It’s safe to say that Putin’s invasion of Ukraine hasn’t gone to plan. Russian forces are suffering mounting setbacks, after underestimating the resistance of his adversaries — and that’s just in cyberspace.
The Kremlin’s hacker army – like its conventional military – hasn’t lived up to its fearsome reputation. At least, not yet.
Analysts have offered an array of explanations for Russia’s cyber limitations. They range from upgrades to Ukraine’s defenses to changes in the Kremlin’s tactics.
“Be afraid and expect the worst.”
The early signs were ominous. Ever since armed conflict in the Donbas erupted in 2014, Russia-linked hackers have bombarded Ukrainian IT systems. Their exploits have set several alarming milestones, from the first known power outage caused by a digital weapon to the costliest cyberattack in history.
The lead-up to the full-scale invasion escalated concerns. After January peace talks ended without a breakthrough, hackers splashed a menacing message across Ukrainian government websites: “Be afraid and expect the worst.”
The cyber threat escalated as Russia’s armed forces advanced. As troops prepared to flood across the border, a cyber attack struck a satellite internet network run by Viasat, a US-based communications firm.
Viasat’s services cover both military and commercial markets. On February 24, hours before Russia invaded Ukraine, hackers struck the company’s modems. The attack caused outages for a communication system used by Ukraine’s armed forces, as well as regular consumers. Initial reports indicated the attack severely constrained the military’s ability to coordinate operations. Russia, as usual, denied responsibility.
The incident sparked fears that a catastrophic cyber war had begun. Ukrainian officials, however, recently said the attack had little impact. In September, Victor Zhora, the deputy head of Ukraine’s main cybersecurity agency, said only a backup military communications service had been affected.
“The other ways of communication remained alive… There was no loss of coordination between forces,” Zhora said at the IT Arena conference in Lviv last month.
Nonetheless, the reverberations were felt beyond Ukraine’s borders. Viasat customers in other European states were also knocked offline, as well as routers used to remote control thousands of wind turbines in Germany.
The collateral damage exposed a danger that hacks can pose to their perpetrators: unintended consequences.
Friends and foes
One explanation for Russia’s apparent cyber restraint is that the Kremlin recognizes its limitations — and risks. The Viasat attack provided a powerful example. The spillover affected tens of thousands of internet users across Europe, and as far away as Morocco.
The 2017 NotPetya worm — which was also widely attributed to Russia — spread even further. The malware scrambled the data of companies more than 60 companies and caused more than $10 billion of damage globally.
Not all of these victims were intentionally targeted. Cyber weapons can spiral out of control — which can backfire on the assailants.
Kenneth Geers, an ambassador at the NATO Cyber Center, believes the Viasat hack galvanized Ukraine’s allies.
“Western Europe, NATO, and the EU were sent into alarm mode by the collateral damage,” he said. “That may have been a big mistake… All of a sudden, you’ve got the political level engaged.”
Those allies have been integral to Ukraine’s defenses. While no country has more experience in fighting Russia’s cyber army, international support became increasingly important after the February invasion.
The US, for instance, has provided over $40 million in cyber development assistance since 2017. In 2022, it added another $45 million in supplemental aid to the cause. In addition to the funding, the US has briefed Ukrainian partners on Russian cyber operations, provided hands-on support to essential service providers, and supplied more than 6,750 emergency communications devices. Such growing support for the world’s one true superpower has buttressed Ukraine’s cyber fortress.
“We’ve been strengthening Ukraine’s cyber defenses for years.”
The UK, meanwhile, recently revealed that it had secretly mobilized a “Ukraine Cyber Program” shortly after the February invasion. The British government said the initiative has provided incident response support, limited attacker access, helped Ukraine to harden critical infrastructure, and delivered frontline cyber security hardware and software.
Further assistance has come from both other countries and international organizations.
“We have been working to strengthen Ukraine’s cyber defenses for years, with training, and information and intelligence sharing,” said NATO Secretary General Jens Stoltenberg at a conference this month.
“For example, Ukraine has access to NATO’s malware information-sharing platform. Where experts exchange information about threats and responses in real-time.”
Another key development in Russia’s cyber shortcomings is the growing collaboration between Ukraine with industry.
“This is not simply an alliance of governments,” said Lindy Cameron, chief executive at the UK’s National Cyber Security Centre, in September. “The private sector is also deeply entrenched in the defense of Ukraine.
On behalf of the President Zelenskyy I’m honored to pass the first Ukraine’s peace prize to @Google @Karan_K_Bhatia. Our small express of gratitude. Company proved its bravery and devotion to freedom. As Ukrainians do every single day. Google stands for Ukraine! Just google it 😉 pic.twitter.com/xqJCVHS8IZ
— Mykhailo Fedorov (@FedorovMykhailo) May 25, 2022
The private sector’s involvement has taken many forms. NATO and Microsoft exchange information to mitigate malware attacks; Google has provided threat intelligence; Amazon has helped move 10 million gigabytes of data from servers in Ukraine to the cloud; Starlink has donated satellite internet services.
These relationships have bolstered Ukraine’s already formidable digital defenses.
Ukraine is often described as a testing ground for cyber weapons. These experiences have provided extensive insights into digital warfare.
“This made us stronger,” said Zhora. “We took our lessons from this cyber aggression.”
A powerful example emerged in April. That month, Kyiv said it had thwarted an attack on power substations by the same hackers that caused blackouts in Ukraine in 2015 and 2016.
The escape followed a wave of changes to Ukraine’s defenses. The country has introduced an array of new policies and tactics, from founding a department of cyber police in 2015 to launching a new cyber strategy in 2016. Technical moves have further improved resilience.
The strengthening of networks, for instance, has helped secure Ukraine’s internet, while a transition to the cloud has added data protection. In June, Microsoft said the country “successfully sustained its civil and military operations by acting quickly to disburse its digital infrastructure into the public cloud, where it has been hosted in data centers across Europe.”
The country has also benefited from a so-called “IT Army” of thousands of supportive hackers. At last week’s G20 summit, Ukrainian President Volodymyr Zelensky said the group has foiled more than 1,300 Russian cyberattacks over the past eight months. He pledged to share the insights from these events with allies.
“My good advice to you is to take Ukrainian defense experience in order to guarantee the safety of your people,” Zelensky said. “Ukraine is willing to help. Our security experience is your security experience.”
Despite the impressive defenses, Russia’s limited cyber successes have surprised many pundits. While attacks on Ukraine’s public and private sectors have been common, hackers have largely failed to shut down infrastructure or hurt Ukraine’s military.
Some experts argue that Russia has “burned” its most potent weapons. The NotPetya attack, for instance, would be difficult to reproduce.
“I’m pretty certain [the Russians] wish that they had what they burned during NotPetya,” Matt Olney, director of threat intelligence and interdiction at Talos, Cisco’s threat intelligence unit, told CNN this month.
Another potential constraint is a lack of targets. Ukraine has a lot of old Soviet military equipment, which lacks the digital components required for cyber attacks. The arsenal does comprise a growing range of more advanced systems supplied by allies, but these provide another form of protection.
“I think that there will be some advantages over time to Russia, if Ukraine has more modern or networked weapons,” said NATO ambassador Geers. “The problem, though, is that those weapons have shared intelligence and indicators compromised from dozens of countries now, and I think that that’s going to be really hard for Russia to crack.”
Analysts have also suggested that Ukraine isn’t revealing the full extent of the threat, as doing so could give Russia tactical insights. But perhaps the most significant factor in the limited impact of the country’s cyber warfare is the difficulties of executing successful attacks.
These complexities were highlighted in research by Dr Erik Gartzke, a political science professor at the University of California, San Diego, and Dr. Nadiya Kostyuk, an assistant professor at the School of Cybersecurity and Privacy at Georgia Institute of Technology. In an article published this summer, the duo argued that “cyber war cannot replace traditional forms of combat.”
“Cyber attacks will also often fail to make physical attacks more effective or practical, unless and until each is well coordinated with the other,” they added. “Even then, it will make little sense to coordinate across domains unless each domain is utilized for its primary purposes.’
These issues offer one explanation for the Kremlin prioritizing kinetic assaults on infrastructure. In the digital realm, information warfare can be more straightforward than cyber attacks.
“Breaking things over the internet is hard work and not very productive in political terms,” said Gartzke and Kostyuk. “Much more can be done by collecting and disseminating (dis)information in cyberspace, which can then be used to enhance outcomes in other domains.”
“It could get worse.”
In recent weeks, Russia’s cyber attacks have appeared haphazard. “We continue observing rather chaotic actions, the absence of a particular strategy, and opportunistic operations,” said Zhora.
Yet Zhora emphasized that more targeted cyber tactics could be under development. Indeed, there are growing concerns that Moscow’s failures on the battlefield will intensify the focus on cyberspace.
“Russian generals seem to think that cyber is part of the preparation for war, but when bombs start dropping and missiles start flying, cyber takes the backseat,” said Mikko Hyppönen, a security guru and the chief research officer at WithSecure, a Helsinki-based IT firm. “I believe the cyber situation could still get much worse. Let’s hope it doesn’t.”