The Hidden War in Ukraine

As Russia massed troops on the Ukrainian border in February, analysts hypothesized that this war would be the first example of the war of the future. Russia would begin its assault with massive, disruptive cyberattacks—the modern equivalent of eliminating air defenses before a bombing campaign. But as the kinetic campaign began, Ukraine’s command and control capabilities were largely uninterrupted, and only minor disruptions to government functions occurred.

With only limited reporting of cyberattacks and outages, those same analysts were left speculating. Rather than cyber war changing the face of conflict, did Russia’s seeming ineffectiveness in the cyber domain prove that cyberattacks are merely an inconsequential complement to kinetic power?

Not quite. More information has emerged in recent weeks, and it points to a thrilling, behind-the-scenes story that will shape war in the future. Before, during, and after the invasion, Russia conducted a sustained campaign of cyberattacks against critical Ukrainian sectors, but most of those attacks proved ineffective. The implications are significant: First, defense works, particularly allied defense. Second, conducting effective cyber operations is challenging, but, despite those challenges, cyberattacks will be a growing feature of modern warfare. 

A hidden, parallel cyber war has been taking place, with cyberattacks targeting a range of Ukraine’s infrastructure. In the months before the invasion, the following attacks commenced:

  • In mid-January, Ukraine’s largest gas retailer reported that it was the victim of a cyberattack. Oleg Nykonorov, CEO of Regional Gas Company, wrote on Facebook that his IT staff had “fought like lions” and stopped the attack before any damage could be done.

  • On February 10, likely Main Intelligence Directorate (GRU) actors attacked at least 21 companies, including Chevron, Cheniere Energy, and Kinder Morgan, involved in the production, exportation, and distribution of liquified natural gas.

  • A week before the invasion, a DDoS attack disabled the defense ministry’s websites, along with two of Ukraine’s largest banks.

Then, concurrent with the start of kinetic hostilities, Ukraine suffered a series of attacks aimed at government and telecommunications:

  • The day before the invasion, on February 23, a new set of attacks emerged from Russia, which Microsoft dubbed HermeticWiper/FOXBLADE. Microsoft president Brad Smith said, “Within three hours of this discovery, signatures to detect this new exploit had been written and added to our Defender anti-malware service, helping to defend against this new threat.”

  • The day of the invasion, actors believed to be Russian deployed another wiper attack—IsaacWiper—targeting Ukrainian government networks. In an intriguing development, two days later, the operator dropped a new version, perhaps seeking to increase the effectiveness of the first.

  • Also on the day of the invasion, satellite internet provider Viasat saw widespread communication outages. Some of those outages took weeks to resolve and left Viasat KA-SAT modems inoperable in Ukraine. The attack had other downstream effects, causing the malfunction of 5,800 Enercon wind turbines in Germany and disruptions to thousands of organizations across Europe.

  • Meanwhile, Ukrainian telecom company and major broadband provider Triolan suffered an attack that reset computers to factory settings, disrupting communications.

  • On February 25, the day after the invasion, Russian Federal Security Service (FSB)-linked hacking group Primitive Bear, also known as Gamaredon, launched a mass phishing attack on the email accounts of Ukraine’s computer emergency response team and some Latvian officials. Victor Zhora, the deputy chief of Ukraine’s State Service of Special Communication and Information Protection, said the attacks aimed to disrupt critical services but caused little to no damage.

The attacks continued through March and April:

  • On March 1, the same day Moscow targeted Kyiv's TV tower with kinetic strikes, media companies in the capital were hit by destructive hacks and cyberespionage.

  • In early March, the city of Sumy experienced electricity shortages, likely linked to suspected Russian cyber activity on critical infrastructure networks, which Microsoft identified in late February.

  • On March 7, a team out of Belarus, dubbed Ghostwriter, that is closely linked to Russian operations installed a backdoor on Ukrainian government systems.

  • On March 9, telecom company Triolan suffered a second attack.

  • On March 14, researchers discovered a fourth wiper malware, dubbed CaddyWiper, embedded on a few dozen systems.

  • On March 17, Ukraine’s Computer Emergency Response Team (CERT-UA) released an alert about a new wiper variant, dubbed DoubleZero, being used to target Ukrainian entities. This fifth wiper campaign was first observed when threat actors used phishing attacks to deliver the malware.

  • On March 20, suspected Russian actors InvisiMole, a group with suspected ties to the FSB, established the LoadEdge back door on Ukrainian organizations, allowing them to install surveillance software and other malware.

  • On March 28, a cyberattack hit Ukraine’s national telecommunications company, Ukrtelecom. Perhaps the most severe cyberattack since the start of the Russian invasion in February, it sent the company’s services across the country down within about five hours. The incident led to significant internet outages across Ukraine. At its low, network traffic was at 13 percent of prewar levels. The company’s chief executive, Yuriy Kurmaz, issued a statement saying: “In order to protect the critical network infrastructure and not interrupt services to the Armed Forces, other military bodies and users of critical infrastructure, we were forced to temporarily restrict internet access to most private users and business customers.” Services were restored about 15 hours after the attack.

  • On April 13, Ukrainian officials claimed they foiled a massive GRU attack on a power company—an attack that seemed strikingly similar to the attack that took down large portions of Kyiv’s grid eight years ago. The GRU (Sandworm) implanted the necessary malware in February, but waited until April to conduct the attack, the timing perhaps coinciding with Russia’s reappraisal of its entire warfighting strategy.

This list is the tip of a very large iceberg. Ukraine’s State Service of Special Communication and Information Protection reported that, between March 23 and March 29, 65 cyberattacks occurred on Ukrainian critical infrastructure. Microsoft confirmed that between the start of the war and April 8, Russian-backed hacking groups had launched more than 200 cyberattacks against Ukraine, 37 of them destructive. The 37 discrete destructive attacks “permanently destroyed files in hundreds of systems across dozens of organizations in Ukraine.” Microsoft further reported in its paper that “threat groups with known or suspected ties to the GRU have continuously developed and used destructive wiper malware or similarly destructive tools on targeted Ukrainian networks at a pace of two to three incidents a week since the eve of invasion.”    

Looking at the pattern of attacks, the Russian goals seem straightforward: undermine public confidence in Kyiv’s leadership and disrupt sectors that allow for movement of armies, money, and people. The Ukrainian Ministry of Defense, CERT, and communications providers make tactical sense as targets—all are critical to prosecuting the war. Taking the Ministry of Foreign Affairs offline would complicate Ukraine’s ability to secure support from global partners that has proven so critical in this fight. On the economic side, the oil and gas markets, too, are a clear tactical objective, because Russia would prefer a monopoly on oil and gas and a Ukrainian military without it. Additionally, undermining confidence in the Ukrainian banking system might have been intended to distract the government and prevent people from withdrawing the funds necessary to flee, trapping many would-be hostages in its cities. Finally, the attack on the power grid could have been disruptive for the entirety of Ukraine, from the military down to internally displaced populations. 

Lessons Learned

While there was certainly a wide spray of attacks, only a few had a measurable impact on Ukrainian operations. The Viasat and Ukrtelecom attacks caused communications outages, but still did not severely damage Ukraine’s ability to coordinate its forces. Other sectors suffered attacks but recovered reasonably quickly. Internet services in Ukraine have shown only a 16 percent reduction in connectivity during the conflict, according to researchers at the Georgia Institute of Technology’s Internet Outage Detection and Analysis project. In this new playbook for modern warfare, the first chapter fizzled.

Three factors contributed to Ukraine rebuffing the attacks of a talented, well-resourced Russian government:

  • Ukraine has a better team. In January, well before the invasion, NATO Secretary General Jens Stoltenberg hinted, strongly, that NATO’s cyber warriors were sharing information with Ukrainian officials and that some were even supporting Ukraine “on the ground.” NATO and Ukraine eventually signed an agreement “on enhanced cyber cooperation” that included “Ukrainian access to NATO’s malware information sharing platform.” Separate from NATO, CYBERCOM’s “hunt forward” initiative has strengthened partnerships on cyber defense. In May 2022, CYBERCOM reported that it had conducted 28 “defensive cyber operations that are intel-driven and partner-requested” in 16 countries, including Ukraine. General Paul Nakasone, the head of CYBERCOM, said in an interview with Sky News, "We've conducted a series of operations across the full spectrum; offensive, defensive, [and] information operations." Sharing data with allies about an adversary’s tactics, techniques, and procedures is critical. Knowing how to harden defenses, and against what, keeps us a step ahead.

  • Diversified infrastructure helped. As of 2019, Ukraine had over 1,500 active broadband ISPs, and Ukrainian networks are broadly connected to multiple countries on its borders. In Ukraine’s light regulatory environment, providers are free to lay their own cables or rent capacity, leading to connections to hubs in Germany, Poland, Hungary, and Romania. As a result, blocking information is difficult. Finally, much of Ukraine’s telecommunications infrastructure is privately owned. Civilians who kept the infrastructure operating, constantly restoring broken connections, help explain the resilience of Ukraine’s infrastructure.

  • Russia’s effort may have been lacking. Moscow clearly believed this war would be short and easily won. That faulty assumption might have also informed its cyber strategy. Did it commit an equal amount of diligence and seriousness to preparing its cyber operations as it did with its military preparations? Or, because analysts had overestimated Russia’s military capabilities, did they also overestimate its cyber operations? The answer is likely a combination of both. Russia has repeatedly proven itself to be talented, capable, and determined at cyber operations. For example, ESET, the Estonian cyber firm, found evidence that at least two of the wiper attacks were in development months before their deployment. Ukraine is usually Moscow’s cyber sandbox—it tests out operations on Kyiv before rolling them out to the rest of the world, including the United States. In the final accounting, it is likely that both complacent offense and comprehensive defense played a role in defending Ukraine against attempts to gut its capabilities in the cyber domain.

War in the Future?

The Ukraine conflict has largely been fought with infantry and javelins, but we should not let the lessons of the conflict in the cyber domain fall by the wayside. Russia is unlikely to make the same mistakes in a future round of cyber competition, and other near-peer competitors are watching. NATO members and other partners should take note of the following clear lessons:  

  • The fig leaf of deniability is getting thin, but Moscow does not mind. Western cybersecurity researchers were able to quickly attribute most cyber operations in Ukraine to Russian or Belarusian groups. The U.S. government tends to lag behind private sector researchers because of the necessity of being sure; the implications of the government blaming a foreign actor for an attack are considerable. Still, at times, even federal fingers pointed definitively at Moscow. None of that attribution deterred Russian cyber actors from continuing attacks on Ukraine.

  • Naming and shaming does not stop attacks, but it helps mobilize critical alliances. In the runup to Ukraine, the U.S. government and U.K. government declassified information that outed Russian plans, proving Russia was the aggressor and leading NATO allies to assume Russia was lying about everything, including cyber attacks and disinformation. Critical response time was not frittered away with internal NATO doubts or debate, allowing for a strong and united response.

  • Deterrence in cyberspace is not yet real. The critical component of deterrence by punishment—clear and credible retribution for activity—has been weakly applied. For that threat to be real, categories of cyber activity need to be defined and ready to deploy. However, the Ukraine conflict has perhaps given some hope for deterrence by denial, with Ukrainian and NATO defense preventing Russian cyberattacks from causing mass chaos.

  • Cyber operations take time to develop. Those hoping to mount a strong offense must create robust plans and choose targets wisely. Attacks on banks, the electrical grid, and communications infrastructure were disruptive, but not decisive. In retrospect, directing energies at different targets might have been more effective for the GRU and FSB. Had Moscow anticipated that President Zelensky would be a prodigy at crisis communications, it might have prioritized severing Zelensky’s ability to communicate. Similarly, if Russian forces had a dependable communications capability independent of Ukraine’s commercial infrastructure, and had they anticipated the abundance of intelligence and inspiration flowing out of Ukrainian citizens’ cell phones on a daily basis, they also might have prioritized destroying cell phone networks.

  • This is a new front, with new warriors. As scholars struggle to understand the implications of conflict in the cyber domain, there is not a clear comparison to other forms of warfare. Cyber uses different tools and different warriors. Does a cyber operator need to be able to complete a 12-mile ruck march with a 35-pound pack? No. But do they need the physical and psychological toughness to push through exhaustion and lead soldiers on stressful missions? Absolutely. They also need to be crafty, inventive, curious, and determined. Ukraine had an army of volunteer cyber warriors assisting in defense and engaging in offense. They might not have been firing an M-16, but they have proven a key element of the total defense of Ukraine.

  • The front lines are not at the front. If a Ukrainian refugee in Germany decides to steal and leak GRU data, is that individual a combatant? What if the individual manages to replace RT’s news feed and show the Russian people the truth of the Ukrainian war? What if they interfere with Russian army communication links? Is Berlin responsible for their actions? Is Kyiv? The West has tried to hold Moscow accountable for addressing ransomware attacks emanating from Russian territory. What are the expectations when an entity is fighting from territory that is technically not party to the conflict? The laws of war have yet to catch up to the cyber domain.

The story of the Ukraine conflict is far from finished. As sanctions begin to severely constrain the Russian economy and NATO continues to pour weapons and other support into Ukraine, Moscow most likely will look to retaliate against the West economically. This potentially makes U.S. businesses and critical infrastructure inviting targets. As much as Ukraine has learned—the hard way—to cement its defenses against Russian attacks, the United States has only just begun to do so. CISA’s “shields up” campaign is a reminder to all to protect themselves, but the United States has yet to establish doctrine for prosecuting a cyber conflict. It is past time.

Emily Harding is deputy director and senior fellow with the International Security Program at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2022 by the Center for Strategic and International Studies. All rights reserved.

Emily Harding
Director, Intelligence, National Security, and Technology Program and Deputy Director, International Security Program