The software giant's Digital Security Unit also attributed a series of data-wiping malware attacks discovered on Ukrainian computer networks the day before Russia's February invasion to a hacking group known as Sandworm that has long been linked to Russian intelligence services.
Russia-backed attackers targeted "hundreds of systems in Ukrainian government, IT, energy, and financial organizations" hours before Russia began its physical invasion, in attempts to destabilize Ukraine authorities and confuse the Ukrainian public, Microsoft's report says.
"The attacks have not only degraded the systems of institutions in Ukraine, but have also sought to disrupt people's access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country's leadership," wrote Microsoft vice president Tom Burt in a blog post summing up the report's findings.
In total, at least six separate Russia-aligned nation-state actors have launched more than 237 operations against Ukraine since the start of the conflict — including nearly 40 of what the company called "destructive attacks that are ongoing and threaten civilian welfare."
In several cases, Russian actors launched cyberattacks in what appears to be strategically timed efforts to hit targets of its physical warfare, Microsoft's report found. On March 1, for example, a Russian hacking group attacked a major broadcasting company's computer systems within hours of a Russian missile strike in Kyiv, the report says.
A separate Russian espionage group stole data from a nuclear safety organization on March 13 weeks after the Russian military had started taking over Ukrainian nuclear power plants, the report added.
The Russian attackers have used a variety of methods to gain entry into their targets including phishing and targeting unpatched software flaws, Microsoft said. The hacking groups have also changed their malware from attack to attack in attempts to evade detection, the company added.
"It's likely the attacks we've observed are only a fraction of activity targeting Ukraine," Burt said in the blog post.
Microsoft also said Wednesday that Russia-aligned actors began preparing to set the digital groundwork for their intrusions as early as March 2021, "escalating actions against organizations inside or allied with Ukraine to gain a larger foothold into Ukrainian systems." Russian efforts to target supply chain vendors that do business with Ukraine picked up in mid-2021, the report added.
Russian actors have a long history of launching cyberattacks in Ukraine, which cybersecurity experts say Russia has viewed as a sort of testing ground for new hacking methods. A June 2017 attack, for example, paralyzed part of Ukraine's banking and electricity sectors, before spreading to organizations across the globe, including DLA Piper, whose network was shut down for days.
U.S. cybersecurity officials also warned critical infrastructure operators in March to watch out for Russian state-sponsored actors potentially launching cyberattackers as a response to international economic sanctions levied after Russia's Ukraine invasion.
--Editing by Jay Jackson Jr.
For a reprint of this article, please contact reprints@law360.com.
