A year after Russia’s invasion, the scope of cyberwar in Ukraine comes into focus
Twenty-four hours before the Russian invasion of Ukraine on Feb. 24, 2022, a group of cybersecurity researchers from the firm SentinelLabs sat together on the floor of a Miami hotel where they had gathered for a company meeting. With laptops open, they poured over a new malware sample — one that offered a preview, as it turned out, of a Russian cyber offensive to come.
SentinelLabs has built a reputation as leading analysts of Russian cyber operations. So when researchers at ESET, a Slovakian cybersecurity company with extensive experience in Ukraine, discovered Russian malware that had been compiled on Dec. 28, 2021, the SentinelLabs team was compelled to stop everything and dig in. The fact that ESET found evidence that the malware dated to late December suggested Russian hackers had been preparing the attack for months.
Dubbed “HermeticWiper,” the malware was part of a flurry of digital attacks launched by Russian-aligned hackers in the weeks leading up to the invasion. Sitting in the Miami hotel and fueled by huge quantities of Chinese take-out to push out a report on the wiper, SentinelOne’s researchers were seeing the early signs of the digital conflict to come. “It felt like — in a stupid, nerdy way — we were on the frontlines, seeing this happen on the cyber side,” said Tom Hegel, a senior threat researcher at the company.
A year after Russia’s invasion, it is possible to begin accounting for the role digital weapons have played in the conflict. Sophisticated Russian cyberattacks — such as those targeting the electricity grid — have either failed to materialize, been thwarted or gone unobserved. Cyberwarfare in Ukraine has instead been marked by widespread deployment of wipers — designed to delete and destroy data — and extensive information operations.
Amid the destruction visited on Ukraine, cyberweapons have been one tool among many to wreak havoc, and in destroying Ukrainian targets, Russian forces typically opted for more traditional weapons, like bombs and missiles. “We shouldn’t underestimate the importance of the cyber component and threats that come from Russia, but, in general, they choose to use more disruptive weapons, while keeping the cyber operations for psyops or cyber espionage,” said Victor Zhora, the deputy head of Ukraine’s State Service of Special Communications and Information Protection.
At the same time, the war has inspired a defensive effort that government officials and technology executives describe as unprecedented — challenging the adage in cybersecurity that if you give a well-resourced attacker enough time, they will pretty much always succeed. The relative success of the defensive effort in Ukraine is beginning to change the calculation about what a robust cyberdefense might look like going forward.
“For all the defeatism about cyberdefense over the years in the West this really shows you what a sustained period of preparatory planning and mobilization of capabilities in an emergency can actually achieve,” Ciaran Martin, the former CEO of the UK’s National Cyber Security Centre and now a managing director at Paladin Capital Group, told CyberScoop.
The defensive cyber strategy in Ukraine has been an international effort, bringing together some of the biggest technology companies in the world such as Google and Microsoft, western allies such as the U.S. and Britain and social media giants such as Meta who have worked together against Russia’s digital aggression.
Tom Burt, Microsoft’s corporate vice president for customer security and trust, told CyberScoop that the war in Ukraine is “the first large scale hybrid conflict that the world has seen” where there’s “been a significant component” of cyber and digital tools. That has him worried: “What we’ve seen in warfare over centuries is that when a new category of weapon is deployed, in conflict, what we tend to see is the evolution of that form of weaponry and its use again and again, in more destructive and more impactful ways in future conflicts.”
Modern warfare as info ops and wipers
In the run-up to the invasion, Ukrainian computer systems came under a sustained barrage. For the most part, these attacks were fairly inconsequential, distributed denial of service attacks that knocked banking services and some government websites offline, for example. Others were potentially more destructive, such as a wiper disguised as ransomware that was discovered in January on Ukrainian government systems.
When Russian troops crossed into Ukraine’s borders on Feb. 24 and launched an ill-fated operation to decapitate the Ukrainian government and seize control of the country in a lightning operation, Russia appeared to step up its operations in cyberspace, striking the satellite internet provider Viasat, an attack that may have degraded Ukrainian communications in the early hours of the invasion.
Russian attacks during this early period ran the gamut from information operations to destructive attacks. In what may have been a bid to degrade the Ukrainian government’s capacity to orchestrate its response to the invasion, Russian actors targeted Ukrainian government systems with wiper malware. In March, a crude deepfake appeared online showing Ukrainian President Volodymyr Zelensky ordering his country’s troops to surrender — an incident that was accompanied by additional wiper attacks and a breach of a Ukrainian media organization where the attackers posted a fake story that Ukrainian troops would soon lay down their arms.
The malware used in these attacks could have been more aggressive, reflecting what may have been an effort to limit the scope to Ukrainian targets in ways Russian hackers had not during peacetime, said Adam Flatley, the vice president for intelligence at cybersecurity firm Redacted and a former director of operations at the National Security Agency. “If you look at all of the cyber attacks that happened in Ukraine, even Viasat, and all the other ones, they were very, very targeted,” Flatley said. “They were very focused.”
After a decade of digital attacks on Ukrainian infrastructure that have seen Russian hackers knock out portions of the Ukrainian power grid at least twice, there was an expectation ahead of the war that Russia’s invasion of Ukraine would be accompanied by a cyber shock-and-awe campaign. When these attacks did not materialize, it spawned debate over Russia’s supposedly missing cyber-arsenal and why it hadn’t been deployed in Ukraine.
That debate obscured how Russia’s digital resources were actually deployed — in the form of wipers and information operations, primarily. Over the course of 2022, Google alone disrupted 1,950 instances of Russian information operations on its platforms — operations that ranged from hacktivist activity, DDoS attacks and hack-and-leak actions. And over the course of the war, cybersecurity researchers have observed roughly a dozen or more distinct wipers, some posing as ransomware, deployed against Ukrainian targets. Google saw more destructive malware attacks in Ukraine during the first four months of 2022 than in the previous eight years combined, and phishing attacks against targets in Ukraine and NATO sharply increased.
“There’s a lot of people thinking and theorizing about what cyberattacks look like in a time of war,” said Shane Huntley, senior director of Google’s Threat Analysis Group. Russia’s Ukraine invasion is the best example to date of how a major cyber power uses digital tools in a kinetic war. “There will be lessons that we should learn here for future conflicts that can really shape the debate.”
Ukrainian officials say they have observed a massive uptick in the amount of cyberattacks targeting Ukrainian systems but have been distinctly unimpressed by the Russian onslaught. In August, Zhora dismissed Russian cyberattacks as marked by an “absence of strategy.”
But this understanding of Russian cyberoperations comes with a major caveat: There is much about Russian action in cyberspace that remains out of public view. A report published by a pair of Dutch intelligence agencies this week cautioned that “the pace of Russian cyber operations is fast” and has broadly targeted Ukrainian national-security agencies that are not prone to transparency. As a result, the report cautions, “many of these attempts have not yet become public knowledge.”
“There are Russian actors that we’re starting to learn about just today that have been active for years,” said Hegel, the SentinelLabs researcher. “We’re kind of in a position where we’re looking at just the tip of the iceberg.”
Indeed, key aspects of Russian cyber activity are designed to remain clandestine, and cyber operations represent “a core source of intelligence collection” for Russia, according to a senior U.S. administration official who spoke on condition of anonymity to describe Russian cyber operations. Kremlin-backed hackers have, for example, targeted communications between soldiers and their commanders and have probed energy systems to see which are online and connected to the grid, the official said.
These intelligence-focused cyber operations may constitute an important aspect of the Russian war effort, injecting a measure of uncertainty into any analysis of Russian cyberoperations based on publicly available data. But with that caveat in mind, Russia’s digital attacks against Ukraine have been perhaps most notable for what they have failed to achieve: a major impact on the conflict’s outcome. And this mirrors Russia’s broader struggles in carrying out combined arms operations during the war’s early period.
While Russian operations have improved in recent months, Russian forces across the Ukrainian battlefield have struggled to carry out operations combining the traditional components of combined military power: armored, infantry and airborne attacks supported by a well-functioning logistical network. It should be no surprise Russian forces appear to have struggled plugging cyber operations into that malfunctioning system.
“Combined arms operations are hard,” the analyst Joe Slowik observed in his examination of the past year’s cyberoperations in Ukraine. “We should not be surprised at an overall incohesive nature behind Russia’s attempts to fuse cyber and information operations with more traditional military action.”
While there have been limited and poorly understood examples of Russia using cyberattacks in conjunction with kinetic attacks — or what would amount to the use of cyberoperations in a combined arms context — the utility of using cyberweapons together with kinetic weapons appears fairly circumscribed. In the context of a shooting war, it is much easier to fire a missile at a target that in peace time might have been attacked during peacetime with a digital weapon — which is perhaps why Ukraine’s energy infrastructure, once the target of Russian cyberattacks, has instead come under sustained missile attack in recent months.
Incidents like NotPetya — a highly destructive ransomware variant built by Russia’s military intelligence unit that caused more than $10 billion in damage — and Russia’s repeated cyberattacks on the grid convinced many policymakers that the Kremlin’s forces would rely extensively on digital attacks when trying to conquer Ukraine. “The calculus changes when, when a kinetic response is more likely,” Flatley said.
The attacks that have been the most consistent and visible have, conversely, been the most trivial. Pro-Russian “hacktivist” groups, with varying degrees of established connection to the Russian government, are almost continually bombarding Ukrainian targets — and others around the world — with relatively unsophisticated DDoS attacks. Groups such as XakNet and KillNet generate headlines around the world, even if their attacks are more for show than anything of substance.
For students of cyberwarfare, the Ukraine conflict will dominate textbooks to come. Over the past decade, Russia has demonstrated that it has an ability to deploy cyberattacks as an integrated component of its statecraft, but in Ukraine, “it hasn’t figured out how to translate it into a sustained long term campaign,” said Martin of Paladin Capital.
In Martin’s view, the conflict has provided an important corrective to our understanding of cyberattacks as a tool of warfare: “It’s not a catastrophic red button missile that blows things up.” In Ukraine, cyberattacks have mostly functioned as a “tool of intimidation.” And while Russia initially saw some success in using cyberattacks as part of an integrated military plan — by attacking Viasat and disabling some communication links — it has since become an important but, ultimately, secondary feature of the war. “We’ll be studying it for years,” he said.
Defense wins championships
Six weeks after the invasion, in April, Ukrainian officials announced a major victory against Russian hackers: Ukraine had repelled a cyberattack that would have crippled an electrical grid serving roughly 2 million people. The hackers behind the attack — best known as Sandworm — are among Russia’s best and have disrupted electricity in Ukraine at least twice before.
The fact that they were stopped is a testament to Ukraine’s massive investment in cyberdefense and a broad international campaign to help secure Ukrainian systems.
The Sandworm attack relied on an updated version of the Industroyer malware that had been successful in 2016 in cutting power. Dubbed “Industroyer2” by the ESET researchers who discovered it, it was accompanied by several destructive malware families to hinder analysis and render systems inoperable.
“We consider the Industroyer2 incident the most significant attempted cyberattack during the war thus far,” Robert Lipovsky, a senior malware researcher at ESET, told CyberScoop. “If it had been successful, it could’ve left millions of people without electricity.” The attack “was a failure,” Lipovsky said, “thanks to swift detection and good coordination among the parties involved in the defense.”
Cybersecurity industry and government officials involved in the digital defense of Ukraine unanimously describe this collaborative approach as unprecedented. Ahead of the invasion, teams from U.S. Cyber Command deployed to Ukraine, where they searched for Russian hackers in Ukrainian networks, with a focus on military and transportation systems and providing to Ukrainian officials what a senior U.S. administration official described as a to-do list detailing actions to remove Russian actors from their systems.
U.S. officials say they engaged in extensive intelligence sharing with Kyiv and allies, detailing Russian techniques in cyberspace so that they might be detected. And as Russian attacks were detected, the United States and its allies worked to publicly attribute attacks to Moscow.
With Cyber Command deployed to Ukraine and Eastern Europe, David Luber, deputy director of the National Security Agency’s Cybersecurity Directorate, said that the NSA worked with them to understand threat information and “to share it broadly with both government and industry — not only to protect Ukraine but also to protect NATO, other allies, and U.S. critical infrastructure.”
Government and cybersecurity executives describe the response to the Ukraine invasion as spurring major improvements in collaboration and information sharing. “I was surprised how much information was shared with multiple vendors to render some of the Russian cyber arsenal useless,” said John Fokker, head of threat intelligence at Trellix.
The cybersecurity industry has thrown a huge amount of resources toward bolstering Ukraine’s digital defense. Just as the United States, European nations and many other countries have delivered billions of dollars in aid and military equipment, cybersecurity firms have donated services, equipment and analysts. Google has said it’s donated 50,000 Google Workspace licenses. Microsoft’s free technology support will have amounted to $400 million by the end of 2023, the company said in February. In the run-up to the invasion there was a broad effort by industry to supply Ukraine with equipment like network sensors and gateways and anti-virus and endpoint-detection and response tools.
Ukrainian defensive investments are the consequence of the long-running conflict with Russia. It can be easy to forget that the war between Russia and Ukraine did not begin in 2022 but in 2014, when Russian forces seized Crimea. That marked the start of an intense conflict between Moscow and Kyiv, much of which has played out in cyberspace. Russia’s cyberattacks on the Ukrainian grid — using the BlackEnergy malware in 2015 and the Industroyer malware in 2016 — played a key role in alerting Ukrainian officials to the threat.
“Ukraine learned a very valuable lesson after BlackEnergy,” Fokker said. They’ve been under constant bombardment since then, Fokker said, and have built up a capable computer emergency and response team — which has kept working throughout the war and is widely credited with doing incredible work under immensely difficult circumstances.
And officials in Washington are quick to emphasize that the credit for these victories belong to Kyiv. As Eric Goldstein, the executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency, put it last month: “The Ukrainian government, the Ukrainian people, Ukrainian critical infrastructure have been making investments for years to shore up the resilience of their infrastructure.”
Christian Vasquez contributed reporting for this story.