It was expected to be the harbinger of terrible things. In the early hours of 24 February, satellite communication systems for the Ukrainian military suddenly failed. The disruption was quickly traced to ViaSat, a satellite communications firm supplying broadband internet services across Europe.
Russian state-sponsored hackers, investigators later concluded, had used wiper malware to erase and disable the company’s routers and modems. Unable to communicate, Ukraine’s armed forces were thrown into chaos when waves of Russian troops crashed over its border a couple of hours later.
Elsewhere in Ukraine, banks and government systems were afflicted by similar malware. Ahead of the invasion, analysts predicted a general collapse in the country’s digital infrastructure as Russia brought the full weight of its cyber-offensive prowess to bear.
This capability had been in evidence since 2007, when Russian hackers brought Estonia’s government, media and banking systems to their knees in a series of devastating cyberattacks. Then came the barrage of attacks that have been inflicted on Ukraine since the annexation of Crimea in 2014, attacks that have shut down parts of the country’s power grid, held its financial sector to ransom, repeatedly disrupted the basic functions of government – and even targeted its water supply.
This history of using Ukraine as a testing ground for its cyber capabilities lent greater weight to analysts’ arguments that Russia’s ‘cyberwar’ against the country would be spectacular and short. They were wrong. While Moscow has attempted several major cyberattacks against Kyiv in the past few months, none have come close to achieving the disruption caused by the ViaSat hack.
Instead, Ukraine has successfully fought Russian hackers to a standstill. According to Marina Krotofil of Kudelski Security, cyberattacks are proving as militarily useful as throwing rocks at the enemy. “Ukraine throws some stones, Russia throws some at us,” says Krotofil. “It’s not so practical.”
That is in part, she adds, because it’s now much harder to disrupt Ukrainian life using cyberattacks than it ever was in peace. Why attempt to engineer power outages or water shortages, after all, when the civilian population now takes such catastrophes in their stride?
Content from our partners
It’s also because Ukraine has received significant outside assistance in securing its critical systems. For several years now, the US and its allies have funded capacity-building initiatives that have seen Kyiv strengthen its cybersecurity defences and expertise. This effort accelerated late last year, with Washington dispatching officials from US Cyber Command to shore up key systems ahead of an anticipated Russian invasion.
The US has now admitted mounting cyberattacks in support of Ukraine against Russian targets. Even so, neither side shows any sign of striking a decisive blow using cyber alone, instead relying on old-fashioned kinetic weaponry to inflict maximum damage against critical infrastructure and military assets. Once viewed as the future of conflict, there are now serious questions about the utility of cyberattacks as a weapon of war, especially in one as brutal as Russia’s invasion of Ukraine.
How Russia launches cyberattacks against Ukraine
That Moscow has so far been unable to mount spectacular cyber offensives against Kyiv is no surprise to Krotofil, who has over a decade’s worth of experience in securing cyber-physical systems across Ukraine. Having seen for herself the aftermath of some of Russia’s most devastating cyberattacks on her country, she knows exactly what kinds of preparations go into taking down a power grid, mobile network or a bank. It’s not as simple as people think.
First, hackers have to identify a critical system they wish to attack, and then find a way to burrow inside. Once access has been obtained, either by exploiting a vulnerability or through a surreptitious phishing campaign, “then you really need to get into the environment, move laterally, establish a persistent foothold and find the system of interest,” says Krotofil – all while remaining completely undetected.
This can take months of careful planning and analysis. Indeed, some of the most spectacular cyberattacks on Ukrainian infrastructure in 2016 were the result of thousands of hours of patience burrowing through key systems, explains Krotofil, with hackers from the GRU and other Russian intelligence agencies taking great pains to cover their tracks.
Was Russia poorly prepared for cyberwar in Ukraine?
This may also be the reason that Russia has mounted only one truly spectacular cyberattack on Ukraine’s critical infrastructure since the start of the war. “In order for Russia to leverage cyber warfare effectively, when did they need to start preparing? A year ago,” says Krotofil. That didn’t happen, she suggests, because Putin only gave his inner circle advance notice of his intention to invade Ukraine roughly two months before Russian tanks crossed the border.
From this perspective, the cyberattack against ViaSat is the exception that proves the rule. Krotofil thinks that, in all likelihood, the company had already been hacked by Russia – and therefore one of the only systems it could undermine in time for its invasion.
Not that they didn’t try. “There was a lot of cyber around,” says Dr Greg Austin, a senior fellow at the International Institute for Strategic Studies (IISS), including attempts to unleash wiper malware across thousands of computers across Ukraine and shutting down its power grids.
One of the main reasons why these attempts have failed, says Austin, was an early intervention by Microsoft before the conflict had even started. As early as January, the company spotted destructive malware being planted inside Ukrainian systems. A recent report from Microsoft also details how it not only helped exfiltrate the data of several government ministries out of Ukraine and into the cloud days before the invasion – thereby preserving it when Russia attacked a key data centre with a cruise missile – but has played a key role in securing systems across the country since the invasion.
Since then, the report continues, Ukraine’s cyber defences have largely remained intact against destructive cyberattacks. Indeed, Russia has had more success in pairing cyberespionage with kinetic firepower, appearing to compromise networks close to the frontline to identify physical targets for bombardment.
But there may also be an element of Moscow pulling its punches. Like most major cyber powers, Russia is thought to have a Pandora’s Box of zero-day exploits it can use to more easily tunnel into a variety of enemy systems. But since the invasion, said Microsoft, the Russians have refrained from using ‘wormable’ malware similar to its highly successful NotPetya cyberattack on Ukraine in 2017.
That may be out of a fear of escalating the conflict beyond Ukraine – after all, NotPetya also ended up infecting computer systems across Europe. Russia may also not want the world to know what zero-day exploits they have up their sleeves, explains VS Subrahmanian, a computer science professor at Northwestern University. “Every time they use a vulnerability,” says Subrahmanian, “they give up the opportunity to use the vulnerability in the future” as it’s quickly neutralised by security companies and rival governments.
Allied cybersecurity in Ukraine
This should not diminish the efforts of the Ukrainians themselves in protecting their networks. Ironically, Moscow’s repeated attacks on Ukraine’s critical systems since 2014 helped to create and galvanise a formidable cybersecurity sector. “Now, it’s a gigantic business,” says Krotofil, one that has seen the state, private enterprise and security companies work hand in glove to shore up national cyber defences and repair the damage to critical systems quickly if they are penetrated.
Ukraine has also been able to count on its allies for support. “The Biden administration actually provided early warning of a potential Russian attack at least eight weeks in advance, if not longer,” says Subrahmanian. “My understanding is that many companies in the space were told to be prepared for this well in advance,” including major social networks and IT firms. Most did, helping to secure exposed flanks in the private sector while US military hackers went to work shoring up Ukrainian critical systems and mounting their own offensive operations against Russian targets.
We don’t know the nature of these attacks, but experts like Subrahmanian have a good idea of how some of them might work. “Intuitively, there’s a pipe between the Russian network and the Ukrainian network,” he explains. Allied cybersecurity staff sitting in the latter could, in theory, “use the same pipe to push data and malware into the Russian network and cause chaos there,” either through malware or feeding back false information about Ukrainian systems or military deployments.
There is also, undoubtedly, an element of self-interest in the allied cybersecurity commitment. “I’m fairly certain, especially given the extent of Russian cyber activity in Ukraine for many, many years, that it’s a good place for US and Western intelligence agencies to better understand Russian tools, tactics and procedures within those networks,” says Subrahmanian.
It’s also the best kind of training for any future cyber conflict. After all, says Krotofil, cybersecurity is “a skill you need to develop not in the lab, not in the virtualised environment, not on cyber ranges, [but in] realistic environments”.
Spillover effects from cyberwar
The war has also been a useful case study for foreign policy strategists on how cyberattacks can expand the conflict in new and unpredictable ways. After all, it’s not just state-sponsored hackers who have been active during the war. White hat hackers, for example, have flocked to join Ukrainian efforts at securing key systems. “In addition, you have groups like Anonymous pitch in,” says Subrahmanian, pledging allegiance to Ukraine’s cause by leaking sensitive data and disrupting railway networks in Belarus. “Most law enforcement and political leaders feel very, very uncomfortable with what’s become an informal partnership.”
Russia has its cyber-auxiliaries too, as demonstrated in April when the pro-Moscow criminal gang Killnet mounted a DDoS attack against Romanian government websites and in May, when suspected cybercriminals leaked private emails from prominent pro-Brexit politicians in the UK. Russia has also attempted to infiltrate the networks of 128 organisations in 42 countries, according to Microsoft, prioritising Poland but increasingly targeting Scandinavia and Turkey. Based on its own data, said the company, “Russian actors have been successful 29% of the time.”
So far, however, this spillover effect has not extended to destructive attacks against NATO members, despite warnings of their inevitability from both Five Eyes nations and Moscow. For his part, Subrahmanian considers the prospect unlikely.
“My feeling is that the Russians probably do not want to unleash more cyber assets and waste parts of their stockpile on something that’s clearly not giving them a win,” he says, predicting that the cyberwar will remain confined to Ukraine until at least the end of this year. “I don’t think Russia wants to aggravate the West even more than they have already.”
Meanwhile in Ukraine, the impact of Russian cyberattacks continues to be muted. Most of them, explains Krotofil, now consist of DDoS attacks and web defacements. “This is not difficult, this is not smart,” she says. “It also doesn’t last long, and the damage is minimal. And, especially in wartime, who cares?”
Is the threat of cyberwarfare overrated?
Krotofil has her own doubts about the ultimate utility of cyberattacks as a weapon of war. Even the effects of hacking critical infrastructure do not last an especially long time before systems are restored with back-ups and vulnerabilities patched. “Cyber is more like a nuisance,” says Krotofil, adding a frisson of distraction while the real war happens on the front lines. “You can’t compare it with the fact of kinetic weapons.”
There are signs that the world’s leading powers feel the same way. A recent comparative study published by IISS about Chinese, Russian and American strategic approaches to cyberattacks concluded that all three have yet to attain a ‘mature’ capability in this area, insofar as they consider cyberattacks only useful in gaining short-term advantage. “None of those three countries,” says Austin, have “really accepted the strategic potential of cyber operations to bring about meaningful strategic impact.”
There is one major caveat to all this. While the war in Ukraine has demonstrated the limitations of Russian cyber capabilities, it does not mean that their deployment in the future will be just as ineffective. “[T]he underlying technologies are developing fast,” says the report. “The potential for other governments to achieve strategic surprise by innovative application of a cyber campaign is an important component of cyber policy in China, Russia and the US.”
As such, it is not unreasonable to assume that cyberattacks, with the right level of preparation and subterfuge, will be capable of delivering a decisive blow to enemy logistics and critical systems in support of an invasion – an opportunity ultimately squandered by Russia in Ukraine.
Read more: Capacity building: How the US boosts its allies’ cyber defences