Russia’s digital attacks are haphazard, chaotic, says top Ukrainian cyber official

Moscow's approach to incorporating cyberattacks into its ongoing assault reflects an "absence of strategy," said Victor Zhora.
Bystanders look at Russian military equipment that was destroyed in fights with the Ukrainian army, displayed as part of an outdoor exhibition on central square of Lviv, on Aug. 11. (Photo by YURIY DYACHYSHYN/AFP via Getty Images)

The overall Russian approach to incorporating cyberattacks into its ongoing assault on Ukraine is “chaotic,” and reflects an “absence of strategy,” Victor Zhora, one of Ukraine’s top cybersecurity officials, told CyberScoop Wednesday.

Speaking during the Black Hat cybersecurity convention in Las Vegas, which is taking place six months after the Russian invasion, Zhora said although Moscow’s digital assaults are frequent, few seem to be coordinated or aimed at significant targets.

“Most of the attacks are [distributed denial-of-service attacks] together with volunteers they continue gathering in groups through Telegram channels, or easy hacks of web resources, defacements or exploiting vulnerabilities in networks, getting access and trying to exfiltrate data and trying to interfere in media,” said Zhora, the deputy head of Ukraine’s State Service of Special Communications and Information Protection.

There’s a “huge crowd of people” continuously attacking a range of Ukrainian targets, he said, but they differ in skill and have primarily not been, so far at least, consequential. “We understand what they have on their minds, and that’s perhaps the absence of strategy,” he said. “It’s a key factor of this war.”


Cyberattacks on Ukraine generally are not “organized well on the country scale,” he said, “a good sign for all of us.” The Russians will continue searching for vulnerabilities and ways to attack, “but I don’t believe they have the opportunity to grow their potential rapidly.”

“We continue to see this constant kind of attempt to gain access or maintain access,” Nick Biasini, the head of outreach at Cisco Talos, which has been intimately involved in helping to protect Ukrainian networks for years, told CyberScoop Wednesday. “A lot of these larger range projects take time, you have to build and plan and get that set into place. And I feel like planned things have already passed at this point.”

There are two notable exceptions to that analysis, along with a several wiper attacks on government and private systems. In the hours before the Feb. 24 invasion, a hack disabled thousands of modems as part of an effort to disable Ukrainian communications networks. A host of western governments, including the U.S., formally blamed Russia for the hack May 10.

The other was the thwarted attempt April 8 to cut the electricity for various civilian populations by deploying destructive malware against a number of electronic substations. Dubbed Industroyer2 by cybersecurity firm ESET, the attack was carried out by the Russian military intelligence hacking unit known widely as Sandworm, which had successfully shut off electricity in parts of Ukraine in 2016. Ukrainian officials have said the attack was stopped, but a private notice shared by CERT-UA reported by MIT Technology Review at the time indicated power had temporarily been cut at nine substations.

Zhora told CyberScoop Wednesday that Industroyer2 “indicated targeting on completely civilian infrastructure” and was part of a broader approach by the Russian government to target civilians in military attacks.


ESET researchers Robert Lipovsky and Anton Cherepanov gave a detailed presentation of their analysis of Industroyer2 at Black Hat, and Zhora suprised the crowd of hundreds by joining them on stage:

Zhora said he came to Black Hat to continue to rally support and share knowledge with the range of experts, policy makers and others who come to the convention from all over the world. “Everybody’s very interested and attentive of what’s happening in Ukraine and the full room of people for our presentation with ESET is a good indication of this interest,” he said.

He added that he wanted to use his time at the convention to rally ongoing support for Ukraine’s defense.

“Cybersecurity is a global task, and the threats are global as well,” Zhora said. “Everybody should be aware, should be informed, should have tools, should have the knowledge base to counter these threats. That’s the reason why black hat audience is ideal for sharing these ideas.”


After a long day, Zhora reflected on one of his biggest worries as he makes his way back to Kyiv later this week.

“My biggest concern is that time goes by, and the pressure continues, one of the biggest challenges is to keep the motivation of people,” he said. “We cannot give up and the work cannot give up.” He added that he understands that people are tired of the war, and that the war’s impact on the prices of gasoline and fuel in some places “can influence the overall atmosphere of support.”

But “nevertheless, we should keep fighting to prove that all war crimes are punished, the aggression is punished and there is no place for such actions in modern society.”

Russia declared war against Ukraine on Feb. 24., 2022. Before, during and after the military campaign began, the CyberScoop staff has been tracking the cyber dimensions of the conflict.

This story was featured in CyberScoop Special Report: War in Ukraine

Latest Podcasts