Google says it has been working around the clock alongside other Big Tech companies to fight Russian cyberattackers waging a digital war against Ukraine, guarding against some of the same ransomware attackers who previously hit the U.S.
The tech titan published a “Fog of War” report Thursday saying the Ukrainian government is under “near-constant digital attack” from Russia, including via its military intelligence service, the GRU.
“We’ve observed a notable uptick in the intensity and frequency of Russian cyber operations designed to maximize access to victim networks, systems and data to achieve multiple strategic objectives,” the report said. “For example, GRU-sponsored actors have used their access to steal sensitive information and release it to the public to further a narrative, or use that same access to conduct destructive cyberattacks or information operations campaigns.”
Google said it disrupted government-backed attackers to protect people from exploitation and notified users of products such as Gmail that they had been targeted, when the company deemed it appropriate.
The U.S. government is among those teaming with tech companies to benefit Ukraine. The intelligence community is counting on tech companies, including Microsoft, to assist in fighting Russian cyberattackers.
National Security Agency Cybersecurity Director Rob Joyce told The Washington Times that his agency leveraged a “power collaboration” with cybersecurity and information technology service providers to identify and eradicate malicious cyberoperations with a large impact in Ukraine, The Times reported this week.
Such partnerships sprang up in the aftermath of devastating breaches across the U.S. in 2021, when cybercriminal gangs deployed ransomware against computer networks to extort payments from victims.
Google said Thursday that it saw cyberattackers on the digital battlefield in Ukraine that the NSA had warned about hitting U.S. infrastructure in 2021. The NSA, the FBI and the Cybersecurity and Infrastructure Security Agency said in 2021 that the Conti ransomware gang had waged 400 attacks against U.S. and international organizations.
The Conti ransomware gang splintered along political and geographical lines during Russia’s invasion last year. Google said some former members of Conti had repurposed their techniques to target Ukraine under the banner of an attacker identified as UAC-0098.
“In early 2022, the attackers shifted their focus to targeting Ukrainian organizations, the Ukrainian government and European humanitarian and nonprofit organizations,” the report said. “The group’s targeting wildly varied from European NGOs to less targeted attacks on Ukrainian government entities, organizations and individuals.”
Google’s report said the attackers demonstrated a strong interest in Ukraine’s hospitality industry, including by launching multiple direct cyberattack campaigns against the same hotel chains.
The company reported seeing Russian government-backed cyberattackers driving a 250% increase in phishing campaigns targeting Ukrainian users in 2022 and a 300% increase in phishing campaigns aiming at NATO countries for 2022, compared with a 2020 baseline.
The findings in Google’s report, authored by its Threat Analysis Group, cybersecurity team Mandiant and Google Trust & Safety, appear consistent with other cybersecurity professionals’ observations.
Christian Sorensen, CEO of cybersecurity company SightGain, said he has seen techniques of ransomware operators overlapping with Russian cyberattackers’ efforts in Ukraine. Mr. Sorensen, who formerly served in U.S. Cyber Command, said businesses need to begin preparing for problems now.
“The majority of the techniques that are effective, the malicious techniques that are effective, are not new,” Mr. Sorensen said. “They’re not zero days or novel sort of things that are taken off the shelf and used.”
Google said it did not see an uptick in reported ransomware attacks against U.S. and allied critical infrastructure networks in response to the Ukrainian conflict. The company noted that the American response to the ransomware attack on major U.S. fuel supplier Colonial Pipeline in 2021 was one potential reason why the U.S. looked to be a less favorable target.
The response to that ransomware attack included the establishment of the Biden administration’s Joint Cyber Defense Collaborative in August 2021 to team government agencies such as the NSA and Department of Defense to fight hackers and cyberattackers. Microsoft and Google are members of the collaborative.
The government has described the role of the collaborative’s companies as defensive rather than offensive, with a focus on preventing attacks and limiting damage.
There is a great deal of hostile action that private companies can take against cyberattack intruders discovered inside their networks, said Stewart Baker, a former NSA general counsel and Department of Homeland Security policy chief.
Mr. Baker, who now practices law with the private firm Steptoe & Johnson, said businesses that venture outside their networks to fight cyberattackers risk incurring a felony, although the line of permissible conduct can be modified at the direction of the government.
“There is a line,” Mr. Baker said. “It’s maybe not as bright as everyone would like.”
As the anniversary of the war in Ukraine approaches next week, Google said it expects Russia will increase its disruptive and destructive cyberattacks. The tech company said it will continue working with others to defend against Russia’s aggression.
“This level of collective defense — between governments, companies and security stakeholders across the world — is unprecedented in scope,” the Google report said.