Russia's cyberwarfare tactics show it's in for the long haul, Microsoft says

An image of a keyboard where the Enter key has a Russian flag painted on it, with a small gold bear standing on the key. (Image credit: Shutterstock / Aleksandra Gigowska)

The Ukraine war is quickly approaching its second anniversary and Russia shows no sign of slowing its grueling offensives both on land and in cyberspace, new research has claimed.

Russia has been committed to winning propaganda wars at home and on the internet, and at times has resorted to some fairly intuitive means, including Cameo videos from Elijah Wood.

Now, in its Russia Report, Microsoft’s Threat Analysis Center (MTAC) has outlined a number of tactics favored by the Kremlin’s cyber arm.

Civilians bearing the brunt

From the start of its invasion Russia has treated civilians as legitimate targets, from striking energy infrastructure during the winter of 2022, to the deliberate destruction of agricultural infrastructure this year. Russia hopes to demoralize the Ukrainian population, erode support for Zelensky’s government, and pollute the information space with propaganda.

The Kremlin has a wide range of hacktivist groups supportive of the Russian invasion to do its bidding, with various levels of association with the regime’s Main Intelligence Directorate, known as the GRU. These groups also have connections with known state-sponsored groups such as Seashell Blizzard and Cadet Blizzard.

Among organizations targeted by Russian groups, some of the most popular have been war crime investigative organizations. Specifically targeted to disrupt the gathering of evidence, or to steal information related to witnesses and victims, these organizations have suffered repeated distributed denial-of-service (DDoS) attacks, phishing campaigns and network breaches.

There is a wide range of tactics, techniques and procedures (TTPs) used by Russian-affiliated cyber groups, but one method that has seen success is the ShadowLink backdoor malware.

Hackers will initially target an organization using a wide variety of means, such as password spraying and phishing campaigns, before establishing a backdoor into a network using pirated Microsoft Office software that carries a hidden backdoor known as DarkCrystalRAT. This backdoor can then be used to install the ShadowLink TOR payload, establishing masked access to the network that evades firewalls via TOR.

Eroding support abroad

Another favored target of Russian-affiliated cyber groups is Ukraine's allies abroad. Russian groups have routinely pursued misinformation and disinformation campaigns with messaging targeting divisive issues related to Ukraine. MTAC has been closely monitoring the work of a Russian-affiliated influence actor labeled as Storm-1099. In recent months, Storm-1099 has leveraged the Israel-Hamas war to produce convincing forged stories claiming that weapons supplied to Ukraine were sold to Hamas to commit its attacks in Israel.

Russian groups also seek to erode US and Israeli opinions of Ukraine, and vice versa, with numerous stories that garnered hundreds of thousands of views, falsely suggesting that Ukrainian assets and manpower are being used by Hamas. 

One of the most innovative disinformation campaigns run by the Russian-affiliated groups has been the use of celebrity videos. By leveraging Cameo, a service where fans can pay celebrities for a video usually containing a personalized message, unknown actors requested videos from celebrities with a personalized message begging “Vladimir” to cease “his” substance abuse and seek professional help.

Video messages from the likes of Elijah Wood, Dean Norris, Kate Flannery and Mike Tyson were then edited to appear as genuine appeals from the actors directly to Volodymyr Zelensky via social media, perpetrating a known Russian disinformation campaign that alleges Zelensky suffers from a substance addiction.

Quantity, not quality

To varying degrees of success, the doctrine of quantity over quality has long been the modus operandi of the Kremlin. MTAC suggests Russia and its affiliated groups will continue to target a breadth of organizations with the intention of disrupting the daily lives of Ukrainian civilians, eroding support abroad, and generating sympathy for Russia’s illegal annexation of Ukrainian territory.

With the upcoming US 2024 presidential election, and many other important elections across Europe, we can expect to see an uptick in malicious campaigns leveraging misinformation surrounding both Ukraine and the Israel-Hamas war, with the intention of eroding support for, and therefore aid to, Ukraine.

Benedict Collins
Staff Writer (Security)