Russian Cyber Stumbles Amid Conventional Conflict

By Collin Husted, MALD 2023 Candidate, The Fletcher School

While the occupation of Ukraine is still evolving, Russia has yet to launch a critical cyberattack. This lack of devastating cyber activity from the Kremlin is surprising, as foreign policy and security experts predicted during the military buildup over the past several months that the opening salvo would be found not on the battlefield but in cyberspace.

Recent history has provided enough evidence to support these predictions: pro-Russian group CyberBerkut attacked Ukraine’s Central Election Commission in 2014, Russian security services disrupted electricity distribution in 2015 and again in 2016 using the first known malware to target electric grid operations, and in 2017 the Sandworm group, housed under Russian military intelligence, launched the devastating NotPetya attack.

In the initial days of the invasion, there was an uptick in targeted cyberattacks, most notably through a series of wiper malware, which destroys data rather than locking it and demanding payment as ransomware does. There were also a series of Distributed Denial of Service (DDoS) attacks which took down Ukrainian government websites. The WhisperGate malware was seen on Ukrainian systems and seems to have been in them since January. A second wiper malware, HermeticWiper, was detected in Ukraine as well as in Latvia and Lithuania on February 23, 2022. A third wiper malware, dubbed IsaacWiper, was later detected and had been in Ukrainian networks since February 24. CaddyWiper, the latest wiper malware to be detected, but is present in only a handful of organizations.

The assumption that a major cyber offensive was imminent extended to the highest echelons of government and President Joe Biden was reportedly presented with his own cyber options in response to the Kremlin, including disrupting power, destabilizing internet connectivity, and interfering with railroad control systems to stymy resupply efforts. Ukrainian forces have since destroyed the rails between the two countries using more traditional means. The Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security also issued warnings on February 12 for critical infrastructure providers, advising that they take heightened postures in light of Russia’s penchant for using cyber as a major aspect of the nation’s force projection. The CISA advisory stopped short of describing a specific threat though.

Non-state cyber actors have also taken sides in the wake of the invasion, although the extent of their impact remains to be seen. Traditionally, Ukrainian and Russian hackers collaborated with zero concern for national allegiance, but there appears to be a growing schism in the community. Notorious hacktivist group Anonymous declared war on February 25 in its “#OpRussia” campaign and claimed to have taken down more than 300 government, state-owned media, and financial institution websites in the following 48 hours. The group also leaked 35,000 emails from the Central Bank of Russia and hijacked streaming channels within Russia to show footage from the invasion. On March 28, Anonymous claimed to have 1.22 terabytes of data from the Central Bank of Russia that it plans to leak. Ghostsec, a self-described vigilante group, is also siding with Ukraine in the ongoing conflict. Meanwhile across the border, the Conti ransomware gang has stated that it will retaliate against any aggressor that launches a cyberattack against Russia. In response to this threat, an unnamed hacker leaked 60,000 internal messages of the group, dealing a massive blow to the group’s operations. The Red Bandits, a Russia-based cyber-criminal group, is also actively launching DDoS attacks on Ukrainian government sites and threatening to escalate if necessary. In response to the level of cyber activity, the Ukrainian government is reportedly recruiting hackers to protect critical infrastructure and conduct cyber operations against Russian forces.

Since the start of the invasion, the level of cyber activity may seem high, but the impact has remained relatively low. The most significant attack against Ukrainian IT infrastructure was on March 28, over a month after the invasion began. Services that had been taken down were largely restored within a day, but this is likely the first of many attempts to reduce connectivity.  A satellite has also been hacked, and although not officially attributed to Russia, it is within the country’s capability and traditional approach. Thus far, any cyber weapon of mass destruction the Kremlin may have remains unused, and Ukrainian resistance continues to maintain its connectivity, command, and control structure.