For example, we've observed threat actors hack-and-leak sensitive information to further a specific narrative.

Second, Moscow has leveraged the full spectrum of information operations, from overt state-backed media to covert platforms and accounts, to shape public perception of the war. These operations have three goals: (1) undermine the Ukrainian government, (2) fracture international support for Ukraine, and (3) maintain domestic support in Russia for the war. We've seen spikes of activity associated with key events in the conflict, such as the buildup, invasion and troop mobilization in Russia. At Google, we've worked aggressively across products, teams and regions to counter these activities where they violate our policies and disrupt overt and covert information operations campaigns, but continue to encounter relentless attempts to circumvent our policies.

Finally, the invasion has triggered a notable shift in the Eastern European cybercriminal ecosystem that will likely have long term implications for both coordination between criminal groups and the scale of cybercrime worldwide. Some groups, for example, have split over political allegiances and geopolitics, while others have lost prominent operators. This will impact the way we think about these groups and our traditional understanding of their capabilities. We've also seen a trend towards specialization in the ransomware ecosystem that blends tactics across actors, making definitive attribution more difficult. Importantly, the war in Ukraine has also been defined by what we expected but didn't see. For example, we didn't observe a surge of attacks against critical infrastructure outside of Ukraine.

Together, these observations point to several broader, forward looking assessments for the security community for 2023:

We assess with high confidence that Russian government-backed attackers will continue to conduct cyber attacks against Ukraine and NATO partners to further Russian strategic objectives.

We assess with high confidence that Moscow will increase disruptive and destructive attacks in response to developments on the battlefield that fundamentally shift the balance, real or perceived, towards Ukraine (e.g. troop losses, new foreign commitments to provide political or military support, etc.). These attacks will primarily target Ukraine but increasingly expand to include NATO partners.

We assess with moderate confidence that Russia will continue to increase the pace and scope of information operations to achieve the objectives described above, particularly as we approach key moments like international funding, military aid, domestic referendums and more. What's less clear is whether these activities will achieve the desired impact or simply harden opposition against Russian aggression over time.

It is clear cyber will now play an integral role in future armed conflict, supplementing traditional forms of warfare. We hope this report serves as a call to action as we prepare for potential future conflicts around the world. At Google, we are committed to doing our part to support collective defense and look forward to partnering with others to drive continued progress and help organizations, businesses, governments and users stay safe online.

Section 1: Government-backed attackers
Russian government-backed attackers aggressively pursue wartime advantage in cyberspace

Russia's cyber preparations began long before the invasion
Russian government-backed attackers ramped up cyber operations beginning in 2021, during the run up to the invasion. This led to a 250% increase in Russian phishing campaigns directed against users in Ukraine in 2022 compared to a 2020 baseline. We attribute this increase to two primary factors: (1) some attackers intensified their traditional focus on Ukraine, and (2) others shifted their focus towards Ukraine.
Since the start of the war, Russian government-backed attackers have aggressively targeted Ukraine and its supporters, particularly NATO member countries. Based on analysis from across Google, we see a multi-pronged Russian effort to gain a wartime advantage through cyberspace. This effort includes a range of campaigns designed to improve intelligence collection, deploy destructive attacks against victim networks, and advance active measures to shape the information environment in Moscow's favor.

To help counter these efforts, we disrupted phishing campaigns against the Ukrainian government and military organizations, as well as critical infrastructure, media and the information space.

Users in NATO countries face intensified targeting
Since the war began, we've seen an over 300% increase in Russian phishing campaigns directed against users in NATO countries in 2022 compared to a 2020 baseline. These efforts may reflect a longstanding Russian strategic priority to gather better insight into NATO activities, but in 2022 they were driven primarily by a Belarusian government-backed group that is closely aligned with Russia.

Waves of destructive malware hit Ukraine
Russian Armed Forces' Main Directorate of the General Staff (GRU)-sponsored actors have used destructive malware to disrupt and degrade Ukraine's government and military capabilities. In parallel, we've seen similar attacks on civilian infrastructure in an attempt to undermine the public's trust in the government's ability to deliver basic services. We observed more destructive cyberattacks in Ukraine during the first four months of 2022 than in the previous eight years, with a notable spike in activity at the start of the invasion. In contrast to NotPetya, we've seen little evidence of a spillover effect outside Ukraine.

Russia uses cyber operations for multiple strategic objectives
We've observed a notable uptick in the intensity and frequency of Russian cyber operations designed to maximize access to victim networks, systems and data to achieve multiple strategic objectives. For example, GRU-sponsored actors have used their access to steal sensitive information and release it to the public to further a narrative, or used that same access to conduct destructive cyber attacks or information operations campaigns.

In this section, we outline trends in the threat landscape and then dive deeper into specific Russian government-backed attackers and their behavior in 2022.

A note on threat actor naming conventions
Our understanding of these groups is based on a body of technical data that includes infrastructure, malware and the broader set of tactics, techniques and procedures (TTPs) threat actors use in their campaigns. Other analysts may use different methodologies to assess actor activity. There is no single industry standard for naming these actors, but we've listed aliases where our group names align with others. Attribution to the underlying entity behind the group often comes later, if at all, from clues in the technical data and other sources like media and publicly available government documents. It is not uncommon for multiple actors representing distinct sets of technical activity to eventually be attributed to the same ultimate organization, similar to the attribution we made to GRU in this paper (see the threat actor deep dives). We use the term "government-backed attacker" instead of the term "advanced persistent threat" (APT) to more clearly differentiate these groups from other financially motivated actors discussed later in the paper.

APT Threat Actor Overview (reconstructed from the original table; entries the extraction did not preserve per column are summarized below the table)

Group | Aliases | Espionage | Information operations | Destruction
FROZENBARENTS | Sandworm, Voodoo Bear, IRIDIUM | yes | yes | yes
FROZENLAKE | APT28, SOFACY, Fancy Bear, STRONTIUM, Sednit | yes | yes | no
COLDRIVER | Callisto Group, SEABORGIUM, TA446, GOSSAMER BEAR | yes | yes | no
FROZENVISTA | UNC2589 | yes | no | yes
PUSHCHA | UNC1151 | yes | yes | no
SUMMIT | Turla, Team Snake, Uroburos, VENOMOUS BEAR, unc4210 | yes | no | no

Targeted nations: all six groups target Ukraine and NATO countries. Other countries and regions named in the table are Georgia, South Korea, Russia, Australia, Europe, South America, the Middle East, Central Asia and Southeast Asia.
Primary targets: Government and Military and Defense (all six groups); depending on the group, also Energy, Financial, Healthcare, Heavy Industry, High Tech and Telecom, Higher Education, News Media, NGOs, and Shipping and Rail.

Figure 1: Understanding the threat landscape. Phishing campaigns by government-backed attackers, as targets per month from January 2021 to December 2022, for FROZENBARENTS, FROZENLAKE, COLDRIVER, FROZENVISTA and PUSHCHA. Annotations: March 2021, Russia begins massing troops on the Ukrainian border; April 2021, phishing campaigns by FROZENVISTA targeting Ukraine; September to October 2021, over 11 days FROZENLAKE sends credential phishing emails to over 14K recipients globally; January 2022, waves of FROZENVISTA phishing targeting Ukraine; February 24, 2022, Russia invades Ukraine; February to October 2022, multiple Russian groups continue elevated activity levels; in the lulls between Russian activity, Belarusian government-backed PUSHCHA is more active.

Phishing remains a prominent initial access vector for government-backed attackers. Attackers use this access to achieve multiple Russian strategic objectives, such as intelligence collection, data destruction and information leaks intended to further Russian national objectives. From 2021 to 2022, TAG observed government-backed attackers conduct phishing campaigns against a series of targets (Figure 1). During that time, we saw a steady drumbeat in phishing attacks. At the same time, we noted several spikes in activity from large campaigns. In 2022, for example, we saw a 250% increase targeting users in Ukraine and an over 300% increase targeting users in NATO countries, both compared to a 2020 baseline. These numbers include Gmail users and accounts with a country code top-level domain (e.g. @gov.ua).

We assess that these attacks were all carried out by Russian government-backed attackers. However, in the graphic we also included information on PUSHCHA, a closely aligned group from Belarus. This activity is important to capture because it was heavily focused on Ukraine and its neighbors. For more information on activity associated with specific groups, see the threat actor deep dives.

In 2022, Russian government-backed attackers targeted users in Ukraine more than any other country. We attribute this to two primary factors: (1) some attackers (FROZENBARENTS, FROZENLAKE) intensified their traditional focus on Ukraine, and (2) others (COLDRIVER) shifted their focus towards Ukraine. While we see Russian government-backed attackers focus heavily on Ukrainian government and military entities, the campaigns we disrupted also show a strong targeting focus on critical infrastructure, utilities and public services, and the media and information space.

Figure 2: Top targeted domains, 2021 to 2022: gov.ua 35.1%, gmail.com 34.3%, mil.gov.ua and military-related 13.8%, ukr.net 10.0%, other 5.1%, i.ua 1.6%. From 2021 to 2022, Russia targeted over 150 military and government entities on the gov.ua and mil.gov.ua domains. Targets included Ukrainian military and diplomatic organizations, as well as government agencies that manage critical infrastructure, civil services and emergency management. Top 10 targets (Ukrainian government and military): Ministry of Defense, Ministry of Foreign Affairs, National Agency for Civil Service, State Agency of Water Resources, State Border Guard Service, Security Service, Ukrainian Railways, Dnipro City Council, Verkhovna Rada (Parliament), Ministry of Justice.

Figure 3: Government-backed attacker activity targeting users in NATO countries, based on distinct count of targets in phishing activity: FROZENLAKE 77.5%, PUSHCHA 15.5%, FROZENVISTA 2.3%, other 2.7%, with COLDRIVER and SUMMIT accounting for the remaining 1.4% and 0.7%. In 2022, Russia increased phishing activity in Ukraine by 250% compared to 2020; targeting of users in NATO countries increased over 300% in the same period.

Targeting of users in NATO
Russian government-backed attackers have long prioritized NATO targets, but these attacks have intensified since the runup to the war. FROZENLAKE, for example, launched a massive wave of attacks against NATO targets in September 2021, while PUSHCHA's campaigns centered on targets in Poland and Lithuania in 2022. In addition, groups like SUMMIT continue to remain focused on NATO targets, and others like COLDRIVER have shifted their focus to European militaries.

In parallel to the phishing campaigns described above, we've seen attackers use their access to shape the information environment. For example, evidence shows that some GRU actors worked together to leak information to hacktivist groups, and we've also observed at least one threat actor, COLDRIVER, use their access for a hack-and-leak operation targeting the United Kingdom.

At Google, we continue to disrupt campaigns from government-backed attackers. Once we identify malicious websites and domains, we add them to Safe Browsing to protect users from further exploitation. Where appropriate, we also notify Gmail and Workspace users that they were targeted by government-backed attackers. For additional protections, we recommend that users enable Google Account Level Enhanced Safe Browsing and update their devices with the latest software.
Destructive cyber attacks targeting Ukraine
Russian government-backed actors used destructive malware, commonly called "wipers" because they destroy data, to target Ukraine in 2015, 2016 and 2017. The NotPetya attack in 2017 caused billions of dollars of damage globally. As a result, many experts anticipated similar attacks during the war and that the effects would spill over outside Ukraine, which largely did not happen in 2022 [1].

From its incident response work, Mandiant observed more destructive cyberattacks in Ukraine during the first four months of 2022 than in the previous eight years, with attacks peaking around the start of the invasion. Mandiant observed at least six unique wipers, some of these having multiple variants. While the destructive cyberattacks did achieve significant and widespread disruption initially in some Ukrainian networks, they were likely not as impactful as previous Russian cyberattacks in Ukraine. To conduct the initial waves of destructive activity, Russian actors often employed accesses gained months before, which were often lost as the attack was remediated. The willingness to prioritize destructive attacks at the cost of persistent access indicates their importance to Russia's overall strategy in Ukraine, or the lack of operational preparation that could have sustained some persistent accesses while burning others during destructive activity.

While Mandiant saw significant activity after that period, the pace of attacks slowed and appeared less coordinated than the initial wave in February 2022. Destructive attacks often occurred more quickly after the attacker gained or regained access, often via compromised edge infrastructure. Many operations indicated an attempt by the GRU to balance competing priorities of access, collection and disruption throughout each phase of activity.

Five phases of Russian cyber operations during the 2022 war in Ukraine (January to December 2022; target industries: government, telecom, financial, media, energy; some malware families as reported by ESET)
Phase I, Strategic cyber espionage and pre-positioning (2019 to January 2022): SHADYLOOK, PAYWIPE, SKYFALL
Phase II, Initial destructive cyber operations and military invasion (February to April 2022): PARTYTICKET, NEARMISS, NEARTWIST, SDELETE, JUNKMAIL, INDUSTROYER V2, CADDYWIPER, SOLOSHRED, AWFULSHRED
Phase III, Sustained targeting and attacks (May to July 2022), and Phase IV, Maintaining footholds for strategic advantage (August to September 2022): repeated CADDYWIPER deployments, with PARTYTICKET also shown in this period
Phase V, Renewed campaign of disruptive attacks (October to December 2022): CADDYWIPER, DHARMA, PRESSTEA, RANSOMBOGGS

[1] One exception was the cyber attack against the Viasat KA-SAT network hours before the Russian invasion, which resulted in a partial interruption of KA-SAT's satellite broadband service. The governments of the UK and US attributed the attack to Russia, conducted in order to "disrupt Ukrainian command and control during the invasion". The incident also impacted tens of thousands of other fixed broadband customers across Europe, and German energy company Enercon said a "massive disruption" of satellite connections in Europe affected the operations of 5,800 wind turbines in central Europe.

Threat Actor Deep Dive: FROZENBARENTS
The GRU's most versatile operators do it all
Aliases: Sandworm, Voodoo Bear, IRIDIUM
Attribution: Russian Armed Forces' Main Directorate of the General Staff (GRU)
Overview: Active since at least 2009. Primarily conducts cyberespionage, destructive attacks and IO. Has previously focused on Ukraine and works closely with the GRU-associated group FROZENLAKE.
Key campaigns: 2015 and 2016, Ukraine energy sector; 2017, French elections and NotPetya; 2018, Olympic Destroyer attacks against the Winter Olympic Games and the operation against the Organization for the Prohibition of Chemical Weapons; attacks against Georgia in 2018 and 2019.
2022 targeting activity (January to December): ongoing credential stealing campaigns; Turkish drone manufacturer; media organizations; GRU actors exploiting the Microsoft Follina vulnerability; GRU actors conducting IO activity; critical infrastructure; large energy provider; defense contractors; suspected FROZENBARENTS ransomware activity in Ukraine and European countries; shipping and trains in Ukraine.

In 2022, FROZENBARENTS served as a vivid example of the overlap between different spheres of cyber activity, conducting campaigns for intelligence collection, destructive network attacks, contributing to information operations, and even using "hack-for-hire" services to secure initial access to some targets. FROZENBARENTS campaigns seem designed to advance Russian strategic objectives and respond to changes in Russian intelligence requirements.

Defense
FROZENBARENTS targeted a Turkish drone manufacturer whose systems were used by Ukraine in the early weeks of the war; Russia subsequently disabled the drones. Other campaigns have targeted sensitive information like Ukrainian military communications and troop movements.

Critical infrastructure
TAG detected multiple credential stealing campaigns targeting critical infrastructure, likely leveraging persistent malware infections such as DarkCrystal RAT. In August, TAG observed FROZENBARENTS targeting a large energy provider in Ukraine. TAG also observed FROZENBARENTS targeting logistics organizations, including shipping and trains, in Ukraine and other European countries.

Media and IO
In June 2022, TAG observed GRU actors including FROZENBARENTS exploit the Microsoft Follina vulnerability, consistent with CERT-UA reporting. The campaign primarily targeted media organizations and used compromised government accounts to send malicious links to Microsoft Office documents hosted on compromised domains.
In the IO space, FROZENBARENTS created and disseminated news content, including stories published on their own Substack blog. This content included conspiracies about Western biological weapons labs in Ukraine. The group also appears to be soliciting contributions to a GRU-controlled Telegram channel distributing pro-Russian content.

Threat Actor Deep Dive: FROZENLAKE
Focused on credential phishing campaigns
Aliases: APT28, SOFACY, Fancy Bear, Strontium, Sednit
Attribution: Russia (GRU)
Overview: Active since at least 2004, FROZENLAKE conducts cyberespionage against a broad range of targets including governments, military, technology, NGOs, media, democracy and civil society. The group has built and deployed a custom credential phishing framework and multiple custom implants over the years.
Key campaigns: 2016, compromising the US Democratic National Committee during the 2016 US national elections; 2014 to 2018, indicted for intrusions against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory and other organizations.
2022 targeting activity (January to December): credential phishing campaigns targeting ukr.net and gov.ua users; multiple destructive attacks against Ukraine; Blogspot domains in credential phishing campaigns; targeted Ukrainian organizations with a new variant of malware to steal credentials; exploited the Microsoft Follina vulnerability to target Ukrainian organizations; Ukrainian media company; reports that FROZENLAKE is collaborating with hacktivist groups.

Throughout the war, FROZENLAKE conducted widespread phishing campaigns to collect information to provide political and military advantage, and relied on opportunistic access through historical compromise to conduct destructive cyber attacks and IO.

Credential harvesting
In March 2022, TAG reported several large credential phishing campaigns targeting users of ukr.net, a popular email account provider in Ukraine. The phishing emails were sent from a large number of non-Google compromised accounts and included links to attacker-controlled domains. In two other campaigns, the attackers used newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. Google disrupted this activity, taking down all detected Blogspot domains. This activity resurfaced in late 2022: TAG detected multiple credential campaigns primarily targeting ukr.net users, but also gov.ua accounts.

In May 2022, TAG observed FROZENLAKE targeting users in Ukraine with a new variant of malware. The malware, distributed via email attachments inside of password protected zip files (e.g. ua_report.zip), is a .NET executable that steals cookies and saved passwords from Chrome, Edge and Firefox browsers. The data is then exfiltrated to a compromised email account.

Our analysis of FROZENLAKE activity suggests that GRU or other Russian Intelligence Services may be coordinating with "hacktivist" groups to shape the information environment. Mandiant discovered FROZENLAKE tools on the networks of Ukrainian victims of wiper malware whose data was quickly leaked by the "hacktivists", as well as other indicators of inauthentic activity by the moderators and similarities to previous GRU information operations.

Figure 4: Example of FROZENLAKE credential phishing page.
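The password-protected archive delivery described above (a zip such as ua_report.zip carrying a .NET executable) can be flagged at a mail gateway without opening the archive, because the ZIP central directory exposes entry names and the "encrypted" flag in the clear. The following Python is an added example written for this page; it is not code from the report, from Google or from the malware. The message, its addresses, and the dummy "MZ" payload are constructed here for illustration, and the encrypted flag is simulated by setting the flag bit, since the standard library cannot write password-protected archives.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Entry names that should not arrive inside a mailed archive from an unknown sender.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}


def _zip_bytes(name: str, content: bytes, password_protected: bool) -> bytes:
    """Build a one-entry zip in memory. zipfile cannot write encrypted archives, so a
    password-protected sample is simulated by setting bit 0 ("encrypted") of the
    general-purpose flags in the local file header (offset 6) and the central
    directory header (offset 8), which is exactly what a real encrypted archive
    advertises to any reader that lists its contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if password_protected:
        data[data.find(b"PK\x03\x04") + 6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


def build_sample_eml(malicious: bool = True) -> bytes:
    """Constructed sample messages with hypothetical addresses. The malicious one mimics
    the lure pattern: a password-protected zip whose only entry is an executable. The
    payload is the PE 'MZ' magic plus padding, not a real binary."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "recipient@example.org"
    if malicious:
        msg["Subject"] = "Report"
        msg.set_content("Password: 1234")
        blob = _zip_bytes("ua_report.exe", b"MZ" + b"\x00" * 62, True)
        msg.add_attachment(blob, maintype="application", subtype="zip", filename="ua_report.zip")
    else:
        msg["Subject"] = "Minutes"
        msg.set_content("Attached as discussed.")
        blob = _zip_bytes("minutes.txt", b"Meeting notes", False)
        msg.add_attachment(blob, maintype="application", subtype="zip", filename="minutes.zip")
    return msg.as_bytes()


def scan_message(raw: bytes) -> list:
    """Return one finding per suspicious archive entry: password-protected entries,
    executable names, or PE magic hiding behind a harmless-looking name."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        if not payload or not name.lower().endswith(".zip"):
            continue
        try:
            zf = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            findings.append({"attachment": name, "entry": None, "reasons": ["unparseable zip"]})
            continue
        for info in zf.infolist():
            reasons = []
            encrypted = bool(info.flag_bits & 0x01)  # visible without the password
            ext = os.path.splitext(info.filename)[1].lower()
            if encrypted:
                reasons.append("password-protected entry")
            if ext in EXEC_EXT:
                reasons.append(f"executable extension {ext}")
            elif not encrypted and not info.is_dir():
                with zf.open(info) as fh:          # only readable when not encrypted
                    if fh.read(2) == b"MZ":
                        reasons.append("PE magic under a non-executable name")
            if reasons:
                findings.append({"attachment": name, "entry": info.filename, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_message(build_sample_eml()):
        print(hit)
```

The check deliberately never needs the password: entry names and the encryption flag come from the central directory, so a gateway can quarantine the message even though it cannot inspect the payload, which is the whole point of the attacker's password protection.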
Threat Actor Deep Dive: COLDRIVER
Expanded targeting to Ukraine; hack-and-leak campaign targeting the UK
Aliases: Callisto Group, SEABORGIUM, TA446, GOSSAMER BEAR
Attribution: Russia
Overview: Active since at least 2015. Conducts credential phishing campaigns against the defense sector, non-governmental organizations (NGOs), think tanks, higher education and journalists. The group generally targets current or former high profile individuals. COLDRIVER primarily targets NATO countries and shifted to include the Ukrainian government and organizations supporting the war in Ukraine.
2022 targeting activity (January to December): US academic research institute; several US-based NGOs and think tanks; military of a Balkans country; NGO supporting Ukraine; UK policy think tank; Ukraine-based defense contractor; European military; NATO Centre of Excellence; hack-and-leak operation in the UK; three nuclear research laboratories in the US in a credential stealing campaign.

COLDRIVER, a Russian group focused on credential phishing activities, typically targets NATO countries. In 2022, COLDRIVER expanded their credential phishing campaigns to include Ukraine and shifted focus to more government and military-related targets. In addition, COLDRIVER conducted a hack-and-leak campaign targeting the UK in July 2022, the first time we've seen the group do so. COLDRIVER continues to use impersonation accounts to target the personal email addresses of prominent individuals at think tanks and NGOs focused on Ukraine.

Government and military
March 2022 marked the first time TAG observed COLDRIVER campaigns targeting the military of multiple European countries, as well as a NATO Centre of Excellence. In the early stages of the conflict, COLDRIVER shifted their targeting to include multiple Ukrainian defense contractors and government organizations, as well as US-based NGOs, think tanks, government officials, politicians and journalists.

Ukraine-focused thought leaders
As early as February 2022, COLDRIVER targeted a US academic research institute, and the activity continued throughout the year when the group targeted an NGO supporting Ukraine and a UK policy think tank.

US nuclear energy sector
In August and September 2022, around the time the UN sent inspectors to visit Ukraine's Zaporizhzhia nuclear power plant in Russian-controlled territory, COLDRIVER targeted three nuclear research laboratories in the US in a credential stealing campaign. The campaign created fake login pages for each institution and emailed nuclear scientists in an attempt to steal their passwords.

Hack-and-leak
In July 2022, a COLDRIVER phishing campaign targeted the Proton email accounts of several prominent figures in the United Kingdom, and the attackers subsequently leaked information in an attempt to shape public opinion. A website published leaked emails from several leading proponents of Britain's exit from the European Union (Brexit) and suggested that they were secretly making decisions in the UK.

Figure 5: Example COLDRIVER lure focused on Ukraine.

Threat Actor Deep Dive: FROZENVISTA
A new probable GRU actor on the scene
Aliases: UNC2589
Attribution: Russia
Overview: FROZENVISTA is the main actor behind mass phishing campaigns TAG observed targeting Ukraine in April 2021 and January 2022. In addition to mass phishing campaigns delivering malware, the group deployed destructive malware against Ukrainian organizations in January 2022.
2021 targeting activity (January to December): COVID-19 themed phishing campaign; mass phishing campaigns in Ukraine targeting the Ukrainian government and military.

Before the Russian invasion, FROZENVISTA conducted extensive espionage activity in Ukraine, particularly in spring 2021 and early 2022. Beginning on April 6, 2021, just weeks after Russia began massing troops and military equipment on the Ukrainian border, FROZENVISTA sent phishing emails to at least 1,966 unique recipients. Over 80% of the targets were Ukrainian government and military. Among the targets were multiple critical infrastructure operators, including multiple municipal water suppliers and one of Ukraine's largest national oil and gas companies. On April 8, CERT-UA posted a warning about the campaign, reporting that Ukrainian government bodies were targeted en masse with NATO-themed phishing emails that contained links to files with embedded malware.
Ukrainian organizations in January 2022 TAG first observed FROZENVISTA in early 2021 when the group sent COVID-19 phishing emails to pharmaceutical companies and government organizations globally 2 0 2 2 targeting activity j an feb mar apr may From January 5 to February 2 2022 just weeks before Russia’s invasion FROZENVISTA conducted another major phishing campaign in several waves Though smaller in scale the January 2022 campaign targeted many — but not all — of the same organizations as the April 2021 mass phishing waves Of the 396 targets TAG observed one-third were government and military email addresses Deployed destructive malware against Ukrainian Ukrainian government government entities and over a quarter were gmail com addresses Multiple waves of phishing The targets once again included critical infrastruc- targeting Ukraine through ture operators including underground gas storage February and energy sectors facilities electrical networks and municipal health services as well as other strategic targets such as agriculture and internet service providers FROZENVISTA also conducted destructive cyber j un j ul aug s ep oct nov dec attacks in January 2022 Mandiant assesses that this group tracked as UNC2589 deployed the PAYWIPE also known as WHISPERGATE and SHADYLOOK wipers against Ukrainian government entities in what may have been a preliminary strike Additional operations in January and February Eastern European entities 2022 targeting Ukrainian critical infrastructure as well as Ukraine were also likely preliminary strikes contributing to the war effort 22 23 Threat Actor Deep Dive 2 0 2 2 targeting activity j an feb mar apr may j un j ul aug s ep oct nov dec pushcha Aliases UNC1151 Ukraine Polish and government Credential harvesting Attribution Belarus Overview campaign against Ukrainian military Poland Russia and Ukrainian entities Credential harvesting campaign against New malware Lithuania Germany among Credential others phishing against against Ukraine 
Overview: Active since at least 2016, PUSHCHA is a cyberespionage group that has targeted a variety of categories, including journalists, media and politicians, with a focus on Ukraine, Lithuania, Latvia, Poland and Germany. The group has also been linked to an influence campaign, known as "Ghostwriter", that promotes Russian interests.

Drove the 2022 increase in targeting of NATO

While PUSHCHA expanded its traditional targeting to high-risk individuals in Ukraine, the group maintained a high operational tempo against Eastern European users, especially in Poland. PUSHCHA compromised legitimate Polish websites and used them for phishing, often with redirect chains pointing to a handful of previously compromised websites. PUSHCHA seems to compromise websites indiscriminately, including websites associated with different financial, industrial and commercial organizations.

PUSHCHA has maintained a high operational tempo throughout the conflict, with credential phishing campaigns against political and defense-related targets as well as NGOs and organizations assisting Ukrainian refugees. These campaigns have primarily targeted regional webmail providers using browser-in-the-browser phishing on compromised websites.

As the conflict began, TAG observed PUSHCHA conducting credential phishing campaigns against Polish and Ukrainian government and military organizations. The campaign contained links leading to compromised websites where the first-stage phishing page was hosted. Clicking through redirected the target to an attacker-controlled site that collected credentials. PUSHCHA leveraged newly published research to rapidly adopt the "browser-in-the-browser" phishing technique into operations. The technique draws a login page that appears to be on the passport.i.ua domain over the top of the page hosted on the compromised site. Credentials entered in the dialog are posted to an attacker-controlled domain.

Figure 6: Browser-in-the-browser being used in PUSHCHA credential phishing campaigns. Landing pages for credential phishing hosted on compromised sites.
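The chain described above (a lure link on a compromised site whose first-stage page bounces the victim to an attacker-controlled collector, behind a dialog that claims to be passport.i.ua) is the kind of thing an analyst resolves before opening anything in a browser. The Python below is an added example written for this section, not code from the report, from TAG or from PUSHCHA: it follows Location redirects with loop and hop limits, then reports where the lure pointed, where the victim actually lands, and whether the domain a login dialog displays matches the host that really receives the form post. The hostnames, the in-memory response table and the `sample_fetch` stand-in are all constructed for illustration.

```python
"""Resolve a phishing redirect chain offline and compare the lure host with the landing host.

Added example for this report section; not TAG's or PUSHCHA's code. All hostnames, the
response table and the `sample_fetch` stand-in are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # assumption: a legitimate link rarely needs more than a few redirects


@dataclass(frozen=True)
class Hop:
    url: str
    status: int             # HTTP status; 0 marks a redirect loop detected by the resolver
    location: Optional[str]


# Constructed sample: a compromised site (hypothetical name) hosts the first-stage page and
# bounces through a second compromised host to a hypothetical attacker-controlled collector.
SAMPLE_RESPONSES = {
    "https://legit-pl-example.invalid/news/2022/index.php": (302, "/go?id=7"),
    "https://legit-pl-example.invalid/go?id=7": (302, "https://second-compromised.invalid/wp-content/login.html"),
    "https://second-compromised.invalid/wp-content/login.html": (302, "https://collector.attacker.invalid/auth/"),
    "https://collector.attacker.invalid/auth/": (200, None),
}


def sample_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Stand-in for an HTTP client; returns (status, Location header) without touching the network."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def follow_chain(start_url: str, fetch: Callable[[str], Tuple[int, Optional[str]]],
                 max_hops: int = MAX_HOPS) -> List[Hop]:
    """Follow 3xx Location redirects from start_url.

    Stops at the first non-redirect response, when a URL repeats (loop), or after
    max_hops responses, so a hostile chain cannot keep the resolver busy forever.
    """
    chain: List[Hop] = []
    seen = set()
    url = start_url
    while len(chain) < max_hops:
        if url in seen:
            chain.append(Hop(url, 0, None))
            break
        seen.add(url)
        status, location = fetch(url)
        chain.append(Hop(url, status, location))
        if not (300 <= status < 400 and location):
            break
        url = urljoin(url, location)  # relative Location values resolve against the current URL
    return chain


def chain_hosts(chain: List[Hop]) -> List[str]:
    return [urlsplit(h.url).hostname or "" for h in chain]


def triage(start_url, fetch, displayed_host=None):
    """Summarize a chain: where the lure pointed, where the victim actually lands, and
    whether the domain shown in a login dialog (e.g. a browser-in-the-browser window)
    matches the host that really receives the form post."""
    chain = follow_chain(start_url, fetch)
    hosts = chain_hosts(chain)
    return {
        "hops": len(chain),
        "lure_host": hosts[0],
        "landing_host": hosts[-1],
        "distinct_hosts": sorted(set(hosts)),
        "cross_host": hosts[0] != hosts[-1],
        "display_mismatch": None if displayed_host is None else displayed_host.lower() != hosts[-1].lower(),
        "loop": chain[-1].status == 0,
        "truncated": 300 <= chain[-1].status < 400,  # hop budget exhausted while still redirecting
    }


if __name__ == "__main__":
    print(triage("https://legit-pl-example.invalid/news/2022/index.php", sample_fetch, "passport.i.ua"))
```

To use this against live infrastructure, swap `sample_fetch` for a HEAD/GET that returns the status and Location header from an isolated egress, and treat `cross_host` together with `display_mismatch` as the signal: a login page that shows one domain while the chain terminates on another is exactly what the technique above produces.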
Phishing campaigns targeting NATO countries have increased over 300% compared to 2020, with much of that increase coming from PUSHCHA, a Belarusian government-backed attacker closely aligned with Russia.

Threat Actor Deep Dive: SUMMIT
One of the oldest threat actors keeps their NATO focus
Aliases: Turla Team, Snake, Uroburos, VENOMOUS BEAR
Attribution: Russian Federal Security Service (FSB)
Overview: Active since at least 2006, primarily targeting military, defense and government-related entities, but has also targeted media organizations, healthcare and NGOs, amongst others. The majority of these targets are located in Europe, the Middle East, Central Asia and the US. In one of their most prominent campaigns, in 2008, they targeted the US military with a large-scale campaign using spyware known as Agent.BTZ. The group is highly sophisticated and focuses on data theft.
2022 targeting activity (timeline): campaigns against the Baltics targeting defense and cybersecurity organizations in the region; July: Android-related malware on a domain spoofing the Ukrainian Azov Regiment; September: infected selected users in Ukraine using Andromeda, a malware spread by USB that is popular among financially motivated groups.

SUMMIT continues to direct campaigns against defense and cybersecurity organizations in NATO countries. In early 2022, the group sent emails that contained a unique link to a DOCX file hosted on attacker-controlled infrastructure. Once opened, the DOCX file would attempt to download a unique PNG file from the same attacker-controlled domain.

In July 2022, the group hosted Android apps on a domain spoofing the Ukrainian Azov Regiment. This is the first known instance of SUMMIT distributing Android-related malware. The app is distributed under the guise of performing Denial of Service (DoS) attacks against a set of Russian websites. However, the "DoS" consists only of a single GET request to the target website, which we assess is likely not enough to be effective. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the group and disseminated via links on third-party messaging services. We believe there was no major impact on Android users and that the number of installs was minuscule.
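A DOCX that fetches a PNG from the sender's infrastructure when opened, as in the SUMMIT lure above, declares that fetch inside the document's relationship parts rather than in any visible text, so the outbound request (and the per-recipient URL it carries) can be found without opening the file in Word. The Python below is an added example for this section, not TAG's or the group's code: it treats the DOCX as the zip it is, lists every relationship marked TargetMode="External" in any *.rels part, and reports the hosts the document will contact. The sample document built by `build_sample_docx` and its URL are constructed here; nothing in it is taken from the actual lure.

```python
"""Enumerate the external resources a DOCX will fetch when opened.

Added example for this report section; not TAG's or SUMMIT's code. It inspects the
OOXML relationship parts (*.rels) inside the DOCX zip, where an externally linked image,
an attached remote template or a hyperlink is declared with TargetMode="External".
The sample document and its URL are constructed for illustration.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def external_targets(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_kind, target) for every External relationship.

    Every *.rels part is scanned, not only word/_rels/document.xml.rels, so relationships
    hanging off headers, footers, settings (attachedTemplate) and embedded parts are covered.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]  # e.g. image, hyperlink, attachedTemplate
                    found.append((name, kind, rel.get("Target", "")))
    return found


def remote_hosts(docx_bytes: bytes) -> List[str]:
    """Distinct http(s) hosts contacted on open; mailto: and file: targets are ignored."""
    hosts = set()
    for _, _, target in external_targets(docx_bytes):
        parts = urlsplit(target)
        if parts.scheme in ("http", "https") and parts.hostname:
            hosts.add(parts.hostname.lower())
    return sorted(hosts)


def build_sample_docx(image_url: Optional[str]) -> bytes:
    """Constructed minimal DOCX. With image_url set, word/document.xml's relationships carry
    one externally linked image (a real lure references it from <a:blip r:link="rId1"/>);
    with None, the document has only internal relationships."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    root_rels = (
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/>'
        '</Relationships>'
    )
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>constructed sample</w:t></w:r></w:p></w:body></w:document>'
    )
    rels = [f'<Relationship Id="rId2" Type="{OFFICE_REL}/styles" Target="styles.xml"/>']
    if image_url is not None:
        target = escape(image_url, {'"': "&quot;"})
        rels.append(f'<Relationship Id="rId1" Type="{OFFICE_REL}/image" Target="{target}" TargetMode="External"/>')
    document_rels = f'<Relationships xmlns="{PKG_REL_NS}">' + "".join(rels) + "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("https://cdn-example.invalid/u/7f3a.png")
    for part, kind, target in external_targets(sample):
        print(f"{part}: {kind} -> {target}")
    print("hosts contacted on open:", remote_hosts(sample))
```

Run `external_targets` over the bytes of a suspicious attachment from a sandbox; a unique path component in the target is the per-recipient tracking the report describes, and the host list is what to block and to search for in proxy logs.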
The war shifts Chinese cyberespionage priorities

The war caused Chinese government-backed attackers to shift their focus towards Ukrainian and Western European targets to gather information on the conflict.

CURIOUS GORGE
Alias: UNC3742
Attribution: People's Liberation Army Strategic Support Force (PLA SSF)
In May 2022, CURIOUS GORGE, a group TAG attributes to the PLA SSF, shifted from long-running campaigns against Russia and Mongolia to targeting Ukrainian government organizations at the national and regional levels. As the war continued, CURIOUS GORGE continued to target government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company. This targeting continued through December 2022.

BASIN
Aliases: Temp.Hex, Mustang Panda
Through 2021 and early 2022, BASIN expanded its operational focus, traditionally on APAC, to include targeting Ukrainian and NATO governments. BASIN targeted European entities with lures related to the Ukrainian invasion, including malicious attachments with file names such as "Situation at the EU borders with Ukraine.zip". The targeting of European organizations continued through December and represents a shift from BASIN's primary Southeast Asian targets.

Section 2: Information Operations
Moscow leverages full spectrum of information operations to shape public perception of war

We've seen significant changes in the information landscape as Moscow leverages the full spectrum of information operations, from overt state-backed media to covert platforms and accounts, to shape public perception of the war. These operations have
three goals: 1) undermine the Ukrainian government, 2) fracture international support for Ukraine, and 3) maintain domestic support in Russia for the war. We've seen spikes of activity associated with key events in the conflict, such as the buildup, the invasion and the troop mobilization in Russia. At Google, we've worked aggressively across products, teams and regions to counter these activities where they violate our policies and to disrupt overt and covert information operations campaigns, but we continue to encounter relentless attempts to circumvent our detection and enforcement.

Russian IO focused on domestic audiences: The covert Russian IO we've disrupted on Google product surfaces primarily focused on maintaining Russian domestic support for the war in Ukraine, with spikes of IO activity occurring during the initial buildup, the invasion and the troop mobilization in Russia.

IO actors using overt and covert methods: Covert messaging and disinformation surrounding Ukraine and the Russian invasion continues to be spread by groups mimicking authentic users and by self-described news entities that covertly tie back to Russian intelligence. Google has disrupted overt and covert IO campaigns on Google product surfaces, while Mandiant observed notable degrees of covert activity on various social media platforms such as Telegram.

Resurgence of hacktivism: The range of actors involved in covert campaigns spans the government-backed actors discussed earlier, dedicated IO actors and ideologically motivated hacktivists. The war has triggered an increase in declared hacktivist activity and a rise in the use of hacktivist tactics, bringing a renewed and sustained prominence to such activity.

Russian intelligence connection to hacktivists: Investigation of covert IO activity surrounding the war included the identification of "hacktivist" groups suspected to be tied to Russian intelligence services, raising the concern that these and others may be functioning as cutouts, a longstanding Russian IO tactic. Such activity is one component of a pattern of concurrent disruptive attacks, espionage and information operations that we have observed, likely the first instance of all three being conducted simultaneously by state actors in a conventional war.

Figure: Google disrupted over 1,950 instances of Russian IO activity on our platforms in 2022. Monthly counts of terminated instances, attributed to the IRA, KRYMSKYBRIDGE, News Front, ANNA News, UKR Leaks and actors tied to the GRU; the largest monthly total shown is 790, attributed to the IRA, KRYMSKYBRIDGE and others.

Responding to the information quality threat from Russian state media

The Google Trust & Safety team's response to the conflict in Ukraine is part of its larger mission to safeguard Google products against abuse and provide trusted and safe experiences for all users.

In addition to using covert IO in their attempt to manage the narrative about the war, Russia has used its overt state media apparatus and network of Kremlin-aligned publishers to target the same audiences with the same disinformation narratives. Some of the key narrative themes Google Trust & Safety has observed include claims that the conflict in Ukraine is a result of a planned "Great Reset", that Russia is acting in self-defense against Ukraine to "de-Nazify" the Ukrainian government and liberate the Donbass, that the US is operating biolaboratories in Ukraine and around the world for the purposes of generating biological weapons, that Ukraine's military is using civilians as human shields during combat, and that the rise in energy and food prices following

In response to this threat to information quality, Google announced measures in March to indefinitely pause monetization and globally block recommendations for Russian state media across our platforms. Trust & Safety has applied these measures to hundreds of sites, including the sites of outlets like RT and Sputnik. Russian state media has reacted to the measures against them with tactics more commonly associated with their covert IO campaigns. Google Trust & Safety has observed repeated attempts by RT and other outlets to circumvent these actions by creating a large number of duplicate copies of their sites on new domains, and has applied the same actions to these duplicates when detected.

Protecting Information Quality: Google announced extraordinary measures to indefinitely pause monetization and globally block recommendations for Russian state media across our platforms.

IO Threat Actor Overview

Commercial entities conducting covert IO on behalf of state clients: The IRA and KRYMSKYBRIDGE account for an overwhelming majority of Google takedowns in 2022 due to their higher-volume commenting campaigns on YouTube focused on maintaining support in Russia for the war.

Internet Research Agency (IRA)
Overview: Troll farm involved in election interference during the 2016 US elections.
Targets: Domestic Russian audience; foreign audience.
Content languages on Google surfaces: Russian.
Google enforcement in 2022: 814 instances.

KRYMSKYBRIDGE
Overview: Russian consulting firm that works with the Russian government.
Targets: Domestic Russian audience.
Content languages on Google surfaces: Russian.
Google enforcement in 2022: 987 instances.

Self-described news entities affiliated with Russian intelligence agencies (VENTBRIDGE, News Front, ANNA News, UKR Leaks)
Targets: Domestic Russian audience; foreign audience.
Content languages on Google surfaces: Russian, French, Ukrainian, Arabic, Bulgarian, Chinese, English, German.
Google enforcement in 2022: 45 instances.

Narratives across these actors, pro-Russian: Russian President Vladimir Putin; the Russian military; Russia's actions in Ukraine; Russia's 2014 invasion of Crimea; the Wagner Group's activity in Ukraine; Russia's recognition of Ukrainian separatist regions; separatist movements in the disputed regions of Ukraine.
Narratives across these actors, anti-Ukrainian: the West; Ukrainian President Volodymyr Zelensky; Ukraine's government; Ukrainian politicians; Ukraine's handling of the COVID-19 pandemic; the US; NATO; pro-Western Ukrainians; the Ukrainian military.

Over the last five years, TAG has tracked a series of self-described news entities that covertly tie back to Russian intelligence, such as the Crimea-focused News Front, ANNA News and UKR Leaks. As Google has taken them down, these entities have tried to circumvent Google policy enforcement by setting up mirror blog sites, having their journalists set up personal channels to re-upload videos, and creating new channels with different spellings and variations. Narratives we saw from these actors included Russia saving Ukraine from Nazis, that the US and NATO were instigators of the conflict, and that Russia was not afraid of or affected by sanctions.

Figure: Instances of activity terminated on our platforms (e.g. YouTube channels, blogs, AdSense accounts).

Disrupting Russian IO on Google product surfaces

TAG's research and rigorous analysis enables Google teams to make enforcement decisions and to disrupt coordinated IO campaigns. TAG, YouTube and Google Trust & Safety track and regularly disable accounts associated with coordinated IO posting content and commenting. Examples of this enforcement include disruption of YouTube channels, blogs, AdSense accounts and domains removed from Google News surfaces, as we report on a quarterly basis in the TAG Bulletin.

While Russian IO campaigns have three primary focuses, the Russian covert IO we've disrupted on Google product surfaces primarily focuses on maintaining Russian domestic support for the war in Ukraine. The audience appears to be Russian-speaking individuals, as over 90% of the 1,956 instances we disabled for Russian-attributed IO activity were in Russian.

Figure 7: Content language of Russian IO in 2022: Russian-language content 93.1%; other languages 6.9% (Arabic, Bulgarian, Chinese, English, French, Georgian, German, Turkish, Ukrainian).

These coordinated IO campaigns either try to impersonate legitimate user engagement or act as self-described news entities. In the first case, content from the Internet Research Agency (IRA) and a Russian consulting firm we track as KRYMSKYBRIDGE created content on Google products such as YouTube, including commenting on and upvoting each other's videos. In the second case, self-described news entities affiliated with Russian intelligence services, such as ANNA News, News Front and UKR Leaks, published and promoted content.

Since the invasion, the groups tracked by TAG have become moderately more active. However, the focus of the narratives of the IO campaigns shifted. Instead of the previous focus on Russian domestic issues, the focus has shifted prominently to topics associated with Ukraine, either denigrating the Ukrainian government or praising Russian soldiers and actions in Ukraine.

Threat Actor Deep Dive: Internet Research Agency (IRA) and affiliates
Shoring up support in Russia for the war, praising Wagner Group
Attribution: The group is financed by Russian oligarch Yevgeny Prigozhin.
Overview: Focused on both domestic Russian and foreign audiences, the IRA is best known for its involvement in election interference during the 2016 US elections. The group has focused on narratives supportive of Russia and Prigozhin's Wagner Group and critical of Ukraine and the West, as well as local politicians. Its campaigns leverage cross-border local media brands, NGOs and PR firms created by Russian shell companies and freelancers to distance themselves from their content. Domestically focused campaigns primarily leverage YouTube and Blogger.

Best known for their information operations that sought to sway public opinion during the 2016 US presidential election, the IRA has evolved significantly. Since the invasion of Ukraine, we have seen the domestically focused cluster of IRA-related activity shift from a range of domestic Russian political issues to focus almost exclusively on Ukraine and mobilization. Several campaigns also promoted the business interests of Russian oligarch Yevgeny Prigozhin, the financier of the IRA, and a propaganda film related to Ukraine.

Russian domestic focused IO: Google regularly disrupts activity by IRA-linked accounts targeting Russian domestic audiences. These are often clusters of related accounts that create YouTube channels, upload videos, and comment on and upvote each other's videos. The activity occurs during Russian work hours, with narratives focused on Russian domestic issues and typically targeting political dissidents. Increasingly, Google disrupts Russian IO accounts before they gain traction.

More recently, TAG has seen IRA-linked actors create YouTube Shorts. The Shorts are crafted for a Russian domestic audience, praising Russian soldiers in Ukraine and seeking to lift their morale. The vast majority of this content has garnered no views on YouTube. TAG also observed IRA-linked accounts publish coordinated narratives on Blogger and then mirror the same content on the Ukrainian blogging platform Hashtap. In some cases, multiple profiles published very similar or near-identical content. Narratives in the blogs focused on Russian domestic affairs and stories smearing anti-corruption activist Alexei Navalny and other opposition politicians.

Figure 8 (left): Russian video title reads "Correctly says #Putin #special operation #we don't leave our own #Ukraine #war #warUkraine #denazification". Figure 9 (right): The video title reads "PMC Wagner against the Armed Forces of Ukraine" in Russian.

Amplifying Prigozhin propaganda film on Ukraine: Prigozhin has funded several movies through a partial ownership stake in the film company Aurum LLC. These movies have high production value and communicate narratives portraying Russia, especially the Russian military and mercenaries, in a positive light. In 2021 they released "Солнцепёк" ("Sunlight" or "Blazing Sun" in English), which takes place in eastern Ukraine and claims to be a story based on true events from 2014 of Russian mercenaries connected to the paramilitary Wagner Group protecting Russians in Ukraine against Ukrainian forces.

Shortly after Russia's invasion of Ukraine, TAG identified several IRA-affiliated news sites like newinform.com and slovodel.com hosting ads to drive traffic to the videos. The campaign's timing was notable because the subject matter mirrored newly topical real-world events in Ukraine in a way that portrayed Russia positively. Google terminated nine new IRA-linked accounts using Ads to advertise the film and 44 new IRA-linked YouTube channels hosting clips, the full-length film and related comments. Some accounts claimed to be officially affiliated with the film while others presented themselves as fan accounts.

Figure 10: IRA placing an ad on IRA-controlled news sites to drive traffic to the videos.

This campaign highlights the dual purpose of a number of IRA-linked efforts: they promote both Russia's interests and Prigozhin's business interests, which are tightly intertwined. In effect, Prigozhin is using IO to promote his mercenary group, which itself is a vehicle for driving Russia's foreign policy agenda in Ukraine and elsewhere.

Threat Actor Deep Dive: KRYMSKYBRIDGE
Russian-language comment brigading
Attribution: A Russian consulting firm that has the Russian government as a client.
Overview: Focused on domestic audiences; uses comment brigading to support narratives supportive of Russia and local Russian politics. Since March 2022, the comments have shifted to include narratives critical of Ukraine.

KRYMSKYBRIDGE accounted for the most takedowns as part of Google's efforts to disrupt Russian IO in 2022. Their usual modus operandi is bulk commenting on YouTube videos, usually on Russian domestic politics. They mainly target the Russian domestic audience, and possibly the Russian diaspora, as their comments are always in Russian. Before the invasion of Ukraine, they rarely strayed from their focus on Russian domestic issues. Since early March 2022, however, they have shifted entirely to narratives related to Ukraine.

Disruptive and destructive attacks combined with IO
Hacktivists or Faketivists? Resurgent "hacktivists" conduct DDoS and leaks

The war has triggered a rise of hacktivism and the use of hacktivist tactics, bringing a renewed and sustained prominence to such activity. Notably, this includes multiple groups suspected to be tied to Russian intelligence services, raising the concern that these and others may be functioning as cutouts, a known Russian IO tactic. Mandiant identified evidence connecting the moderators of these groups to the Russian state, including timeline analysis of intrusions and leaks from Ukrainian organizations. Mandiant has also identified limited links between XakNet Team and the pro-Russia so-called "hacktivist" group KillNet, and we assess with moderate confidence that XakNet and KillNet have directly coordinated some of their activity. However, we note that the two groups appear to conduct aligned but separate missions based on the observed activity claimed by each of the "hacktivist" groups. Public disputes between the two groups suggest the groups actually may be separate entities.

Formed shortly before the onset of the Russia-Ukraine war in late February 2022, KillNet is a self-proclaimed pro-Russia hacktivist collective that has claimed DDoS attacks and other compromises primarily against several European countries, NATO members and, more recently, the US. Although aligned with Russian government priorities, Mandiant has not yet uncovered direct evidence linking KillNet to Russian intelligence.

While most of the activity from these "hacktivist" actors was in the form of DDoS attacks, they also engaged in data leaks, including sharing the personally identifiable information (PII) of Ukrainian military and government employees and anyone who opposed the invasion of Ukraine, as well as data from numerous Ukrainian organizations that Russian government-backed attackers compromised and wiped. Mandiant assesses with moderate confidence that threat actors operating the Telegram channels XakNet Team, Infoccentr and CyberArmyofRussia_Reborn are coordinating their operations with GRU-sponsored FROZENLAKE (APT28).

Figure: Suspected false hacktivist fronts leaked data likely stolen from APT28 wiper victims. Fronts leaked data from wiper victims within 24 hours after a destructive attack on at least 4 occasions. Wiper
incidents since February 2022: 38. Identified data leaks: 16. Technical artifact from APT28 intrusion included in XakNet data leak.

Destructive malware attacks crossover with IO

During the war, we have observed a pattern of concurrent disruptive attacks, espionage and IO, likely the first instance of all three being conducted simultaneously by state actors in a conventional war. In a prominent example, in March 2022 Mandiant observed wiper activity coinciding with an active IO campaign at the media outlet Ukraine 24 (Ukrainian: Україна 24). On March 16, an information operation targeting Ukraine promoted a fabricated message alleging Ukraine's surrender to Russia via the suspected compromise and defacement of the Ukraine 24 website and of the news ticker in a Ukraine 24 TV broadcast with a written message. The message was also delivered through an artificial intelligence (AI)-generated "deepfake" video impersonating Ukrainian President Zelensky delivering that same text. On the same day, Mandiant identified a wiper targeting a Ukrainian organization. The malware was configured via a scheduled task to execute approximately three hours before Zelensky was scheduled to deliver a speech to the US Congress.

In May 2022, Mandiant observed a Ukrainian local government organization which was the target of a destructive wiper attack. In addition to the wiper attack, the organization also suffered a data leak event during which documents from its network were released onto Telegram.
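The wiper above was staged through a scheduled task whose fire time was chosen against a public event. Task Scheduler definitions (the XML that Security event 4698 logs in its TaskContent field, or that `schtasks /query /xml` exports) carry the trigger time, the binary and the principal, which is enough both to hunt for one-shot tasks launching from user-writable paths and to line a task's fire time up against an incident timeline. The Python below is an added example for this section, not Mandiant's or TAG's code, and it does not reproduce the actual task: the two task definitions, the path and binary heuristics, and the reference time used in the demo are all constructed here.

```python
"""Triage Windows scheduled-task definitions for one-shot, time-triggered executions.

Added example for this report section; not Mandiant's or TAG's code, and it does not
reproduce the wiper's actual task. The XML is the Task Scheduler schema that appears in
Security event 4698 (TaskContent) and in `schtasks /query /xml` output; the two task
definitions below are constructed samples, and the reference time in the demo is an
arbitrary value, not the speech time.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Dict, List, Optional

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
# Assumption: binaries launched from these locations deserve a look; tune the list to the estate.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public|Windows\\Tasks)\\", re.I)
LOLBIN = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|cmd)(\.exe)?\b", re.I)
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}


def _q(tag: str) -> str:
    return f"{{{TASK_NS}}}{tag}"


def parse_task(task_xml: str) -> Dict:
    """Extract triggers, actions and principal from a Task XML document."""
    # Exported tasks declare encoding="UTF-16"; once decoded to str the declaration is stale, so drop it.
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml)
    root = ET.fromstring(task_xml)
    triggers = []
    trigger_parent = root.find(_q("Triggers"))
    if trigger_parent is not None:
        for trig in trigger_parent:
            triggers.append({
                "kind": trig.tag.rsplit("}", 1)[-1],  # TimeTrigger, CalendarTrigger, LogonTrigger, ...
                "start": trig.findtext(_q("StartBoundary")),
                "repeats": trig.find(_q("Repetition")) is not None,
            })
    actions = [(ex.findtext(_q("Command"), "").strip(), ex.findtext(_q("Arguments"), "").strip())
               for ex in root.iter(_q("Exec"))]
    principal = root.find(f"{_q('Principals')}/{_q('Principal')}")
    return {
        "triggers": triggers,
        "actions": actions,
        "user": (principal.findtext(_q("UserId"), "") if principal is not None else "").strip(),
        "run_level": (principal.findtext(_q("RunLevel"), "") if principal is not None else "").strip(),
    }


def one_shot_time(task: Dict) -> Optional[datetime]:
    """StartBoundary of the task's only trigger when it is a non-repeating TimeTrigger,
    i.e. a task built to fire exactly once."""
    times = [t["start"] for t in task["triggers"]
             if t["kind"] == "TimeTrigger" and t["start"] and not t["repeats"]]
    if len(task["triggers"]) == 1 and times:
        return datetime.fromisoformat(times[0])
    return None


def findings(task: Dict) -> List[str]:
    """Heuristic flags; an empty list means none of these four fired, not that the task is benign."""
    out = []
    commands = [c for c, _ in task["actions"]]
    if any(USER_WRITABLE.search(c) for c in commands):
        out.append("executes from a user-writable path")
    if any(LOLBIN.search(c) for c in commands):
        out.append("launches a script host or living-off-the-land binary")
    if one_shot_time(task) is not None:
        out.append("single time-based trigger (one-shot execution)")
    if task["user"].upper() in SYSTEM_IDS or task["run_level"] == "HighestAvailable":
        out.append("runs elevated")
    return out


def lead_time_hours(task: Dict, reference_iso: str) -> Optional[float]:
    """Hours between the one-shot fire time and a reference event (ISO 8601), for timeline
    correlation. Both values are compared as given; normalize to UTC on real data."""
    fire = one_shot_time(task)
    return None if fire is None else (datetime.fromisoformat(reference_iso) - fire).total_seconds() / 3600


# Constructed sample: one-shot TimeTrigger, SYSTEM principal, binary under ProgramData.
SUSPICIOUS_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2022-03-16T14:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\ProgramData\\svchost.exe</Command><Arguments>-run</Arguments></Exec></Actions>
</Task>"""

# Constructed sample: daily vendor updater under Program Files, least privilege.
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2022-01-01T09:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-32-545</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    task = parse_task(SUSPICIOUS_TASK)
    print(findings(task))
    print("fires", lead_time_hours(task, "2022-03-16T17:00:00"), "hours before the reference event")
```

On a real estate, feed `parse_task` the TaskContent of each 4698 event (or the output of `schtasks /query /xml /tn <task>`) and review everything where `findings` is non-empty; `lead_time_hours` is for the timeline step, placing a task's fire time against the event an operator appears to have synchronized with.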
Figure 11: Screenshots from an artificial intelligence (AI)-generated "deepfake" video of Zelensky stating that Ukraine would surrender to Russia.

Section 3: Cybercrime
War has split the loyalties of financially motivated attackers

Lines are blurring between financially motivated and government-backed attackers in Eastern Europe, with threat actors changing their targeting to align with regional geopolitical interests and government-backed attackers adopting some tactics and services associated with financially motivated actors.

Cybercrime splits along political lines: The cybercriminal ecosystem has been disrupted, with some groups declaring political allegiances, others splitting on geopolitical lines and prominent operators shutting down. The taboo against attacking Russia has softened.

Rapid evolution of TTPs: Ransomware actors increasingly specialize in one part of the attack chain and rapidly adopt novel TTPs. In some cases, the targets and tactics of financially motivated actors look more like those of government-backed attackers.

Projections of ransomware retaliation largely unrealized: We did not see an uptick in reported ransomware attacks against critical infrastructure in the US and NATO countries in 2022, as might have been expected after declarations early in the conflict and the prior wave of such attacks in 2021.

"...the ransomware ecosystem is not immune from geopolitical developments"

For example, the stealer malware Raccoon suspended activity after its suspected developer fled the Russian invasion of Ukraine; he is awaiting extradition to the US for prosecution after his arrest in the Netherlands. At the time of the invasion, the prominent Conti ransomware group splintered along political and geographical lines. Conti declared its support of Russia and threatened to strike the critical infrastructure of nations that took action against Russia. Rather than an increase in attacks on critical infrastructure, the announcement led to internal divisions within Conti, leaks of the group's internal communications and source code, and the eventual shutdown of the group.

In a shift, there has been an increase in reported ransomware attacks in Russia. Before February 2022, ransomware creators used techniques to avoid targeting the Commonwealth of Independent States, including hard-coding country names and
checking the system language. After the invasion, the hacktivist group NB65 used leaked Conti source code to target Russian organizations. NB65 claims links to the Anonymous hacktivist collective, which conducted an "#OpRussia" campaign including several hack-and-leak operations against Russian organizations such as the Russian Central Bank. In addition, a loose group of international and Ukrainian volunteers dubbed the Ukrainian IT Army has been collaborating with Ukraine's defense ministry to defend Ukraine and to target Russian infrastructure and websites.

Shifts in the ransomware ecosystem: We did not see an uptick in reported ransomware attacks against critical infrastructure in the US and NATO countries in response to the conflict in Ukraine, as might have been expected after declarations of allegiances and of hacktivism early in the conflict. Developments over the last two years may have made critical infrastructure in the West, especially in the US, a less favorable target. One hypothesis is that the US response after the 2021 Colonial Pipeline attack, and the subsequent arrest in Russia of members of the REvil ransomware gang, deterred financially motivated ransomware affiliates in 2022. A second hypothesis is that increased sanctions against Russia in the wake of the war have impacted the willingness of Western organizations to pay ransoms, which by one estimate has led to a 40% drop in profits for ransomware groups. Financially motivated threat actors will likely attempt to modify their tooling or tactics to distance themselves from sanctions imposed on Russia, as they did after the 2019 sanctions on Evil Corp.

Ransomware remains a profitable and competitive underground market. Monetizing access to companies or networks is not a new concept, and initial access brokers existed long before the uptick of targeted ransomware. In recent years, the ecosystem has moved towards specialization, with each participant in the chain focusing on one aspect and interacting with others as business partners. We now see faster experimentation with techniques such as new delivery channels and unconventional file formats to increase the success rate of ransomware campaigns. Increasingly, financially motivated actors borrow successful techniques from other campaigns. Examples include the malware Zloader and IcedID leveraging malvertising, Qakbot and Emotet crafting malicious documents using the same document builder service, and Bumblebee and BazarLoader embedding their payload in ISO files sharing metadata and file structure. These overlaps complicate and slow definitive attribution.

Ransomware continues to be lucrative, but financially motivated threat actors are not immune from geopolitical developments. While ransomware groups continue to be disruptive, the ecosystem itself has been disrupted, with some groups declaring political allegiances and prominent operators shutting down.

Figure 12: UAC-0098 phishing campaigns targeting Ukraine, April to July 2022 (targets split between Ukraine and other countries; y-axis 0 to 6,000). May 19: phishing emails impersonating Starlink and representatives of Elon Musk. May 23: fake Microsoft update campaign targeting a wide range of Ukrainian organizations operating in the technology, retail and government sectors. June 19 to 21: TAG disrupted a campaign with more than 10,000 spam emails impersonating the State Tax Service of Ukraine.

Overlap between financially motivated and government-backed threat actors

TAG also sees tactics closely associated with financially motivated threat actors being deployed in campaigns with targets typically associated with government-backed attackers. In September 2022, TAG reported on a threat actor whose activities overlap with CERT-UA's UAC-0098. UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks. We assess some members of UAC-0098 are former Conti members repurposing their techniques to target Ukraine. In early 2022, the attackers shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations. The group's targeting
wildly varied from European NGOs to less targeted attacks on Ukrainian government entities organizations and individuals Rather uniquely the group demonstrates strong interest in breaching businesses operating in the hospitality industry of Ukraine going as far as launching multiple distinct campaigns against the same hotel chains This overlap of activity is likely to continue throughout the conflict As recently as December 2022 the Ukrainian CERT reported that a tool used by the Cuba ransomware access brokers dubbed ROMCOM was used to target users of the DELTA military system used by Ukraine’s military Former Conti cyber crime gang members targeted Ukrainian public and private organizations and European humanitarian and non-profit organizations 44 45 Conclusion In this report we outlined Russia’s multi-pronged effort to gain a decisive wartime advantage in cyberspace and use information operations to help shape public perception of the war We also discussed the war’s impact on criminal groups and the scale of cybercrime worldwide Based on these observations we point to several broader forward looking assessments for At Google we’ll continue to work around the clock to protect the safety and security of online users and our platforms We’ll also continue to support organizations before during and after security events In addition we’ll continue to track other threat actors the security community for 2023 We assess with high confidence that Russian government-backed attackers will continue to conduct cyber attacks against Ukraine and NATO partners to further Russian strategic objectives We assess with high confidence that Moscow will increase worldwide to ensure they don’t take advantage of the security community’s focus on the war disruptive and destructive attacks in response to developments on the battlefield that fundamentally shift the balance — real or perceived — towards Ukraine e g troop losses new foreign commitments to provide political or military support 
etc These attacks will primarily target Ukraine but increasingly expand to include NATO partners We assess with moderate confidence that Russia will continue to increase the pace and scope of information operations to achieve the objectives described above particularly as we approach key moments like international funding military aid domestic referendums and more What’s less clear is whether these activities will achieve the desired impact or simply harden opposition against Russian aggression over time 46 47 This report includes extensive research from dozens of sources and comes in print and digital versions The digital version contains links to relevant sources