Microsoft Issues Report of Russian Cyberattacks against Ukraine

Microsoft has a comprehensive report on the dozens of cyberattacks—and even more espionage operations—Russia has conducted against Ukraine as part of this war:

At least six Russian Advanced Persistent Threat (APT) actors and other unattributed threats, have conducted destructive attacks, espionage operations, or both, while Russian military forces attack the country by land, air, and sea. It is unclear whether computer network operators and physical forces are just independently pursuing a common set of priorities or actively coordinating. However, collectively, the cyber and kinetic actions work to disrupt or degrade Ukrainian government and military functions and undermine the public’s trust in those same institutions.


Threat groups with known or suspected ties to the GRU have continuously developed and used destructive wiper malware or similarly destructive tools on targeted Ukrainian networks at a pace of two to three incidents a week since the eve of invasion. From February 23 to April 8, we saw evidence of nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine.

Posted on April 28, 2022 at 9:15 AM18 Comments


John White April 28, 2022 10:01 AM


If America didn’t want to destroy ukraine, they shouldn’t have overthrown the last legitimate president in 2014.

Winter April 28, 2022 10:12 AM

Microsoft has a comprehensive report on the dozens of cyberattacks — and even more espionage operations — Russia has conducted against Ukraine as part of this war

I suppose the Russians know that, eventually, someone will have enough and will return the favor.

Maybe they feel invincible in “cyber-security”?

The question, obviously, is whether the Russian evaluation of their cyber-warfare strength is as accurate as their army-warfare strength. The invasion of Ukraine showed quite decisively that the strength of their army is not on par to expectations.

So, how strong, or invincible, are they really when it comes to cyber security/strength?

Winter April 28, 2022 10:24 AM

@John White
If the Americans did not want their country destroyed by the British (burning of Washington, 1812) they should not have overthrown their legitimate sovereign.

All the arguments of Putin come down to: People have no right to oppose the Kremlin, ever.

Clive Robinson April 28, 2022 10:27 AM

@ Winter, ALL,

So, how strong, or invincible, are they really when it comes to cyber security/strength?

Well unlike the Russian Mil that appear to work on the theory that “Brutality is best” to get their grunts to do as ordered.

Cyber-warfare needs people with skills of a certain type, and they are not at all common.

Find out who the “brains” are and issue “Dead or Alive” rewards of a few million per headon them and their family members…

The result will be someone will try to collect, and the other “Brains” will get to hear that they have been marked out for “High velocity lead poisoning”.

Yes I know there are very good reasons not to do this, but that’s not stoped the US doing it with,

Iran, Iraq, Lybia

In recent times. Also others such as Afghanistan, Pakistan, and others we’ve probably not heard about.

In the case of the three mentioned the US did not pay the reward money, they simply sequestered it from the accounts of those they targeted…

JonKnowsNothing April 28, 2022 10:56 AM


re: People’s right to oppose vs right for redress

Try to keep these concepts separate; one is illegal in nearly every country of the globe and the other maybe legal but not all time and not everywhere.

The right to redress is the right to challenge a government or official agency. The extent of this right varies by government and political orientation.

  • example: UK is promoting a change in their laws to allow any UK Citizen to be stripped of their citizenship without notice and without redress (ability to challenge the action). This action would take place at any time of the Governments choosing. Currently this is done when someone leaves the country to travel or visit other places and while currently they have the right to challenge the action it is much harder to do when you are penniless in a refuge camp or incarcerated for having overstayed your visitor’s visa.

The right to oppose is non-existent outside of revolution. Governments take a seriously dim view of this activity. It’s not recommended path but it happens and Governments are very much aware that it can happen and therefore put a lot of effort and funding into various policing structures to make sure it doesn’t happen. If they even have a sniff of anything funky there are places in Thailand, Poland and other locations that are more than willing to keep you there as a “Man in the Iron Mask”.


Search Terms

Man in the Iron Mask (French L’Homme au Masque de Fer; c. 1640s? – 19 November 1703)

An unidentified prisoner who was arrested in 1669 or 1670 and subsequently held in a number of French prisons, including the Bastille and the Fortress of Pignerol.

Known for remaining unidentified due to the veil worn over his face throughout his time in prison, he was held in the custody … for a period of 34 years. He died on 19 November 1703, during the reign of King Louis XIV of France (1643–1715).

Ted April 28, 2022 12:14 PM

It’s a great and important report. Microsoft is very much in the saddle logging and categorizing this activity.

I hope, in a time of their choosing, MS releases the dirt-stained, dog-eared version. It’s hard to imagine there’s a sparsity of stray-wire storylines unfolding right now.

Maybe it’s a blessing this is not the first Russian rodeo. The cyber collateral damage seems surprisingly minimal so far.

The report adds that Russian actors are eyeballing organizations in the Baltics and Turkey, as well as states on NATO’s eastern flank that are supporting Ukraine.

Winter April 28, 2022 12:43 PM


Try to keep these concepts separate; one is illegal in nearly every country of the globe and the other maybe legal but not all time and not everywhere.

My point was maybe stated ambiguously:

All the arguments of Putin come down to: People have no right to oppose the Kremlin, ever.

Here, I mean “a people”, as in “a country” like the people of Ukraine, or the people of Belarus, Azerbeidzjan, Cheznya, Georgia, or Syria.

The argument of Putin er al. is always that “Russia” has the right to “defend” it’s security interests against the wishes of these People to chose their own friends and future.

Btw, humans have no rights in Russia, nor China for that matter.

Clive Robinson April 28, 2022 12:53 PM

@ Winter,

If the Americans did not want their country destroyed by the British (burning of Washington, 1812) they should not have overthrown their legitimate sovereign.

That is not what happened or why, as I’ve explained befor.

Basically some idiots in America decided to go and invade, attack and murder their relatives in what later became Canada.

The people that lived there nominally under English protection were there in the main because they did not want to be under the thumb of those American idiots.

The only reason the idiots did what they did was because Rngland was busy fighting Napolean at the time.

lurker April 28, 2022 1:25 PM

Read this report alongside the reports on zero-days. Pot, kettle, black, chicken, egg, …

The short answer is switch off, unplug. But that is unlikely with so much of the fabric of civilization now dependent on rotting crumbling IT systems. The longer term solution could be painful and expensive. Don’t expect an answer anytime soon while other adversaries want to keep these system failures as weapons.

JonKnowsNothing April 28, 2022 3:04 PM


re: Rights and who has them

George Carlin had a wonderful comedy routine civics lesson on Rights vs Privileges.

Lots of people think they have “rights” but all they have is “privileges”. (1, 2)


Search Term

1) George Carlin

Rights Privileges

2) RL anecdote tl;dr

During one of several ER visits we had to make during my spouse’s last weeks, I could hear an exchange with a young person and the staff. There was a difference of opinion between them on what was going to happen.

Screams of “I HAVE RIGHTS!! I HAVE RIGHTS” were overshadowed by staff directions about imminent care proceedings.

A crescendo of “I HAVE RIGHTS” were followed by a generous scream, tears and in short order happier snores.

JonKnowsNothing April 28, 2022 3:15 PM

@Clive @Winter

re: The Northern Border is also a Southern Border

It was a great shock when I first read about our Northern Neighbor Canada and why they were not part of the USA. It’s one of those things that just doesn’t rise to the top of the brain cells until you get past the pre-canned-history-lessons used in education.

It was also a bigger shock that a whole lot of folks decamped the Lower 48 and moved with all alacrity to the northern neighbor during the “early years”. Later on some of them moved back, got their confiscated properties back and had all legal proceedings dropped and continued on as if they hadn’t had a long vacation on the north side.

History is malleable and sometimes you have to get a brain massage to loosen up some of those “little grey cells”.

Clive Robinson April 28, 2022 5:11 PM

@ JonKnowsNothing,

It was also a bigger shock that a whole lot of folks decamped the Lower 48 and moved with all alacrity to the northern neighbor during the “early years”.

As actual documentation from the time has showed what happend south was not universally popular with those there, in fact not very popular at all except with a certain few.

As you say,

History is malleable and sometimes you have to get a brain massage to loosen up some of those…

Bits of propaganda you get fed whilst you are too young to critically question…

So as with religion, indoctronate three successive generations and shoveling more and more “horses apples” down their throats becomes all to easy.

As for “moving back” remember that they had different crops back then, that prefered the more southern growing seasons and climate. But many neither forgot nor forgave those few idiots…

The result was the idiots forged a new nation, one that had not existed prior to the invasion and murder.

If people think I’m being hard on America, I’m not, it was just a handfull of idiots who believed that they could pretend they were being righteous whilst actually making a land grab…

Two hundred years later Russia has done the same only this time we are seeing it from the other side.

But it was not just Americans who rewrote the history that led up to 1812, but that which followed. The British politicians no more want British Children learning about it than American Politicians want American children learning about it.

However if you get the chance to dig through written records from the time that still exist, you will find that the reality was more than somewhat different to what you get taught…

Both sides are more than somewhat embarrassed by the events that led upto the founding of both America and Canada…

Perhaps if it was more honestly taught, we could all learn some valuable lessons from it.

Maybe then our attitude to various world events this current century that led upto and acted as pre-cursors would have be very different…

Better or worse, I have no idea, but certainly I would hope different.

Sadly some people will learn a lesson in general the world would rather they did not. So expect to see a renewed interest if not proliferation of,

1, Delivery systems likely hypersonic.
2, New payload packages some of which will be unlike conventional munitions.

But also, remember to feel sorry for the majority of Russia’s citizens, they know next to nothing about what has been going on. They too have been fed nonsense stories with faux-history about past glories that never were.

Whilst the truth may not set you free, it hopefully stops guilded cages of nonsense being built that ensnare people as they sleepwalk in.

The one thing I’m reasonably certain of is that various political and similar interests are driving us towards a tipping point that could go several ways. None of which will be desirable for the basic citizens of many nations who will end up paying the price in many ways most quite bad. One such way is another global war lasting a decade or so with hundreds of millions killed as citizens will almost certainly be higher priority targets than military personnel. Living in cities and suburbs is perhaps not the best places to live, as they will if other current conflicts are to be learned from, the primary front lines for remotely directed weapons…

Ismar April 28, 2022 8:39 PM

Nice report- one positive which will have wider implications than just for Ukraine is contained in this excerpt from the report:

“ We have continuously integrated intelligence gained by tracking threat activity into new product detections to block malicious use of certain tools against Ukraine-based infrastructure.”

Denton Scratch April 29, 2022 5:01 AM


Cyber-warfare needs people with skills of a certain type, and they are not at all common.

I don’t know, but I suppose that launching hostile networked attacks (I refuse to use the term “cyber”) requires a very different skillset from defending against them.

Penetration presumably requires some rather particular coding skills, to be followed up by a surveillance phase during which the critical thing is not being detected. I suppose the eventual attack itself is relatively straightforward.

I’m not sure what defence consists of, but surely a large part of it is “normal” network security and monitoring. Of course, it’s not really “normal”, because to a bean-counter network security is pure overhead; but any decent sysadmin at least knows what’s supposed to be done. The next stages would be mitigation – cleaning-upwhich depends on specific knowledge of the target network – and attribution, which I know little about. Attribution seems to be done largely by antivirus companies, relying on databases of attack intelligence.

So I think it’s possible, even likely, that Russia has fairly impressive attack capability, but poor defence. I’d be surprised if the USA wasn’t already all over Russia’s networks, before the invasion started. I wonder how much Kaspersky is involved in the defence of Russia’s state networks.

When I was last administering a network, a significant proportion of hostile network traffic originated in Ukraine. I imagine Ukraine has at least the attack capability of Russia.

Of course, the balance of advantage depends on what you have to defend. I have no idea how vulnerable assets are distributed between Ukraine and Russia. I’d bet my ass that the USA has more assets to defend than both of them together, and has a much worse defensive posture.

Clive Robinson April 29, 2022 8:05 AM

@ Denton Scratch,

With regards,

… requires a very different skillset from defending against them.

In some respects yes, but in a lot no.

Look at it as defending against a conventional weapon like a spear or sling shot.

You have to understand the use of the weapon by an attacker to understand what it’s range, advantages and disadvantages are.

With that understanding you can then realise that “hight” gives a defender significant advantage over the attacker.


Penetration presumably requires some rather particular coding skills

Don’t make the mistake of thinking you have to be a skilled artisan in the art of weapon making, to either use a weapon or understand the advantages and disadvantages a weapon has. An understanding of the laws of nature being sufficient to abstract out what a defender needs to know for most weapons (including cyber-weapons).

Which brings us onto,

I’m not sure what defence consists of, but surely a large part of it is “normal”…

Things are only “normal” if they can somehow be predicted. That requires,

1, Understanding
2, Information
3, Time

Understanding I’ve kind of covered, but it does contain a “foresight” or “predictive” element. If you turn a new attack on it’s head you realise that somebody had to see things, apply the laws of nature and then act to make the new weapon.

Gunpowder came about we believe from the search for eternal life. Both Honey and salt petere have preservative properties and cooking them up together will as one is a fuel and the other an oxadizer cause an exothermic reaction of some intensity. As part of that process an excess liberation of gas that requires a significantly larger volume occurs. So if the container you cook in is sealed then an over preasure will result and eventually the failure will be explosive.

Seeing this gave basic understanding and information that rose via a series of events over time that gave us fireworks, rockets, hand grenades, mortars, cannon, long guns and pistols. As well as balistics and the basis for orbital mechanics.

Part of being a good defender is what our host @Bruce calls “thinking hinky”. It looks like a kind of magic or almost god like ability to foresee events before they happen.

Well I can tell you for free it’s not magic or god like, you just need to firstly be “eternaly curious with a passion”. A thirst for understanding much greater than the norm is the start of it. Then be of sufficient inteligence to extract out information from what you observe and a little practical application to both test your ideas and gain confidence. All of which give you more time to think about things than the average person.

In short the basic traits of an inventor, artisan, scientist, or engineer.

Whilst formal training can speed the process of gaining knowledge depth you realy need that inate curiosity to develop the required knowledge bredth to be in effect a Renaissance Man who takes knowledge from one domain into another domain.

As your skills of observation improve they become increasingly sub concious. That is you see in less than a glance what hours of staring will not be revealed to others.

Your brain has become more acutely tuned to a new form of pattern recognition. Whilst you might not be using it as a survival instinct, that is what it is based upon.

Like all skills it improves not just with the frequency of use, but how you use it. You can train yourself to recognise the shape of things and realise when one process has the same underlying drivers as another process. Then move forward and test the ideas from one domain in another.

For instance what is now Information Theory and Shannon’s original work on information. He did not think of it as “entropy” untill an almost casual remark from someone else who recognised the underlying form of Shannon’s equations. Then he realised that much else applied from thermo-dunamics to information. Now some ask if infact the physical laws of thermo-dynamics are in effect a subset of information theory…

Similar can be seen with Eisenstein’s Field Equations, a limited version of them give Issac Newton’s equations for gravity that give us in turn basic orbital mechanics which you can in fact work out with no more than one of Newton’s laws of motion and the rules of Pythagorean triangles as they pertain to circles (yes I’ve actually done this and you can to if you hold a childs hoop in your hands and simply turn it through two of the three dimensions).

To understand the world you need a child like view of it to gain understanding. You then need to develop the understanding of knowledge to abstract out the information and give yourself the time to work with it.

If you can then see something before others not only do you have a claim on originality, but you also can start ahead of others as to thinking how it could be weaponised, and abstract from that the strengths weaknesses and thus the characteristics to recognise others using it, but more importantly how you can defend against it.

Too many people think “Event then mitigate” that is “reactive thinking/defence” and always fails for someone if not a lot of someones. The ability to forsee means you can “mitigate thus prevent” which is “proactive thinking/defence”.

The problem is you can not be either proactive or reactive against every single instance of attack, you get into the “requires to many resources” issue.

The trick is to abstract out the features that make many instances of attack into a class of attacks and then mitigate against the key class atributes.

To see this think about “Fire Drills” they are one of many “Drills” against a whole pantheon of threats, Fire, Flood, Earthquake, chemical spill, and so on, the list is endless and some will never happen to you at any given place. So if you had a drill for all of them you would be for ever practicing them not working… The trick is to realise that there are two basic ellements they all have in common,

1, Evacuate from place A to place B.
2, Using a safe route.

From that point on your activities are,

3, Characterise all threats
4, Find or build a safe point B and a route to it to mitigate the identified characteristics.

Then “job done”…

Basically you collapse down all the threats and come up with a single Drill to cover them all.

The process of building defencess is almost exactly the same. The process is not complicated in of it’s self. However as always “The devil is in the details” and thatcis where practice that gives experience helps you recognise what are the essentials to cover.

With regards,

… a significant proportion of hostile network traffic originated in Ukraine. I imagine Ukraine has at least the attack capability of Russia.

This is something I caution against with,

Attribution is hard very hard.

Basically you have two basic problems,

1, Copying or changing data is easy.
2, You only see data you are shown.

Which means your level of certainty is at best very very low. Because you can only have modest certainty about traffic flowing into or out of the node you are at, no more.

Take a LAN concected by a Gateway to another Gateway on a WAN. The reality is those gateways are a “node” and the wire between them the “edge” at some level. If you “instrument the wire” then you can see data entering and exiting the adjacent node or even both nodes. But… Unless you monitor “the wire” at both nodes, how do you actually know if there are not hidden nodes in the wire you can not see?

The answer is “almost certainly there are nodes you can not see”. Because the cable leaving the gateway is say two wire twisted single pair bi-directional. For ease of transmission out of your sight that gets split into four wire two pair of twisted pair each being unidirectional. The invisable node is a “2 to 4 wire hybrid”. The thing is being now uni-directional, injecting other data is almost trivial, only the hybrid stops you seeing it happen.

The same rules apply as you go up first all the hidden layers within the “physical layer” of the communications stack then other layers of the stack.

What you see coming out of the top of the stack you have no real idea where it came from.

Almost by definition what is beyond your perimeter is beyond your control, the only real knowledge you have is you realy do not know where your perimeter is… In short it’s the application layer of the machine you are using, anything beyond that is an assumption, without correct instrumentation.

But something we do know… There were quite a few “Russian Malware developers” effectively under Putin’s protection in the Ukraine for various reasons. Likewise we know that some Ukrainian machines were effectively VPN end points and the like for activities that originated from elsewhere some even in the US.

As indicated you are only getting given data somebody wants you to see, not reality.

For instance we now know that Russia attacked South Korea via China to get into North Korean networks to hide the fact the attack originated from Russia. In effect Russia made North Korea look the guilty party to the world, including US NSA and other IC assets being “on the spot” in South Korea.

This sort of thing goes on all the time and it can be very very difficult to untangle.

Ted April 29, 2022 9:07 AM


“ We have continuously integrated intelligence gained by tracking threat activity into new product detections…

Good find from the report.

Brad Smith, the president of Microsoft, recently spoke at an event. I thought it was positive that he encouraged the blending of humanity and technology studies.

“To be successful in the world today, everybody who is a liberal arts major should take a computer science class, a data science class, statistics, something like that,” Smith said. “Everybody who is majoring in computer science or engineering or math should take some humanities, some philosophy, some history, some economics.

I saw he also co-authored a book: Tools and Weapons: The Promise and the Peril of the Digital Age

Peter Rontea April 30, 2022 6:56 AM

Romania’s was also affected as a warning for politician Marcel Ciolacu who promised help to Ukraine .

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.