Major Takeaways: Cyber Operations During Russia-Ukraine War

Russian Attacks Continue at Serious Pace, Blunted by Ukrainian Defenses, Failovers
Major Takeaways: Cyber Operations During Russia-Ukraine War
Ukraine President Volodymyr Zelenskyy holds a press conference on June 27, 2022. (Photo: Ukrainian government)

What happened to the cyber war that Russia was meant to unleash on Ukraine?

See Also: Malware Analysis Report: DarkGate – From AutoIt to Shellcode Execution

Few thought to disagree that in the event of an invasion, Moscow was sure to order a furious online assault taking power plants offline, scrambling defenders' communications and sowing mass chaos.

As Russia's invasion of Ukraine nears its half-year mark, experts find themselves reevaluating long-held assumptions and grappling with surprising developments that few saw coming. Russia's constant probing of Ukrainian networks - leading to some government sites getting knocked offline - has yet to cause massive disruptions.

As Jeremy Fleming, the head of the U.K.'s security, intelligence and cyber agency, GCHQ, said: "Perhaps the concept of a 'cyber war' was over-hyped."

In part, experts say, the big anticlimax stems from the quality of Ukraine's defenses, both in Kyiv's ability to block attacks and its ability to switch to backup processes when IT networks do get hit.

But those aren't the only cybersecurity surprises or takeaways so far from the conflict. In the nearly five months since Russia invaded Ukraine, here are nearly a dozen cybersecurity lessons learned.

How Russia's Cyberattacks Failed

Russia continues to try and overwhelm Ukrainian critical infrastructure and communications via cyberattacks.

Cyber intrusions or attacks launched by Russia in the early days of the invasion (Source: Microsoft)

"Based on publicly available information, Russia launched a broad cyber campaign shortly before the invasion," says James Andrew Lewis, senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies.

"The primary targets were Ukrainian government websites, energy and telecom service providers, financial institutions and media outlets, but the cyberattacks encompassed most critical sectors," Lewis says. "This was a wide-ranging attack using the full suite of Russian cyber capabilities to disrupt Ukraine, but it was not a success."

Such attacks continue. "Malicious cyber activity involves sending of phishing emails, distributed denial-of-service attacks, and use of data-wiper malware, backdoors, surveillance software and information stealers," according to a June report from the European Parliament.

Timeline of cyberattacks on Ukraine from March 2014 through May 9, 2022 (Source: European Parliament Research Service, click to enlarge)

Initially, Russia did manage to disrupt access to Viasat's KA-SAT satellite network from Ukraine on the day it invaded. But this didn't have the impact Moscow likely anticipated, with Kyiv getting a replacement service from satellite provider SpaceX's Starlink up and running in just days.

"The metric for Viasat and for other actions is not whether a cyberattack is effective in terms of network penetration or the disruption of services or data, but whether its effect helps achieve - in this case - the occupation of Ukraine and the elimination of its elected government," Lewis says. "By this metric, the Viasat attack was not a success."

But without Viasat, how did the Ukrainian government headed by President Volodymyr Zelenskyy guide the military in the initial hours and days of the invasion?

The operational security expert known as the grugq says Russia did disrupt command-and-control communications - but the disruption failed to stymie Ukraine's military. The government had reorganized from a "Soviet-style" centralized command structure to empower relatively low-level military officers to make major decisions, such as blowing up runways at strategically important airports before they were captured by Russian forces. Lack of contact with higher-ups didn't compromise the ability of Ukraine's military to physically defend the country.

The Russian government, of course, hasn't drawn attention to its failures, including in the online realm. "The Russians have done a pretty good job of basically spreading disinformation that they are not aggressively attacking," says Chad Sweet, CEO of consultancy The Chertoff Group.

Aggressive Pace of Attacks Continues

Experts say Russia continues to actively target Ukraine with online attacks, spearheaded by Russia's military intelligence agency, the GRU. On the day of the invasion, the GRU launched wiper attacks that affected 300 systems across 12 different government and command-and-control organizations, says Sweet, who served as chief of staff for the U.S. Department of Homeland Security during the Obama administration.

CyberPeace Institute, a non-governmental organization that tracks global cyberattacks, says that since the start of the war it's counted at least 256 online attacks against targets in 18 countries, tracing to 35 different threat actors.

Some attacks do cause disruptions. The European Parliament report says that since the invasion began, "limited Russian cyberattacks have undermined the distribution of medicines, food and relief supplies," and that "their impact has ranged from preventing access to basic services to data theft and disinformation, including through deepfake technology."

"So it's just factually false that the Russians aren't attacking; they're actually very aggressively attacking," Sweet says. "The good news, though, is our Ukrainian allies. We've been assisting them in their preparation for just such an attack as this. And so they're part of the reason it's not grabbing the headlines - they're doing a pretty good job on the defense."

Jeremy Fleming, director of GCHQ, talks about how the expected Russia-Ukraine "cyber war" was perhaps "over-hyped," on May 10, 2022, at the CyberUK conference in Wales.

Intelligence agencies continue to track attacks. "There's plenty of cyber about, including a range of activity we and partners have attributed to Russia," GCHQ's Fleming said at a May cybersecurity conference in Wales organized by the U.K.'s National Cyber Security Center. "We've seen what looks like some spillover of activity affecting other countries. And we've seen indications that Russia's cyber operatives continue to look for targets in countries that oppose their actions."

Forget 'Cyber War,' Think 'Cyber Operations'

Another lesson learned from the conflict is that the concept of "cyber war" is so imprecise as to be essentially meaningless. As the grugq says in a conference presentation on "the dynamics of Russian cyber war" delivered in May, "What we are seeing here is not cyber war; what we are seeing is a war with cyber."

"The Russians have not done what we wanted them to do, what we expected them to do," the grugq says. "But they have done what makes the most sense, given what they were trying to do in general."

Hence Ukraine's power grid hasn't been targeted, nor ATMs disrupted. "What they want is these sharp, tactical uses of cyber that will help enable their military operations," he says.

Wiper Malware Has Been Used

Russia's online attacks might not have hit power stations or disrupted the company's financial services sector, but they have been effective in some places, says Mikko Hypponen, chief research officer at WithSecure. He cites as an example wait times of up to 40 hours at the Ukraine-Poland border as women and children attempted to flee the start of the conflict.

"They couldn't leave and people were stumped - like, why are the borders closed?" he says. "The borders weren't closed, but the computers of the Ukraine border control had been wiped by HermeticWiper, which was developed and deployed by the GRU from Russian military intelligence. That's what cyber war looks like in the real world."

The chart shows wiper families used in the conflict and their attribution. Ember Bear has been tied to attacks that back Russia but were not attributed to any particular government agency, while APT28, or Fancy Bear, is widely believed to be tied to the GRU. (Source: Trellix)

Russia has been bringing an arsenal of wipers to bear on Ukraine, says John Fokker, principal engineer and head of cyber investigations for Advanced Threat Research at Trellix, which has also been assisting multiple organizations in Ukraine.

"We found multiple wipers, and the wipers were technically different," Fokker says, which is unusual, since attackers typically won't reinvent the wheel. Trellix has identified more than 15 wipers so far seen to be in play, provoking the question: Why?

"If you zoom out, it's quite obvious that there's one aggressor behind it, and we saw multiple wipers being launched in a timespan of two and a half hours in one network," Fokker says. "It's not unthinkable that they're actually outsourcing the development of these wipers to public or private industry sector companies, and maybe even had a tender out or some kind of contest," he says.

With multiple contestants or contractors, a government could rapidly procure a range of completely different-looking wipers.

Corporate Defenders and Rise of 'IT Army' Surprised Experts

Another surprising development is the open involvement of Western technology companies in Ukraine's cyber defense, WithSecure's Hypponen says. "I'm surprised by the fact that Western technology companies like Microsoft and Google are there on the battlefield, supporting Ukraine against governmental attacks from Russia, which is again, something we've never seen in any other war."

Western corporations aren't alone, either. Kyiv raised a first-ever volunteer "IT Army," consisting of civilians recruited to break computer crime laws in aid of the country's military defense. It numbers, perhaps, 400,000 or more individuals.

As the European Parliament says, there have been numerous disruptions in Russia as a result of Ukraine's keyboard volunteers. "Since the beginning of the invasion, a significant number of counter-attacks have been launched by independent hackers, affecting the Russian state, security, banking and media systems," it says.

Using civilians to achieve military aims, as well as asking them to violate cybersecurity norms, remains "problematic," Rob Joyce, director of the U.S. National Security Agency's Cybersecurity Directorate, said at the May NCSC conference in Wales. All the same, "You want to sit back and root for the folks who are trying to do noble things."

Juhan Lepassaar, executive director of the EU Agency of Cybersecurity, known as ENISA, said at the conference that the surge in "organized hacktivism … being channeled in this conflict" remains for him "a point of concern."

Western Critical Infrastructure May Be Off-Limits

Western cybersecurity agencies continue to warn that Russia could unleash a chaotic attack along the lines of NotPetya in 2017. That wiper malware, disguised as ransomware, spread quickly, wiping systems worldwide and causing an estimated $9 billion in commercial damages.

So far, Russia doesn't appear to have actively targeted Western critical infrastructure or unleashed uncontrolled wiper malware. Potentially, doing so could escalate the conflict, leading to Western governments getting even more involved in it.

Chatter in the cybercrime underground is that Russian government contacts have been telling criminals to steer clear of Western critical infrastructure. "Many of them specifically don't want to target the U.S. at all," says Jon DiMaggio chief security strategist at Analyst1.

Especially for ransomware-wielding groups, "it's just not good for business," since critical infrastructure victims likely won't pay a ransom. Just the opposite, since a successful attack invites "the full backlash of the United States intelligence community," he says. "So they just don't want the headache; they don't want to have that kind of heat on them, and it's just not worth it."

The grugq dismisses fears that Russia might tap patriotic domestic cybercrime talent to assist in the invasion. While some calls have gone out for patriotic hackers to take action, he says the government has not enlisted current cybercriminals to help. Instead, cyberattacks remain the domain of the GRU, as well as the foreign intelligence service, known as the SVR, and the Federal Security Service, known as the FSB.

"The establishment … the government, and so on, does not look at the ransomware guys as providing any sort of military technologies or military capacity that they can use," he says. Criminals, meanwhile, oftentimes style themselves as profit-obsessed Mafiosi rather than government tools. "They are businessmen; they're making money. They do not want to stop making money to go and do something for the government."

Ukraine Has Well-Honed Defensive Plans

Another secret to Ukraine's success: The country remains well practiced not just at cybersecurity defense, but also incident response and mitigation.

"The lack of cyber activity is not really because Russia wouldn't be trying," Hypponen says. Actually, they've been trying since 2014, when Russia illegally annexed the Crimean Peninsula in a preview of its disregard for Ukrainian sovereignty. "Ukraine is the best country in Europe to defend their networks against Russian nation-state attacks. … Why? Because they've been doing it for eight years."

Kinetic and cyber activity targeting Ukraine from Feb. 23 to April 6 (Source: Microsoft)

Some Western intelligence officials say that if there's one overriding takeaway from Ukraine's success thus far, it's the value of having a well-designed incident response plan.

"One of the things they've done is: They have emergency plans, having been under pressure for years," the NSA's Joyce says. "It hasn't been just this crisis, but they have been able to practice and they understand what good incident response is, and they're able to then recover."

Such capabilities haven't happened in a vacuum. The EU - including its Cyber Rapid Response Teams - as well as the U.S. and NATO have all offered assistance for combating online attacks and protecting critical infrastructure. Likewise, the private sector and nongovernmental organizations have been helping.

Another secret to Ukraine's success has been not just good defense and resilience, but excellent failover capabilities and "ways of continuing operations … after cyber has been used against them," the grugq says. Should email become unavailable, the government uses smartphones and messaging services. And when IT systems at rail networks were targeted, the government switched to using analog communications systems.

"A lesson we're taking out of this is that sometimes resilience is not necessarily being able to defeat the attack," he says. "It's being able to continue, even if the attack is successful, and I think Ukraine is an excellent example of that."

No Spillover or Notable Western Targeting So Far

If the pace of Russian cyberattacks against Ukraine has remained fast and furious - despite relatively low levels of efficacy - another surprise is the relative lack of spillover or direct attacks targeting Western governments and organizations helping Ukraine.

In March, cybersecurity firm Mandiant warned that "organizations making public statements condemning Russian aggression and/or supporting Ukraine and organizations taking actions to restrict Russian participation in international commerce, competitions, and events face elevated risk of future reprisal."

Sectors facing elevated risk from Russian cyber operations (Source: Mandiant, March 2022)

At least so far, however, Russia seems to have "decided not to tangle with NATO, in terms of a cyber war event," instead favoring "precision in terms of deciding to aid the military on the ground in Ukraine with cyberattacks," says Ian Thornton-Trump, CISO of threat intelligence firm Cyjax.

Russian Escalation Remains a Risk

Of course, all of that could change, and experts are continuing to track the threat.

"I'm concerned that at some point the Russians are going to launch cyber retaliatory attacks against the United States at election infrastructure and the transportation, financial and energy sectors," says the FBI's Elvis Chan, an assistant special agent in charge who manages the bureau's cyber team based in San Francisco.

As the war continues, as it may do for years, anything remains possible, especially if sanctions further disrupt Russia's economy.

"The problem is … everyday Russians are going to have a hard time providing for themselves and their family, and this is a very technically capable country," says Rep. Eric Swalwell, a California Democrat who serves on the House Permanent Select Committee on Intelligence and chairs the Intelligence Modernization and Readiness Subcommittee.

"So you could see everyday, law-abiding Russians who worked in their own innovation economy out of work or with limited work, and now they have a skill that they could use, and they could be a freelancing ransom actor - a zone that's already flooded right now," he says.

In the U.S., the upcoming midterm elections in November remain a likely target. "We know that Russia in 2016, '18 and '20 attacked us, and we know that they've attacked our allies across the world," Swalwell says. "But they've never been successful in actually going into a voting system and taking someone's name off the rolls or changing a vote, and will they want to try and unleash that in retaliation for what we've done to help Ukraine? So these are the things I worry about, and why we have to be so hyper vigilant."

Western Organizations Must Stay Prepared

Western governments are not going to rescue every organization that might get hit, especially if they're outside critical infrastructure sectors.

"The bad news is … if you're a midsized company in, say, Idaho, unfortunately, the cavalry is not coming," The Chertoff Group's Sweet says. "The U.S. government is so overwhelmed. It is very difficult for them to answer the call to all these different attacks."

Accordingly, the U.S. Cybersecurity and Infrastructure Security Agency and Britain's National Cyber Security Center continue to urge all CISOs to carefully track the conflict and ensure their organization has in place robust cybersecurity defenses.

Because when it comes to the use of cyber operations to support a military invasion, who knows what might happen next?


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.co.uk, you agree to our use of cookies.