View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 19, 2023updated 20 Apr 2023 9:33am

The GRU is ‘using Russian hackers’ to fight Ukraine, but may be losing control

The agency's sprawling network of cyber spies may have grown beyond its control, a report commissioned by the NCSC claims.

By Claudia Glover

Russian intelligence agency the GRU appears to be outsourcing its intelligence efforts to an increasingly wide range of cybercriminals as the war in Ukraine continues, a new report claims. However, the breadth of the agency’s network means it risks losing control of the operations, the research says.

ECCRI report claims the GRU is failing to centralise its network of cybercriminals. (Photo by Militarist/Shutterstock)

The report, produced by researchers at the European Cyber Conflict Research Initiative (ECCRI) and commissioned by the UK’s National Cyber Security Centre, was published today as part of the CyberUK conference taking place in Belfast.

The GRU is losing control of its cybercriminals

According to the report, the GRU operates by commissioning external groups to implement its cyber warfare campaigns. “It leans heavily on cyber contractors, hacktivists and other state-affiliated cybercriminal groups,” the researchers say.

The war in Ukraine has seen many hacktivist groups take sides, with Russia-based criminals supporting the war effort by launching DDoS strikes on targets in Kyiv, while Ukrainian hacktivists have mounted a counter-offensive in an attempt to disrupt the invading army.

This network is growing quickly, perhaps beyond the control of the GRU. “This ecosystem is rapidly expanding as the war continues making coordination and centralisation more difficult,” the ECCRI report says. 

But the Kremlin still wields considerable control over the gangs, not least because, the report says, the GRU is “operating at an unprecedented volume of activity” since the start of the conflict in Ukraine.

The GRU’s disregard for international law means it is happy to target NGOs and hospitals with cyberattacks, the report says. This also empowers cybercriminals to act with impunity and launch strikes against organisations which might otherwise be considered off-limits.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

The ECCRI also notes that General Valery Gerasimov, who is known to be an active proponent of using cyber warfare as part of military campaigns, was placed in charge of the war effort in January 2022.

Are kinetic and cyber operations coordinated?

There is mounting evidence that the cyberattacks are being launched to coincide with traditional kinetic warfare, the report says. “Cyber activity is associated with kinetic activity bursts and lulls,” the authors explain.

For example, the liberal use of wiper malware has coordinated with many kinetic movements. Tech Monitor has reported on how a wiper was used to disrupt Ukrainian satellite communications hours before the first Russian troops crossed the border last February. “For several of these attacks, Russia appeared to use intrusions attained months prior,” the report says, suggesting that Russia may have “deliberately held on to this information for months to coordinate its cyber activities with its kinetic operations”.

Disinformation, particularly targeting the global South, has also played a big part in Russia’s cyber offensive, the report says. The ECCRI believes Western governments have been “too often parochial in their understanding of information operations,” dismissing Russian disinformation without understanding the intended audience. 

The report notes that targeted countries have been slow to impose sanctions. “Very few countries in Africa, Latin America, and Southeast Asia have joined the sanctions regime,” it says. “This situation may have been influenced by Russian information operations.”

Read more: UK holds Ukraine cybersecurity summit

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.