Since Russia launched its catastrophic full-scale invasion of Ukraine in February, the cyberwar that it has long waged against its neighbor has entered a new era too—one in which Russia has at times seemed to be trying to determine the role of its hacking operations in the midst of a brutal, physical ground war. Now, according to the findings of a team of cybersecurity analysts and first responders, at least one Russian intelligence agency seems to have settled into a new set of cyberwarfare tactics: ones that allow for quicker intrusions, often breaching the same target multiple times within just months, and sometimes even maintaining stealthy access to Ukrainian networks while destroying as many as possible of the computers within them.
At the CyberwarCon security conference in Arlington, Virginia, today, analysts from the security firm Mandiant laid out a new set of tools and techniques that they say Russia’s GRU military intelligence agency is using against targets in Ukraine, where the GRU’s hackers have for years carried out many of the most aggressive and destructive cyberattacks in history. According to Mandiant analysts Gabby Roncone and John Wolfram, who say their findings are based on months of Mandiant’s Ukrainian incident response cases, the GRU has shifted in particular to what they call “living on the edge.” Instead of the phishing attacks that GRU hackers typically used in the past to steal victims’ credentials or plant backdoors on unwitting users’ computers inside target organizations, they’re now targeting “edge” devices like firewalls, routers, and email servers, often exploiting vulnerabilities in those machines that give them more immediate access.
That shift, according to Roncone and Wolfram, has offered multiple advantages to the GRU. It’s allowed the Russian military hackers to have far faster, more immediate effects, sometimes penetrating a target network, spreading their access to other machines on the network, and deploying data-destroying wiper malware just weeks later, compared to months in earlier operations. In some cases, it’s enabled the hackers to penetrate the same small group of Ukrainian targets multiple times in quick succession for both wiper attacks and cyberespionage. And because the edge devices that give the GRU their footholds inside these networks aren’t necessarily wiped in the agency’s cyberattacks, hacking them has sometimes allowed the GRU to keep their access to a victim network even after carrying out a data-destroying operation.
“Strategically, the GRU needs to balance disruptive events and espionage,” Roncone told WIRED ahead of her and Wolfram’s CyberwarCon talk. “They want to continue imposing pain in every single domain, but they are also a military intelligence apparatus and have to keep collecting more real-time intelligence. So they’ve started ‘living on the edge’ of target networks to have this constant ready-made access and enable these fast-paced operations, both for disruption and spying.”
In a timeline included in their presentation, Roncone and Wolfram point to no fewer than 19 destructive cyberattacks Russia has carried out in Ukraine since the beginning of this year, with targets across the country’s energy, media, telecom, and finance industries, as well as government agencies. But within that sustained cyberwarfare barrage, the Mandiant analysts point to four distinct examples of intrusions where they say the GRU’s focus on hacking edge devices enabled its new tempo and tactics.
In one instance, they say, GRU hackers exploited the vulnerability in Microsoft Exchange servers known as ProxyShell to get a foothold on a target network in January, then hit that organization with a wiper just the next month, at the start of the war. In another case, the GRU intruders gained access by compromising an organization’s firewall in April of 2021. When the war began in February, the hackers used that access to launch a wiper attack on the victim network’s machines—and then maintained access through the firewall that allowed them to launch another wiper attack on the organization just a month later. In June 2021, Mandiant observed the GRU return to an organization it had already hit with a wiper attack in February, exploiting stolen credentials to log into its Zimbra mail server and regain access, apparently for espionage. And in a fourth case, last spring, the hackers targeted an organization’s routers through a technique known as GRE tunneling that allowed them to create a stealthy backdoor into its network—just months after hitting that network with wiper malware at the start of the war.