A Kremlin-linked hacking group known for focusing on Ukraine has stepped up its spying efforts against Ukraine’s NATO allies in recent months – in part by trying to hack a big oil firm in a NATO country in August, according to US cybersecurity firm Palo Alto Networks.
It’s the latest sign that Russia’s various hacking teams are pulling out all the stops to try to get key intelligence on NATO members as Moscow tries to shift the tide of its bloody war in Ukraine.
The hacking group – which Ukraine has accused of working out of Crimea on behalf of Russian intelligence – unsuccessfully tried to break into the network of an oil refinery company based in a NATO country “that continues to import oil from Russia,” Unit 42, Palo Alto Networks’ threat intelligence group, told CNN on Tuesday. Unit 42 declined to name the NATO country or the oil firm.
Data held by the oil firm could, in theory, be helpful to Russia as it deals with a slew of Western sanctions that followed its February full-scale invasion of Ukraine.
The hackers’ “shift in targeting represents a significant expansion of their mission,” said Jen Miller-Osborn, Unit 42’s director of threat intelligence.
Throughout the war in Ukraine, Russian operatives – and those from other governments – have tried to use hacking to understand what’s going on and off the battlefield, according to US officials and private researchers.
Multiple examples of that type of cyber-espionage against non-Ukrainian targets have spilled into the public eye in recent weeks. Another set of suspected Russian hackers, for example, tried to break into six military, technology or logistics firms in the US and Europe that do work with Ukraine, French cybersecurity firm Sekoia.io reported this month.
The hacking operations typically involve deception and subterfuge.
The Russia-linked hackers tracked by Unit 42 tried to cover their tracks by changing up the internet protocol (IP) addresses – the unique numbers that identify computers online – they used in their operations. In one case, the hackers made it appear as if their activity was coming from an IP address owned by the Pentagon.
The Pentagon has been heavily involved in trying to help Ukraine defend itself from Russian cyber operations for the last year.
Cyber Command – the US military’s offensive and defensive hacking unit – sent teams of personnel to Ukraine to study Russian hacking tools in advance of the Russian invasion. US and Ukrainian officials have shared thousands of datasets of malicious cyber activity with each other to bolster defenses during that time, according to Cyber Command.