When Russia invaded Ukraine on February 24, 2022, none of us knew, despite many attempts at assessment, what role cyberattacks might play in a full-scale invasion. Russia had been carrying out cyberattacks on Ukraine since its occupation of Crimea in 2014, and it seemed inevitable that these tools would continue to play a role, especially after the attacks on the Ukrainian power grid and the global spread of the NotPetya worm.

An analysis by Chester Wisniewski, Principal Research Scientist at Sophos, describing Russian cyber operations leading up to and during the war in Ukraine.

One of the challenges in assessing the effectiveness or impact of cyberattacks is seeing how they fit into the “big picture.” When we find ourselves in the midst of a conflict, the “information fog” of war often obscures and distorts our view of the effectiveness of a particular action. Now, more than six months after the start of the war, let us look back and try to determine the role of cyber weapons up to this point.

According to the Ukrainian State Service for Special Communications and Information Protection (SSSCIP), Ukraine has been attacked 1,123 times. 36.9% of the targets were government or defense organizations; 23.7% of the incidents involved malicious code and 27.2% were intelligence gathering.

The cyber component of the war began almost 24 hours before the land invasion. In my conflict diary, I noted that DDoS attacks and wiper attacks began around 4:00 p.m. local time on February 23rd. Immediately afterwards it became very confusing, as a large number of attacks and techniques were used in parallel. To better analyze intensity, effectiveness and targets, I have divided these attacks into four categories: destruction, disinformation, hacktivism and espionage.

Strategy 1: Destruction

Since the war did not develop according to plan for Russia, some of these techniques have been used differently in the different phases of the war so far. The first and most obvious was the destructive malware phase. Starting in January 2022, according to the SSSCIP, Russia began releasing wiper and boot-sector-altering malware that aimed to wipe a system's contents or render it inoperable. These attacks primarily targeted Ukrainian service providers, critical infrastructure and government agencies.

These attacks continued during the first six weeks of the conflict and then tapered off. Most of this activity was concentrated between February 22nd and 24th, the immediate run-up to and start of the invasion. It certainly affected various systems in Ukraine, but ultimately does not appear to have contributed to the success of the Russian land invasion.

One reason for this may be that, a few days before these attacks, the Ukrainian government moved many of its official online functions to cloud infrastructure managed and controlled by third parties not involved in the fighting. This avoided disruptions and allowed Ukraine to maintain many services and keep communicating with the world. It is reminiscent of a similar move in 2008, when Georgia relocated key government websites to third countries during Russia's DDoS attacks on the country.

The Viasat attack was very effective and also affected German wind turbines

Another devastating attack was the one on Viasat satellite communications modems deployed throughout Central and Eastern Europe, carried out just as the invasion began. According to Reuters' Raphael Satter, a senior Ukrainian cybersecurity official said it resulted in a truly enormous loss of communications right at the start of the war. Viasat later attributed the outage to destructive commands pushed to the modems after the attackers gained access to the operator's management network through a misconfigured VPN appliance. The attack also caused collateral damage in NATO member states and, among other things, disrupted the operation of more than 5,800 wind turbines in Germany.

This is probably the most effective of all the attacks carried out so far during the war. Given that most experts have speculated that Russia planned for a 72-hour war, a disruption of military communications, had the strategy succeeded, could have had significant negative consequences for Ukraine. However, Ukrainian commanders were able to regroup and establish alternative communications to minimize the disruption. Over the longer term, it has become clear that Russia struggles with command and control far more than Ukraine does. Perhaps due in part to support from technology companies such as Microsoft and ESET, as well as U.S. intelligence agencies, Ukraine's success in fending off destructive attacks has been impressive.

One of the most sophisticated malware threats against critical infrastructure was detected and neutralized when it was discovered on the network of a Ukrainian energy supplier. The malware, known as Industroyer2, was deployed together with conventional wipers targeting Windows, Linux and Solaris, combined with ICS-specific components aimed at the operational technology (OT) used to control and monitor the power grid.

Microsoft pointed out in a recent report that many Russian cyberattacks appear to have been coordinated with conventional attacks in Dnipro and Kiev and on Vinnytsia Airport. But there is still no evidence that the cyber component contributed to any discernible progress in the Russian offensive.

In my opinion, destructive cyber operations have so far had almost no influence on the outcome of real war events. They gave a lot of people extra work and made a lot of headlines, but what they didn't do was make a significant impact on the war.

Strategy 2: Disinformation

The disinformation strategy targeted three groups: the Ukrainian people, Russia itself and the rest of the world.

Russia is no stranger to weaponizing disinformation to achieve political results. The original mission appears to have called for a quick victory and the installation of a puppet government. Under this plan, disinformation would initially be critical in two spheres of influence, and then in three as the war progressed.

The most obvious target is the Ukrainian people – they should be convinced that Russia is a liberator and ultimately accept a pro-Kremlin leader. Although the Russians appear to have attempted numerous influence operations via SMS and traditional social networks, this attempt had little chance of success from the start due to an increasingly patriotic Ukraine.

Russia has had much more success with disinformation at home, its second most important target. It has largely banned foreign and independent media, blocked access to social media and criminalized the use of the word “war” in connection with the Ukraine invasion.

It is difficult to assess the actual impact of these measures on the general population, although polls suggest that the propaganda is working - or at least that the only opinion that can be publicly expressed is support for the "special military operation."

The third target of disinformation as the war drags on is the rest of the world. Attempting to influence non-aligned states such as India, Egypt and Indonesia may help dissuade them from voting against Russia in United Nations votes and may lead them to support Russia.

Promoted stories about US bioweapons labs, "denazification" and alleged genocide by the Ukrainian army are intended to challenge Western media portrayals of the conflict. Much of this activity appears to come from established disinformation actors, rather than from compromised accounts or any type of malware.

Disinformation clearly has an impact, but similar to destructive attacks, it does not in any way directly impact the outcome of the war. Civilians do not welcome Russian troops as liberators, and Ukrainian forces neither lay down their arms nor surrender. The US and Europe still support Ukraine and the Russian people appear cautious but not rebellious. Most notably, Ukrainian forces have recaptured areas under Russian control in recent days and have even been greeted as liberators by some civilians near Kharkiv.

Strategy 3: Hacktivism

Would the well-known, highly experienced hackers across Russia and Ukraine resort to cyberweapons and unleash damaging waves of attacks, each supporting their own side? It looked like this might be the case at the start of the war.

Some well-known cybercrime groups such as Conti and LockBit declared support for one side or the other, but most of them said they didn't care and would carry on as usual. Nevertheless, we saw a significant decrease in ransomware attacks for about six weeks after the initial invasion. Normal attack volumes resumed in early May, suggesting that the criminals were experiencing supply chain disruptions just like the rest of us.

One of the most notorious groups, Conti, made threatening statements against the West on its leak site. This prompted a Ukrainian researcher to leak the group's internal communications, which ultimately led to its dissolution.

On the other hand, hacktivists on both sides were in full swing in the early days of the war. Web defacements, DDoS attacks and other trivial hacks targeted just about anything that was vulnerable and clearly identifiable as Russian or Ukrainian. But this phase didn't last long and doesn't seem to have had any lasting effect. Research shows that these groups quickly became bored and moved on to the next distraction. Here too, the activities had no material impact on the war - but they did produce stunts that the hacktivists involved could celebrate. Recently, for example, a group allegedly hacked Yandex Taxi and ordered all taxis to the center of Moscow, causing a traffic jam.

Strategy 4: Espionage

The final category is the most difficult to quantify, because it is inherently complicated to assess the impact of something that is deliberately concealed. The most promising way to estimate how much espionage has been carried out in this war is to look at the occasions on which attempts were discovered. From there one can begin to extrapolate how often attempts might have succeeded, given how often they were caught.

Unlike destructive attacks, cyber espionage is useful against all adversary targets, not just Ukraine, because of its covert nature and the inherent difficulty of attributing it. As with disinformation, far more of this activity is aimed at Ukraine's supporters than is the case for other attack types, presumably to learn what the U.S. and its NATO allies might bring to bear on the ground war.

Claims of attacks on non-Ukrainian companies must be examined carefully. It is nothing new for Russia to attack the United States, the European Union and other NATO member states with malware, phishing and data theft, but in some cases there is compelling evidence that attacks are specifically motivated by the war in Ukraine.

In March 2022, Google's Threat Analysis Group (TAG) published a report highlighting Russian and Belarusian phishing attacks that targeted U.S.-based nongovernmental organizations and think tanks, the military of a Balkan country, and a Ukrainian defense contractor. Proofpoint also published research showing that EU officials working to support refugees were targeted by phishing campaigns sent from a Ukrainian email account that had allegedly been compromised by Russian intelligence.

Russian attacks on Ukrainian targets have not abated over the past six months and continue to exploit the latest security vulnerabilities as soon as they are publicly disclosed. For example, in July 2022 a Russia-based cybercrime group was among the key players making extensive use of the then-new vulnerability known as "Follina" (CVE-2022-30190, a flaw in the Microsoft Support Diagnostic Tool that is triggered through crafted Microsoft Office documents). It appears that media organizations, an important instrument during a war, were among the targets of the malicious documents in this campaign.

Conclusion

The war in Ukraine teaches us a lot about the role that cybersecurity and cyberattacks can play in times of war. Russia appears to have been inadequately prepared and could have used cyberattacks far more effectively.

The early stages of the war appeared to focus on destabilization, destruction and disruption and were based on the assumption of a quick victory by Russia. However, as the war drags on, these techniques are becoming less important and the focus is increasingly on espionage and disinformation.

It remains to be seen how things will develop in the coming months in light of energy supplies and Russia's dominant role in this area. Will disinformation kick into high gear to pressure European leaders into easing sanctions? Will criminal groups focus on attacks on European energy suppliers, as we have already seen?

The war is not over, and the role of cyberattacks may evolve in new and unforeseen ways. It is unlikely that they will play a decisive role. At least in this conflict, they are another tool to be used in conjunction with the other weapons and tools of war - and as with every other aspect of war, a strong defense is often the best offense.

Source: Sophos





Notes:
1) This content reflects the state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic.
2) Individual contributions were created with machine assistance and were carefully checked by the Mimikama editorial team before publication.