CEO Blog Series: Ukraine Conflict Confirms Russian Cybercrime Connection

I am watching the ongoing tragedy in Ukraine with the rest of the world. It is heartbreaking and my thoughts are with the people of Ukraine. I had hoped that diplomatic efforts would work and that Putin would pull his troops back, but I would be lying if I said I was completely surprised that Russia launched a full-scale invasion of Ukraine.

Aside from displaying Putin’s imperialist aspirations, this conflict has also revealed the extent to which Russia has integrated cyber into its military strategy and how much control Russia has over allegedly “independent” cybercrime gangs.  

Cyberattacks and Hybrid Warfare

Cyber is an integral element of nation-state intelligence and a powerful tool for disrupting communications and impeding the enemy’s defenses in a military conflict. Russia and threat actors aligned with Russia have a history of employing cyberattacks against Ukraine.

In the weeks and days leading up to the Russian invasion, Ukrainian government websites and banks, along with the websites of nations allied with Ukraine were defaced. Researchers also discovered multiple malicious wiper programs deployed on Ukrainian systems.

The threat is still high, and it is not only specific to Ukraine. Nations and businesses around the world need to be on high alert for cyberattacks. As the United States and NATO allies support Ukraine with military equipment and medical supplies and increase pressure on Russia through sanctions and other means, I expect Russia and/or aligned threat actors to escalate cyberattacks in an effort to impact critical infrastructure, cripple the global economy, and weaken our collective resolve to stand united against them.

The rhetoric around potential cyberattacks is intensifying. There are reports that the Biden administration and other nations are considering options for offensive cyber operations against Russia. The hacktivist collective Anonymous claims to have knocked Russian websites offline. Meanwhile, various ransomware gangs have issued threatening statements warning that they will strike back against any nations or groups that attack Russia. 

While those attacks may be primarily aimed at government and military assets, there is no way to predict the scope or resulting impact given that the majority of critical infrastructure security rests with the private sector. Nation-state cyberattacks often bleed beyond the intended target and result in collateral damage for unrelated businesses around the world—like the NotPetya attack by Russia against Ukraine in 2017.

Russia Pulls the Strings

The Cybereason Threat Intelligence team has been carefully monitoring the situation in Ukraine as tensions have escalated. There was a dramatic drop in ransomware attack activity following the public and performative arrest of members of the REvil ransomware gang in January. Ransomware attacks originating from Russia have effectively all but ceased since mid-January. 

That actually tells me two things. First, it demonstrates the influence—control, actually—that Putin and the Russian government have over these cybercrime groups. It shows that the cyberattacks coming out of Russia are not really state-ignored or state-sponsored, but actually state-controlled.

It confirms what we have long suspected, that Putin and Russian intelligence agencies enlist cybercrime threat actors as proxies to provide a buffer of plausible deniability while effectively leveraging cyberattacks as a weapon. 

The drop in Russian ransomware activity over the last six weeks also suggests that those cybercrime groups were given a new mission. They were most likely conscripted to help the Russian government in its efforts to hack and disable critical infrastructure and defense systems in Ukraine in preparation for launching the invasion. 

Be Prepared to Defend

It’s hard to predict how things will play out from here, but you need to brace yourself for Russian cyberattacks attempting to cripple our economy, disrupt our critical infrastructure, and weaken our ability and resolve to stand against Russia. Even if the attacks don’t target your organization directly, you need to be prepared for any repercussions or the possible collateral damage that results. 

No matter how this ends, when the dust settles on this conflict one thing will be true. We now know that Russia has far more power and control over cybercrime groups and ransomware gangs than they have admitted to. They have shown their hand now, and they will no longer have the luxury of feigning ignorance. 


Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across enterprise, to everywhere the battle is taking place. More resources around emerging threats tied to the Russian aggression in Ukraine can be found here

Lior Div
About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.

All Posts by Lior Div