2022 Russian Invasion of Ukraine: Cyber Security Threats and Concerns


The conflict between Russia and Ukraine has increased the likelihood of cyber-attacks on the United States and its allies. The key issue is to ensure that critical services and sensitive data are adequately protected, and that attacks against them are detected. Organisations that depend on IT/OT products from the US and its allies may face greater risk than those in the two warring countries, not least because the United States is a key player in the economic sanctions against Russia.



On February 24, 2022, Russia launched a full-scale invasion of Ukraine. Two days later, on February 26, the European Commission, France, Germany, Italy, the United Kingdom, Canada and the United States announced the removal of specific Russian banks from the SWIFT financial messaging system, as well as measures to prevent the Russian central bank from accessing a portion of its international reserves. The US and its allies also imposed sanctions on Russian sovereign debt, on Russia's two largest banks, Sberbank and VTB (which together account for nearly half of Russia's banking assets), and on technology exports to Russia, among other areas.

On March 7, in the midst of the war, Russia approved a list of "unfriendly countries": the EU member states, the USA, Ukraine, Australia, Albania, Andorra, the United Kingdom, Iceland, Canada, Liechtenstein, Micronesia, Monaco, New Zealand, Norway, South Korea, San Marino, North Macedonia, Singapore, Montenegro, Switzerland, Taiwan and Japan.



In mid-January 2022, Microsoft and other security organisations reported that the destructive malware "WhisperGate" had been deployed against Ukrainian organisations. At the time of writing, there is no solid evidence attributing this malware to a nation-state sponsored actor.

In a separate operation, Russia-linked hacktivists are reported to have defaced around 70 Ukrainian government websites. The US and UK governments blamed Russia for a series of disruptive attacks that began in mid-February and continued until February 23. The "HermeticWiper" malware was discovered on a range of commercial and government systems in Ukraine on that same day. As with WhisperGate, there is no solid evidence attributing this malware to a nation-state sponsored actor.

Hacktivists and proxy groups have intervened on both sides. Ukraine, which lacks mature defensive and offensive cyber capabilities, has called on the public to help build an "IT Army". On Twitter, the Ukrainian government posted a list of Russian and Belarusian targets.

Russian ransomware operators, on the other side, offered their services and threatened retaliation against countries that sought to punish Russia. Rather than a coordinated effort, these appear to be ad hoc proxy groups. A Ukrainian member of the Russia-linked Conti ransomware gang reportedly leaked the group's internal communication records in response to its pro-Russian stance.

On March 2, 2022, Zscaler reported that a threat actor used the Danabot malware to conduct a DDoS attack against Ukrainian government systems. It is unclear whether this operation was the work of hacktivists or of a nation-state sponsored actor.



We strongly recommend that organisations seek assurance of the correctness and effectiveness of the security controls they have in place, in order to validate that those critical controls can protect against, and detect, sophisticated attacks from both inside and outside the organisation.

Defining Priority Intelligence Requirements (PIRs) also helps to assign responsibility within your team: break each threat category down into sub-categories and assign an analyst to take each one through the six phases of the threat intelligence lifecycle. The OODA loop (observe, orient, decide, act) can then be used to escalate findings to purple-team exercises and improve the organisation's cybersecurity posture.



The following insights are based on historical activity; there is no strong evidence attributing any of it to the current Russia-Ukraine conflict. Treat this as a sensible starting point for tracking common threat actors in your organisation's threat intelligence programme, with the aim of re-evaluating your security controls in a timely and effective manner.


Threat Actor        Targeted Countries   ATT&CK ID   Common Initial Vector
------------------  -------------------  ----------  -----------------------
Gamaredon           NATO/EU countries    T1566.001   Spearphishing campaigns
APT28 / Fancy Bear  NATO/EU countries    T1566.001   Spearphishing campaigns
SaintBear           NATO/EU countries    T1566.001   Spearphishing campaigns
Sandworm            NATO/EU countries    T1195.002   Supply chain attacks
UNC1151             NATO/EU countries    T1566.001   Spearphishing campaigns
Mustang Panda       European Union       T1566.001   Spearphishing campaigns




As of March 16, 2022, there is no sign of a catastrophic cyberwar between Russia and Ukraine. Hacktivists have, however, carried out smaller attacks on both sides, with participants from additional countries such as the United States and the European Union joining in. The targeting was not limited to government agencies; private businesses were also affected. In summary, there is no compelling evidence that these attacks were carried out by nation-state sponsored threat actors.

Based on previous conflicts, researchers have concluded that cyberwarfare and cyber operations are not as decisive as many expect, as shown by past events in Iraq, Afghanistan and Syria.

Cyber operations are a form of modern political warfare that substitutes for decisive battles: rather than winning wars, they support espionage, deception, subversion and propaganda.

The global IT sector plays a crucial role in cyber defence, with Microsoft and other companies working around the clock to identify threats to Ukraine, fix vulnerabilities and share data. The United States and the United Kingdom sent cyber defence specialists to Ukraine in December 2021 in preparation for Russian cyber operations, and US cyber mission teams in Eastern Europe are reported to be still assisting Ukraine's cyber defence.

Ukraine's resilience may also have been bolstered by proactive measures: Ukrainians downloaded encrypted communication apps such as Signal and offline maps, although the Ukrainian military also continued to rely on conventional networks.

When a minor or major war breaks out, hacktivists and proxy groups tend to use low-cost cyber operations such as denial-of-service attacks and website defacements to disrupt and distract rather than to achieve real tactical gains. Offensive cyber operations with real military effect, such as shutting down another country's command-and-control or air-defence systems, are complex and are typically carried out by state-sponsored threat actors.


Russia and Ukraine are obviously most at risk, but the same risk applies to NATO and EU members and to other countries that have imposed sanctions on Russia. The following sectors can be considered at particular risk from Russia-linked attacks:

  1. Aviation
  2. Energy and Defence
  3. Financial services institutions
  4. Government
  5. Oil and Gas

If Russia's invasion escalates, we do not rule out the possibility of a cyberwar being launched in the near term. Ukraine and its allies may retaliate at any time, and the consequences may have a substantial impact on consumers.

Nation-state actors are likely to be less interested in consumers' sensitive data than in the availability and integrity of products. Hacktivists or proxy groups, for example, may try to instil fear in the public by calling for boycotts of brands or by publicising, or simply fabricating, zero-day vulnerabilities.

Such events erode customer trust in brands over the long run. A source code leak from a vendor such as Kaspersky or CrowdStrike, for example, would damage the organisation concerned, customers would begin to question its security assurance, and subscription cancellations could follow.

In conclusion, demand substantial proof or evidence before acting on such claims, and do not accept potentially fraudulent reports without first verifying them with the IT/OT brand owners or vendors concerned.