Lessons from Russia’s cyber-war in Ukraine

Published On : 2023-01-06
Share :
Lessons from Russia’s cyber-war in Ukraine

Lessons from Russia’s cyber-war in Ukraine

In February of the last year just as Russian tanks started to pour over the borders of Ukraine, many have predicted a sort of cyber-armageddon, that would take Ukraine to the stone age thanks to immense dark powers of Russian state backed hackers. An hour before the invasion began, they were able to bring down the satellite communications system run by Viasat, an American company, on which Ukraininans were relying. Some Western officials estimated the attack had to take at least a year of very serious preparation and effort.

While this attack demonstrated that Russia does have serious capabilities in the cyber realm, we haven’t really seen the armageddon many were expecting. With almost a year of hindsight, we should be able to assess at least some relevant events and take some preliminary lessons from the war, even though we need to be aware of the fog of war that is still surrounding many of the key takeaways for future historians.

No lack of effort but lack of sophistication

Russia has been seen as a pioneer in the use of cyberweapons on the world stage. In fact, Russia has been aggressively utilizing the deniability offered by offensive action in the fifth domain in recent years, but the pioneering work in terms of military integration has actually been done in the United States, where military planners have been thinking of cyber capabilities in joint operational terms by mid 1990 s. Russia in contrast has launched its cyber forces only almost 15 years later. The Russian intelligence services have been using cyber espionage for decades and have been able to utilize privateering actors and conscript cyber criminals to do Kremlin’s bidding for years prior to acquiring own capabilities but the level of sophistication of the actions performed even by top Russian government hackers could not be compared to Stuxnet, the joint Israeli-American cyber-attack on an Iranian nuclear facility in Natanz, first identified in 2010 which thus occurred during what is now technologically an ancient history.

The Viasat cyberattack is the biggest and most sophisticated known hack of the war, but many have been expecting many more similar actions to come. Yet they are kept waiting.

That is not to say the Russians hackers remain silent in the face of severe adversity they are facing both on the battlefield and in the international arena.

A month prior to the invasion and then again on February 23rd, Russian hackers have been able to employ wipers on hundreds of Ukrainian government systems. Then, in April, as it became clear that the Russian military will not be able to conquer the capital and withdrew from the Kyiv area, the Sandworm group (also known as IRIDIUM) presumed to be part of Russia’s military-intelligence, used malware called Industroyer2 to attack the Ukrainian power grid. As the Ukrainian counteroffensive progressed and winter approached, researchers observed that Sandworm deployed wiper malware to destroy data from networks of organizations involved in power generation, water supply and the transportation of people and goods, focusing on the capital and the south of the country. However unlike 2015 and 2016, when the group succeeded in cutting power to hundreds of thousands of citizens, in 2022 the lights remained on or were restored in a matter of hours. The Ukrainian state was able to keep information flowing, shops remained open, the banks kept operating, pensioners kept getting their social welfare.

Volodymyr Zelensky presidential broadcasts have not been hijacked and the military has regularly been able to drone-spot artillery using Google online meeting tools. Any effort to disrupt civilized life or stop the military from being able to operate via cyber attacks have largely failed. We can be sure that despite disciplined media silence and thus operational security on part of the Ukrainian military, there have been cases of Ukrainian military networks penetration by Russian hackers but at the same time we can say that Russian hackers have steadily underperformed the expectations.

After a spike in wiper attacks on the power grid in October failed to produce the desired failure of the power grid and the military took over the task of depriving civilians of heat, running water and power by kinetic means, the cyber activity has shifted largely to nuisance level attacks. By early winter, DDoS attacks accounted for about 70% of all incidents, with malware attacks constituting steadily under 10% of incidents. Most attacks were performed by hacktivist collectives and privateering criminals, with only under a quarter of all incidents being attributed by researchers to the government sponsored actors.

That being said, Britain’s National Cyber Security Centre still considers Russia’s cyber campaign to be “probably the most sustained and intensive cyber-campaign on record” and David Cattler, top NATO intelligence official, stated that Russia had used more destructive malware against Ukraine by spring “than the rest of the world’s cyber-powers combined typically use in a given year”. We thus cannot overstate the importance of Ukrainian cyber defenses. The chief of UK signals-intelligence agency GCHQ Jeremy Fleming has observed in summer that Ukraine’s response has been “arguably…the most effective defensive cyber-activity in history”.

Western help was essential, but Ukrainians taught their partners valuable lessons

There is no doubt that Ukraine has done a lot to make itself a hard target in recent years as Moscow has been giving Kyiv reasons to do so at least since the annexation of Crimea in 2014. There were black outs, attacks on banks or “test runs” on dams. By the beginning of the war against the much larger military, Ukraine had a contingency plan ready.

Many crucial services were transferred to data centers outside of the country, beyond the reach of Russian fires. Ukraine’s military, contrary to many Russian units, had prepared alternative means of communication. Amazon helped in developing cloud-based backups of essential government data, putting essentially the whole government “into a box”. Or more precisely suitcase-sized solid-state hard drives, called Snowball Edge units. Critical infrastructure and economic information, more than 10 million gigabytes of data, including information from 27 Ukrainian ministries, have been flown out the country and put into cloud.

NATO provided access to its repository of known malware, Britain provided firewalls and forensic capabilities, the US pledged large but publicly undisclosed assistance, the EU digital governance powerhouse Estonia offered help based on its long term success in the digitalization of the economy. Western assistance did not stop with governments and militaries though, besides the aforementioned help from Amazon, Microsoft alone pledged $400 m in free help, being quickly followed by other companies from the industry, providing tools and know-how. Cyber officials have however noted that the cooperation has been far from one sided. Marcus Willett, a former head of cyber issues for GCHQ was quoted stating that “…the Ukrainians taught the US and the UK more about Russian cyber-tactics than they learned from them”.

Is the fifth domain overrated or were the cyber warriors set-up for failure?

Some commentators wonder whether Russia’s cyber-prowess or the overall effectiveness of cyber attacks in a major war might have been overrated. Though cyberwarfare has proven to be far from a one-click armageddon option, it now constitutes an integral and important part of interstate conflict. The preliminary takeaway for many analysts is that American capabilities in the high-end of the spectrum in cyber-domain exceeds those of Russia by even larger margin than previously thought, but we should keep some qualifications in mind.

Russia’s cyber-campaign may have been constrained less by lack of capabilities than by the intelligence failure that set up the armed forces for failure in what the political leadership outlined as a three day regime change operation. Analysts have observed lack of coordination across all levels of government, across branches of the military itself and given that deployed battalion commanders have learned of the war plans only a week beforehand, it is reasonable to assume the cyber forces were not aware of the state of play before the invasion began. At the same time the original plan counted for a takeover of the country and occupation of large swaths of the territory, thus destruction of the grid and infrastructure was not what the leadership demanded. That plan, as we are all too aware, went out of the window and Russia has switched to a strategy that relies on indiscriminate destruction in what Moscow ultimately came to see as a contest of willpower.

After the change of the strategy Russian cyber warriors were faced with the nature of the technology; unlike artillery, you cannot simply point malware at a target and fire. Sophisticated attacks, like that on Viasat, require months or even years of preparation including detailed network reconnaissance at target destination and development of bespoke tools. Such reconnaissance is much harder to achieve in a state of high alert and launching of the attack reveals the “weapon” (malware) and infrastructure (servers) for analysis, enabling the enemy to produce a patch for the exploited vulnerability and thus make the exploit unusable for future attacks after a substantial investment. It is no wonder then, the major hacking feats were all used up in the first days and weeks of the war and Russian hackers had to focus on lower levels of sophistication attacks.

And while Russia does have a reputation of significant offensive appetite, its basic infrastructure is nowhere near ready for a confrontation with NATO, with most NATO countries outranking Russia on 27th place on the National Cyber Security Index maintained by Estonian e-Governance Academy Foundation. This probably restrained Russia from using offensive capabilities recklessly in ways that could spill out outside of Ukraine into NATO territory in the opening stages of the war.

The sabotage of the Nord Stream 2 pipelines in September and Russian hackers launching intentional attacks on transport and logistics in Poland (a hub for arms supplies to Ukraine) with the Prestige malware the same month might signal a change in attitude.

ETLM Recommendation

Russia – Ukraine war is another example of how offensive and defensive cyber capabilities play an important role in the geopolitical conflict between nations. These conflicts not only threaten the critical infrastructure and other services of the countries involved, but they can also pose a threat to other friendly countries and associated industries. We also observed that this war was able to polarize threat actors as pro-Ukraine and pro-Russia groups, with some remaining neutral, such as LockBit. The energy sector, logistic supply chain, and FMCG industries were major targets for paralyzing enemy systems from both sides of the threat actors. This had a cascading effect on the global economy, which was attempting to recover from the COVID-19 impact.


We can assess that the cyber domain does not offer a silver bullet solution to military problems, but needs to be taken very seriously, especially from the point of view of defenders. It is very difficult to inflict severe damage to computer networks that are well- defended, especially if You have the resources of the biggest players in the industry backing Your efforts. Cyber attacks are not impossible to attribute and if the stakes are high enough, they are far from consequence-free. The Western allies of Ukraine have yet not suffered any large attacks but researchers warn that Russian hackers are actively scanning networks in critical infrastructure and have the potential to cause severe harm.

Cyber weapons attacking civilian infrastructure are most effective in times of peace; in times of war, especially all out war, munitions can often perform the task more easily, reliably and even cheaply. We can thus expect that at this point, the most important job of cyber forces is espionage, or signals intelligence and information operations. However the most valuable secrets obtained by cyber spooks are not likely to make the light of the day for years after the war is over, with many of them only being available when the archives will open in about 30 years time.

This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.