There have been several hacks by Ukrainian organizations, but no reports yet of the kind of high-impact cyberattacks on transportation or electrical infrastructure that some feared.
Possible explanations for this range from the disorganization in Russian military planning to the hardened Ukrainian defenses to the fact that bombs and bullets take precedence over hacking in wartime, according to analysts.
The reason Russia hasn’t ventured into cyberspace so far during the war may be unknowable, or may require getting into the minds of Russian spy chiefs. But how US, European and Ukrainian officials perceive the situation will determine how they allocate resources to defending Ukrainian computer networks as the war rages on.
“What we have seen so far from Russia’s state cyber actors appears to reflect the same challenges seen in their conventional armed forces,” said a US cyberdefense official, who spoke on condition of anonymity because he was not authorized to speak to the press. “It is likely that inadequate preparation and poor assumptions led to a haphazard performance that underestimated their known abilities.”
Limited Russian cyber attacks
Cyberattacks have played a supporting, not a central, role in the war, and hacking incidents preceded and accompanied Russia’s bombing of Ukraine:
• February 25: Ukrainian government officials accused hackers working for the Belarusian Defense Ministry of trying to break into the private email accounts of Ukrainian military personnel.
• March 10: Unidentified hackers disrupted Ukrainian ISP Triolan, which has customers in major Ukrainian cities. Triolan blamed “the enemy” (a reference to Russia) for the incident, but provided no evidence to support the claim.
General Paul Nakasone, the senior military cyber official in the US government, this week offered lawmakers a vague, multi-faceted explanation for the relatively muted Russian cyber activity.
Defense work by Ukrainians, “some of the challenges that the Russians have encountered and some of the work that others have been able to prevent their actions,” explained the situation, said Nakasone, who directs the National Security Agency and US Cyber Command.
“They bomb critical infrastructure, so they don’t have to hack it”
However, many analysts say that the increased Ukrainian cyber defenses cannot be the only reason for the lack of visible Russian cyber operations. And US officials tend to give credit to Ukrainian network defenses, which Washington has invested millions of dollars and countless hours on the ground to build in recent years.
Yegor Aushev, a Ukrainian cybersecurity executive who helped organize an ad hoc group of hackers that targeted Russian organizations during the war, offered a simpler explanation.
“The first phase of the war was a hybrid war,” Aushev said by phone this week from Ukraine.
The Russians, he said, use cyberattacks because they are plausibly deniable. But the second phase of the war was open.
“They are bombing critical infrastructure,” Aushev said. “So you don’t have to hack it in hidden mode.”
John Hultquist, vice president of intelligence analysis at cybersecurity firm Mandiant, echoed that point.
“Cyberattacks are often reversible and are often carried out for their psychological impact,” Hultquist, a US Army veteran, told CNN. “And in a situation where the Russians are already shelling cities, that impact will be fairly limited.”
The so-called Ukrainian “IT army” that Aushev works with claims thousands of volunteer hackers from Ukraine and abroad. The Ukrainian government actively encourages these cyberattacks on Russian organizations, claiming that the hacks disrupt Russian cyber activities targeting Ukraine.
“As it turns out, [Russian computer] systems are not that secure,” boasted Serhiy Demedyuk, Deputy Secretary of the National Security and Defense Council of Ukraine.
To what extent pro-Ukraine hacking against Russian organizations was successful is difficult to assess. There was disruption to Russian state media websites mimicking Kremlin propaganda about the war.
The longer game
Another possibility is that the fog of war has obscured some Russian cyber activities.
If some of the elite hacking teams linked to Russian intelligence agencies were involved in significant activities in Ukraine, we might not hear about it for months, Hultquist said.
“It’s a perfect environment for chaos to hide in,” Hultquist told CNN.
Even more so when bombs destroy digital evidence of a hack.
The Ukrainian government plans to move some of its computing infrastructure out of Kyiv while Russian troops continue to bombard the city. Preserving these digital records could hold the key to learning more about further Russian cyber activities during the war.
Given the ongoing war, US and European officials are also wary of spillover from a Russian hack in Ukraine that could weaken agencies or companies in NATO countries.
The data-wiping hack on the eve of the Russian invasion was well-targeted, but infected two Ukrainian government contractors with a presence in Latvia and Lithuania, which are NATO members.
NATO Secretary General Jens Stoltenberg said a cyberattack could trigger NATO’s Collective Defense Clause, which requires all members to repel an attack on another member. But that has never happened, and it’s unclear where NATO’s cyberspace threshold is.
Erica Lonergan, associate research scholar at Columbia University’s Saltzman Institute of War and Peace Studies, said it would make sense for Russia to retaliate against Western government sanctions in cyberspace in a way that doesn’t escalate the conventional conflict with NATO.
“For precisely the reasons that cyber isn’t necessarily useful on the battlefield, it’s a way states engage in subversion, create information advantage, and cause disruption,” Lonergan told CNN.