Russia bombards Ukraine with cyberattacks, but the impact appears limited
Russia bombards Ukraine with cyberattacks, but the impact appears limited
WASHINGTON — On the afternoon of Feb. 23 last year, Robert Lipovsky and his team of cybersecurity researchers were glued to the television, watching as tensions were rising between Russia and Ukraine.
But the team, from the Slovakian cyber firm ESET, kept one eye on the telemetry streaming into their servers, automatically recording activity happening on customers' devices in Ukraine.
ESET is one of the cybersecurity firms with the most customers in Ukraine, whose researchers were one of the first to discover Russia's attacks that took down Ukraine's power grid years earlier. They were expecting Russia to attack.
That's when they saw something suspicious — what turned out to be a malicious bit of code designed to wipe away data on Ukrainian government and private sector devices.
"We were on top of it, we were analyzing it until late at night, knowing it was a big deal, but actually realizing the full significance only the next morning when we saw the news that the invasion had started," Lipovsky told NPR.
In the midst of analyzing, ESET started tweeting about the wiper attack, getting the information into the world.
That's when Juan Andres Guerrero-Saade, a researcher at Sentinel One, caught in a "painfully boring corporate conference," saw the post.
"It just changed the rest of our day completely. My whole team was ordering Chinese food in some room somewhere until 6 in the morning, analyzing the malware, live-tweeting the content we found and looking for other samples and making sure we had defenses in place," he told NPR.
These are just two of the private cybersecurity companies that have worked closely with Ukraine to defend its systems against an onslaught of Russian cyberattacks. That partnership has largely been productive, preventing damage that many anticipated would hamper Ukraine's ability to defend itself before and during the invasion.
But the pressure isn't letting up. A year after Russia's full-scale invasion of Ukraine, Russia continues to make use of all the tools in its hybrid warfare strategy, including cyber weapons. At times, they've been partnered with physical attacks, or aimed at lurking inside Ukrainian servers to spy and gather information. Meanwhile, cybercriminals with ties to Russia and digital volunteers rising up to defend Ukraine complicate things even further.
The impact of cyberattacks has not been clear. But Russian and Ukrainian successes and failures using digital tools to wage war will likely be instructive for both future conflicts and times of peace.
Speaking with over a dozen cybersecurity experts who have been directly involved in the digital side of the war, it is clear that Ukrainian resilience has played a key role in minimizing the damage of cyberweapons. That defensive strategy could help the U.S and others protect critical infrastructure and sensitive data in the future.
The power of a good defense
When Russia didn't successfully knock out the power across Ukraine in advance of its full-scale invasion last February, speculation ran rampant that perhaps cyberattacks wouldn't be as influential as were first expected. That conclusion has largely been accurate, but it's not for lack of trying, according to cybersecurity experts interviewed by NPR.
In the hours before the Russian military crossed into Ukraine, Russian hackers launched wiper attacks designed to destroy data at Ukrainian agencies and companies, attempts to disrupt satellite communications, disinformation campaigns, and denial of service attacks against financial and banking websites in Ukraine.
Those attacks were "really disruptive for Ukrainian organizations," said Ryan Olson, the vice president of the threat intelligence team at Palo Alto Network's Unit 42. They contributed to an atmosphere of panic and unrest.
For Olson and others, the belief was that Russia would preface an invasion with flashy cyberattacks, but not necessarily destroy infrastructure. That's because the expected outcome from Moscow's perspective was a quick takeover. Keeping infrastructure intact would be important to ousting Ukrainian leadership and absorbing the country into Russian control.
When those plans went awry, Russia had to adapt on the battlefield and in cyberspace.
Cybersecurity researchers are confident in the fact that Russia has not let up on aggression in cyberspace since that early phase of the war.
According to a new comprehensive report by Google's cybersecurity firm Mandiant, hackers linked to the Russian government have shifted most of their attention and resources toward the war, particularly Ukrainian government and military entities, critical infrastructure and NATO allies.
Wiper attacks continued throughout the spring and summer of 2022 and resurfaced in late fall and early winter.
In 2022 alone, Google claims to have disrupted over 1,950 Russian information operations, which have primarily been focused on "maintaining Russian domestic support for the war in Ukraine." Additionally, the Ukrainian State Special Communications Service of Ukraine reported the number of cyber incidents in Ukraine tripling in 2022.
While that activity has kept defenders in Ukraine and around the world busy, the impact appears to have largely been limited. Most experts attribute that at least in part to Ukraine's ability to protect, absorb and quickly recover from attacks.
"The Russians were every bit as aggressive as we expected," explained Brad Smith, the president of Microsoft. "But the reality is, thanks in part to the resilience of Ukraine and the advance in cybersecurity technology, the first year of this war, at least, defense has proven to be far stronger than offense when it comes to attacks in cyberspace."
Some of those strategies included moving data to the cloud and to data centers outside of Ukraine. That way, the data was protected from destructive attacks. Meanwhile, at the same time, private companies like Microsoft and Google were able to have better visibility into Ukrainian networks and detect intruders before they can launch an attack. Ukrainian government agencies originally relied on data centers kept locally but quickly pivoted to cloud infrastructure at the beginning of the war, according to experts who have worked with them.
Additionally, Ukrainians have been excellent at sharing information between the public and private sectors, making it possible to quickly respond when something goes wrong, explained Matt Olney, the director of Threat Intelligence at the cybersecurity firm Cisco Talos. "Ukraine has been experiencing pretty substantial attacks from Russia for years before this," he said. "And Ukraine has learned the lessons that they needed to learn."
Continuation of a long war
For Ukrainians, including those working in cybersecurity, the war didn't start in February 2022. It began in 2014 when Russia invaded Crimea. Russia used cyberattacks to successfully take down Ukraine's power grid in 2015 and 2016, then launched a virus in 2017 that corrupted the networks of Ukrainian banks, newspapers and other companies. That virus, NotPetya, spiraled out of control and cost companies around the world billions of dollars.
Joe Slowik, who manages threat intelligence operations for the cyber firm Huntress, argues that Ukraine was never a "test lab" for Russian cyberattacks preparing for an eventual war. It's always been part of a "persistent, consistent campaign of disrupting Ukrainian critical infrastructure," he said.
One piece of evidence for that assertion is Russia's adaptation of previous attacks in the last year. For example, Russian hackers adapted a piece of malware researchers have named "Industroyer," previously used to knock out power across Ukraine. Last spring, cybersecurity researchers discovered the malware, with some updates, on the network of a Ukrainian electricity provider. Ukrainian defenders quickly partnered with the cybersecurity firm ESET to track the infection, and the Russian hackers were unable to trigger a third blackout. By discovering the similar malicious attack early, Ukrainian defenders were able to prevent it from being deployed.
Additionally, researchers noted that Russia's use of digital attacks during the war have actually been careful to remain targeted, unlike some previous attacks. In 2017, the NotPetya worm not only hit Ukrainian businesses and wiped data, but ultimately infected companies around the world. A similar attack during the war could have led to additional support for Ukraine, or be considered a direct act of aggression against Ukraine's allies including those in NATO. While some Russian phishing attacks and intelligence gathering operations have targeted NATO countries, destructive attacks have been limited outside Ukraine.
Ukrainian defenders aren't the only ones who have learned from these attacks. As Russian troops began amassing on Ukraine's border, companies with bad memories of NotPetya were quick to contact cybersecurity experts to help them increase their defenses early.
Cybersecurity aside, experts are cautious to keep things in perspective. When digital attacks on the power grid have failed, Russia has launched missiles that have been far more destructive.
"We should take a step back and realize that people are dying right now," said Joe Slowik of Huntress. "And it's a pretty nasty conflict that's emerged with cyber taking a role, but not remotely a leading role in what we've observed thus far."
Olson of Palo Alto Networks agreed: "Compared to kinetic war, the cyber impact has been very, very small."
Researchers continue to make new discoveries about how Russia is using digital intrusions not only to cause destruction but also to gather intelligence. These discoveries will likely change the academic discussion around so-called "cyber warfare."
For example, in January, Google's Mandiant discovered a Russian hacking group known as Turla had been active in the war without being detected, by making use of an older malware called Andromeda, which was spread through infected USB drives. The older malware and criminal infrastructure allowed the Russian spies to hide their activities and gather intelligence in Ukraine.
"Another interesting part here is that you see this interaction between the criminal capability and the nation state cyber capability," explained John Hultquist, the vice president of intelligence analysis at Google's Mandiant. More and more often, the cyberthreat landscape has been commoditized, explained Hultquist.
So it's getting easier for anyone to essentially purchase and repurpose different components of cyberattacks, including access to infected devices. This makes it even harder to directly link criminal hackers in Russia and nation-state employees — another key element of the chaos of wartime. These kinds of operations also demonstrate how Russia has had to prioritize covert access to Ukrainian systems to gather intelligence, rather than potentially risking that access for destructive attacks.
According to Google and Mandiant, the cybercrime landscape has been a complicating factor in the war overall.
Attackers in Eastern Europe have enjoyed a safe haven from prosecution, particularly when their attacks are in line with Russian government aims. But "war has split the loyalties of financially motivated attackers," wrote the authors of the company's new report. It's not as straightforward as all cybercriminals in Eastern Europe rallying to Russia's cause.
After the prominent cybercrime group Conti declared its allegiance with Russia at the beginning of the war, it actually led to internal divisions and a massive leak of internal chat logs, eventually causing the group to shut down.
Additionally, there's been an increase in ransomware attacks in Russia itself, according to Google and Mandiant. Even so, tools used by cybercriminals have been repurposed to target Ukraine, suggesting some connection, direct or indirect, between individual actors and Russian state goals.
The role of the IT Army
A unique element of the war in Ukraine has been the volunteer cyber forces that have been directly and indirectly involved in the conflict, including both an amateur, unsophisticated group that coordinates over Telegram, the IT Army, as well a more professional, organized, volunteer cyber army.
Stefan Soesanto, a senior researcher at the Center for Security Studies at ETH Zurich, has studied both groups in detail throughout the war and has been fascinated by the freedom by which average citizens have been able to participate.
According to Soesanto, the IT Army now allows volunteers to download tools that help them automatically launch denial of service attacks against unknown Russian targets. While those attacks are never hugely destructive or impactful in the long term, it has allowed a large number of inexperienced people to contribute. Meanwhile, the team of experienced volunteers has been supported by the government and allowed to conduct more sophisticated operations.
Soesanto says the outside research community still has a lot to learn about the volunteer groups and their functions, but also wonders whether there will ultimately be consequences for volunteers, during the war or afterward.
"I don't know what the standard will be for what the difference between a hacker and a cybercriminal is," he said. "We really have to figure out how we deal with the IT Army."
Lessons for future conflicts
Regardless of whether or not volunteer cyber operations are somehow defined in international law, Soesanto expects the IT Army to be a model that other countries will follow, particularly those who can't afford to train official military cyber operators. "I think a lot of militaries and other governments are learning quietly how Ukraine is surviving this conflict and how they're able to stand up," he said.
Soesanto says he expects countries like Georgia and Moldova, which have Russian troops on their territory, will take note.
But officials farther away are also watching. "For Taiwan, it's about turning to the Ukrainians and learning everything they can to defend themselves," Soesanto added.
Ukraine's overall digital defenses and ability to recover from attacks will be a very useful model for any country facing digital assaults, but particularly those like Taiwan that could face invasion from China.
Taiwanese officials have already invested in building a system similar to Elon Musk's Starlink to bolster communications infrastructure, in light of the war in Ukraine.
Additionally, just because Russia was unable to successfully deploy meaningful cyberattacks in advance of its invasion doesn't mean those tactics wouldn't work in another conflict.
"It doesn't take if off the table for future conflicts," said Olson of Palo Alto Networks. "There's always the potential to launch these cyber attacks that are very impactful, have a relatively low cost, and can be done with a type of anonymity that just isn't possible in the kinetic world."
Ultimately, Olson says, it "depends on the aims of the country and what they're trying to achieve."
The long tail of digital attacks
Microsoft's Brad Smith also told NPR that the impact of Russian digital attacks has been limited. However, in the chaos of war, it is hard to fully distinguish what damage has been done and what's been lost, particularly in the days before Ukraine transitioned to the cloud.
There are still a lot of unanswered questions about exactly what damage has been done to Ukrainian systems thanks to cyberattacks, including early wiper attacks.
"If I'm completely honest, I think we know next to nothing," says Juan Guerrero-Saade of Sentinel One. "I have more questions than I have answers." Attacks could have been as trivial as a local library losing access to their records of who has borrowed a book, or as concerning as losing "a critical database of service members or family registries," he continued.
For American attorneys and Ukrainian officials asking the International Criminal Court in The Hague to determine whether Russian cybercrimes are war crimes, those specifics will be important.
Ukraine's chief digital transformation officer, Victor Zhora, has publicly argued that Russian cyberattacks should be considered war crimes. He said that digital support for kinetic strikes against civilians "can be considered as war crimes," in an interview with Politico. In at least one example, the Russian military simultaneously shelled a thermal power plant while launching cyberattacks against their networks.
"We can't assess which of these were genuinely, deeply impactful, meaningful, maybe irrecoverable, maybe unforgivable in their effects versus temporary inconveniences," said Guerrero-Saade.