Electronic Weapons: Russian Botnets on the Offensive


March 2, 2024: For over a decade Ukraine has been subject to an ominously large amount of Russian network reconnaissance and a growing number of Russian Cyber War attacks. None of this was a major news story, and that low profile was typical of the massive Cyber War campaign Russia carried out against Ukraine in 2022. In 2023 Russian hackers also went after American internet users by quietly infiltrating hundreds of routers belonging to home and small business users and installing botnet malware, software that turns the infected device into a remotely controlled node used for illegal tasks. In this case the malware was Moobot, which was originally created by Russian criminal hackers who specialize in hacking to make money and who had installed it on routers still using their default administrator passwords.

The GRU, the foreign military intelligence agency of the Russian military, then took over these Moobot-infected routers. The operation was run by GRU Military Unit 26165 and used the routers as a platform for espionage against Ukraine and for sabotage of Ukrainian and other foreign networks. In January 2024 the US FBI, acting under a court order, used the Moobot malware itself to copy and then delete the stolen data and malicious files from infected American routers, restoring them to their pre-GRU state. The FBI also changed the routers' firewall rules to block the remote management access the GRU had been using, so Moobot could not simply be reinstalled. Because a factory reset reverses those changes, owners were still advised to reset their routers and replace the default administrator password. The FBI has been dealing with attacks by other Russian hacker groups as well as Chinese hackers working for the Chinese government and Chinese criminal gangs.

Russia has long been considered a major Cyber War threat. Since the 1990s Russian Internet based espionage has been very active and effective, which led to fears of a Cyber Pearl Harbor. Russia hoped for such a daring and damaging attack on Ukraine but was disappointed because Ukraine had looked for, and noticed, the Russian preparations. Before and after the first Russian attack in 2014, Ukraine received growing military aid and assistance from NATO countries. Ukrainian and NATO Cyber War experts agreed that an international effort had to include the major American providers of Internet infrastructure and services. That meant Amazon, Cloudflare, Google, Microsoft and several smaller but essential Internet service or security firms.

It is not known for sure whether Russia was aware that this international coalition of Internet infrastructure and service providers was involved in defending Ukraine. The coalition came to be known as Cyber NATO because most of the major resources came from NATO nations.

Microsoft was the oldest of these Internet giants and the one that pioneered large scale, organized and highly responsive efforts to deal with hackers operating at the consumer level or against national Cyber infrastructure. These Internet giants increasingly cooperated with each other in Cyber defense. When Ukraine and NATO governments went looking for Internet industry help, they found their inquiries and requests welcomed. Ukraine took advantage of this in 2016 when it established the National Cybersecurity Coordination Center. That center played a key role in coordinating and synchronizing Western efforts, forming a large-scale effort to detect and block Russian Cyber War activities against Ukraine or any NATO nation.

Before 2022 Russia had a reputation as a formidable practitioner of Cyber War, with a large arsenal of Cyber War weapons and pre-planned attacks, especially against Ukraine. After the 2022 invasion of Ukraine, the Russian reputation as a military power was much diminished, along with its standing as a Cyber War threat. While Russian military setbacks were widely reported by the media, much less attention was paid to the similar defeats Russia suffered as it sought to carry out major Cyber War campaigns against Ukraine, even before Russian troops crossed the border. The Cyber War defeats continued throughout 2022 and 2023.

In this network battle space Russian defeats were frequent and victories few. The defeats began the day before Russian troops crossed the Ukrainian border and continued during the first months of the war as Russia unleashed most of its pre-planned attacks, designed to do maximum damage to Ukrainian networks and Internet-based capabilities. Ukraine knew what its key Internet vulnerabilities were and, with the assistance of Cyber NATO and the major American Internet service and security providers, the Russian efforts were blocked. China, the other major Cyber War threat to NATO and the West, took note.

This sort of large-scale coordinated Internet defense was always theoretically possible. Now the main Cyber War threats, Russia, China, North Korea and Iran, have seen or experienced it in action, and that changed the Cyber War strategies of all of these aggressor nations. At the moment, the best the Internet threat nations can hope for is that the defense coalition grows less effective over time because the defenders come to believe the problem is solved and that major investments of time and effort in defense are no longer necessary. That would be a mistake, because the payoff from effective Cyber War weapons grows as more of the world becomes dependent on Internet based services.

It takes time and effort to develop effective large scale Internet defenses. Microsoft was the first to discover this. Since the 1990s Microsoft has built a formidable Internet security organization that monitors networks worldwide for signs of malware, especially new malware, in use. Network security features have been added to the Windows operating system, one of which automatically reports potential hacker presence on a PC back to Microsoft. At the same time, Microsoft quickly sends out fixes to infected PCs. Ukraine and Microsoft began developing a cooperative relationship in the late 1990s because, after 1991, Eastern Europe, especially Ukraine and Russia, was a major source of hacker activity. Ukraine cooperated with Microsoft to reduce the hacker threat while Russia insisted the threat didn’t exist.

For example, in 2009 Ukraine cooperated with the United States and Microsoft to deal with a Ukrainian gang of six individuals who had put together one of the largest botnets ever encountered. In February and March 2009 the gang used spam carrying hidden malware to take control of 1.9 million PCs. A computer security firm discovered the botnet, and subsequent cooperation between Ukraine, the United States and other countries led to the server controlling the botnet being found and taken offline. The same effort identified members of the gang, and Ukrainian police, who had participated in the international effort to find them, arrested the six.

The Soviet Union trained many software engineers who worked for the government. Most of these programmers and software engineers were out of work after the Soviet Union collapsed in 1991. Some left for the West and found good jobs, but most sought opportunities at home, and the most lucrative ones involved illegal hacking, often for criminal gangs. Russia never cleaned up this problem, but Ukraine did. Russia allowed the gangs to operate as long as they did not hack Russian networks and did occasional jobs for the government, including developing malware to be used against neighbors and Western nations in general. Ukraine vigorously enforced laws against hacking, and the local hackers either left the country or found legitimate jobs.

Other East European nations also cracked down on their hackers. Many, but not Ukraine, joined NATO and sought to have NATO declare massive hacker attacks a cause for war against the aggressor. After the 2022 invasion of Ukraine, Russia launched a major Cyber War attack on Lithuania because of Lithuanian threats to disrupt access to Kaliningrad, a Russian enclave on the Baltic coast that must use Lithuanian or Polish railroads or roads for access to Russia.

Back in 2007 Russia planned Cyber War efforts against the more prosperous former Soviet territories. At the top of this list was Estonia, which was hit by a massive Russian Cyber War attack. The Estonians withstood the attack despite the temporary damage it did to their economy. This was something a NATO member had never faced before, and Estonia pointed out that if there was no NATO response to the Russian attack, the Russians would be tempted to try it on other new NATO members in East Europe.

In 2008 NATO established a Cyber Defense Center in Estonia, and in 2010 Estonia and NATO signed an agreement to facilitate cooperation if Estonia was hit by another Internet based attack. Both were a result of Estonia calling on NATO, in 2007, to declare Cyber War on Russia, which Estonia accused of causing it great financial harm via Cyber War attacks. Estonia wanted this sort of thing declared terrorism and dealt with. NATO agreed to discuss the issue but never took any action against Russia. The 2010 agreement did create a legal framework for striking back, or at least for defending Estonia more vigorously if there is another attack.

In 2014 Russia seized the Crimea province from Ukraine along with parts of two east Ukrainian provinces. Compared to what came later there was not a lot of physical violence, but Russia did use Ukraine as a test site for new Cyber War tactics and techniques. An example appeared in 2016 when Ukraine accused Russia of employing hackers to insert trackers into cell phones used by Ukrainian military personnel fighting in Donbas. Ukraine has also found evidence of the same or similar hackers, usually civilian groups working as contractors for the Russian government, going after numerous government and commercial networks in Ukraine. Some of these hackers were also identified as going after targets in the United States. The hacking of cell phones used by military personnel is believed to be the cause of several accurate and fatal attacks on Ukrainian troops in Donbas who used their cell phones excessively. The hackers made it possible to track the location of the phone owners and accurately fire shells or rockets at them.

These capabilities had already attracted the attention of the U.S., which was supplying Ukraine with military equipment and technical assistance. American and NATO electronic warfare experts paid close attention to what the Russians were up to in Donbas, and the cell phone hack was not unexpected. When it did arrive, it was scrutinized and dissected. That led to countermeasures, which the Russians did not adopt for their own troops but which Ukrainian forces used when fighting the 2022 invasion.

By the end of 2021 Ukraine had created a network of half a million software engineers, information specialists and other experienced Internet users to deal with Russian Cyber War attacks and to carry out information campaigns worldwide to let the world know what was really happening in Ukraine. These efforts were successful and resulted in Ukrainian attacks against Russian networks and propaganda. The existence of these formidable Ukrainian Information and Cyber War capabilities is another reason NATO is eager to have Ukraine join the EU (European Union) and after that NATO. Ukraine is already a founding member of Cyber NATO.
