News Region & Country Ukraine

Inside the Russian cyber war on Ukraine that never was

Many experts believed a Russian invasion of Ukraine would start with significant cyber warfare operations. They never materialized.
Max Hauptman Avatar
Russian cyberwarfare
Reconnaissance officers take part in exercises held by the Russian Southern Military District's Special Forces units at a shooting range near the village of Molkino on October 17, 2017. (Photo by Vitaly Timkiv/TASS via Getty Images)

A little more than two weeks ago, with almost 200,000 Russian troops massed on the border with Ukraine, many experts predicted that a potential conflict could be one of the first examples of extensive warfare carried out in the domain of cyberspace.

“A Russian invasion of Ukraine may redefine how we think about cyber conflict because it will be the first time a state with real capabilities is willing to take risks and put it all on the line,” said Jason Healey, a former White House official and senior researcher in cyber warfare told The Washington Post in an interview published the day the invasion commenced.

Subscribe to Task & Purpose Today. Get the latest in military news, entertainment and gear in your inbox daily.

After all, Russia has had a long history of conducting cyber operations against its neighbors, from the 2014 annexation of Crimea to the 2015 cyber attacks on Ukraine’s power grid to supporting operations in the breakaway regions of Donetsk and Luhansk. The Central Intelligence Agency attributed Russian military hackers to the 2017 “NotPetya” ransomware attack, which initially targeted Ukrainian banking and energy software before spreading globally, to countries including Denmark, India, and the United States.

But over the past two weeks, an overwhelming Russian cyber attack has yet to appear. 

“When you look back at the initial troop buildup, it looked like a very coordinated, methodical effort, and in that case you would normally have your cyber component planning well in advance with the intention of executing attacks,” said David Kennedy, a former Marine Corps cyber warfare analyst and CEO of cybersecurity firm TrustedSec. “Instead what we saw was very limited, mostly malware and distributed denial of service (DDOS) attacks on Ukrainian websites, which would indicate a lack of planning.”

Cars drive past a destroyed Russian tank as a convoy of vehicles evacuating civilians leaves Irpin, on the outskirts of Kyiv, Ukraine, Wednesday, March 9, 2022. A Russian airstrike devastated a maternity hospital Wednesday in the besieged port city of Mariupol amid growing warnings from the West that Moscow’s invasion is about to take a more brutal and indiscriminate turn. (AP Photo/Vadim Ghirda)

In the weeks leading up to the invasion, malware that the Cybersecurity Infrastructure & Security Agency (CISA) has attributed to Russia did target some Ukrainian government and commercial networks. But nothing thus far has seriously impeded Ukraine from resisting invasion, or completely prevented President Volodymyr Zelensky and the nation’s citizens from communication outside the country’s borders.

“From a cyber warfare perspective, it takes a substantial amount of time to determine targets, to get access, and to remain undetected. That’s months if not years of preparation,” said Kennedy. “Perhaps they were counting on sheer military force and kept things secret, including from their cyber commands, but even with limited planning I would have expected Russia to have prepared a much better foothold in Ukraine, that’s what is most surprising.”

“Are their efforts focused somewhere we aren’t seeing, or are they maybe just not as capable as we thought?” he added. 

With the invasion ongoing, it is also possible that Russian intelligence networks may want the ability to access and leverage information from Ukraine. 

“If you try to shut down networks in Ukraine, you are essentially denying service to your own intelligence, which wants to collect as much information as possible,” said Kenneth Geers, a senior fellow at the Atlantic Council and the NATO Cyber Centre ambassador with 20 years of experience with the U.S. Army, the National Security Agency and NATO.

With the invasion now entering its third week, the role of cyber warfare may continue to be limited. 

“You have three basic types of operations; espionage and stealing information, denial of service, and manipulation,” said Geers. “Now that the kinetic war is fully underway, resources are going to be focused on the battlefield. Russia may not have the time for more exotic operations.”

“And at this point, anything cyber-related can’t approach the horror and the immediate goals of the war the way bombs and rockets can,” he added. 

Russia Ukraine War
An apartment building damaged following shelling on the town of Irpin, 26 kilometers west of Kyiv, Ukraine, Friday, March 4, 2022. (AP Photo/Oleksandr Ratushniak)

Russia itself may also be hesitant to expand its operations in the cyber domain due to its own weaknesses. 

“Ukraine and the west have presented a very strong, unified front, and Russia itself is quite vulnerable,” said Geers. “Which means that Russia is looking at a very formidable adversary when it comes to a response.”

This includes not only government response, but individuals as well. Just days after the invasion began, Ukraine called on volunteers for an “IT Army,” to assist in its fight against Russia. 

“Non-state actors are a big player,” said Chris Rouland, CEO of Phosphorus Cybersecurity. “At this point, any hacker who wants to target Russia can pull up a list of targets and go to work. And Ukraine itself was already somewhat of a tech hub, so there is domain expertise there on the ground.”

The extent to which the cyber war is spreading beyond Russia and Ukraine is unclear, but “a key concern is that we are going to deal with retaliation by Russia against those perceived as assisting Ukraine,” said Kennedy. “So it’s all hands on deck now preparing for that.”

What’s new on Task & Purpose

Want to write for Task & Purpose? Click here. Or check out the latest stories on our homepage.