The fog of war is thick. This maxim holds true for the Russian invasion of Ukraine, which began one year ago this week. In the early weeks of the war, Russian leaders assumed a decisive victory was imminent; the U.S. and its allies thought sweeping sanctions would significantly crimp the Russian economy; and practically everyone in the cybersecurity and national security spheres thought cyber warfare accompanying the ground campaign could have far-ranging collateral damage. So far all parties have been wrong on those counts, at least in degree.
But just because sweeping predictions were off doesn’t mean experts weren’t onto something. In the case of cyber implications, Russia has used cyber weaponry on a scale never seen before. Destructive attacks have escaped Ukraine’s borders and affect a growing number of countries, albeit less severely than feared. This isn’t the time for a false sense of confidence; rather, it’s time to prepare for what might be next.
In this post, we’ll glean some lessons by looking at what surprised us, what we got right, and what we can do in the future to reduce risk. Are Russia’s cyber failures in this conflict due to incompetence or, as some suggest, a deliberate play of restraint? Can U.S. cyber defenders sleep better at night or is the worst yet to come? The answer to the second question likely depends how confident we are in the answer to the first. Let’s dig in.
Before the invasion started, security experts and government agencies reported on the possibility of Russia supporting its ground campaign with cyber offensive capabilities. This was an intuitive prediction, because events in recent years, including the shutdown of Ukraine’s power grid on multiple occasions and the NotPetya attacks in 2017, made it clear that Russia possessed the capability to disrupt critical infrastructure in Ukraine. Yet aside from an attack in the opening hours of the invasion in which Russian hackers severed Ukrainian military commanders’ connection to the Viasat system they relied upon for field communications, the expectation of aggression has not matched reality over the past 12 months.
This is not for lack of trying. Ukraine’s infrastructure has been a prime target for Russian forces. The power grid has been constantly harassed — especially during the winter months, when it’s most needed for heating. But the weapon of choice to accomplish this task has more often been missiles than malware.
Malware was seen early on in the war, when on April 8th, Ukraine reported it narrowly thwarted a Russian cyber attack that aimed to take down its power grid with the help of Microsoft and ESET, a Slovakian software company. After that failure, Russian forces resorted to aggressively shelling power substations, which are far more exposed targets than power plants and resemble similar infrastructure built in Russia during the Soviet era. More recent attacks have targeted the power plants themselves.
So the assumption that Russia would target critical infrastructure in Ukraine was not exactly incorrect, but it’s been surprising to see how heavily they have relied on old-fashioned weaponry to do so.
Experts have long written about the Russian government's peculiar relationship with its cybercriminals. They are tolerated, but with what are assumed to be strict stipulations that their attacks stay outside of the motherland, and that they answer when the Kremlin comes calling. At the onset of the invasion, CISA warned U.S. businesses should prepare for retaliatory Russian cyberattacks in response to U.S. economic sanctions.
Assuming the cooperation of Russian hackers with government directives, some supposed ransomware would reach record levels in 2022 as cybercriminals, encouraged by the Russian government, would wreak havoc on Western businesses and infrastructure. This has proven incorrect. In fact, the inverse was as observed as ransomware attacks in 2022 fell to lower levels than in 2021. Moreover, things backfired for ransomware gangs who voiced support for Russia. The starkest example was of the Conti ransomware gang, which wasted no time issuing a warning to any entity Russia and threatening swift retaliation:
The result of this declaration was a devastating leak of Conti’s internal chats, source code, and operational information. Many speculated the U.S. Treasury would sanction the group and ransom payments were largely halted through collective action. Though it tried to press on, several months later Conti was disbanded.
Outside of Conti or other gangs supporting the Russian ground campaign in Ukraine, ransomware stayed far below 2021 levels.
Experts may have underestimated a number of factors, including Ukraine’s own cyber capabilities. You can think of Russia’s near-constant cyber activity in Ukraine over the last several years as a veritable testing range for offensive cyber capabilities — it’s this activity that led to dire predictions about cyberwarfare. The problem (for Russia) is that while all of the practice may have helped them gain an understanding of Ukraine’s systems and defenses, attacks are a two-way street. Each attack represented an exchange of intelligence, as Ukrainian defenders built up playbooks for combating Russian cyberattacks. So it’s perhaps not surprising that Ukraine was prepared to face down threats, but we’ve learned a lot about how well-matched they are as an opponent of Russia in the cyber sphere.
Western assistance may also be making a large difference. In addition to billions of dollars in aid and materiel, the international community has offered assistance to defend Ukraine’s networks. Governmental resources from the U.S. alone include CISA, the FBI, and U.S. Cyber Command. The EU deployed Cyber Rapid Response teams to support Ukraine’s defense.
Tech giants such as Microsoft have helped thwart attacks against critical infrastructure as well as government and media targets.
Taking a “hunt-forward” strategy, U.S. and international cyber partners deployed to Ukraine networks. Operators proactively hunted intrusions and collaborated with industry partners to analyze malware and adversary techniques, adding findings to a collaborative defense knowledge bank. While Russia’s cyber capabilities are regarded as some of the most advanced, this international coalition of defense has strength in numbers. Britain’s GCHQ has heralded the collective defense of Ukraine’s networks as “the most effective defensive cyber activity in history.”
On the flip side, Western attempts to characterize Russian cyber doctrine may have suffered from a degree of egocentrism. Russia’s cyber doctrine is more sweeping than that of the United States, including a heavy emphasis on influence operations rather than what the U.S. would consider offensive capabilities. As one commentator put it, “Russia’s premier offensive cyber capacities are housed within agencies focused on intelligence and subversion—the key tool kits used against Ukraine since 2014—rather than combined-arms warfare.” What Western notions might term psychological operations (“psyops”), Russia includes within its cyber capabilities.
This colors certain events throughout the war a little differently. In early March 2022, a video emerged apparently showing President Zelensky surrendering and asking Ukrainians to put down their weapons. The video was posted to social media and hackers placed still images and a summary on a Ukrainian TV station’s website. The video was an AI-generated “deep fake”. Although quickly removed, the aim to undercut traditional command and control carried unmistakable war-like undertones. While many expected a heavier emphasis on offensive strikes, Russia often used its cyber capabilities for subversion.
As predicted, the 2022 invasion has demonstrated the preeminent role of cyber in 21st Century nation-state warfare. Notwithstanding the failures discussed earlier, Russia has used, or attempted to use, cyber weapons to target critical infrastructure, communications technology, mass media, and government agencies. They pulled the trigger – or perhaps more aptly deployed the delete key – against the very targets many believed they would.
The volume of attacks has likewise been immense with Ukraine reporting “nonstop” attempts to compromise defense and government ministries. Google’s Threat Analysis Group report Russian government-backed hackers increased attacks on Ukrainian users by 250% in 2022 and the Ukrainian government said there have been three times as many attempts against its systems compared to before the war.
Many attacks have been targeted and particularly destructive, even if they didn’t impact the outcome of the war as much as anticipated. Special malware called “wipers” have been deployed to permanently destroy data. Within the first four months of 2022, Mandiant observed more of these destructive cyber attacks in Ukraine than in the previous eight years. FortiGuard labs revealed the same trend with seven new variants of destructive wiper malware used in attacks during the first half of 2022 alone, all deployed in parallel with the Ukraine invasion. Wiper attacks further increased by 53% between Q3 and Q4.
Wipers and other aggressive attacks did spill over to other nations, just not to the degree feared. The February 24th attack that took down Viasat satellites also rendered 5,800 wind turbines inaccessible in Germany. Since then Russia’s “hacktivist” cadre has mobilized primarily against Ukrainian targets but is increasingly hitting targets in NATO countries. These mostly consist of low-level attacks such as defacement or DDoS but have also expanded to deploying wipers, in some cases mimicking ransomware but providing no hope for data recovery. While wiper attacks stayed mostly within Ukraine’s borders in the early days of the invasion, they had spread to 24 other countries by the end of 2022.
Looking into the future, there are two risks to note.
First, desperation breeds innovation. With Russia’s strategic failures compounding, the pressure is on to make headway on the cyber front. The more trying the situation, the higher the motivation to develop and deploy even more destructive cyber weaponry.
Second, as Russia continues to develop tools to attack Ukraine’s networks, the offensive tools it develops will undoubtedly fall into the hands of regular cybercriminals to be deployed against businesses. This includes wiper malware attacks, which have already spread outside of Ukraine’s borders. Expect wiper attacks to continue spreading and a similar “trickling down” of cyber weaponry.
International collaboration and U.S. Hunt Forward Operations have given Western partners valuable intelligence on Russian cyber offensive operations. Russia’s cyber offensive against Ukraine has relied on the same mainstays used by other cybercriminals including exploiting software vulnerabilities and phishing users. Even the infamous NotPetya attack Russia initiated against Ukrainian networks in 2017 exploited a software vulnerability for which a patch was released a month prior. Western businesses can take lessons from this including ensuring a regular software patching cadence and guarding against phishing attacks with strong forms of phishing-resistant MFA. With the trickle-down of Russia’s destructive tools, these practices can help prevent attackers from getting into the network.