Microsoft released a timeline of nearly 250 cyber operations from six separate Russian-aligned threat groups since the waning days before Russia began its physical assault. Microsoft also detailed cyber operations dating back almost a year in preparation for the physical attack.
"Threat groups with known or suspected ties to the GRU have continuously developed and used destructive wiper malware or similarly destructive tools on targeted Ukrainian networks at a pace of two to three incidents a week since the eve of invasion," Microsoft wrote in its report. "From Feb. 23 to April 8, we saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine."
Microsoft said that Russian groups known to target Ukraine began a dramatic uptick in those activities in March of 2021, about a year before the late February 2022 physical invasion of the country. The early breaches were "aimed at securing persistent access for strategic and battlefield intelligence collection or to facilitate future destructive attacks," said Microsoft.
In early 2021, as Russia began to assemble troops on the Ukrainian border, Russia began phishing campaigns against Ukrainian interests rallying support for the country. By the middle of the year, Russian groups began laying breaching IT vendors servicing Ukraine and NATO to leverage for supply chain attacks. Throughout 2021, 93% of Russian attempts to breach Microsoft accounts were targeted at NATO member states.
In 2021, Gamaredon targeted Ukrainian military leaders and humanitarian workers. APT 28 targeted defense-related organizations in Ukraine and a then unknown group that would later launch the Whispergate wiper against Ukraine just before the invasion, established access in Ukrainian energy and IT firms that were later targets of attacks. Those groups alongside Turla, Energetic Bear and all would establish persistent footholds in Ukranian "defense, defense industrial base, foreign policy, national and local administration, law enforcement, and humanitarian organizations." Nobellium, the group known for the Solarwinds breaches in late 2020, phished NATO-state targets after beginning the year targeting Ukrainian interests,drumming up support for the country as Russia amassed troups at the boarder.
MIcrosoft noted several instances when kinetic military actions were timed with cyber support. A missile attack on a Kyiv TV tower came a day after the compromise of one Kyiv media company and the same day as widescale destructive attacks on Kyiv media groups. The takeover of the largest nuclear power station in Ukraine came the same time as lateral movement through the networks of energy companies. Russia breached the government networks of Vinnytsia two days before the physically taking the Vinnytsia airport, and a destructive implant was placed on Dnipro government systems the same day as the first rocket strikes against the city. Those were just examples from the first two weeks of the war.
In the report, Microsoft reiterates a warning given by the Cybersecurity and Infrastructure Security Agency at the start of the invasion:
"As the conflict persists and countries provide more military assistance to Ukraine or take more punitive measures against the Russian government, Russian nation state threat actors may be tasked to expand their destructive actions in retaliation against targets outside of Ukraine in retaliation."