Russia may push its hackers to become more aggressive in the coming months, after being stymied by Ukrainian resistance both on the battlefield and in cyberspace, Microsoft says.
In a report published Wednesday analyzing Russia’s cyber tactics in the year since it invaded Ukraine, Microsoft declared: “Should Russia suffer more setbacks on the battlefield, Russian actors may seek to expand their targeting of military and humanitarian supply chains by pursuing destructive attacks beyond Ukraine and Poland.”
As the company behind Windows, the world’s most popular operating system, Microsoft has particular insight into hacker activity. Like several major American companies and U.S. agencies, it has given cybersecurity aid to Ukraine.
During the course of the past year, Russia has deployed at least nine new “wiper” attacks, designed to worm their way into a victim’s computer network and delete files, the Redmond, Washington-based company said.
Those attacks didn’t have a significant spillover to the rest of the world, though there is precedent for that happening. The GRU, Russia’s military intelligence agency, infamously released a destructive strain of malicious software in 2017 called NotPetya, causing international condemnation. While NotPetya was intended to target Ukraine, it quickly spread around the world, causing an estimated $1 billion in damages.
Russia has previously denied responsibility for NotPetya. The Russian Defense Ministry did not immediately respond to a request for comment.
The Microsoft report came on the same day that a cybersecurity company said that the GRU had been able to exploit a previously unknown vulnerability in Microsoft’s flagship email program, Outlook, for almost a year.
Microsoft revealed the flaw Tuesday and issued a patch to fix it. Mandiant, a cybersecurity company owned by Google, said Wednesday that the GRU had been using it to hack targets for months.
A spokesperson for Mandiant said in an email Wednesday that the GRU had exploited it to spy on government computers and infrastructure in Poland, Ukraine, Romania and Turkey. A hacker with knowledge of how to exploit it could craft an email to a potential victim and gain access to computer networks without the victim’s input or knowledge.
John Hultquist, Mandiant’s head of cyber intelligence, said that security professionals need to move swiftly to patch their systems, noting that such flaws can be used by a wide variety of hackers now that it has been made public.
The Outlook flaw is “gonna get used by everyone,” Hultquist said in a text message. “Spies and criminals.”
Concerns about Russia’s hacking capabilities persist, most notably with elections on the horizon in many countries.
Two NATO members, Poland and Estonia, have elections this year that could affect how strongly those countries support Ukraine, as does Finland, which is applying for membership into the trading bloc.
The report warned that Russia likely has strong incentive to use cyber-enabled influence operations to meddle in the elections in a bid to undermine NATO and European Union support for Kyiv.
Analysts have argued that Russia’s cyber campaigns against Ukraine have been relatively lackluster so far, in part because the Kremlin likely only planned for its invasion to have quick success.
In February, Andrew Boyd, the head of the CIA’s cybersecurity division, gave a rare assessment of Russia’s cyber strategy in Ukraine on an episode of the Risky Business podcast. In it, he agreed with that view.
“I would argue they didn’t plan particularly well in cyberspace for an enduring campaign,” he said.
In March, Ukraine’s top civilian cyber defense agency released a study on Russia’s tactics in cyberspace in the first year of the invasion. As the Kremlin’s military forces pivoted to directly attacking civilian infrastructure, its hackers began campaigns to go after similar targets, though often without success, it found.
“[W]e recorded a shift in the focus of Russian hackers from the media and telecommunications industries,” the study said. “Moreover, the purposes of Russian hackers have changed as well, from a large quantity of attacks aimed at disruption to spying and data theft. This indicates that the Russian authorities are aware of the importance of the cyber component for their military operations.”