As Russia faces major defeats on the physical front, worries over its cyber capabilities remain: can the Kremlin still opt for a full-scale cyber war with Ukraine instead?
While countries often use the help of nation-state “cyber warriors” to conduct digital operations on their behalf, it’s not uncommon for hackers to back states in conflicts. For example, the hacking group Anonymous has declared a cyber war on Russia following its invasion of Ukraine. Russia also has its supporters: the pro-Kremlin hacker collective Killnet has been engaged in a wide spectrum of attacks on countries, entities, and organizations critical of the Russian government.
These, however, are mostly isolated cases that tell us little about the overall digital posture and cyber preparedness of Russia and Ukraine. Both countries are taking the “cyber war” seriously. Russia’s cyberattacks on Ukraine’s systems often coincided with its kinetic attacks on the country’s infrastructure with the help of its National Cyber Army. What is more, researchers discovered data-wiping malware in Ukraine days before the invasion, suggesting that pro-Kremlin hackers already knew that tensions were about to escalate.
And yet, many were surprised that Russia failed to cause any critical damage to Ukraine’s systems, with only one successful cyberattack on the country’s infrastructure recorded since the invasion. Does this suggest that the Kremlin was ill-prepared to wage war on the cyber front, or is there more to worry about going forward?
Mykola Volkivskyi, International Relations Expert, Founder of the Foundation for the Development of Ukraine in Poland, and Artem Oliinyk, Political Scientist and Researcher at the Academy of Political Science of Ukraine at Coventry University, shared their take on the ongoing cyber war between Russia and Ukraine, exploring the enemy’s digital potential.
How does Russia use cyberattacks to wage war on the cyber front?
Mykola Volkivskyi: For the Russians, cyberattacks remain a means of intimidation, a war against the civilian population, a method of sowing panic and spreading chaos. The cyber groups of the Russians are considered the last elite units of the army, as the landing forces, aviation, and modernized tank groups have been destroyed or suffered powerful losses. The time for the restoration of these forces will be considerable - sometimes decades if we are talking about the hypothetical restoration of the potential of the aviation industry or sea vessels. So, yes, the cyber army of the Russian Federation is a non-standard military group that received and continues to receive tasks of a specific nature.
If on the eve of war Russian cyber troops were mainly engaged in espionage, recruitment, and blackmail, today the nomenclature of their tasks has transformed: they mostly carry out attacks, spread viruses, try to create obstacles for communication systems, find data on the deployment of military units, and more. Based on this, it cannot be said that attacks have stopped or that the danger from cyber forces is negligible.
Unfortunately, it will not be possible to completely protect against them or to neutralize their influence on the conduct of war – these groups are constantly looking for weak points that can be struck by physical, not digital, tools. In any case, the conditional utility coefficient from Russian cyberattacks is very low, given the non-fulfillment of the absolute majority of set goals. I am convinced that even after the end of the war, the threat from such persons will remain. Therefore, Ukraine’s national security [depends on] strengthening the ability to respond to such attacks by state institutions. Ignoring this problem would be a big mistake for us.
Have you noticed changes in the frequency/nature of cyberattacks on Ukraine since the beginning of the war?
Mykola Volkivskyi: The Russian Federation does not stop attempts to carry out both individual and planned systemic attacks against Ukraine. Thanks to effective international sectoral cooperation, allies work closely with Ukraine to support and strengthen cybersecurity. Moreover, this applies to both the US and Britain, which are extremely effective in helping our country repel Russian attempts to inflict maximum damage. In the end, the planned attacks that took place on the day of the full-scale invasion and the following, most dramatic, days of the war had no results. To the world's surprise, the banking system, telephone and internet connections, television, and other things did not fail – the stability of the system was ensured by the forces of both Ukrainian and allied fighters on the cyber front.
We can say that on the eve of war and at its beginning, the number of attacks increased significantly compared to the same period last year. There is no exact data, but we estimate that the number of attacks increased at least ten times in the first days of the invasion. At the same time, the Russian attacks did not stop thereafter – their intensity varied, depending on the circumstances at the front, the timing of the advance, specific dates, and so forth.
Today, these attacks are taking place, and the danger of paralyzing our networks remains. However, due to coordinated work, it is safe to say that the risks of a possible mass shutdown are low. All hope lies in the professionalism and experience of Ukrainian fighters, thanks to which not only are our territories constantly liberated but also civil life continues for millions of people throughout the country.
Microsoft reported that in the hours before the invasion, the Russian Main Intelligence Directorate (GRU) threat group Iridium used the FoxBlade wiper on hundreds of Ukrainian military and government networks. Was this part of the botched "blitzkrieg" plan that many are talking about?
Artem Oliinyk: The Russians planned to launch multiple physical attacks on computer network nodes and data storage facilities in full support of cyberattacks on systems that were supposed to fail or be in a shaky state. Thanks to the pre-war preparations of Ukraine, it was possible to deposit most of the important critical information in European centers, where there is a guarantee of the preservation of extremely important documents of government and other institutions, and state enterprises.
It should be recognized that even with the successful destruction of the nodes in Ukraine, which were located in the zones of political centers, the Russian Federation would still not have provoked a long-term national collapse in Ukraine. The first mass attempts to invade cyberspace occurred a day before the invasion, on February 23, but failed. The rapidity of Russian tactics consisted of the paralysis of structures with attacks on military infrastructure objects and the rapid seizure of Ukrainian territory with the elimination of the top military-political leadership in Kyiv.
All this could not be done thanks to the heroism of the Ukrainian people, who decided to resist the invaders at all costs. So the attempts of the Russians to “put down” military, government, communication, and other networks at the beginning of full-scale war were unsuccessful due to the opposition of Ukrainian cyber specialists and foreign colleagues, who did not allow the country to be brought to a standstill during the most difficult period of the invasion.
In part, we can talk about the failure of the Russians in the cybernetic space, but this failure was ensured by the high professionalism of Ukrainian fighters, and we cannot completely ignore the danger from Russia in this area in the future.
Some experts believe that since the February invasion, the number of cyberattacks on Ukraine appears to be lower than expected. Why so?
Mykola Volkivskyi: These estimates are very superficial. First of all, we do not currently have access to information about the current situation with the number of cyberattacks. It is clear that these are definitely hundreds of moderate and even thousands of small attacks that were recorded or repelled by Ukrainian troops. Secondly, the widespread assessment of cyberattacks is based on the experience of the impact of such attacks, which was on the eve of a full-scale invasion, and in 2017, for example [the global NotPetya ransomware attack, which disrupted the work of websites and organizations in Ukraine, as well as across Europe, Australia, the UK, and the US.]
In fact, people may have had the false impression that Russia did not make any attempts to disable Ukrainian systems or that their attempts were limited to a few isolated cases. It must be said clearly: there was a large number of attacks, and their repulsion was the result of Ukrainian opposition to Russian attempts to destabilize the entire state system. Therefore, I cannot agree with other experts who believe that the Russians have decided not to act against Ukraine. Such attacks continue even now, and they will intensify to affect the energy-supply system and cause a humanitarian catastrophe in Ukraine. Therefore, one should not underestimate the Russians' attempts to cause us even greater harm.
Does Russia focus primarily on cyberattacks on Ukraine, or other countries as well?
Artem Oliinyk: Ukraine has become one of the record holders for the number of cyberattacks [sustained] in recent world history. Even if it is not first place, it is definitely top five. But before the start of the full-scale invasion, there was a lot of training and practice of techniques. You may remember how our banking system was paralyzed, government websites were hacked before, and so on.
Some of the professional Russian employees belonging to the cyber forces acted as an international unauthorized hacking group. This is a common tactic, to deflect blame from the Kremlin and convince the international community of the self-initiative of such hacker associations.
In practice, however, attacks took place regularly against many states. For example, there was a cyberattack on Poland to obtain secret data on the current state of its defense capabilities: information about weapons, repairs, procurement of goods, problems with weapon samples, the amount of ammunition, and such like. Interference in the election process in the USA, and the 2016 [Brexit] referendum in Great Britain, and interference in other electoral cycles, clearly demonstrate how diverse the goals of Russia's cyber forces are.
Of course, espionage is carried out in Asian countries as well. The same can be said about the Baltic states, Romania, Italy, and other states. Ukraine remains a priority target for Russian cyber warfare, but Moscow does not cease to be a threat to other countries around the world.
What does the Kremlin aim to achieve with cyberattacks? Can it help Russia advance on the physical front, or is it more a tool of political pressure?
Artem Oliinyk: The main targets for the Russians are systems whose failure would have the greatest impact on society, causing significant regional or national instability. Fortunately, the absolute majority of attacks are repulsed, and the Russians do not gain an advantage by stopping the usual activities of cities, villages, regions, and districts. However, energy facilities, distribution stations, and operational points from where local and regional networks are managed remain targets. It is much more ergonomic to turn off the power supply, reduce voltage level in a network, or launch a virus into a control system that will prevent operators from controlling the processes than hitting all the points with missiles that are finite in nature.
In addition, priority targets include components of the banking (financial) system, web portals of state institutions, logistical arteries of media distribution, and all platforms that can be used to spread fakes. At the beginning of the war, the danger of posting fake messages on behalf of government agencies on official web portals could adversely affect millions of people due to shock and poor orientation. However, such a provocation today will not be able to provide the desired effect, because the defeat of the Russian army is well known.
And it is not necessary to hope for the satisfaction of set goals. At the same time, attacks on the banking sector or energy facilities will not stop – the enemy will try to paralyze Ukrainian networks for hours or days. All these actions are not directed against the military, but against the civilian population: therefore it is impossible to separate direct war crimes from indirect ones [those] carried out by cyber terrorists of the Russian army [and those perpetrated by] engineers and sappers who blow up infrastructure facilities or maintenance workers on planes and helicopters. There should be no distinction – a cyber terrorist from Russia is a criminal who should be brought to justice after the end of the war.
How would you describe Russia's cyber readiness for digital warfare? How does it compare with Ukraine in terms of cyber capabilities?
Mykola Volkivskyi: The Russian Federation has achieved good results in training and using its fighters to carry out operations: recently, they managed to steal a lot of data, influence the results of elections and plebiscites, and threaten the regular functioning of systems that we depend on.
As for individual cases, the Russians have occasionally achieved their goals there. It should be understood right away that these were independent hacker groups and not structural divisions of the Russian special services. If you look at it from this angle, the success of operations was determined by the insufficient readiness of national governments to resist targeted cyberattacks using the resources of entire states. Since 2016, the situation has gradually changed [until it is] beyond recognition: today, Russia’s attempts to penetrate and influence the course of events are quite insignificant. Will they be able to arrange some large-scale provocation or take control of one of the major industries? The chances are extremely low.
And now the other side of the question. Provided there is another professional counter-group, the Russians will lose. In other words, it can be concluded that Russia is ready only for certain operations where it will remove any form of responsibility for the consequences. At the same time, its readiness to fight against competitive cyber armies is too low, and defensive tactics are very poorly practiced. It can be said that if the need arose, for example, the American, British, or German cyber forces would be able to perform their tasks in Russian space without much difficulty.
In your opinion, has Russia already fully developed its cyber potential, or does Ukraine still have something to be ready for?
Artem Oliinyk: Russia, like us, is learning lessons about the war. Of course, on propaganda channels or in the statements of officials dependent on the Kremlin, they will not openly admit what steps they will take next. I think that thanks to the reorientation of markets and certain agreements with autocracies, the Russians will be able to obtain technologies and develop some of their inventions. Together, they will have the potential to pose a threat to Ukrainian systems.
Unfortunately, Russia is not yet completely isolated, and Western technology still reaches it through countries that help circumvent sanctions. A scenario involving cyber troops and their use with high intensity against Ukraine is possible. Based on this, it is too early to talk about the limit of the enemy's cyber potential, because it can still cause trouble for Ukraine.
Even in the case of a quick end to the war and the provision of security guarantees to Ukraine, the cyber sphere will remain an unregulated one in practice, from where the Russians can regularly strike at us. Taking into account the news about the increase in allocations to Ukraine for the fight against cyber threats, it is clear that European partners, who are watching Russian plans, are aware of the dangers. In any case, Ukraine should develop its cyber countermeasures and act in advance. Given the maniacal plans of the Russians, Ukraine cannot afford not to perceive this threat, which could hit us hard and spread to neighboring states.
I believe that Ukraine, as part of the Atlantic security system, will be able to effectively resist these threats and carry out its operations in the enemy's cyberspace with high intensity.