Russia has been known as a capable actor in conducting a wide range of cyber espionage and sabotage operations since the 1990s. Russia also conducted several cyber-attacks on Ukraine before the invasion in 2022. One of the most sophisticated operations was blacking out Kyiv in 2016. At midnight, a week before Christmas, hackers struck an electric transmission station north of the city of Kyiv, blacking out a portion of the Ukrainian capital equivalent to a fifth of its total power capacity. According to experts, it was the first real-world malware that attacked physical infrastructure since Stuxnet.
However, although Russia has conducted several cyber-attacks on Ukraine since the start of the invasion in 2022, it has not flagged up any strikingly successful Russian CW operations up to now. In this respect, a question is whether Russia has not used its sophisticated cyber capabilities in the war yet, or the cyber defence quality of Ukraine and its allies has helped blunt them. This commentary aims to explore these problems.
Cyber-attacks Since the Beginning of 2022
In case of the invasion of Ukraine in 2022 Russia already conducted several cyber-attacks.
Although the invasion of Ukraine increased the intensity of Russian cyber operations compared to 2014−2021, at least until October 2022 it had not inflicted significant damage on Ukrainian infrastructure. Reports published after February 2022 offer two competing explanations for Russia’s cyber-attack failure. According to findings of Tetyana Malyarenko and Borys Kormych, the first assumes that Russia’s cyberwar against Ukraine had already reached its highest possible level of complexity, so there is either too little room for qualitative growth on the Russian side or sufficient resilience on the Ukrainian side. The second explanation is based on published reports from government agencies and private companies, such as Microsoft, which show that Russian cyberattacks have improved and increased since January 2022, but attention and intervention by the United States and other international cyber specialists helped Ukraine neutralize the attacks and successfully counterattack.
Cases
In January a hacker group linked to Belarusian intelligence carried out a cyberattack that hit Ukrainian government websites and used malware similar to that used by a group tied to Russian intelligence. Known as WhisperGate, this closely mirrored a 2017 Russian cyberattack against Ukraine, known as NotPetya, that similarly destroyed data on thousands of local computer systems.
United States and United Kingdom officials claimed Russian military hackers were behind a spate of distributed denial of service (DDoS) attacks that briefly jammed Ukrainian government and banking websites in the beginning of February.
However, since the beginning of the war there are several known cyber operations conducted by Russia. In the beginning of the invasion the main goal of Russian cyberattacks was to paralyze Ukraine’s information systems, which would make it easier to achieve military goals in other domains of war. Russia’s invasion was preceded by a massive cyberattack on the Ukrainian government’s websites in January 2022. Reportedly Russian cyber groups hacked used state-run Diya app’s known vulnerabilities to gain access to data on 2,6 millions of individuals, businesses and law firms, and government agencies.
U.S. officials have described Russian forces using cyberattacks in conjunction with kinetic ones. «We have seen the Russians having an integrated approach to using physical and cyberattacks, in an integrated way, to achieve their brutal objectives in Ukraine,» a senior White House cybersecurity official said. Microsoft also reported on how Russian cyber threat groups were performing actions in support of their military’s strategic and tactical objectives. As Microsoft observed, a timeline of military strikes and cyber intrusions shows several examples of computer network operations and military operations seeming to work in tandem against a shared target set, though it is unclear if there is coordination, centralized tasking or merely a common set of understood priorities driving the correlation. The report found that Russia’s cyber operations since the beginning of the war have been consistent with actions to «degrade, disrupt, or discredit the daily functioning of the Ukrainian government, secure footholds in critical infrastructure, and to reduce the Ukrainian public’s access to information». Moreover, cyber and kinetic military operations appeared to be directed toward similar military objectives, according to Microsoft’s report. The State Service for Special Communications and Information Protection of Ukraine also stated that Russian hackers are acting in sync with the Russian military.
From February 23 to April 8, nearly 40 discrete destructive attacks permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine. Up to the end of April 2022, more than 40% of destructive attacks were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the government, military, economy, and people. Another 32 percent affected «Ukrainian government organizations at the national, regional, and city levels». Microsoft also notes that the Russian threat actors are slightly modifying the malware to evade detection with each wave of deployment.
Targets of Russia’s cyber-attacks are not only in Ukraine. Microsoft’s Threat Intelligence Centre (MSTIC) detected that up to the end of June 2022, there had been Russian network intrusion efforts on 128 targets in 42 countries outside Ukraine. According to MSTIC, a range of strategic espionage targets likely to be involved in direct or indirect support of Ukraine’s defence, 49 percent of which have been government agencies. Another 12 percent were NGOs that most typically are either think tanks advising on foreign policy or humanitarian groups involved in providing aid to Ukraine’s civilian population or support for refugees. As the report shows while these targets are spread around the globe, 63 percent of this observed activity has involved NATO members and Russian cyber espionage operations focused on targets in the United States more than any other country (12 percent of the global total outside Ukraine). However, all of these attacks were relatively small-scale operations compared to previous attacks on the Ukrainian infrastructure including power grid in 2010s as described above.
One of the striking cases during the war was Russia’s cyberattack on U.S. satellite communications provider Viasat at the start of the invasion, an incident that triggered satellite service outages across central and eastern Europe. Although the primary target of the attack is believed to have been the Ukrainian military, which relies on satellite communications, the February 24 attack also impacted internet service for thousands of Viasat customers in Ukraine and tens of thousands of customers across Europe. The attack also affected the operations of 5,800 wind turbines across Germany as they relied on Viasat routers for remote monitoring and control. There were also several other Russian cyber operations during the invasion.
Does the Quality of Ukrainian CW Defense Capabilities Matter?
Ukraine is one of the former Soviet republics where its national cyber community is quite strong. Famous for its hacker community, Ukraine ranked among the Top 10 countries in the world in cyber-crime and number 15 as a source of Distributed Denial of Service (DDoS) attacks in 2015.
Although Ukraine has limited counter-attack capacities, it has endeavored to boost its cyber defense with external assistance after the start of the invasion in 2022. The government has gathered international volunteers to form an IT army and the IT team set up by the minister of digital transformation has launched several DDoS and wiper attacks.
According to Kenneth Geers, in this cyber war, defense has seemed to play a bigger role than the offense. He believes that Ukrainian cyber defense has matured over the years, which is probably why it is harder for Russian hackers to achieve significant damage in Ukraine. Russia, on the other hand, is known for its offensive operations but cares little about cyber defense. «Russian computer systems often use old unpatched software and are therefore very vulnerable to malware attacks,» Geers notes.
There is essential support provided by western states and foreign hackers. In March a widespread assault took place in cyberspace; Russian companies and government bodies were swarmed by hordes of pro-Ukrainian hackers, many of whom were new and previously unknown players to cyber-security experts. Hundreds of millions of documents spilling out from targets as varied as Transneft, a huge oil pipeline operator close to the Russian government; Russia’s Ministry of Culture; Belarusian power supplier Elektrotsentrmontazh; and an arm of the Russian Orthodox Church that has backed the war in Ukraine.
In April Victor Zhora, State Service of Special Communication and Information Protection of Ukraine, ESET and Ukraine’s Computer Emergency Response Team (CERT) stated that an elite Russian hacking team known as Sandworm, which attacked Ukraine’s power grid in 2015, had attempted to cause another blackout in the country. The hackers, reportedly part of Russia’s military intelligence agency, designed a piece of malware named Industroyer 2, which could manipulate equipment in electrical utilities to control the flow of power. It was announced that the Russian cyberattacks were successfully stopped. Ukrainian officials described how advanced the attack was and how much damage it could have done, had it been successful, potentially cutting off power for two million people. But there was no information released as to what kind of sophisticated tools were used by Russia and what exactly was done by Ukraine to fight off this assault.
Problems of the Russian CW Attack Capabilities?
Reportedly, in contemporary Russia, cyber warfare groups function under four Russian special services: the Russian military intelligence service (GRU), the Federal Security Service (FSB), the Foreign Intelligence Service (SVR) and the Federal Protective Service (FSO). In February 2017, Russian Defence Minister Sergei Shoigu announced the creation of an Information Operations Troops [Voyska informatsionnykh operatsiy; VIO] under the Ministry of Defence. In fact, it is possible that such a group was operating before the invasion of Ukraine in 2014. However, the Information Operations Troops first publicly mentioned in 2014, seek to integrate and synthesize these activities, judging from Russian officials’ statements. There are also several private cyber companies might be used by Moscow in cyber war operations.
The main question regarding the Russian CW performance in Ukraine during the current war is whether Russia used or could use sophisticated CW capabilities in attacks. According to recent reports, the malware used to target the Ukrainian energy sector in April was highly sophisticated but was intercepted before it was deployed. This might suggest Russia retains talented hackers with intimate knowledge of industrial control systems, but that the weak operational security of the Russian government is undermining its cyber operations. Josephine Wolff suggests that it might also indicate that Russia’s cyber capabilities are currently strongest when it comes to writing malware programs but relatively weaker when it comes to identifying the vulnerabilities and leveraging the resources necessary to distribute that malware so it can infect targeted systems.
Conclusion
Of course, there are not easy responses to whether Russian CW operations were just not that sophisticated, or if Ukrainian cyber defenses were formidable; perhaps it is some combination of the two.
To answer how effective Ukrainian cyber defenses currently are against Russian cyberattacks requires more information. There are several cybersecurity metrics for measuring the resilience and security of computer networks without divulging sensitive information at a time of war. Even so, it is never easy to examine the success and shortcomings of cyber operations. What is clear is that Russia’s «cyber army» — as with its conventional forces —has not conducted any decisively successful operations yet in its war against Ukraine. In this respect, preparations of Ukrainian cyber capabilities before the invasion and western support have played an essential role in cyber defense during Russia’s invasion in 2022.
