Ukraine accuses Russian spies of hunting for war-crime info on its servers

Russians have shifted tactics in the first half of 2023, with mixed results

The Ukrainian State Service of Special Communications and Information Protection (SSSCIP) has claimed that Russian cyberspies are targeting its servers looking for data about alleged Kremlin-backed war crimes.

According to the analysis, which covers Russia's evolving cyber tactics during the first half of 2023, espionage operations of this sort conducted by military-backed hackers doubled between January and June.

Incidents serious enough to involve the Ukrainian Computer Emergency Response Team now run at about five a day.

"Their primary objectives were to identify which evidence of Russian war crimes and exercise control over potential ground-deployed spies have our law enforcement teams," states the report [PDF], which was released on Monday.

Intruders linked to Russia's Federal Security Service (FSB), Main Intelligence Directorate (GRU), and Foreign Intelligence Service (SVR) also sought out material that could be used in criminal proceedings against Russian spies, other specific individuals, institutions, and organizations "potentially leading to sanctions or other actions," the SSSCIP reports. 

The research is based on data collected by the SSSCIP and was released days after the International Criminal Court confirmed an ongoing "cybersecurity incident" as it investigates suspected war crimes committed by Russia during its illegal invasion of Ukraine.

In addition to attempted break-ins targeting law enforcement, Russian intelligence services were also behind a growing number of attacks against private-sector companies, it's claimed. 

The intent of this is "to leverage cyber capabilities for monitoring the outcomes of their kinetic operations, including missile and drone attacks," according to the report. "Furthermore, these attacks were aimed at scrutinizing the plans of government contractors and supply chain members, as part of Ukraine's proactive measures for future actions."

Now the good news

While the attacks may have doubled, Ukraine says it is fighting back and has drastically reduced its adversaries' success rate.

Ukraine's CERT recorded just 27 "critical" cyber incidents in H1 2023, compared to 144 in the second half of 2022. Similarly, attacks targeting the energy grid decreased over the same period: H2 2022 saw 141 such incidents, 16 of them deemed "critical" with "registered impact," compared to 55 in H1 2023, eight of them marked critical.

Overall, destructive cyberattacks affecting operations fell from 518 to 267.

"The attackers appear to be using less sophisticated tactics, employing a 'spray and pray' approach, while Ukraine's defense of its infrastructure has markedly improved compared to six months ago," the report asserts. 

The most active group so far this year is the FSB's cyber unit Gamaredon, which went from 128 operations across the whole of 2022 to 103 in the first half of 2023 alone, according to the research. The good news: not all of them were successful, and only 11 were ranked critical or high-severity incidents.

Researchers attributed Gamaredon's increased volume of attacks to several factors, which don't necessarily bode well for the rest of the year — or post-war blowback.

"These include an expansion in manpower and team capacity, the infusion of new talent from Russia's abundant pool of skilled individuals, and the mobilization of IT professionals from the private sector to serve in the military," the report states.

Sandworm behind majority of destructive attacks

While Gamaredon has been the most prolific attacker detected this year, the majority of destructive attacks were carried out by the GRU's Sandworm. This includes wiping servers and data storage systems, crashing virtualization systems, disabling networks, and encrypting endpoints.

"During the last six months, they developed new variants of malicious software (there are more than 10 new samples) using legitimate utilities (like SDelete, WinRAR) or built-in features of systems (for example NAS storages)," researchers noted.
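The report quoted above says only that the new wiper variants were built on legitimate utilities such as SDelete and WinRAR; it does not say which switches the attackers used. As an added illustration, not code from the SSSCIP report or from any tool the page describes, the following Python scans constructed process-creation records (using the field names Sysmon Event ID 1 emits) for invocations of those two utilities that would have to appear for them to do damage: a recursive SDelete run against a wildcard or drive-root target, an SDelete free-space wipe, and a WinRAR archive-then-delete-source run. The sample log lines, the field names chosen, and the switch heuristics are all assumptions made for the example.

```python
"""Flag process-creation records where legitimate utilities are invoked in
ways consistent with destructive (wiper-style) use.

Added example, not code from the SSSCIP report. The switches checked are the
tools' documented ones; which switches the attackers actually used is not
stated on the page, so treating these as the destructive signal is an
assumption. Log lines are constructed JSON in Sysmon Event ID 1 field names.
"""
import json
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    tool: str
    reason: str
    cmdline: str


# SDelete: -s recurse into subdirectories; -z zero and -c clean free space.
SDELETE_RECURSE = {"-s"}
SDELETE_FREESPACE = {"-z", "-c"}
# WinRAR: -df delete source files after archiving; -dr delete them to recycle bin.
WINRAR_DELETE_SOURCE = {"-df", "-dr"}


def _basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _broad_target(arg: str) -> bool:
    """True for wildcard targets (C:\\*) or a bare drive root (C:\\ or C:)."""
    stripped = arg.strip('"').rstrip("\\/")
    return "*" in arg or (len(stripped) == 2 and stripped[1] == ":")


def _argv(cmdline: str) -> list:
    # posix=False keeps Windows backslashes literal and keeps quoted paths whole.
    try:
        return [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to naive splitting
        return cmdline.split()


def analyze_event(event: dict) -> list:
    """Return the findings (possibly none) for one process-creation record."""
    findings = []
    tool = _basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    host = event.get("Computer", "?")
    args = [a.lower() for a in _argv(cmdline)[1:]]
    switches = {a for a in args if a.startswith("-")}
    targets = [a for a in args if not a.startswith("-")]

    if tool.startswith("sdelete"):
        if switches & SDELETE_RECURSE and any(_broad_target(t) for t in targets):
            findings.append(Finding(host, tool,
                "recursive secure delete of a wildcard or drive-root target", cmdline))
        if switches & SDELETE_FREESPACE:
            findings.append(Finding(host, tool,
                "free-space wipe (anti-forensic: defeats recovery of deleted data)", cmdline))
    elif tool in ("winrar.exe", "rar.exe"):
        # 'a' is the add-to-archive command; with -df/-dr the originals are removed.
        if args[:1] == ["a"] and switches & WINRAR_DELETE_SOURCE:
            findings.append(Finding(host, tool,
                "archive-then-delete of source files", cmdline))
    return findings


def scan(lines) -> list:
    """Scan JSON-lines records; malformed lines are skipped rather than fatal."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(analyze_event(event))
    return findings


# Constructed sample records (not real telemetry). Backslashes are JSON-escaped.
SAMPLE_LOG = r"""
{"Computer": "ws-01", "Image": "C:\\Tools\\sdelete64.exe", "CommandLine": "sdelete64.exe -accepteula -s -z C:\\*"}
{"Computer": "ws-01", "Image": "C:\\Tools\\sdelete.exe", "CommandLine": "sdelete.exe -accepteula C:\\Users\\jdoe\\Downloads\\draft.docx"}
{"Computer": "fs-02", "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "CommandLine": "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" a -df -r D:\\staging\\out.rar D:\\data\\*"}
{"Computer": "fs-02", "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "CommandLine": "WinRAR.exe x C:\\in\\archive.rar C:\\out\\"}
this line is not JSON and is skipped
{"Computer": "ws-03", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\notes.txt"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.host}: {f.tool}: {f.reason}\n    {f.cmdline}")
```

Only the first and third sample records should fire: the single-file SDelete run and the WinRAR extraction are ordinary administrative use, which is exactly why living-off-the-land wipers are hard to catch on the binary name alone and the command line has to be inspected.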

Just last month, the Five Eyes' security agencies said Sandworm had used an Android malware strain dubbed Infamous Chisel to remotely access Ukrainian soldiers' devices, monitor network traffic, access files, and steal sensitive information.

At last month's Black Hat conference, Jen Easterly, head of the US government's Cybersecurity and Infrastructure Security Agency (CISA), surprised many by describing the current US-Ukrainian computer security relationship as closer over the last year than that with Five Eyes partners.

"What we've been doing together over the past year now, it's probably the closest we've worked – operationally speaking – with any foreign partner in terms of how we're thinking about sharing information with our computer emergency response team and enriched with what we're both getting from the private sector and other national partners," she noted.

Sandworm also frequently targets media outlets for influence operations, the SSSCIP states, and the organization doesn't see this tactic changing anytime soon, as the "use of aggressive propaganda" remains a key part of Russia's approach to cyber warfare.

The new report echoes comments from Ukraine's cybersecurity boss Victor Zhora who, in an August interview with The Register, said his agency has documented a shift from the destructive cyberattacks that hit Ukrainian targets during the latter half of last year to the data collection and cyber espionage attempts that began in 2023.

Zhora also warned that he expects Russia's online attacks against his country to continue long after the physical war ends.

"Russia will continue to be dangerous in cyberspace for quite a long period, at least until a complete change of the political system and change of power in Russia, converting them from an aggressor to a country that should pay back for all they've done in Ukraine and also in other countries," Zhora said. ®
