{
	"id": "5ad57873-ba6c-42ef-a16d-1dedd61eb95d",
	"created_at": "2026-04-06T00:18:09.325497Z",
	"updated_at": "2026-04-10T03:37:04.173228Z",
	"deleted_at": null,
	"sha1_hash": "67a30fed62050363cc4e441bd35a17fd4bf9edd0",
	"title": "Reassessing cyberwarfare. Lessons learned in 2022",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1095897,
	"plain_text": "Reassessing cyberwarfare. Lessons learned in 2022\r\nBy GReAT\r\nPublished: 2022-12-14 · Archived: 2026-04-02 10:35:12 UTC\r\nAt this point, it has become cliché to say that nothing in 2022 turned out the way we expected. We left the\r\nCOVID-19 crisis behind hoping for a long-awaited return to normality and were immediately plunged into the\r\nchaos and uncertainty of a twentieth-century-style military conflict that posed serious risks of spreading over the\r\ncontinent. While the broader geopolitical analysis of the war in Ukraine and its consequences are best left to\r\nexperts, a number of cyberevents have taken place during the conflict, and our assessment is that they are very\r\nsignificant.\r\nIn this report, we propose to go over the various activities that were observed in cyberspace in relation to the\r\nconflict in Ukraine, understand their meaning in the context of the current conflict, and study their impact on the\r\ncybersecurity field as a whole.\r\nTimeline of significant cyber-events predating Feb 24th\r\nIn the modern world, it has become very difficult to launch any kind of military campaign without intelligence\r\nsupport in the field. Most intelligence is gathered from various sources through methods such as HUMINT\r\n(human intelligence, gathered from persons located in the future conflict area), SIGINT (signals intelligence,\r\ngathered through the interception of signals), GEOINT (geospatial intelligence, such as maps from satellites), or\r\nELINT (electronic intelligence, excluding text or voice), and so on.\r\nFor instance, according to the New York Times, in 2003, the United States made plans for a huge cyberattack to\r\nfreeze billions of dollars in Saddam Hussein’s bank accounts and cripple his government before the invasion of\r\nIraq. However, the plan was not approved because the government feared collateral damage. 
Instead, a more\r\nhttps://securelist.com/reassessing-cyberwarfare-lessons-learned-in-2022/108328/\r\nPage 1 of 15\n\nlimited plan to cripple Iraq’s military and government communication systems was carried out during the early\r\nhours of the war in 2003. This operation included blowing up cellphone towers and communication grids as well\r\nas jamming and cyberattacks against Iraq’s telephone networks. According to the same article, another such attack\r\ntook place in the late 1990s when the American military attacked a Serbian telecommunications network.\r\nInadvertently, this also affected the Intelsat communications system for days, proving that the risk of collateral\r\ndamage during cyberwarfare is pretty high.\r\nThe lessons learned from these events may make it possible to predict kinetic conflicts by monitoring new cyberattacks in\r\npotential areas of conflict. For instance, in late 2013 and January 2014, we observed higher-than-normal activity\r\nin Ukraine by the Turla APT group, as well as a spike in the number of BlackEnergy APT sightings. Similarly, at\r\nthe beginning of February 2022, we noticed a huge spike in the amount of activity related to Gamaredon C\u0026C\r\nservers. This activity reached hitherto-unseen levels, suggesting massive preparations for a major SIGINT\r\ngathering effort.\r\nAs shown by these cases, during modern conflicts, we can expect to see significant signs and spikes in\r\ncyberwarfare relating to both collection of intelligence and destructive attacks in the days and weeks preceding\r\nmilitary attacks. Of course, we should note that the opposite is also possible: for instance, starting in June 2016,\r\nbut most notably since September 2016 all the way to December 2016, the Turla group intensified its satellite-based C\u0026C registrations tenfold compared to its 2015 average. This indicated unusually high activity by the Turla\r\ngroup, which signaled a never-before-seen mobilization of the group’s resources. 
At the same time, there was no\r\nensuing military conflict that we know of.\r\nKey insights\r\nToday’s military campaigns follow gathering of supporting intelligence in the field; this includes SIGINT\r\nand ELINT among others\r\nSignificant military campaigns, such as the 2003 invasion of Iraq, have been complemented by powerful\r\ncyberattacks designed to disable the enemy’s communication networks\r\nIn February 2022, we noticed a huge spike in activity related to Gamaredon C\u0026C servers; a similar spike\r\nwas observed in Turla and BlackEnergy APT activity in late 2013 and early 2014\r\nWe can expect to see significant signs and spikes in cyberwarfare in the days and weeks preceding military\r\nconflicts\r\nDay one\r\nOn the very first day of the conflict (February 24, 2022), a massive wave of indiscriminate pseudo-ransomware\r\nand wiper attacks hit Ukrainian entities. We were not able to determine any form of consistency when it came to\r\nthe targeting, which led us to believe that the main objective of these attacks may have been to cause chaos and\r\nconfusion — as opposed to achieving precise tactical goals. Conversely, the tools leveraged in this phase were just\r\nas varied in nature:\r\nRansomware (IsaacRansom);\r\nFake ransomware (WhisperGate);\r\nWipers (HermeticWiper, CaddyWiper, DoubleZero, IsaacWiper);\r\nICS/OT wipers (AcidRain, Industroyer2).\r\nSome of them were particularly sophisticated. As far as we know, HermeticWiper remains the most advanced\r\nwiper software discovered in the wild. Industroyer2 was discovered in the network of a Ukrainian energy provider,\r\nand it is very unlikely that the attacker would have been able to develop it without access to the same ICS\r\nequipment as used by the victim. 
That said, a number of those tools are very crude from a software engineering\r\nperspective and appear to have been developed hurriedly.\r\nWith the notable exception of AcidRain (see below), we believe that these various destructive attacks were both\r\nrandom and uncoordinated – and, we argue, of limited impact in the grand scheme of the war. Our assessment of\r\nthe threat landscape in Ukraine in the first months of the war can be found on SecureList.\r\nThe volume of wiper and ransomware attacks quickly subsided after the initial wave, but a limited number of\r\nnotable incidents were still reported. The Prestige ransomware affected companies in the transportation and\r\nlogistics industries in Ukraine and Poland last October. One month later, a new strain named RansomBoggs again\r\nhit Ukrainian targets – both malware families were attributed to Sandworm. Other “ideologically motivated”\r\ngroups involved in the original wave of attacks appear to be inactive now.\r\nKey insights\r\nLow-level destructive capabilities can be bootstrapped in a matter of days.\r\nBased on the uncoordinated nature of these destructive attacks, we assess that some threat actors appear to\r\nbe capable of recruiting isolated groups of hackers on short notice, to perform destabilizing tasks. 
We can\r\nonly speculate as to whether those groups are internal resources reassigned to low-level cyberattacks or\r\nexternal entities that can be mobilized when the need arises.\r\nWhile the impact of these destructive cyber-attacks paled in comparison to the effects of the kinetic attacks\r\ntaking place at the same time, it should be noted that this capability could in theory be directed against any\r\ncountry outside of the context of an armed conflict and under the pretense of traditional cybercrime\r\nactivity.\r\nThe Viasat “cyberevent”\r\nOn the 24th of February, Europeans who relied on the ViaSat-owned “KA-SAT” satellite faced major Internet\r\naccess disruptions. This so-called “cyber-event” started around 4h UTC, less than two hours after the Russian\r\nFederation publicly announced the beginning of the “special military operation” in Ukraine. As could be read from\r\ngovernment requests for proposals, the Ukrainian government and military are notable consumers of KA-SAT\r\naccess, and were reportedly affected by the event. But the disruptions also triggered major consequences\r\nelsewhere, such as interrupting the operation of wind turbines in Germany.\r\nViaSat quickly suspected that the disruptions could be the result of a cyberattack. It directly affected satellite modem\r\nfirmware, but was still to be understood as of mid-March. Kaspersky experts ran their own investigations and\r\nnotably uncovered a likely intrusion path to a remote access point in a management network, while analyzing\r\nmodem internals and a likely-involved wiper implant. The “AcidRain” wiper was first described later in March,\r\nwhile ViaSat published an official analysis of the cyber-attack. 
The latter confirmed that a threat actor got in\r\nthrough a remote-management network exploiting a poorly configured VPN, and ultimately delivered destructive\r\npayloads, affecting tens of thousands of KA-SAT modems. On May 10, the European Union attributed those\r\nmalicious activities to the Russian Federation.\r\nA lot of technical details about this attack are still unknown and may later be shared away from government eyes.\r\nYet it is one of the most sophisticated attacks revealed to date in connection to the conflict in Ukraine. The\r\nmalicious activities were likely conducted by a skilled and well-prepared threat actor, within a precise\r\ntimeframe that cannot be fortuitous. While the sabotage has likely failed to disrupt the Ukrainian defense badly\r\nenough, it had multiple effects beyond the battlefield: stimulating the US Senate to require a state of play on\r\nsatellite cybersecurity, accelerating SpaceX Starlink deployment (and later, unexpected bills), as well as\r\nquestioning the rules for dual-use infrastructure during armed conflicts.\r\nKey insights\r\nThe ViaSat sabotage once again demonstrates that cyberattacks are a basic building block for modern\r\narmed conflicts and may directly support key milestones in military operations.\r\nAs it has been suspected for years, advanced threat actors likely preposition themselves in various strategic\r\ninfrastructural assets in preparation for future disruptive actions.\r\nCyberattacks against common communication infrastructures are highly likely during armed conflict, as\r\nbelligerents might consider these to be of dual use. Due to the interlinked nature of the Internet, a\r\ncyberattack against this kind of infrastructure will likely have side-effects for parties that are not involved\r\nin the armed conflict. 
Protection and continuity planning are of utmost importance for this communications\r\ninfrastructure.\r\nThe cyberattack raises concerns about the cybersecurity of commercial satellite systems, which may\r\nsupport various applications, from selfie geolocation to military communications. While protective\r\nmeasures against kinetic combat in space are frequently discussed by military forces, and more datacenters\r\nare expected to fly soon … ground-station management systems and operators still seem to be highly\r\nexposed to common cyberthreats.\r\nTaking sides: professional ransomware groups, hacktivists, and DDoS attacks\r\nAs has always been the case, wartime has a very specific impact on the information landscape. It is especially true\r\nin 2022, now that humanity commands the most potent information spreading tools ever created: social networks\r\nand their well-documented amplification effect. Most real-world events related to the war (accounts of skirmishes,\r\ndeath tolls, prisoner of war testimonies) are shared and refuted online with varying degrees of good faith.\r\nTraditional news outlets are also affected by the broader context of information warfare.\r\nDDoS attacks and, to a lesser extent, defacement of random websites have always been regarded as low-sophistication and low-impact attacks by the security community. DDoS attacks, in particular, require generating\r\nheavy network traffic that attackers typically cannot sustain for very long periods of time. As soon as the attack\r\nstops, the target website becomes available again. Barring temporary loss of revenue for e-commerce websites, the\r\nonly value provided by DDoS attacks or defacement is the humiliation of the victim. 
Since non-specialized\r\njournalists may not know the difference between the various types of security incidents, their subsequent reporting\r\nshapes a perception of incompetence and inadequate security that may erode users’ confidence. The asymmetric\r\nnature of cyberattacks plays a key role in supporting a David vs. Goliath imagery, whereby symbolic wins in the\r\ncyberfield help convince ground troops that similar achievements are attainable on the real-life battlefield.\r\nAccording to Kaspersky DDoS Protection, in the first 11 months of 2022 the service registered\r\n~1.65 times more attacks than in the whole of 2021. While this growth may not be too significant, protected resources have been\r\nunder attack 64 times longer compared to 2021. In 2021 the average attack lasted ~28 minutes; in 2022, 18.5\r\nhours, which is almost 40 times longer. The longest attack lasted 2 days in 2021 and 28 days (or 2486505 seconds) in\r\n2022.\r\nTotal duration of DDoS attacks detected by Kaspersky DDoS Protection in seconds, by week, 2021 vs 2022\r\nSince the start of the war, a number of (self-identified) hacktivist groups have emerged and started conducting\r\nactivities to support either side. For instance, a stunt organized by the infamous collective Anonymous involved\r\ncausing a traffic jam in Moscow by sending dozens of taxis to the same location.\r\nKaspersky DDoS Protection data also reflects this trend. 
Massive DDoS attacks were spread unevenly over the year,\r\nwith the most heated times being in spring and early summer.\r\nNumber of DDoS attacks detected by Kaspersky DDoS Protection in seconds, by week, 2021 vs 2022\r\nAttacks peaked in February-early March, reflecting the growth of hacktivism, which had died down by autumn.\r\nCurrently we see the regular, expected pattern of attacks, though their character has changed. In May-June we\r\ndetected extremely long attacks. Their length has since stabilized; nevertheless, while typical attacks used to last a\r\nfew minutes, they now last for hours.\r\nOn February 25, 2022, the infamous Conti ransomware group announced their “full support of Russian\r\ngovernment”. The statement included a bold phrase: “If anybody will decide to organize a cyberattack or any war\r\nactivities against Russia, we are going to use our all possible resources to strike back at the critical\r\ninfrastructures of an enemy”. The group followed up rather quickly with another post, clarifying their position in\r\nthe conflict: “As a response to Western warmongering and American threats to use cyber warfare against the\r\ncitizens of Russian Federation, the Conti Team is officially announcing that we will use our full capacity to deliver\r\nretaliatory measures in case the Western warmongers attempt to target critical infrastructure in Russia or any\r\nRussian-speaking region of the world. 
We do not ally with any government and we condemn the ongoing war.\r\nHowever, since the West is known to wage its wars primarily by targeting civilians, we will use our resources in\r\norder to strike back if the well being and safety of peaceful citizens will be at stake due to American cyber\r\naggression”.\r\nTwo days later, a Ukrainian security researcher leaked a large batch of internal private messages between Conti\r\ngroup members, covering over one year of activity starting in January 2021. This dump delivered a significant\r\nblow to the group, which saw its inner activities exposed before the public, including Bitcoin wallet addresses\r\nrelated to many millions of US dollars received in ransom. At the same time, another cybercriminal group called\r\n“CoomingProject”, specializing in data leaks, announced they would support the Russian Government if they\r\nsaw attacks against Russia:\r\nOther groups, such as Lockbit, preferred to stay neutral, claiming their “pentesters” were an international\r\ncommunity, including Russians and Ukrainians, and it was “all business”, in a very apolitical manner:\r\nOn February 26, Mykhailo Fedorov, the Vice Prime Minister and Minister of Digital Transformation of Ukraine,\r\nannounced the creation of a Telegram channel to “continue the fight on the cyber front”. 
The initial Telegram\r\nchannel had a typo in the name (itarmyofurraine) so a second one was created.\r\nIT ARMY of Ukraine Telegram channel\r\nThe channel operators constantly give tasks to the subscribers, such as DDoS’ing various business corporations,\r\nbanks, or government websites:\r\nList of DDoS targets posted by IT ARMY of Ukraine\r\nWithin a short time, the IT Army of Ukraine, composed of volunteers coordinating via Twitter and Telegram,\r\nreportedly defaced or otherwise DDoSed over 800 websites, including high-profile entities such as the Moscow\r\nStock Exchange[1].\r\nParallel activity has also been observed by other groups, which have taken sides as the conflict was spilling over\r\ninto neighboring countries. For instance, the Belarusian Cyber-Partisans claimed they had disrupted the operations\r\nof the Belarusian Railway by switching it to manual control. Their goal was to slow the movement of Russian\r\nmilitary forces through the country.\r\nBelarusian Cyber-Partisans post\r\nA limited and by far not exhaustive list of some of the ransomware or hacktivist groups that expressed their\r\nopinion about the conflict in Ukraine includes:\r\nOpen UA support: RaidForums, Anonymous collective, IT ARMY of Ukraine, Belarusian Cyber-Partisans, AgainstTheWest, NB65, Squad303, Kelvinsecurity + …\r\nOpen RU support: Conti ransomware, CoomingProject ransomware, Stormous ransomware, KILLNET\r\nNeutral: Lockbit ransomware, ALPHV ransomware\r\nAmong the openly pro-Russian groups, Killnet, which was originally established as a response to the “IT Army of\r\nUkraine”, is probably the most active. 
In late April, they attacked Romanian Government websites in response to\r\nstatements by Marcel Ciolacu, president of the Romanian Chamber of Deputies, after he promised Ukrainian\r\nauthorities “maximum assistance”. On May 15, Killnet published a video on their Telegram channel declaring war\r\non ten nations: the United States, the United Kingdom, Germany, Italy, Latvia, Romania, Lithuania, Estonia,\r\nPoland, and Ukraine. Following these activities, the international hacking collective known as “Anonymous”\r\ndeclared cyber war against Killnet on May 23.\r\nKillnet continued its activities throughout 2022, preceding its attacks with an announcement on its Telegram\r\nchannel. In October, the group started attacking organizations in Japan, which it later stopped due to a lack of\r\nfunds. It later attacked a US airport and governmental websites and businesses, often without significant success.\r\nOn November 23, Killnet briefly took down the website of the European Union. Killnet also repeatedly targeted\r\nwebsites in Latvia, Lithuania, Norway, Italy, and Estonia. 
While Killnet’s methods are not sophisticated, they\r\ncontinually make headlines and drive attention to the group’s activities and stance.\r\nKey insights\r\nThe conflict in Ukraine has created a breeding ground for new cyberwar activity by various parties\r\nincluding cybercriminals and hacktivists, who rushed to support their favorite sides\r\nWe can expect the involvement of hacktivist groups in all major geopolitical conflicts from now on.\r\nThe cyberwar activities are spilling over into neighboring countries and affecting a large number of\r\nentities, including governmental institutions and private companies\r\nSome groups, such as the IT Army of Ukraine, have been officially backed by governments, and their\r\nTelegram channels include hundreds of thousands of subscribers\r\nThe majority of attacks have relatively low complexity\r\nMost of the time, attacks conducted by these groups have a very limited impact on operations but may\r\nerroneously be reported as serious incidents and cause reputational damage.\r\nThese activities may originate from genuine “grassroots” hacktivists, groups encouraged or supported by\r\none of the belligerents, or from the belligerents themselves – and telling which is which may well prove\r\nimpossible.\r\nHack and leak\r\nOn the more sophisticated end of attacks attempting to hijack media attention, hack-and-leak operations have been\r\non the rise since the beginning of the conflict. The concept is simple: breaking into an organization and\r\npublishing its internal data online, often via a dedicated website. This is significantly more difficult than a simple\r\ndefacing operation, since not all machines contain internal data worth releasing. 
Hack-and-leak operations,\r\ntherefore, require more precise targeting, and will, in most cases, also demand more skill from attackers, as the\r\ninformation they are looking for is, more often than not, buried deep within the victim’s network.\r\nAn example of such a campaign is the “doxing” of Ukrainian soldiers. Western entities were also targeted, such as\r\nthe Polish government or many prominent pro-Brexit figures in the UK. In the latter cases, internal emails were\r\npublished, leading to scrutiny by investigative journalists. In theory, these data leaks are subject to manipulation.\r\nThe attackers have all the time they need to edit any released document or could just as well inject entirely forged\r\nones.\r\nIt is important to note that it is absolutely unnecessary for the attacker to go to such lengths for the data leak to be\r\ndamaging. The public availability of the data is proof in itself that a serious security incident took place, and the\r\nlegitimate, original content may already contain incriminating information.\r\nKey insights\r\nIn our 2023 APT predictions, we foresee that hack-and-leak operations will be on the rise next year, as they\r\nare very efficient against entities that already have high media exposure and corruption levels (i.e.\r\npoliticians).\r\nInformation warfare is not internal to a conflict, but instead directed at all onlookers. We expect that the\r\nvast majority of such attacks will not be directed at the belligerents, but rather at entities who are perceived\r\nas being too supportive (or not supportive enough) of either side.\r\nWhether it is hack-and-leak operations or DDoS, cyberattacks emerge as a non-kinetic means of diplomatic\r\nsignaling between states.\r\nPoisoned open-source repositories, weaponizing open-source software\r\nOpen-source software has many benefits. 
Firstly, it is often free to use, which means that businesses and\r\nindividuals can save money on software costs. However, since anyone can contribute to the code and make\r\nimprovements, this can also be abused and in turn, open security trapdoors. On the other hand, since the code can\r\nbe publicly examined for any potential security vulnerabilities, it also means that given enough scrutiny, the risks\r\nof using open-source software can be mitigated to decent levels.\r\nBack in March, RIAEvangelist, the developer behind the popular npm package “node-ipc”, published modified\r\nversions of the software that contained a special functionality if the running systems had a Russian or Belarusian\r\nIP address. On such systems, the code would overwrite all files with a heart emoji, additionally dropping the\r\nmessage file WITH-LOVE-FROM-AMERICA.txt, originating in another module created by the same developer. The\r\nnode-ipc package is quite popular with over 800,000 users worldwide. As is often the case with open-source\r\nsoftware, the effect of deploying these modified “node-ipc” versions was not restricted to direct users; other open-source packages, for instance “Vue.js”, which automatically include the latest node-ipc version, amplified the\r\neffect.\r\nPackages aimed to be spread in the Russian market did not always lead to destruction of files; some of them\r\ncontained hidden functionality such as adding a Ukrainian flag to a section of the website or software, or political\r\nstatements in support of the country. In certain cases the functionality of the package was removed and replaced with\r\npolitical notifications. 
It is worth noting that not all packages had this functionality hidden, with some authors\r\nannouncing the functionality in the package description.\r\nOne of the projects encourages users to spread a file that, once opened, will start hitting various pages of the enlisted\r\nservers via JavaScript to overload the websites\r\nOther repositories and software modules found on GitHub included those specifically created to DDoS Russian\r\ngovernmental, banking and media sites, network scanners specifically for gathering data about Russian\r\ninfrastructure and activity and bots aimed at mass reporting of Telegram channels.\r\nKey insights\r\nAs the conflict drags on, popular open-source packages can be used as a protest or attack platform by\r\ndevelopers or hackers alike\r\nThe impact from such attacks can extend further than the open-source software itself, propagating to other\r\npackages that automatically rely on the trojanized code\r\nFragmentation\r\nDuring the past years, most notably after 2014, the process of fragmentation began to expand to the IT Security world, with nation\r\nstates passing laws banning each other’s products, services, and companies.\r\nFollowing the start of the conflict in Ukraine in February 2022, we have seen a lot of western companies exiting\r\nthe Russian market and leaving their users in a difficult position when it comes to receiving security updates or\r\nsupport. At the same time, some western nations have pushed laws banning the use of Russian software and\r\nservices due to a potential risk of these being used to launch attacks.\r\nObviously, one cannot totally rule out the possibility of political pressure being applied to weaponize products,\r\ntechnologies, and services of some minor market players. 
When it comes to global market leaders and respected\r\nvendors, however, we believe this to be extremely unlikely.\r\nOn the other hand, searching for alternative solutions can be extremely complicated. Products from local vendors,\r\nwhose secure development culture, as we have often found, is usually significantly inferior to that of global\r\nleaders, are likely to have “silly” security errors and zero-day vulnerabilities, rendering them easy prey for both\r\ncybercriminals and hacktivists.\r\nShould the conflict continue to escalate, organizations based in countries where the political situation does not\r\nrequire addressing the above issues should still consider the future risk factors that may affect everyone:\r\nThe quality of threat detection decreases as IS developers lose some markets, resulting in the expected loss\r\nof some of their qualified IS experts. This is a real risk factor for all security vendors experiencing political\r\npressure.\r\nThe communication breakdowns between IS developers and researchers located on opposite sides of the\r\nnew “iron curtain” or even on the same side (due to increased competition on local markets) will\r\nundoubtedly decrease the detection rates of security solutions that are currently being developed.\r\nDecreasing CTI quality: unfounded politically motivated cyberthreat attribution, exaggerated threats, lower\r\nstatement validity criteria due to political pressure and in an attempt to utilize the government’s political\r\nnarrative to earn additional profits.\r\nGovernment attempts to consolidate information about incidents, threats, and vulnerabilities and to limit access to\r\nthis information detract from overall awareness, since information may sometimes be kept under wraps without\r\ngood reason.\r\nKey insights\r\nGeopolitics are playing an important role and the process of fragmentation is likely going 
to expand\r\nSecurity updates are probably the top issue when vendors end support for products or leave the market\r\nReplacing established, global leaders with local products might open the doors to cybercriminals exploiting\r\nzero-day vulnerabilities\r\nDid a cyberwar happen?\r\nEver since the beginning of the conflict, the cybersecurity community has debated whether or not what was going\r\non in Ukraine qualifies as “cyberwar”. One indisputable fact, as documented throughout this report, is that\r\nsignificant cyberactivity did take place in conjunction with the start of the conflict in Ukraine. This may be the\r\nonly criterion we need.\r\nOn the other hand, many observers had envisioned that in the case of a conflict, devastating preemptive\r\ncyberattacks would cripple the “special operation” party. With the notable exception of the Viasat incident, whose\r\nactual impact remains hard to evaluate, this simply did not take place. The conflict instead revealed an absence of\r\ncoordination between cyber- and kinetic forces, and in many ways downgraded cyberoffense to a subordinate role.\r\nRansomware attacks observed in the first weeks of the conflict qualify as distractions at best. Later, when the\r\nconflict escalated this November and the Ukrainian infrastructure (energy networks in particular) got explicitly\r\ntargeted, it is very telling that the Russian military’s tool of choice for the job was missiles, not wipers[2].\r\nIf you subscribe to the definition of cyberwar as any kinetic conflict supported through cyber-means, regardless of\r\ntheir tactical or strategic value, then a cyberwar did happen in February 2022. 
Otherwise, you may be more\r\nsatisfied with Ciaran Martin’s qualification of “cyberharassment”[3].\r\nKey insights\r\nThere is a fundamental impracticality to cyberattacks; an impracticality that can only be justified when\r\nstealth matters. When it does not, physical destruction of computers appears to be easier, cheaper, and more\r\nreliable.\r\nUnless very significant cyberattacks have failed to reach public awareness, at the time of writing this, the\r\nrelevance of cyberattacks in the context of open war has been vastly overestimated by our community.\r\nConclusion\r\nThe conflict in Ukraine will have a lasting effect on the cybersecurity industry and landscape as a whole. Whether\r\nthe term “cyberwar” applies or not, there is no denying that the conflict will forever change everyone’s\r\nexpectations about cyberactivity conducted in wartime, when a major power is involved. Unfortunately, there is a\r\nchance that established practice will become the de facto norm.\r\nBefore the war broke out, several ongoing multiparty processes (UN’s OEWG and GGE) attempted to establish a\r\nconsensus on acceptable and responsible behavior in cyberspace. Given the extreme geopolitical tensions we are\r\ncurrently experiencing, it is doubtful that these already difficult discussions will bear fruit in the near future.\r\nA promising initiative in the meantime is the ICRC’s “digital emblem” project: a proposed solution to clearly\r\nidentify machines used for medical or humanitarian purposes, in the hopes that attackers will refrain from\r\ndamaging them. 
Just like the real-life red cross and red crescent emblems cannot stop bullets, digital emblems will\r\nnot prevent cyberattacks on a technical level – but they will at least make it obvious to everyone that medical\r\ninfrastructure is not a legitimate target.\r\nAs it seems more and more likely that the conflict will drag on for years, and with the death toll already being\r\nhigh… we hope that everyone can at least agree on that.\r\n[1]\r\n The point of this section is not to evaluate the accuracy of those numbers, which are self-reported in many\r\ncases, but to study how these cyberattacks are used to shape narratives.\r\n[2]\r\n This report does not make the assumption that the Russian military would use, could use, or has ever used\r\nwiper malware. US-CERT however went on the record on this exact subject. So did a number of industry peers.\r\n[3]\r\n We recognize that information about ongoing cyberattacks and their impact isn’t exactly forthcoming. This\r\nassessment may be revised at a later date, when more data becomes available.\r\nSource: https://securelist.com/reassessing-cyberwarfare-lessons-learned-in-2022/108328/\r\nhttps://securelist.com/reassessing-cyberwarfare-lessons-learned-in-2022/108328/\r\nPage 15 of 15\n\nAccording to Kaspersky ~1.65 more attacks DDoS Protection, than in the whole since 2021. While the beginning this growth of 2022 during may be not too 11 months significant, the service registered the resources have been\nunder attack 64 times longer compared to 2021. In 2021 the average attack lasted ~28 minutes, in 2022 -18.5\nhours, which is almost 40 times longer. The longest attack lasted 2 days in 2021, 28 days (or 2486505 seconds) in\n2022.       \n   Page 5 of 15",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/reassessing-cyberwarfare-lessons-learned-in-2022/108328/"
	],
	"report_names": [
		"108328"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f547e816-ea17-442e-915d-c5c76a30669b",
			"created_at": "2022-10-25T16:07:23.891717Z",
			"updated_at": "2026-04-10T02:00:04.780944Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [],
			"source_name": "ETDA:NB65",
			"tools": [
				"NB65"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4f472ea8-b147-486d-8533-88f8036343a6",
			"created_at": "2024-01-23T13:22:35.081084Z",
			"updated_at": "2026-04-10T02:00:03.520098Z",
			"deleted_at": null,
			"main_name": "Cyber Partisans",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Partisans",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8754f54b-7154-4996-b065-94f04f846022",
			"created_at": "2023-11-07T02:00:07.095161Z",
			"updated_at": "2026-04-10T02:00:03.405596Z",
			"deleted_at": null,
			"main_name": "NB65",
			"aliases": [
				"Network Battalion 65"
			],
			"source_name": "MISPGALAXY:NB65",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05b0c294-6e79-4d58-8291-73d2c1c7d9bd",
			"created_at": "2024-06-25T02:00:05.048321Z",
			"updated_at": "2026-04-10T02:00:03.665219Z",
			"deleted_at": null,
			"main_name": "BlueHornet",
			"aliases": [
				"APT49",
				"AgainstTheWest"
			],
			"source_name": "MISPGALAXY:BlueHornet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4a6d558-3cba-499c-b58a-f15d65b7a604",
			"created_at": "2023-01-06T13:46:39.346924Z",
			"updated_at": "2026-04-10T02:00:03.295317Z",
			"deleted_at": null,
			"main_name": "Killnet",
			"aliases": [],
			"source_name": "MISPGALAXY:Killnet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63f532e6-4b4a-4f17-bbff-8517f0dd1868",
			"created_at": "2024-01-09T02:00:04.192588Z",
			"updated_at": "2026-04-10T02:00:03.507424Z",
			"deleted_at": null,
			"main_name": "KelvinSecurity",
			"aliases": [],
			"source_name": "MISPGALAXY:KelvinSecurity",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434689,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/67a30fed62050363cc4e441bd35a17fd4bf9edd0.pdf",
		"text": "https://archive.orkl.eu/67a30fed62050363cc4e441bd35a17fd4bf9edd0.txt",
		"img": "https://archive.orkl.eu/67a30fed62050363cc4e441bd35a17fd4bf9edd0.jpg"
	}
}