A Russian flag in computer code. (Graphic by Breaking Defense, original images via Pexels)

UPDATE 4/18/23 at 6:45pm ET: This article has been updated to reflect clarifications from Mandiant regarding Russia’s purported use of ransomware.

WASHINGTON — Moscow’s military hackers may be spread thin, new research suggests. Russian cyberattacks on Ukraine and its allies surged last fall only to decline again in early 2023, said experts at cybersecurity shop Mandiant, part of Google Cloud.

What’s more, not only was the fall campaign smaller than the initial cyber onslaught before and after the ground invasion in January-April 2022, Mandiant said, it used different software, relying more on criminal-style ransomware and less on the specialized “wipers” that had characterized earlier attacks.

The research shows that the time period from October to December 2022 “was characterized by a resurgence in disruptive cyber attacks in Ukraine,” says the report.

“Though some of the attacks appeared similar to disruptive attacks seen in previous phases, this new wave of disruptive attacks appeared to deviate from the historical norm. Earlier attempts relied on quick turnaround operations using CADDYWIPER variants, but the attacks undertaken in October to December saw GRU clusters deploying ransomware variants on targeted networks,” says a Mandiant report published today, referring to Russian military intelligence. Specifically, Russian-backed hacker group IRIDIUM deployed a form of ransomware called Prestige in a series of attacks on Ukrainian and Polish networks, focusing on the transportation and logistics sectors crucial to shipping Western arms to the front line.

“GRU’s shift to using ransomware may be a sign they are undergoing tooling shifts and don’t have the resources to rely on writing or modifying custom malware,” the report says.

Mandiant Intelligence VP Sandra Joyce, however, emphasized that the appearance of ransomware could also have been an unsuccessful, one-off attempt to make the attacks look like they were coming from a criminal group rather than Russian intelligence.

Overall, Mandiant Intelligence senior manager Nick Richard was cautiously optimistic about the current threat picture.

“While ongoing and new investigations continue to be analyzed through the first quarter of 2023, to date Mandiant has not observed tracked threat actors mustering the same level of disruptive activity that was observed in the last quarter of 2022,” he said in an email to Breaking Defense. In other words, the Russian surge has subsided since the timeframe covered in the report.

Ironically, Russia’s resort to ransomware occurs as the tidal wave of ransom hacks may finally be falling back worldwide. Now, Mandiant doesn’t claim to track every attack, just those that came up in the company’s own investigations, which have increasingly focused on supporting Ukraine. But with that caveat, the report says, “Mandiant experts note a decrease in the percentage of global intrusions involving ransomware between 2021 and 2022,” from 23 percent down to 18.

There’s probably no single cause, Richard told Breaking Defense, but rather multiple factors working together. Government agencies have systematically targeted ransomware hackers; the conflict in Ukraine has disrupted Eastern Europe-based cybercrime and consumed the energy of many Russian and Ukrainian hackers; and potential victims are getting better at preventive measures, such as disabling macros, the mini-algorithms used as shortcuts in many software programs.

In fact, the global cybersecurity picture is looking brighter overall. “Attacks are being detected faster than ever before,” the report says. The “dwell time” between a breach occurring and it being detected now averages 16 days. While that’s plenty of time for an attacker to do damage, it’s still almost 25 percent better than the 21-day median in 2021 and almost 85 percent better than the 101-day median just five years before.

Mandiant breaks its dwell-time figures down to look separately at “internal” detections, when the victim finds the breach itself, and “external,” when the victim is notified by an outside organization, such as law enforcement or an intelligence agency. The number of external notifications is rising faster than internal discoveries, the report finds, and victims’ response time to those external warnings is getting dramatically faster. (Internal discovery timelines are improving too, but the improvement there isn’t as marked, so it’s not driving most of the overall trend.) This improvement in external notifications is especially pronounced in Europe. Richard acknowledges some of that uptick might be a fluke rather than a trend, driven in part by Mandiant and other cybersecurity companies rallying to the defense of Ukraine.

“A noted increase in external notifications for the EMEA [Europe/Middle East/Africa] region has some correlation to Mandiant’s investigative support to and significant cybersecurity industry interest in threat activity in Ukraine,” he acknowledged. “Some metrics may revert next year based on the current reporting period distinctions.”

Overall, however, the improvement suggests “improved collaboration across the public and private sectors,” Richard said. “As this cooperation and the notification framework evolves and refines, providing victim organizations timely and critical information, organizations are able to ingest information more rapidly to respond effectively to a diverse array of cyber threats.”

Experts have highlighted better cooperation between cybersecurity firms, potential targets, and government agencies as one of the biggest lessons learned from the cyber war in Ukraine.