Three months have passed since Russia's full-scale invasion of Ukraine. In the prelude to and the opening weeks of the war there was a lot of concern about the risk of devastating cyberattacks against Ukraine, but also against critical infrastructure and other interests in the Western countries that are imposing sanctions and supplying weapons. This war has been described as the world's first hybrid war, fought both in the physical world with conventional weapons and in cyberspace between hackers.
In light of that, the biggest surprise of the war so far is actually what has not happened in cybersecurity. We have not seen the Internet or other critical infrastructure in Ukraine destroyed by large Russian cyberattacks. Nor have we seen critical infrastructure in the Western world attacked. That is not to say nothing has happened in cyberspace: a lot has. What we have seen so far has given us many insights, and some of our initial assumptions and fears may have been wrong.
The Russian cyberattacks against Ukraine
Russia has been targeting Ukraine with cyberattacks more or less constantly for the past 10 years. The best-known attacks are BlackEnergy and Industroyer/Crashoverride against the Ukrainian power grid in December 2015 and December 2016, and of course NotPetya in 2017, which spilled over and caused major disruption for companies such as Maersk. Other attacks have involved DDoS, website defacement and, of course, a lot of espionage.
Russian attacks on Ukraine ramped up significantly in the prelude to the war and especially after it started, with a broad cascade of attacks including a handful of new destructive wiper malware families, further attacks on the power grid and a lot of DDoS attacks. These attacks have degraded various services in Ukraine, but have not taken them down for any length of time. There also seems to be some level of coordination between military operations and cyberattacks. Microsoft has released a comprehensive report detailing many of the attacks; details can be found here.
Another notable attack happened on the morning of February 24th, 2022, the day of the Russian invasion. Viasat's KA-SAT satellite internet service was disrupted across Europe, affecting tens of thousands of modems, including those used for Ukrainian military communications. According to Western authorities, Russian state hackers compromised Viasat's management network and pushed management commands to large numbers of modems that overwrote key data in their flash memory, leaving them unable to reconnect to the network. This affected not only the Ukrainian military but also, for example, the remote monitoring of thousands of wind turbines in Germany.
One of the surprises of the war so far is that the digital infrastructure in Ukraine is still up and running. As we see it, one of the main reasons is that Ukraine has been under constant attack for the past 10 years. This has given them a lot of experience in handling cyberattacks, and they have made many improvements to their security. In the current situation this gives them resilience, which, combined with substantial assistance from Western countries and security companies, has made it possible to fend off most of the Russian attacks.
So one of the key lessons here is that preparation and exercises work. Not to mention the rumors that Russia's own communication systems are so poor that they rely on the Ukrainian telecom infrastructure to communicate internally…
The missing Russian cyberattacks on the west
Another big concern in the run-up to the war was that Russian cyberattacks would hit Western critical infrastructure and businesses. The worst-case scenario was that Russia would literally be able to take control of electricity and heating and switch them off. None of this has materialized.
Cyberattacks disrupting societies, businesses and critical infrastructure are nothing new and happen regularly. However, the intensity of these attacks has in general not changed since the war started. There has been an increased level of "reconnaissance", meaning that more scanning takes place, but this has not translated into more successful attacks. The one exception is that organizations involved in supporting and helping Ukraine in the ongoing conflict have been facing espionage attacks. Some attacks may also have a spillover effect far beyond their original targets, as in 2017 when Maersk was hit because NotPetya spread beyond Ukraine.
There are most likely several reasons why we have not seen any devastating Russian cyberattacks.
One reason is that cyberattacks with a huge impact can take months to prepare and are often difficult to execute. Given how quickly the war broke out, the Russian intelligence services have had limited time to prepare. In addition, the Russian resources available for cyberattacks have most likely been occupied attacking Ukraine and have had no capacity to attack elsewhere.
Another probable reason is that Russia does not wish to escalate the confrontation with the West, knowing that cyberattacks would result in counterattacks and most likely in expanded support for Ukraine and possibly new sanctions. Seen from the Russian point of view, they might be able to stage a demonstration, but the real impact would be limited and symbolic, while the retaliation they would suffer could be much worse.
Depending on the course of the war, the conflict may escalate further. When performing a cyberattack you also reveal your knowledge and your attack methods to the opponent. Many cyberattack methods are one-time tools that are no longer effective once they have been seen, because the vulnerabilities get patched and the tooling gets detected. In the current situation, Russia most likely prefers to keep some tools in reserve for use in an escalating conflict.
This is, however, no reason to lower our defenses. It should instead be seen as an opportunity to get defenses in place, as the cyber threat can be expected to continue. The situation could suddenly escalate, and the Russians might decide to carry out symbolic attacks that bring them value. Russia has also spent a fair amount of time and resources bringing the criminal groups under control. These groups could most likely be used to target specific organizations while the Russian government denies any involvement. Companies and governments must stay vigilant about their exposure to cyberattacks, to ransomware and to disinformation campaigns.
Attacks against Russia
The final surprise in the conflict so far has been the level of attacks directed against Russia. When the Russian invasion started, Ukraine chose to set up the Ukrainian IT Army, which is essentially a volunteer army of IT specialists helping Ukraine attack Russia. Ukraine controls this army to some extent, instructing it on what to target. At the same time Anonymous, the large, loosely organized hacktivist network, declared war on Russia and called on all its supporters to attack Russia.
This combination has resulted in Russia being hit with some of the most serious cyberattacks ever directed against a single country. These have caused widespread outages of various services, primarily government and financial services, but a lot of data theft, leakage and defacement has also taken place. There have been many website defacements, as well as incidents such as the displays on electric car chargers being replaced with anti-Putin messages.
The level of success these groups are having is remarkable considering their quite loose organization, and the fact that their members are primarily volunteers from around the world, with only a small minority being Ukrainians.
It seems that Russia has been quite poorly prepared for cyberattacks in general, so the consequences have been serious and far-reaching. This may also be a consequence of not normally being attacked, as Russian criminals usually do not attack Russians. It only emphasizes the importance of being prepared for cyberattacks.
More learnings to come
This conflict is far from over, and there are certainly many more lessons ahead. But some of the observations so far are already important, including the value of being realistic about cyberattacks, and of preparing and exercising the defenses accordingly.