Russian hackers affiliated with military and intelligence agencies have been actively working to gather intelligence that could support the Kremlin's military operations in Ukraine. In targeted attacks aimed at infiltrating NATO, US, and European government networks, cybersecurity experts responding to the breaches have revealed the extent of the hacking efforts. One notable incident involved a Russian hacking group targeting the Turkish arm of NATO's Rapid Deployable Corps, a force kept on standby for combat situations, as reported exclusively to CNN by US cybersecurity firm Palo Alto Networks.
A Russian group has recently focused on nearly twenty embassies in Kyiv within the past nine months, with the US embassy among the targets, as reported by Palo Alto Networks and other security firms.
While it remains uncertain if the hackers were able to breach NATO forces, the alliance did not offer any comments despite numerous requests. However, Michael Sikorski, the chief technology officer of Unit 42, Palo Alto Networks' threat intelligence division, suggested that the unit would likely have frequent communications with NATO headquarters, thereby making it an attractive target for Russian spies.
US officials claim that a hacking group, reportedly acting on behalf of Russia's GRU military intelligence agency, has been targeting governments and critical infrastructure in at least 10 NATO countries in recent months, as stated by Palo Alto Networks.
Analysts indicate that the prolonged espionage campaigns highlight the increasing significance for the Kremlin to gather intelligence remotely through hacking, particularly following the expulsion of numerous Russian agents from European and American soil. Additionally, Russian forces, having been thwarted from taking Kyiv in February 2022, are now reportedly using hacking teams to gather intelligence on diplomats in the Ukrainian capital.
Dan Black, a former NATO cyber official now working for security firm Mandiant, advised that to truly grasp the discussions between governments and Kyiv, it is best to gather information from where it will be transmitted. He highlighted that a hacking unit linked to Russia's foreign intelligence service had intensified its efforts in targeting foreign diplomats to gather intelligence in anticipation of Ukraine's counteroffensive against Russian troops in June. Analysts noted that the hacking campaigns began several months ago and continue to pose a threat amid the ongoing deadlock in Russian and Ukrainian fighting. The Russian computer operatives are employing similar techniques and software exploits to target Microsoft email servers and other tech infrastructure, indicating a level of effectiveness in their operations.
Russian cyber-espionage efforts to aid the Ukraine war have resulted in charges being announced by the US Justice Department against a Russian intelligence officer and a Russian IT worker. They were charged for separate hacking campaigns involving spying on US government officials and interfering in a national election in the United Kingdom.
The US embassy in Kyiv has been a central point for US assistance in bolstering Ukraine's cyber defenses against Russian hacking. Last spring, hackers associated with Russia's SVR foreign intelligence service attempted to breach an email account at the US embassy in Kyiv, confirmed by Palo Alto Networks.
The State Department's Diplomatic Security Service was informed about the activity and, following analysis by the Directorate of Cyber and Technology Security, it was determined that it did not have any impact on Department systems or accounts, a State Department spokesperson informed CNN via email.
Reuters was the first to report on the hacking campaign targeting diplomats based in Kyiv.
The Russian SVR-linked hacking group has also attempted to penetrate "leading humanitarian organizations located in Ukraine," as stated by Tony Adams, a senior security researcher at the security firm Secureworks who has addressed the hacking. "Gaining access to any of these organizations would likely yield immediate intelligence advantages, which could then be leveraged for further operations," Adams informed CNN.
The Russian embassy in Washington, DC, ignored requests for comment. According to cybersecurity experts and Polish officials who spoke with CNN, Poland, a crucial channel for providing weapons and aid to Ukraine, has been a frequent victim of Russian cyber-espionage during the conflict.
The hackers who targeted the NATO Rapid Deployable Corps used the same techniques against several government agencies and private firms in Poland and other countries, including those working with the Polish Armed Forces, according to Lt. Col. Przemyslaw Lipczynski, a spokesperson for the Polish Cyber Command, who informed CNN. Lipczynski also stated that while Polish officials have taken measures to address the threat, they believe that the adversary is still actively using this technique.
Shift in Russia's cyber tactics
According to Ukrainian and US officials who spoke to CNN, the Russian hacking campaigns targeting US and European diplomats have occurred at the same time as a change in cyber operations within Ukraine due to the Ukrainian military's halted counteroffensive efforts.
Russian cyber operations in Ukraine have shifted from destructive hacks against infrastructure to more targeted cyber-espionage, as spy agencies attempt to locate and target soldiers on the battlefield, according to Ukrainian officials and private experts. The focus has changed, with destructive cyberattacks still occurring but to a lesser extent.
A US cybersecurity defense official emphasized the importance of intelligence, stating that it is not surprising for Russia to concentrate on gaining better insight into Ukrainian movements and communications.
Russian tactics shifted as the Ukrainian military launched a major counteroffensive in June to reclaim territory in eastern Ukraine, resulting in an ongoing stalemate between the two forces. Analysts informed CNN that subtler cyber operations, such as intelligence gathering, are playing a crucial role in warfare. CNN was told by officials and private cyber experts that Russian hackers have made multiple attempts in the past four months to infiltrate Ukrainian battlefield communications, including trying to hack the tablets used by Ukrainian commanders and targeting a software platform used to track Russian forces.
The Ukrainian SBU intelligence service successfully thwarted a Russian attempt to hack into battlefield tablets, according to Illia Vitiuk, head of the SBU's cybersecurity division. If the defensive measures had failed, Vitiuk told CNN, the Russians would have had "full access" to critical communications used by Ukrainian forces in battle.
US and Ukrainian cyber forces have also been directly involved in the conflict.
"At times, we go beyond intelligence gathering and use our cyber weapons to destroy enemy infrastructure when needed," Vitiuk told CNN. He declined to provide further details on these claimed destructive hacks.
The head of Cyber Command, the US military's hacking unit, confirmed last year that the unit has conducted offensive cyber operations to support Ukraine in defending itself from Russian attacks.
Yegor Aushev, a private cybersecurity executive in Ukraine, revealed to CNN that he has been providing training to Ukrainian officials on offensive cyber capabilities for several months. "If you want to be protected, you should know how to attack," Aushev remarked. He chose not to disclose the specific ways in which the Ukrainian government was employing this training on the battlefield.
Ukrainians have managed to repel many Russian cyberattacks, thanks to their significantly improved defenses, according to US officials and outside experts. The US military continues to support Ukraine in cyberspace as the fighting in Ukraine enters another winter.
"We've had a number of in-person conversations with the Ukrainians," the US defense official said. "Cyber Command is still persistently assisting the Ukrainians with their cyber defense."