The onset of the Russian invasion of Ukraine brought with it a torrent of hacking operations against Ukrainian military and civilian infrastructure. Many attacks in the early stages of the war involved the deployment of destructive malware, most notably a series of destructive wipers, but also other disruptive methods like Distributed Denial of Service (DDoS) attacks and SMS spam.
But for Russian military intelligence agencies like the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (more commonly known as the GRU), destructive hacks must compete with other intelligence-gathering and espionage-minded mandates. In a presentation on Nov. 10 at the CYBERWARCON conference in Arlington, Virginia, a pair of Mandiant researchers outlined how Russian hackers have leveraged "edge IT infrastructure" to do both.
This approach has allowed them to have their cake and eat it, too, avoiding the traditional dilemma malicious hackers usually face between disrupting a target’s IT — something that often sounds the alarm for defenders and leads to loss of tooling or infrastructure — and maintaining access for espionage or follow-up operations.
“When you deploy a wiper operation, you are inherently exposing your assets. You are showing the world that you are on that network and that might lead to remediation. You might have wiped your own access in the process of doing this,” said Gabby Roncone, an analyst at the Google-owned threat intelligence firm Mandiant.
To get around this problem, GRU-linked hackers have been targeting publicly connected assets at the edge of a victim's network, including mail servers, routers, firewalls, VPNs and shadow IT, that offer multiple pathways to compromise while also providing the kind of persistent access that can survive a destructive wiper attack. The fact that many organizations lack visibility over all their connected servers and routers, or have unknown shadow IT assets connected to their network, makes this approach even more effective.
John Wolfram, a senior threat analyst at Mandiant, said these kinds of attacks offer four main benefits to GRU hackers: they’re difficult to detect, hard to defend against, offer easy lateral movement within compromised networks and help them to maintain access.
The approach also lets Russian hackers forgo custom malware, relying instead on commodity tools like Metasploit and on reconfiguring routers to tunnel in and out of networks. It likewise supports the fast-paced tempo Russian hackers have kept up during the war, hitting key strategic targets in Ukraine with destructive or disruptive attacks followed by additional wipers or access and collection operations.
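The two points above, the lack of visibility over edge routers and the reconfiguration of those routers to tunnel in and out, suggest the check a defender would want: a diff of each edge device's running configuration against its last audited baseline, with the kinds of additions an intruder needs (tunnel interfaces, static port-forwards, routes into a tunnel, new privileged accounts, loosened management lines) called out. The following is an added example, not code from Mandiant or from the presentation; the IOS-style configurations, the hostnames, the addresses and the risk rules are all constructed for the illustration.

```python
"""Config-drift check for an edge router: added example, not from the page.

Parses two IOS-style running configs into stanzas, diffs baseline against
current, and flags additions that could give an intruder a path in or out.
Both configs are constructed for the example; the rules are a starting point.
"""
import re
from typing import Dict, List, Tuple

# Constructed baseline: the router as it looked at the last audit.
BASELINE = """\
hostname edge-rtr-1
username admin privilege 15 secret 5 $1$placeholder
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
line vty 0 4
 access-class 10 in
 transport input ssh
"""

# Constructed current config: a GRE tunnel to an outside host, a static
# port-forward to an internal server, a new privilege-15 account and a
# loosened management line have been added (the pattern the text describes).
CURRENT = """\
hostname edge-rtr-1
username admin privilege 15 secret 5 $1$placeholder
username svc_backup privilege 15 secret 5 $1$placeholder2
interface Tunnel100
 ip address 172.31.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
ip nat inside source static tcp 10.10.0.25 445 203.0.113.2 4450
ip route 10.10.0.0 255.255.255.0 Tunnel100 250
line vty 0 4
 transport input ssh telnet
"""

# Regexes over added lines (top-level or child) that warrant a look.
RISK_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^interface Tunnel"), "new tunnel interface: covert path in or out"),
    (re.compile(r"^tunnel destination "), "tunnel endpoint set, check the peer address"),
    (re.compile(r"^ip nat inside source static "), "static port-forward exposes an internal host"),
    (re.compile(r"^ip route .* Tunnel"), "route steering traffic into a tunnel"),
    (re.compile(r"^username .* privilege 15"), "new privileged local account"),
    (re.compile(r"^transport input .*telnet"), "cleartext management enabled"),
]

Finding = Tuple[str, str, str]  # (change, "parent/line", reason)


def parse_stanzas(config: str) -> Dict[str, List[str]]:
    """Group a config into {top-level line: [indented child lines]}."""
    stanzas: Dict[str, List[str]] = {}
    parent = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and comments carry no configuration
        if raw[0].isspace() and parent is not None:
            stanzas[parent].append(raw.strip())
        elif not raw[0].isspace():
            parent = raw.strip()
            stanzas.setdefault(parent, [])
    return stanzas


def diff_stanzas(base: Dict[str, List[str]], cur: Dict[str, List[str]]):
    """Return (added, removed) as (parent, line) pairs; parent is '' at top level."""
    def only_in(a, b):
        out = []
        for key, children in a.items():
            if key not in b:
                out.append(("", key))
                out.extend((key, c) for c in children)
            else:
                out.extend((key, c) for c in children if c not in b[key])
        return out
    return only_in(cur, base), only_in(base, cur)


def find_risky_changes(baseline: str, current: str) -> List[Finding]:
    """Diff the two configs and return the changes that match a risk rule."""
    added, removed = diff_stanzas(parse_stanzas(baseline), parse_stanzas(current))
    findings: List[Finding] = []
    for parent, line in added:
        for pattern, reason in RISK_RULES:
            if pattern.search(line):
                findings.append(("added", f"{parent}/{line}" if parent else line, reason))
    for parent, line in removed:
        if line.startswith("access-class"):  # management ACL dropped from a vty line
            findings.append(("removed", f"{parent}/{line}", "management ACL removed"))
    return findings


if __name__ == "__main__":
    for change, where, reason in find_risky_changes(BASELINE, CURRENT):
        print(f"{change:8} {where:60} {reason}")
```

Run against the constructed pair, the script reports seven changes: the new account, the tunnel interface and its destination, the port-forward, the route into the tunnel, telnet on the management line, and the dropped `access-class`. The rule list is deliberately small; in practice it would be extended per vendor and the baseline taken from a configuration backup the device itself cannot alter, since a router an intruder already controls is not a trustworthy source of its own history.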
“When we talk about how these play out, it’s often pretty fast and not very elaborate for an operator. When you talk about compromising a firewall or an Exchange server, there are multiple [tactics, techniques and procedures] out there that enable you to do that,” said Wolfram.
To illustrate the benefits of this approach, the Mandiant researchers highlighted the fates of two anonymous Ukrainian organizations: one that had initially been compromised in April 2021 through a firewall, and another, discovered days later, that had been infected as far back as 2019 through EMPIRE, a PowerShell post-exploitation tool. While both were hit with wiper attacks in the early stages of the invasion, the victim compromised through its firewall later suffered a second wiper attack delivered through the same access point.
In another instance, Russian hackers used a victim's compromised internal router in similar ways: they regained access multiple times, pivoted to other parts of the network and expanded their foothold using the same methods, even after executing a wiper attack. In tracking these incidents over the course of the war, Roncone said a pattern emerged in which GRU hackers generally seem to favor destructive operations over espionage, but Wolfram noted that the method allows them to pick and choose the type of attack that best meets Russia's larger goals in the war.
"What this shows us is that the GRU was able to maintain access to a network of their specific choosing, launch an attack and have an effect on the network, maintain access despite the wiper operation and launch another wiper operation at a moment of their choosing," Wolfram said.
Despite the volume of hacks, the impact of cyber operations has still mostly taken a backseat to the physical attacks that define the war, and it is not actually clear how much damage Russia has been able to inflict on its opponent through digital means.
"There's no known information that indicates any Russian cyber operation has compromised or destroyed any piece of Ukrainian military equipment, whether Western-provided or otherwise," said Jon Bateman, a senior fellow at the Carnegie Endowment for International Peace, later in the day.
While the hack of satellite telecommunications provider ViaSat at the outset of the war may qualify, Bateman said that at best it "plausibly contributed" to the communication problems the Ukrainian military experienced in the early days of the war, and was not nearly as impactful or widely used as other methods, like jamming and electronic warfare.