Cyber Threats Snapshot: Leonardo’s report on cyber-attacks detected between January and March goes online

20 June 2022

Russia’s invasion of Ukraine marked the start of 2022, also in terms of cyber security: the Cyber Threats Snapshot Report issued by Leonardo’s Security Operation Centre (SOC) lists the most widespread attacks in Q1-2022.

Leonardo’s Cyber Threats Snapshot Report, highlighting the principal threat actors, cybercrime activities and vulnerabilities encountered between January and March 2022, has just been published. The analysis, conducted by Cyber Threat Intelligence experts in support of Leonardo’s Global Security Operation Centre (SOC), reveals some dominant strands for the period. All are, in one way or another, linked to the Russia-Ukraine conflict, confirming its character as a ‘hybrid war’ featuring:

  • attacks on Ukrainian organisations
  • widespread disinformation and propaganda campaigns
  • destructive sabotage activities

Before the Russian army invaded Ukraine, DDoS (Distributed Denial of Service) attacks, which bombard a site with requests until it is taken down and rendered unreachable, and defacement attacks, which illicitly introduce content onto a website, targeted critical infrastructure, the Ukrainian government and financial institutions. DDoS was the most widespread type of attack.

In conjunction with and supporting these attacks, disinformation campaigns were launched to further destabilise Ukraine domestically, especially in the provinces bordering Russia. These campaigns were conducted using social networks (with many accounts suspended by the operators) and fraudulent text messages providing false information about the unavailability of some essential services – including those of the largest Ukrainian commercial banks – that were, in fact, operating as usual.

As of 23 February 2022, however, the report notes destructive sabotage activities by threat actors from both sides. These attacks involved the spreading of wipers, a type of malware that deletes data and programmes from the drives of infected devices, rendering them effectively unusable. The most commonly used ones include WhisperGate, developed to resemble ransomware but without any system recovery mechanisms, and RURansom, which spreads like a worm inside removable drives and through all mapped network shares. Before encrypting systems irreversibly, RURansom locates devices and infects only those in Russia.

The repercussions of the conflict can also be felt outside the countries directly involved. Globally, the government and defence sector has been among the most affected by the threat actors who immediately sided with Russia or Ukraine. This phenomenon involved governmental actors and the majority of cybercrime groups. The defence and aerospace industry was also one of the main targets of the attackers, who were interested in exfiltrating strategic and sensitive information such as intellectual property related to production processes and projects, as well as employee personal data.
