Russia’s invasion of Ukraine in February fueled expectations it would launch a devastating campaign of cyberattacks against the neighboring country. Since 2014, state-run Russian cyber units, state-affiliated hackers, and independent cyber-criminal groups have frequently trained their sights on targets in Ukraine. They have, among other things, forced government websites offline, caused the largest-ever cyber-induced blackout of a nation’s power grid, and deployed the most destructive and costly malware to date. So, why hasn’t there been another such attack since the war began? We talked to Eurasia Group geotech analyst Sienna Tompkins to get some answers.
We’ve come to see cyberattacks as a big part of Russia’s playbook. Has that changed?
Not really. While a large-scale attack with significant repercussions or international contagion has not yet materialized, there has been a steady drumbeat of cyber activity by Russian military and intelligence units against Ukrainian targets. In a recent report, Microsoft said there have been at least 2-3 cyber operations since the eve of the invasion. Nuisance-level attacks have overloaded key government and institutional websites with traffic, several wiper malwares have been deployed, and the hack of satellite provider, Viasat, caused widespread communications outages on the first day of the invasion.
Why nothing bigger?
One reason might be that military attacks are generally more effective when it comes to disabling critical infrastructure. There has also been speculation that Russian cyber units were caught off-guard by the invasion, without sufficient notice to plan and execute large, sophisticated attacks. Moreover, Russian leaders may be wary of US retaliation or of triggering NATO’s Article 5 collective defense clause if a NATO member is affected by the fallout. Lastly, expectations of a quick and decisive victory may also have influenced the calculus to keep critical infrastructure operational for the use of a puppet regime installed by Moscow.
That said, there is also an element of uncertainty and misdirection that occurs in times of war. Cyber operations that have yet to be activated or detected could ultimately meet the threshold of a major attack. Targets may not know they have been compromised or that the root cause of a cyber operation is cyber-induced. Moreover, in a context of widespread physical destruction, it can be hard to tell if there have been contributing cyber actions as well.
What did we learn from the recent foiled attack against Ukraine’s electric grid?
It lends weight to the theory that Moscow may have wanted to keep critical infrastructure intact in expectation of a quick victory in the war. Sandworm, a group thought to be part of the hacking operations of the GRU, Russian military intelligence, infected the Ukrainian energy company’s network in February. That was prior to the invasion, yet Sandworm only attempted to cut power months later in April.
The episode also highlights Ukraine’s increased cyber resiliency. The foiled cyberattack would have affected 2 million people, making it the largest-ever cyber-induced power outage, but was discovered prior to activation. After years of being targeted by Russia, Ukraine has ramped up investment in its defenses and in cultivating cyber talent.
Has Western assistance been a factor in bolstering Ukraine’s defenses?
Yes. The US, EU, and NATO have all contributed: US Cyber Command sent a surge team to Ukraine ahead of the invasion to hunt for compromised networks; NATO admitted Ukraine to its Cooperative Cyber Defence Centre of Excellence and included Ukrainian experts in its recent digital war simulation “Locked Shields”; and the EU mobilized its newly formed Cyber Rapid Response Team to work with its Ukrainian counterparts.
Private companies have also been playing an outsized role. Major service providers, as the main conduits for many attacks, are tracking known cyber actors and taking remedial action. Microsoft recently obtained a court order to take over seven internet domains used by Strontium, another GRU cyber unit, and redirect them to blunt their impact.
Are you worried about other countries helping Russia wage cyberwarfare?
Russia is a highly sophisticated cyber actor and perfectly capable of waging cyber warfare on its own. Additional actors could add to the chaos and disruption in Ukraine in a way that is useful to Russia, but to be strategically or tactically impactful and avoid undue escalation with the US and NATO, there would need to be a level of formal cooperation. There has been some speculation that China could get involved, but it is unlikely to take such an aggressive step and there is no evidence that it has done so yet.
What about cyberattacks by Ukraine?
Ukraine has primarily been focused on what has been called “persistent defense” — fending off Russian cyber intrusions and attempted attacks. But in a new twist, Ukrainian officials have also mobilized a civilian “IT army.” The volunteer corps is focused on taking down or defacing Russian government websites, hack-and-leak operations revealing confidential datasets, and attempting to undermine propaganda on Russian TV networks. Russia’s Ministry of Digital Development and Communications has reported unprecedented volumes of attacks against government websites. Nevertheless, the attacks remain nuisance-level and serve primarily as information warfare.
What should we expect in the cyber dimension of the Ukraine war going forward?
The story is far from over. The risks of major Russian cyberattacks against Ukraine, or countries backing it, remain elevated. The Five Eyes intelligence alliance comprising Australia, Canada, New Zealand, the UK, and the US recently warned of preparations to conduct significant cyberattacks against critical infrastructure in countries that have sanctioned Russia or otherwise shown their support for Ukraine. Western governments are exhorting companies to upgrade their cyber resilience. A significant attack is likely a matter of not if but when.