Start your day with intelligence. Get The OODA Daily Pulse.

Home > Analysis > Russia’s Cyber Attacks in Ukraine is Less About Testing New Attacks and All About Regime Survival

Russia’s Cyber Attacks in Ukraine is Less About Testing New Attacks and All About Regime Survival

A recent article in Newsweek suggested that Russia is using the ongoing conflict in Ukraine as a test bed for new cyber weaponry and tactics to ultimately be used against NATO.  Per one Ukrainian security official, Ukraine has been on the receiving end of at least eight years’ worth of cyber attacks that have ranged from disruption to destruction, depending on the type of attack. Perhaps the most notable of these assualts impacting Ukraine include the 2017 NotPetya ransomware attack that seemed more focused on destroying information systems and the information resident on them than collecting extortion, and the 2007 BlackEnergy attacks that used malware to facilitate distributed denial-of-service (DDoS) attacks, cyber espionage, and information destruction.  These were noteworthy at the time for the aggressiveness of the attacks, as well as their targets, many of which were critical infrastructure entities.

Leading up to and during its invasion of Ukraine, Russian cyber attacks have been well documented and tracked and have included standard offensives such as DDoS, malware, and phishing to impact their targets.  Indeed, according to the article, throughout the conflict, DDoS activity has increased 200 percent, malware attacks were up by 400 percent, and phishing attacks continued to rise by 300 percent.  Certainly, the volume and frequency of digital offensives have coincided with the more kinetic and conventional Russian military offensives against Ukraine, mimicking the reality occurring on the ground. There has been constant bombardment but no decisive maneuver or execution of an attack that has been instrumental in gaining an insurmountable advantage.

It can be argued that despite the ongoing onslaught by Russian state cyber actors, their proxies, and capable patriotic cyber forces, Ukraine has withstood the constant bombardment remarkably well.  Two reasons have factored into these end results. The first is that the United States, NATO, and other sympathetic governments have significantly contributed to bolstering Ukraine’s cyber defenses.  The United States has provided substantial economic assistance to Ukraine to bolster its cybersecurity apparatus leading up to and during the conflict.  This and other cyber assistance was solidified in June 2022 when Washington and Kyiv signed a Memorandum of Cooperation based on the core principles of information exchanges and sharing of best practices on cyber incidents; critical infrastructure security exchanges; and cybersecurity training and joint exercises.  Moreover, Ukraine has been sharing information of its cyber engagement with other friendly countries as well.  One Ukrainian official stated that the government is providing Brazil, the European Union, Israel and Spain information via cyber dialogues.

What’s more, the United States has deployed its cyber forces to help defend Ukraine with its “defend forward” strategy that seeks to take offensive actions to the enemy in order to maintain a strong defensive posture.  In June 2022, the head of U.S. Cyber Command admitted that the United States had been conducting defend-forward operations in support of Ukraine. In fact, there is some evidence indicating that U.S. cyber troops were already in Ukraine months in advance of the Russian invasion in preparation for the cyber defense of Ukraine.  Such assistance has been no doubt instrumental in helping to mitigate and remediate Russia’s cyber offensives, as Russia is not so much battling Ukraine in cyberspace as it is several Western countries in addition to Ukraine.

But is Ukraine really a test bed for unseen before attacks?  Without being on the ground and working cyber defense issues, any tentative conclusions can only be drawn from publicly observed incidents and reporting. There is no question that Russia has executed disruptive and destructive attacks but little indication that anything is “new.”  The aforementioned types of attacks attributed to Russian assets though perhaps more impactful are not novel, nor are the types of targets on which these forces have focused.  In an April 2022 report, Microsoft revealed that at least eight different types of destructive malware used by Russia, and while the malware may be different, more potent, and more resilient, they were not part of a new attack methodology. The frequent execution of wiper malware might be a rarely used option for Moscow, but it’s certainly neither a different type of cyber attack, nor is it even new to Russian use.  NotPetya proved to be a self-replicating wiper malware disguised as ransomware.

Attacks on third parties and supply chains as an entry point to the desired targets is also not an innovative tactic.  Russia’s successful compromise of SolarWinds showed the extent and reach that an espionage operation can yield.  Include a destructive payload into the campaign and exploitation has quickly escalated to attack.  The process hasn’t changed, nor has the threat of vulnerable third-party sources, only the intended result.  This is not cutting-edge thinking, as the approach used to exploit a target or attack a target involve many of the same components and phases with the biggest difference being in the intent of the end result.

The targets themselves have revealed no fresh thinking with respect to executing cyber attacks.  Government institutions, critical infrastructure, media, and third-party suppliers and partners have all been the victims of cyber malfeasance in the past and are generally considered go-to targets for hostile state cyber operations.  Aside from these attacks’ correlation to conventional Russian military strikes, there is nothing unusual about the attacks themselves, aside from their volume.  Arguably, one of the most noteworthy attacks occurring during this conflict was Russia’s successful February 2022 attack on Viasat Inc’s KA-SAT Network that created a far-reaching impact, but did little to advance Russian military advantage, calling into question the strategic relevance of such an endeavor.

There appears to be a misconception of how the world has assessed Russian cyber capabilities and the role of cyber attacks in an actual armed conflict.  This is not to say Russia is not advanced, sophisticated, and extremely dangerous. Moscow’s more notable campaigns like SolarWinds and BlackEnergy have justifiably raised concerns about the security of vital services in the face of a brazen antagonist. But watching the first cyber/conventional military conflict unfold has not provided new insight into attacks that have not already been seen.  Given the perception of Russia’s losses, and its intimation of potential using tactical nuclear weapons certainly suggest if it was going to unleash a never-seen-before style of cyber attack, it would be now, or at most, in the very near future. Recent reporting indicates Ukraine expecting a barrage of cyber attacks against its critical infrastructures and in particular its energy sector, but there is no evidence suggesting that this will incorporate new weaponry or tactics.

What’s happening in Ukraine is less of a test bed for cyber attacks and more of a state struggling for advantage.  Cyber attacks have not proven to be a decisive weapon thus far and will require more thought from nations states of how to practically apply their use in hostile situations. Unfortunately, to become more instrumental tools for military conflict, they will have to be continually incorporated wherever military operations are conducted no matter how large or small. This means we can expect to see more state-driven cyber attacks during various periods of tension and conflict to improve their effectiveness and to integrate them better to support the advancements of strategic goals.  States have watched Russia’s cyber effort and are taking notes accordingly, with an eye of adjusting how they might use them under similar circumstances.

Tagged: cyber Russia
Emilio Iasiello

About the Author

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.