Published on 05/08/2022 | Written by Heather Wright
And the Australia and New Zealand impact…
On February 23, 10 hours before Russian tanks rolled across the border into Ukraine and missiles started raining down on the country, Tom Burt witnessed ‘a massive round’ of cyberattacks by Russia against a wide range of government agencies and critical infrastructure companies in Ukraine.
Since then he’s watched the cyberwar playing out, and he’s had a bird’s-eye view of the network penetration and espionage attacks outside of Ukraine – including in Australia – and of Russia’s state-sponsored ‘influence operations’, which have made their presence felt in New Zealand.
“What we saw in Australia and New Zealand is that some of these information operations were very successful.”
Burt is Microsoft’s corporate vice president for customer security and trust, and is Microsoft’s point of contact between its threat context and threat analysis teams and cyber security officials in Ukraine, providing them with threat intelligence and advice on technical countermeasures to help defeat Russia’s destructive malware attacks.
It’s those three aspects – destructive cyber attacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world – that form the basis of the new cyberwar playing out.
“The conflict in Ukraine and the related cyber activity we have seen are strong indicators that the continued advance of nation state cyber activity around the globe is escalating, not de-escalating, and now we have observed it being utilised in the first large-scale hybrid war where both cyber weapons and kinetic weapons are being used strategically in support of an invasion,” Burt told iStart in an exclusive interview.
“In our view this is something that is going to continue and likely evolve.
“The history of conflict unfortunately is that new weapon systems are created and utilised in one war and by the time of the next war they are more widely and much more impactfully utilised.”
Back in January, Microsoft had witnessed several destructive attacks against Ukrainian government agencies. It was the first time Microsoft and others had observed what would become a major feature of Russia’s cyber strategy: using wiper malware to erase the data and computing capability of networks within Ukraine.
[Burt involved both US and Ukrainian government officials in those conversations to ensure Microsoft didn’t disrupt any ‘delicate’ discussions that were happening at the time.]
The first real shots fired came with those cyber attacks on February 23, when Microsoft’s Threat Intelligence Centre identified the destructive Foxblade wiper malware and alerted Ukraine. The ‘huge’ wiper attack hit 300 systems in government agencies and private sector companies across Ukraine.
“We saw a significant volume of cyberattacks during the first week of the war and they were broadly targeting government agencies, especially government agencies that provided civilian services but also others including core government functions,” Burt says.
“And we saw them targeting a number of critical infrastructure sectors – energy, media, financial sector and some others.”
When what’s believed to have been Russia’s initial strategy – rapidly encircling Kyiv and replacing the government with a more favourable one – failed, Burt’s team saw destructive cyberattacks decrease, replaced by an ongoing background level of surveillance attacks in which actors were seeking to get into networks to gather information.
“Then once they pivoted to the Donbas region we saw an increase in both espionage and destructive activity targeting the transportation sector, and especially the railways, which makes perfect sense because they were trying to disrupt both the flow of humanitarian aid and the flow of weapons.”
The last couple of weeks have seen an increase in the frequency of destructive attacks again, but Burt says there doesn’t, to date, appear to be a pattern suggesting they’re strategic. Instead, he says, they seem more opportunistic and are hitting both government and the private sector.
“It seems to be more intended to be an irritant, a nuisance and just an ongoing cost of the conflict targeting Ukraine,” he says.
Burt says defence has largely been prevailing over offence in Ukraine, but that doesn’t mean the Russians haven’t been successful.
“The malware Russia has been using in Ukraine has been very sophisticated and they have continued to evolve it to be successful even in the face of ours and others’ efforts to help defend Ukraine.
“They have had many instances where they have wiped out the data and computing capability of a network, though Ukraine has been doing a really good job with resilience and being able to re-establish their computing environments after being successfully attacked.”
Espionage and ‘influence operations’ in A/NZ
Early concerns that Australian and New Zealand organisations could be caught in the fallout of destructive cyberattacks – something agencies in both countries, and around the world, warned about – have failed to eventuate.
“The very sophisticated destructive Wiper malware [being used] has been intentionally designed to stay within a particular network.”
While it will travel through an entire network destroying data on any devices it can find, the current malware of choice isn’t wormable, unlike NotPetya – yet another Russian attack targeting Ukraine, this time in 2017, which spread well beyond Ukraine’s borders. That means it isn’t travelling out through open ports to the internet and infecting other networks.
“What we have seen here is a deliberate choice by Russia to confine the impact of its cyber attacks to the borders of Ukraine, just as it’s doing with its kinetic attacks,” Burt says.
“That seems to be a deliberate strategic choice to avoid additional responses from Nato or other western countries.”
But while destructive attacks haven’t been seen outside Ukraine, Burt says there has been a ‘real expansion in Russian cyber espionage activity’, particularly since it refocused its strategy on the Donbas region.
“Since that time there has been increased cyber activity by Russian advanced persistent threat groups targeting government and critical infrastructure in the countries that basically border Russia, Bulgaria and even France.”
They’re being targeted not for destructive activity but for espionage: intelligence gathering and the exfiltration of information and data.
Australian organisations, too, have been targeted with espionage, along with organisations in more than 40 other countries, though Burt is keen to stress that while there ‘definitely was some activity by Russia in Australia’, it wasn’t one of the most frequently targeted countries.
Government agencies were the key target globally, at 49 percent, followed by NGOs, including think tanks advising on foreign policy and humanitarian groups providing aid, along with some IT and energy companies and other companies involved in critical defence or economic sectors.
“That is just an alert that countries that have been supportive of Ukraine should be on alert for the risk of Russian cyber activity as well as the possibility that that activity is a precursor to some kind of destructive effort after gathering intelligence to support that destructive effort.”
Another area of concern for Burt and his teams is the impact of Russian influence operations – where both Australia and, in particular, New Zealand have been targeted.
“Russia has become exceptionally skilled at creating narratives and messages that they distribute through their media outlets, and emphasise and amplify through social media – and those messages are sophisticated, impactful and widely consumed.”
Socially sensitive issues are identified, along with the most extreme groups on both sides of each issue, and a variety of techniques are deployed to inflame the conflict.
“What we saw in Australia and New Zealand is that some of these information operations were very successful in driving consumption. There was a spike in these sources when the war in Ukraine began, but they also have been very successful in information operations trying to oppose the adoption of vaccines in countries outside of Russia.”
The spike in Russian propaganda consumption in New Zealand preceded an increase in the Wellington public protests in early 2022, though Microsoft stops short of claiming a direct causal link between the two.
Burt says New Zealand has been ‘a stronger target of the influence operations’, and it doesn’t stop with Russia either. China, too, has been targeting the country over the same period.
And on the China front, it’s not just influence operations. Microsoft recently made a ‘high volume of notifications’ to a New Zealand organisation which came under attack from a Chinese actor intent on launching password spray attacks against it.
“We notified that organisation each time it happened, and that was a large volume of activity,” he says.
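Password spraying, the technique in the New Zealand case above, tries one or a few common passwords against many accounts, so that no single account accumulates enough failures to trip a lockout. The block below is an added example, not code from the article or from Microsoft, showing the detection logic a defender would run over sign-in logs to produce the kind of notification Burt describes: it groups failed sign-ins by source IP and flags any source that, within a window, fails against many distinct accounts while each account sees only a few attempts. It goes slightly beyond the article by also showing why a single-account brute force is not reported by the same rule. The log lines are constructed for the example; the CSV field names, the window and the thresholds are assumptions, not any product’s real log format or defaults.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from io import StringIO

# Detection parameters. These thresholds are assumptions for the example; tune
# them to the tenant's lockout policy and its normal failure rate.
WINDOW = timedelta(minutes=10)   # look-back window per source IP
MIN_DISTINCT_USERS = 10          # a spray touches many accounts...
MAX_FAILURES_PER_USER = 3        # ...but stays under typical lockout thresholds

# Constructed sample sign-in log (not a real product log format). It contains
# one spraying source (203.0.113.7), one legitimate user who mistypes a password
# (192.0.2.5) and one single-account brute force (198.51.100.9) that should NOT
# be reported as a spray.
SAMPLE_LOG = """timestamp,user,source_ip,result
2022-07-01T09:00:01Z,alice,203.0.113.7,FAIL
2022-07-01T09:00:04Z,bob,203.0.113.7,FAIL
2022-07-01T09:00:07Z,carol,203.0.113.7,FAIL
2022-07-01T09:00:10Z,dave,203.0.113.7,FAIL
2022-07-01T09:00:13Z,erin,203.0.113.7,FAIL
2022-07-01T09:00:16Z,frank,203.0.113.7,FAIL
2022-07-01T09:00:19Z,grace,203.0.113.7,FAIL
2022-07-01T09:00:22Z,heidi,203.0.113.7,FAIL
2022-07-01T09:00:25Z,ivan,203.0.113.7,FAIL
2022-07-01T09:00:28Z,judy,203.0.113.7,FAIL
2022-07-01T09:00:31Z,mallory,203.0.113.7,FAIL
2022-07-01T09:00:34Z,oscar,203.0.113.7,FAIL
2022-07-01T09:00:40Z,alice,203.0.113.7,FAIL
2022-07-01T09:02:00Z,bob,192.0.2.5,FAIL
2022-07-01T09:02:10Z,bob,192.0.2.5,FAIL
2022-07-01T09:02:20Z,bob,192.0.2.5,SUCCESS
2022-07-01T09:05:00Z,alice,198.51.100.9,FAIL
2022-07-01T09:05:01Z,alice,198.51.100.9,FAIL
2022-07-01T09:05:02Z,alice,198.51.100.9,FAIL
2022-07-01T09:05:03Z,alice,198.51.100.9,FAIL
2022-07-01T09:05:04Z,alice,198.51.100.9,FAIL
"""


def parse_log(text):
    """Parse CSV sign-in events into (timestamp, user, source_ip, result) tuples, oldest first."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, row["user"], row["source_ip"], row["result"]))
    events.sort()
    return events


def detect_password_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                          max_per_user=MAX_FAILURES_PER_USER):
    """Return {source_ip: [targeted users]} for sources whose failed sign-ins
    within some `window` hit at least `min_users` distinct accounts with no more
    than `max_per_user` failures per account (many accounts, few guesses each).
    A single account hammered from one source fails both tests: that is a brute
    force, not a spray, and belongs to a different rule."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the oldest event is within `window` of the newest.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Accumulate every account seen in a qualifying window so the
                # notification lists all targeted users, not just the first ten.
                alerts.setdefault(ip, set()).update(per_user)
    return {ip: sorted(users) for ip, users in alerts.items()}


if __name__ == "__main__":
    for ip, users in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        # This is the point at which a defender raises the notification to the affected organisation.
        print(f"password spray from {ip} against {len(users)} accounts: {', '.join(users)}")
```

Keying on the source IP alone is the simplest form of the rule; in practice sprayers rotate addresses, so production detections also correlate on user agent, ASN or the tenant-wide rate of failures per distinct account, and the same notification path should carry the list of targeted accounts so they can be checked for MFA enrolment and recent password changes.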
Lessons for organisations everywhere
For Burt, the Ukraine situation has driven home the importance of hosting critical workloads with hyperscale cloud providers.
While that might seem self-serving, given Microsoft’s role as a hyperscale cloud provider, Burt points to the fact that one of the first missiles launched by Russia targeted the Ukrainian government’s data centre.
Just one week before the start of the war, Ukraine passed a new law enabling government agencies to move workloads to the cloud. It was signed into law soon after the war began, and workloads were rapidly moved to the cloud with the help of Microsoft and other vendors.
On-premises infrastructure, he says, is also more vulnerable to cyberattack.
“It is hard and expensive to do all of the hygiene that you need to do and stay on top of, with patching, MFA and zero trust architecture of your network.
“These basic things you need to do to be protected against most kinds of cyberattacks are hard, take resources and time, and most governments and most companies haven’t done a good job of doing those things.”
Cloud providers, ‘whether us or one of our competitors’, on the other hand, have the resources to do those things and can also provide tools that make them easier.
Cloud-based endpoint protection has also played a role in the defence, he says, citing the example of a company operating mostly on-premises but using Microsoft’s cloud-based threat defence service, Defender for Endpoint, whose detection algorithms were able to identify, block and remove Russian malware before it wiped the company’s systems.
“The other lesson learned is the advances in cloud-based endpoint protection and how that has helped Ukraine defend against cyber attacks.”
Basic hygiene, including patching systems, goes a long way in significantly reducing exposure to attacks, he notes.
“The key message is the time to take action is right now, before you are attacked. And the action you need to take is to move your workloads to the cloud, where they can be the most secure, and take the recommended, basic cybersecurity hygiene steps to protect all your endpoints, computers and devices and any other compute you have in an on-premises network. MFA is key, as is a zero trust environment in your network.”