Russian-aligned hackers started attacking Ukraine as early as March 2021 - Microsoft

The company also detailed the "relentless and destructive" attacks seen since. Photo credit: Getty Images

A new Microsoft report says Russian hackers started targeting Ukraine in March 2021 in order to gain access to the country's IT systems.

It also provided details of the "relentless and destructive Russian cyberattacks" it had observed since Russia invaded the neighbouring country in late February.

In a blog introducing the report, corporate vice president Tom Burt said Russia-aligned actors "began pre-positioning for conflict as early as March 2021, escalating actions against organisations inside or allied with Ukraine to gain a larger foothold into Ukrainian systems".

"By mid-2021, Russian actors were targeting supply chain vendors in Ukraine and abroad to secure further access not only to systems in Ukraine but also NATO member states," he continued.

While diplomatic efforts were failing to de-escalate tensions at the border, Russian hackers were launching wiper malware attacks with increased intensity, Microsoft said.

When the organisation found the malware in more than a dozen networks, it alerted the Ukrainian government and established a secure line of communication with "key cyber officials" to ensure a rapid response to help defend the country.

"This has included 24/7 sharing of threat intelligence and deployment of technical countermeasures to defeat the observed malware," Burt wrote.

Since just before the invasion, Burt said the company had seen at least six separate Russia-aligned nation-state actors launching more than 237 operations against Ukraine, including destructive attacks that threatened civilian welfare.

"The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people's access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country's leadership," Burt wrote.

Russia's use of cyberattacks looks to be strongly correlated with actual military operations targeting services and institutions critical for civilians, the report said.

"On March 13, during the third week of the invasion, a separate Russian actor stole data from a nuclear safety organisation weeks after Russian military units began capturing nuclear power plants sparking concerns about radiation exposure and catastrophic accidents," Burt wrote.

"While Russian forces besieged the city of Mariupol, Ukrainians began receiving an email from a Russian actor masquerading as a Mariupol resident, falsely accusing Ukraine's government of 'abandoning' Ukrainian citizens."

The tech giant also said it's likely that it had only identified a small number of the actual attacks so far, and it expected more as the war continued. That includes continued targeting of NATO member states.

"Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression," the report said.

"We've observed Russian-aligned actors active in Ukraine show interest in or conduct operations against organisations in the Baltics and Turkey - all NATO member states actively providing political, humanitarian or military support to Ukraine."