One Year Later: Cyber Battles Still Rage in Ukraine

President Biden made a surprise visit to Ukraine’s capital of Kyiv this past week to meet with Ukrainian President Volodymyr Zelenskyy, and that was just the beginning of a series of meetings with international partners regarding the one-year mark in the Russia-Ukraine conflict.

In the midst of global headlines analyzing which military equipment the U.S. and NATO countries should give to Ukraine, as well as how much financial support will be ongoing, a less publicized cyber war continues unabated.

As I wrote about in detail in my annual cybersecurity review back in December, 2022 was the year the Ukraine war shocked the world. On Feb. 16, Google’s Threat Analysis Group (TAG) wrote an excellent blog entitled “Fog of war: how the Ukraine conflict transformed the cyber threat landscape.” Here’s an excerpt:

“Nearly one year ago, Russia invaded Ukraine, and we continue to see cyber operations play a prominent role in the war. To provide more insights into the role of cyber, today, we are releasing our report Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape based on analysis from Google’s Threat Analysis Group (TAG), Mandiant and Trust & Safety. The report encompasses new findings, and retrospective insights, across government-backed attackers, information operations (IO) and cybercriminal ecosystem threat actors. It also includes threat actor deep dives focused on specific campaigns from 2022.”

Here are some key findings from the 47-plus-page report:

  • “Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace, often with mixed results.

  • “Moscow has leveraged the full spectrum of IO, from overt state-backed media to covert platforms and accounts, to shape public perception of the war.

  • “The invasion has triggered a notable shift in the Eastern European cybercriminal ecosystem that will likely have long term implications for both coordination between criminal groups and the scale of cybercrime worldwide.”

There is a section at the end outlining forward-looking trends, and a quick summary of that section shows that cyber attacks will likely continue and even accelerate in 2023 against both Ukraine and NATO countries. The fact that NATO members were becoming targets in unprecedented cyber attacks from Russia was clear last year, as I wrote in this blog last September.


The Hacker News added this when commenting on Google’s report:

“Russia’s cyber attacks against Ukraine surged by 250% in 2022 when compared to two years ago, Google’s Threat Analysis Group (TAG) and Mandiant disclosed in a new joint report.

“The targeting, which coincided and has since persisted following the country’s military invasion of Ukraine in February 2022, focused heavily on the Ukrainian government and military entities, alongside critical infrastructure, utilities, public services, and media sectors.

“Mandiant said it observed, ‘more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years with attacks peaking around the start of the invasion.’

“As many as six unique wiper strains, including WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, and SDelete, have been deployed against Ukrainian networks, suggesting a willingness on the part of Russian threat actors to forgo persistent access.”

WHERE ARE THE CYBER ATTACKS ON THE WEST FROM RUSSIA?

One big question that keeps coming up as I discuss these topics around the country is: Where are the anticipated cyber attacks against U.S. and NATO countries’ critical infrastructure? There are a few answers to that question.

A recent report by Recorded Future News’ The Record claims that “Many cyberattacks by Russia are not yet public knowledge.” Here’s an excerpt:

“Although dozens of private sector reports have detailed Russian ops during the war in Ukraine, experts have questioned whether the cybersecurity industry has visibility into the full extent of that activity. The joint report from the Dutch General Intelligence and Security Service (AIVD), alongside its Military Intelligence and Security Service (MIVD), cites two reasons why ‘many of these attempts have not yet become public knowledge.’

“The fact that ‘the pace of Russian cyber operations is fast’ is a big factor, the report said. And the nature of many targeted institutions, such as military and diplomatic agencies, leads to secrecy about their vulnerabilities.

“NATO members who are providing military support to Ukraine also are common targets of Russian intelligence. The joint report said that the ‘Dutch armed forces, ministries and embassies have also been the target of (unsuccessful) cyber espionage attempts in the past year.’

“Alongside espionage operations, Russian cyber forces have repeatedly attempted to deploy ‘wiper’ malware strains designed to destroy data in computer systems.

“‘Moscow regularly attempts to digitally sabotage Ukrainian vital infrastructure and carries out constant wiper malware attacks. The sustained and very high pressure that Russia exerts with this requires constant vigilance from Ukrainian and Western defenders,’ said the joint report.”

The report goes on to say much more, including that the combined cyber defenses of NATO countries have been very successful so far.

Finally on this topic, this World Economic Forum (WEF) opinion piece describes the view that the world is missing a big message on cybersecurity in Ukraine: “Frankly, cyber attacks don’t have much impact, as counterintuitive as that may feel, given oft-cited catastrophic-level scenarios such as the potential hacking of nuclear weapons or complete disruption of the financial system. Even if the latter were possible, the fundamental limitation of cyber operations would soon be realized: reversibility.

“The major difference between cyber operations and their kinetic alternatives is that when kinetic attacks occur, what goes down is more likely to stay down for longer. To appreciate this point, it helps to look at reversibility, or permanence, of attacks along a spectrum.”

OTHER GLOBAL CYBER THREATS FROM THE UKRAINE CONFLICT


The Hill reported this week on “How the war in Ukraine is shaping cyberspace.”

The Hill also reported that “Russia’s overt influence operations conducted by its state-controlled media has decreased on the platform, [and] attempts at covert activities tied to the war in Ukraine have sharply increased over the last year.”


InfoSecurity Magazine released an article on Feb. 23 that described how new norms in cyber warfare are emerging. Here’s an excerpt:

“In hybrid warfare, the lines between the commercial and military domains are often blurred, particularly when it comes to cyberspace. This can be seen in the Russia-Ukraine war, which has brought with it a range of cyber-related demands for both government and private sector actors.

Infosecurity spoke to defense and cybersecurity analysts about the current cyber landscape in Ukraine, the impact of digital connectivity and whether cyber-Armageddon is still a possibility.

“The war in cyberspace began long before Russian troops staged their all-out invasion of Ukraine in February 2022, noted Dr. Josef Schroefl, deputy director for Strategy and Defense at the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) in Helsinki, Finland, an organization that works closely with NATO and the EU on countering hybrid threats. Schroefl said that as of January 2023, Ukraine has registered more than 5000 cyber-attacks on state institutions and critical infrastructure since 2014.”

I also like a piece from the Carnegie Endowment for International Peace that describes “Cyber Operations in Ukraine: Russia’s Unmet Expectations.” Here’s a summary quote from that report:

“A review of academic, doctrinal, and journalistic writing covering the last three decades of Russian military theorizing on cyber-related issues yields three hypotheses that may explain the mismatch between the expectations of many Western observers and the reported impact of Russian cyber operations in the 2022 invasion of Ukraine. By exploring the unique and oft-overlooked facets of Moscow’s conceptualization of ‘cyber,’ this paper provides a foundation for better assessing Russia’s performance in cyberspace in Ukraine in early 2022, along with a more nuanced understanding of its capabilities and possible expectations going forward. These hypotheses are as follows:

  • Russia’s Information Operations Troops—a rough analog to Western military cyber commands—remains in its infancy and appears optimized more for counterpropaganda than for offensive cyber operations. The operational command structure over offensive cyber operations, meanwhile, remains murky and is possibly more political than military in nature.
  • Russia’s premier offensive cyber capacities are housed within agencies focused on intelligence and subversion—the key tool kits used against Ukraine since 2014—rather than combined-arms warfare.
  • Moscow’s secretive and poorly executed February 2022 invasion precluded optimal performance in the initial period of the war, which is particularly pivotal in Russian thinking about effectiveness in the information domain.”

FINAL THOUGHTS

As I read through these reports from various sources, I come to the conclusion that a major force of NATO’s cybersecurity capabilities is being deployed to assist Ukraine in their war efforts. However, many of these efforts and specific tactics remain classified and cannot be shared openly. These substantial capabilities provide the basis for a strong overall cyber defense for NATO countries that have, at least so far, muted the effectiveness of Russian cyber attacks.

Assuming this is true, Ukraine remains a hot battleground and test bed for many new cyber weapons and cyber defense strategies being deployed in the world today. This reality is impacting both the public and private sectors, as is described in a Radware case study on DDoS attacks against Ukraine.

Whether new tactics or new cybersecurity weapons will alter this cyber war narrative in 2023 and beyond remains to be seen. But it appears, at least for now, that the Ukraine-Russia conflict will continue to dominate the cybersecurity landscape (both defense and attack) for the foreseeable future.
