Although Russia launched its full-scale invasion of Ukraine on February 24, 2022, the cyberwar began much earlier. Russian cyberattacks are part of an at least eight-year campaign of malicious operations against Ukrainian civilians and critical infrastructure. While some cyberattacks sought to degrade and destroy Ukraine’s energy, transportation, and financial sectors, most were designed to traumatize the Ukrainian population.
These attacks range from Russia’s attempt in 2015 to disrupt Ukraine’s electricity supply to Russian operatives targeting the Viasat satellite company a few hours before Russia’s full-scale invasion and a sustained campaign of disinformation and false narratives to malign Ukrainian identity and sovereignty. Russian state-sponsored hackers are widely known for cyberoperations designed to disrupt and degrade life in Ukraine. Still, Ukraine’s telecommunications and electric grid are functioning, its banks are open for business, and 86% of Ukrainians support integration with NATO and the European Union.
This article addresses the evolution and convergence of the cyberwar with the conventional military domain, highlights trends in Russian cyberattacks and Ukrainian resilience, and recommends ways forward for both Ukraine and the United States.
In 2015, Russian hackers deployed BlackEnergy3 malware to compromise information and data systems at Ukrainian energy companies and turn off parts of Ukraine’s power grid. One year later, Russian hackers launched malware attacks against Ukrenergo, Ukraine’s national grid corporation, exploiting vulnerabilities at a transmission site near Kyiv that resulted in blackouts in the capital.
However, the watershed moment in cyberwarfare came in 2017 with the NotPetya malware attack, which was attributed to Russian state-sponsored hackers. The NotPetya malware, named for its deceptive similarity to the Petya ransomware, far surpassed the 2015 and 2016 cyberattacks in the destruction it caused.
Unlike ransomware, which encrypts files, holds data and information hostage, and then demands a ransom, NotPetya’s objective was severing cyber-physical connections in supply chains, hospitals, and radiation monitoring stations. The malware was propagated through a compromised update to Ukrainian accounting software.
NotPetya was a paradigm shift in the cyberwar threat landscape because it demonstrated the risks and dangers of escalation. NotPetya was contagious, with no immediate way of stopping its spread. The malware masqueraded as ransomware, and its worm-like capabilities caused significant damage within networks by encrypting the Master File Table (MFT) of NTFS file systems.
The sophistication and scale of the NotPetya attack indicated a high level of planning and resource allocation. The use of cyber weapons like NotPetya by state actors such as the Russian GRU has not only escalated tensions in cyberspace but also underscored the need for robust cybersecurity and critical infrastructure protection, as the country was thrust into a grim realization of its digital vulnerabilities.
Although NotPetya damaged government, energy, and financial institutions, Ukraine gained an incredible amount of experience in responding to Russian cyberattacks. Furthermore, the attack underscored the need for a robust cyber defense strategy and catalyzed Ukraine’s rapid efforts to shore up its digital defenses.
In 2021, Ukraine established the National Cybersecurity Coordination Center (NCCC), a reflection of its commitment to coordinating cyber defense policies and combating cybercrime. The NCCC operates as a national headquarters for cyber threat intelligence, coordinating between various governmental and non-governmental agencies for cyber incident detection and response. However, its primary mission is developing a culture of cybersecurity awareness and establishing best practices in public-private collaboration.
In the Wake of NotPetya
As cyber incidents in Ukraine intensified between 2017 and 2021, most were categorized as disruption operations as opposed to degradation operations against critical infrastructure. The Center for Strategic and International Studies describes espionage operations as accessing vital information for short-term objectives and degradation operations as inflicting physical damage on critical infrastructure. Before Russia’s full-scale invasion, espionage and degradation operations represented less than half of the attacks.
Disruption operations include low-cost, low-risk cyber incidents that spread propaganda and disinformation through social media and state media outlets. These include Russia’s use of wiper malware (malicious software that destroys data), digital vandalism, and the defacement of public websites and symbols of Ukrainian identity. They also involved spreading lies about Ukrainians as Nazis and blaming NATO for the war. The Kremlin’s propaganda has maintained that its “special military operation” is designed to “denazify Ukraine” and push back against NATO. In 2022, 57.4% of Russian cyberoperations were classified as disruptive, followed by espionage operations and degradation operations.
Russian malign operations showed a systematic series of disruption operations that, although delivered through digital means, extended far beyond the digital realm. The goal was to interfere and intervene in Ukraine’s social and political landscapes and manipulate and exploit Ukrainian national identity. Coordinated through an organized campaign of lies and distortions, Russia sought to weaken Ukraine’s political system and undermine trust in government. Russia used subtle and covert tactics of disruption to plant doubt and foment social and political discord to chip away at Ukrainian identity. But Russian disinformation operations failed to sway the Ukrainian population.
No Shift in Russian Cyber Strategy
Although the number of cyberattacks has increased from roughly 4,500 in 2022 to an expected 4,800 in 2023, there is no significant shift away from Russia’s malign and disruptive patterns. Why has Russia not launched more espionage and degradation attacks or shifted strategy?
First, Ukraine has improved cyber defense components and industrial controls in critical infrastructure protection. Russia’s cyberattacks against Ukraine’s energy, health, and transportation sectors have increased Ukraine’s experience, knowledge, and awareness in detection, incident response, and resilience. Ukraine’s computer emergency response teams (CERTs) are now more skilled in fending off advanced persistent threats, distributed denial-of-service attacks, and malware attacks from trained Russian hackers.
Also, Ukraine’s cybersecurity strategy has since evolved, placing a strong emphasis on fortifying critical infrastructure and bolstering national security. Ukraine has undertaken a rigorous process of revamping its cyber legislation and creating new bodies charged with addressing cyber threats. For example, in 2022 Russia launched cyberattacks against Kyivstar, a Ukrainian mobile telecommunications operator. While mobile services were disrupted, they quickly recovered and the damage was mitigated because of additional cybersecurity measures and cooperation among Ukrainian telecommunications carriers.
Still, Russia has launched missile and drone strikes against civilian critical infrastructure to cause human suffering. The purpose of these criminal attacks has been to brutalize the civilian population. Russian missile and drone attacks have killed countless civilians, knocked out electricity, and damaged water and wastewater systems. However, they have not fulfilled the Kremlin’s goal of breaking the will of the Ukrainian people.
Second, Ukraine’s national cybersecurity strategy has embraced relationships and partnerships in cyber defense, namely with the U.S., NATO members, and the E.U. In particular, U.S. government departments and agencies have provided Ukraine cybersecurity assistance and expanded access to U.S. cyber resources. The Federal Bureau of Investigation shared cyber threat intelligence with Ukraine’s law enforcement and national security agencies and provided capabilities to combat cyberattacks and disinformation operations.
The U.S. Agency for International Development (USAID) partnered with critical infrastructure operators in the Ukrainian energy sector to identify Russian malware, restore digital services and communications systems after cyber incidents, and build a more resilient electrical grid. USAID also transferred SpaceX-supplied ground-based Starlink data terminals, satellite technologies, and communications systems vital to the Ukrainian military, providing Ukrainians with internet access after their systems were interrupted by Russia’s full-scale invasion. However, Elon Musk would later restrict Starlink access near Crimea after Ukraine targeted Russian ships with sea drones.
Furthermore, the U.S. Department of Energy assisted Ukrainian public utilities with cyber enhancements in the energy sector, and the U.S. Department of the Treasury has worked with Ukrainian financial institutions to improve network defenses in the banking sector. U.S. Cyber Command organized and led hunt-forward operations in Ukraine that included supplying Ukrainian government agencies and businesses with analytic support and data to better understand Russian cyberattacks and increase U.S. homeland defense.
Moreover, American corporations extended cyber assistance to help Ukraine in cyber incident response and restore its electrical grid and financial services in the wake of cyberattacks. Microsoft helped transfer data from physical sites that could be destroyed in missile strikes to cloud-based networks and in data storage centers in Europe. By the end of 2023, Microsoft will have provided more than $400 million in technology support to Ukraine.
Other corporations have stepped up. Amazon Web Services developed cloud-based architecture to secure Ukrainian government information. Mandiant supplied Ukraine with analytic tools and techniques to better understand how Russia’s GRU military intelligence agency launches cyberattacks against Ukrainian targets. Mandiant developed a GRU Disruptive Playbook that provides operational guidance and information on Russian military intelligence disruptive operations in Ukraine and a Ukraine Crisis Resource Center that raises awareness of the global implications of Russian offensive cyber operations. Cisco has supplied the Ukrainian government with networking software, namely secure wireless networks, sensors, switches, access points, accessories, and cameras.
In addition, CRDF Global, a global non-profit organization created in 1995 to prevent the spread of advanced weapons technologies in the wake of the collapse of the USSR, has developed the Cyber Defense Assistance Collaborative platform for Ukraine. CRDF Global worked with the Ukrainian government to develop its first national Cybersecurity Strategy. After Russia’s full-scale invasion, CRDF Global mobilized cyber defense personnel from American cyber companies and non-profits to assist Ukraine in investigating malware attacks and enhancing resilience.
On its face, Russia’s cyber strategy does not seem to be anything more than a series of haphazard attempts to cause digital chaos in Ukraine. In effect, Ukraine is a testing ground for Russia’s cyber weapons deployed alongside the destructive conventional war.
Ukraine has performed very well in building resilience against Russian cyberattacks. Future U.S. security assistance should emphasize cyber and digital assistance as much as conventional weapons. To do so, the U.S., NATO, and E.U. must replicate in the cyber and information domains what has been done thus far in the military domain on artillery, tanks, and armored vehicles. Ukraine can assess how many shells, tanks, warplanes, and vehicles it needs to retake territory. However, it is more challenging to determine how many servers, data centers, cloud systems, and human detection and response units Ukraine needs to secure data and communications.
Also, NATO must provide Ukraine with greater access to its cyber defense resources. In May 2023 Ukraine joined NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE), an alliance research and training institute that provides members access to advanced technologies and facilitates cyber intelligence sharing. But Ukraine lacks formal NATO membership and is therefore not covered by the Article V collective defense guarantee in NATO’s founding treaty. Since NATO’s 2014 Wales Summit, members have agreed that cyberattacks could trigger Article V, with the response decided on a case-by-case basis. While NATO members consider cyber defense a core element of collective security, Ukraine lacks that protection.
After Finland and Sweden, Ukraine must become NATO’s thirty-third member. At the 2008 Bucharest Summit, NATO agreed that Ukraine and Georgia should become members, but no plans were provided. Fifteen years later, at the Vilnius Summit, NATO members recommitted to Ukrainian membership. Not only should Ukraine become a NATO member, the alliance itself would also benefit from Ukraine’s experience and knowledge of Russian cyber and malign operations. The U.S. should also extend a bilateral Israel-like security compact to Ukraine.
Moreover, public-private partnerships must be expanded to enable Ukraine to withstand future Russian cyberattacks. While the U.S. government and American companies have provided cyber defense assistance, resources, and intelligence to Ukraine, there should be a more concerted effort among government and private sector firms to not only enhance incident response but build more resilient systems.
A useful public-private operating model is the Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative (JCDC). Communications between the U.S. government, private sector corporations, and non-profit organizations must be improved to boost resilience to cyberattacks and malign operations. A useful approach would be to enhance the strategic planning role of the U.S. Cyberspace Solarium Commission.
Developing capacities appears straightforward compared to developing a mindset that understands irregular warfare and prioritizes multi-domain operations. The digital domain cannot be separated from the conventional military domain in Russia’s war in Ukraine and beyond. The U.S. has begun challenging mindsets with investments in and partnerships developed through the Irregular Warfare Center (IWC). However, more needs to be done to elevate irregular warfare to the level of strategic planning. Battlespaces are just as important as battlefields.
About the Author
Dr. Chris J. Dolan is professor and director of the Institute for Threat Intelligence and Cyber Defense at Lebanon Valley College in Annville, PA, a two-time Fulbright U.S. Scholar (Kosovo; North Macedonia), and will serve as a Fulbright specialist in cyber defense in Kosovo.