In March, as tensions between Russia and Ukraine reached a level not seen since the Cold War, a separate battle was playing out on the two nations' computer networks.
In March, callbacks to Russian botnets jumped by 40%
A report released today by the US-based malware research firm FireEye shows a huge surge in Russian and Ukrainian malware activity as the crisis progressed, even as activity in the rest of the world declined. The report tracks more than 30 million "callbacks," the messages that infected computers send back to a command-and-control server, allowing hackers to control them remotely. In March of 2014, callbacks to Russia jumped by 40 percent, making it the fourth-highest total in the world behind the US, China, and Hong Kong. Russia also saw a jump in the number of distinct malware types, indicating that more botnets were coming online or that old botnets were adding new capabilities. Ukraine saw a similar jump, although it wasn't as pronounced as the Russian data. The botnets weren't necessarily attacking each other, but they're a sign that both nations were flexing their digital muscles as tensions increased.
FireEye's work is based on broad traffic analysis, so it's hard to pin down specifics about the nature of the attacks, but researcher Kenneth Geers sees it as a sign that so-called "cyberwar" is more real than many skeptics think. "It could be some foreign governments in there, it could be lone hackers," Geers says, "but I bet you this is to some degree showing that these governments are using computer network operations in order to fulfill national-security objectives."
Geers' interpretation is particularly likely given both countries' history of nationalist web attacks. That same month saw the Ukrainian hacker group Cyber Berkut launch campaigns against NATO and various Russian sites. And in early March, Ukraine's National Security and Defense Council said a "massive denial-of-service attack" took down its servers for several hours. In 2007, Russian nationalist hackers launched a DDoS attack powerful enough to knock the entire nation of Estonia offline. As public tensions between the nations rose, it makes sense that the same groups might use the same tactics to help out their side.
The research is still preliminary, but Geers has promised more work on the topic as FireEye examines its networks through different periods of conflict. The premise so far is that more conflict will mean more malware, no matter where in the world it's happening. As Geers puts it, "what happens on the internet is just a reflection of what happens in human affairs more broadly."