Russia’s cyber-supported invasion of Ukraine: An Intelligence Assessment
- Russia conducted several cyberattacks in coordination with their invasion of Ukraine using destructive malware targeting Internet and satellite service providers.
- The current discourse, which questions how impactful these cyberattacks were, is not without merit. However, to say they were non-existent or not at all impactful is misrepresentative.
- Historically, experts have predicted cyber-enabled operations to be a dominant force should a kinetic war break out between Russia and Ukraine. This likely led to an exaggerated perception of what a “cyberwar” would look like in this scenario.
Since 2014, Ukraine has served as a testing ground for Russian cyber operations, experiencing the brunt of the state-sponsored attacks from its neighbor. Russian threat actors attacked electric companies, causing power outages in 2015 and 2016, and targeted Ukrainian companies with the NotPetya destructive malware in 2017. Because of this, there have been many discussions among intelligence analysts and cybersecurity experts about the role cyberattacks would play if Russia and Ukraine ever became engulfed in a kinetic war. When Russian forces began their invasion of Ukraine’s eastern and northeastern borders, many expected there to be a large cyber component to the invasion. The currently reported evidence does show that Russia likely made a concerted cyber-enabled effort to support their invasion by targeting Internet and satellite communication infrastructure.
Despite this evidence, experts and journalists still disagreed as to why Russia’s invasion did not involve more of an overt cyber component. This intelligence report will address why there continues to be discourse, as well as the currently available evidence of cyberattacks targeting Ukraine, by providing a timeline of events, historical context and expert discussion points, and an assessment of the possibilities regarding Russia’s overarching cyber strategy as it related to the invasion of Ukraine.
Throughout 2021, there were more obvious indicators of an approaching kinetic conflict than there were for cyber-related incidents. Beginning in January 2021, Ukrainian President Volodymyr Zelensky began pressuring the United States to support Ukraine’s acceptance into NATO, something that Russian President Vladimir Putin had vehemently opposed in the past. Putin reiterated this throughout the year, going so far as demanding a guarantee that NATO would not expand any closer to Russia in December. Russia began conducting military exercises in the spring months near the Ukrainian border, amassing 100,000 troops by November, with skirmishes between Russian and Ukrainian forces reported in January and early February.
On the cyber front, Microsoft released an annual report in June 2021 stating that the United States, Ukraine, and the U.K. were the countries most targeted by Russian state-sponsored threat actors. Instances of Russian state-sponsored groups targeting Ukrainian entities were largely absent from public reporting between July and December 2021. However, in January 2022, there were reports of WhisperGate, a destructive wiper malware attributed to Russian state-sponsored actors, targeting Ukrainian government, non-profit, and IT organizations. Additionally, a suspected Belarusian threat actor, tracked as UNC1151, began conducting defacements of Ukrainian websites.
February 2022 signaled a turning point in the Russia-Ukraine conflict. Cyberattacks simultaneously targeted Ukrainian entities across the country, as Russian forces began moving into the contested regions of Donbas and Luhansk, areas to the north near the Belarusian border and Kyiv, and cities to the south from the Black Sea. The initial attacks on February 13 and February 23 were denial of service attacks targeting banking institutions and government entities. However, February 24 marked the beginning of the kinetic invasion of Ukraine, as well as the most impactful recorded cyberattacks in the conflict so far.
As President Putin announced a “special military operation” in Donbas, an act that marked the “official” start of Russia’s invasion, Russian state-sponsored cyber threat actors attacked Ukrainian organizations, specifically ViaSat and Triolan, which provide Internet and satellite access to the region. Attackers targeted ViaSat with the AcidRain destructive malware, while the Triolan attack resulted in internal computers being reset to their initial factory settings. Ukrainian government entities were also impacted by the IsaacWiper and HermeticWiper destructive malware, the latter of which masqueraded as a ransomware variant but functioned as a more destructive wiper.
Moving into March and April, additional destructive attacks involving the CaddyWiper destructive malware occurred and ongoing targeting of Ukrainian government entities with malicious backdoors was reported. However, in April, Ukraine’s Computer Emergency Response Team (CERT-UA) reported an unsuccessful destructive and disruptive cyberattack targeting the country’s electrical infrastructure using the CaddyWiper and Industroyer2 malware. CERT-UA and other cybersecurity experts investigating the incident assessed the state-sponsored group known as Sandworm (see below) was responsible for the attack.
The impact of the successful attacks was significant. ViaSat stated that thousands of residential consumers in Ukraine and tens of thousands across Europe were left without residential satellite Internet access. Internet accessibility since the invasion has reportedly been volatile due to the ongoing denial of service and destructive attacks against Triolan, Ukrtelecom, and other organizations.
Reporting of the Industroyer2 attack was released in April 2022. Though the attack was defended against, CERT-UA noted the attackers gained their initial access no later than February 2022. Because the definitive time of initial access is not known and the attack was rebuffed, it has not been included in the main timeline (Figure 1). Still, the significance of the attempt should not be discarded.
Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST), publicly attributed and tracked as the Sandworm threat group, has a documented history of targeting Ukrainian public utilities and other organizations with cyberattacks:
- In 2015, Sandworm conducted cyberattacks against electrical companies and government organizations using the BlackEnergy destructive malware. The attacks on the electric utilities resulted in widespread power outages impacting approximately 225,000 customers in the affected region.
- In 2016, Sandworm conducted another cyberattack against an electric transmission station near Kyiv using the Industroyer destructive malware. This attack directly impacted Kyiv, causing blackouts in a portion of the capital city.
- In 2017, Sandworm launched a far-reaching attack, distributing the NotPetya destructive malware via the M.E.Doc accounting and tax software. M.E.Doc was designed specifically to interact with Ukrainian tax systems, implying that the intended victims were Ukrainian. However, systems across the globe were also impacted, causing over $1 billion in losses to organizations in and outside of Ukraine.
Before the invasion, there was much discussion among cyber threat intelligence and foreign affairs experts about Russia’s likely reliance on a cyber-driven offensive should it engage in kinetic warfare against Ukraine.
- In December 2021, William Courtney, former U.S. ambassador to Kazakhstan and Georgia, and current adjunct senior fellow at the RAND Corporation, stated “If Russia were to invade Ukraine, it would likely employ massive cyber and electronic warfare tools…The aim would be to create ‘shock and awe,’ causing Ukraine’s defenses or will to fight to collapse.”
- In January 2022, John Hultquist, VP of Intelligence Analysis at Mandiant, published a blog post outlining how disruptive and destructive cyberattacks, as well as information operations, could be a large part of the Russian strategy.
- Jonathon Reiber, former chief strategy officer for cyber policy in the Office of the Secretary of Defense, stated “This may end up being the first declared hostility where cyberspace operations are a part of an integrated offensive military invasion.”
One perspective circulating since the official invasion has been that Russia’s cyberattacks in the lead up to and during the initial invasion of Ukraine have been notably tempered, especially when compared to the extreme scenarios that have circulated throughout the cybersecurity and intelligence fields since the 2015 and 2016 electric utilities attacks and the NotPetya outbreak. Several experts in the cybersecurity, intelligence, and foreign affairs fields expressed confusion and disbelief at the apparent lack of impactful cyberattacks.
- Dmitri Alperovitch, a co-founder of the cybersecurity company CrowdStrike and respected expert in the crossover of cyber and foreign affairs, had an immediate thought on February 24: “I expected them to shut down cell networks and Internet and try to prevent some of the horrible videos and photos from getting out.”
- Former Cybersecurity and Infrastructure Security Agency (CISA) head Chris Krebs stated “The future think-tank monographs and war college lectures which will inevitably unpick Moscow’s strategy are likely to focus on the surprising lack of cyberattacks in Putin’s invasion plan. Theories range from the Russians not trying all that hard on the offensive cyber front, to the idea that they did — but that Ukrainian and western defenders proved too formidable.”
- John Hultquist provided a potential explanation for the lack of cyberattacks witnessed during the invasion, stating “Russia has other tools to disrupt Ukrainian infrastructure, like kinetic weapons, and may not need to lean on cyber in their campaign.”
- Thomas Rid, professor at Johns Hopkins University School of Advanced International Studies, proposed a differing idea to these three, stating “Cyberwar has come, is happening now and will most likely escalate. But the digital confrontation is playing out in the shadows, as inconspicuous as it is insidious.”
 Alperovitch’s comment was made prior to public knowledge of most of the attacks that occurred on February 24th.
Four main hypotheses have been disseminated in the weeks since Russia invaded Ukraine.
- Russia’s military cyber units conducted cyberattacks on Ukrainian targets before, during, and since the invasion. This is supported by several key pieces of evidence, especially the destructive malware attacks reported to have occurred on February 24. (H1)
- Russia strategically decided not to conduct impactful cyberattacks in coordination with their invasion, instead relying on kinetic attacks rather than cyberattacks. (H2)
- Ukrainian cybersecurity defenses repelled Russian cyberattacks, resulting in less impactful attacks. The key piece of evidence here was the discovery and deterrence of a suspected Sandworm attack against the Ukrainian electric grid. (H3)
- Russian cyberattacks against Ukrainian organizations before and during the initial invasion are not yet known. Incident investigation and response to cyberattacks take time and dedicated resources, both of which were in short supply while Russian forces came across the Ukrainian borders. (H4)
An Analysis of Competing Hypotheses (ACH) was created to support the analysis of these four hypotheses and eliminate biases while crafting an assessment. As a result, the least likely hypothesis is that Russia strategically decided against the use of cyberattacks to support the invasion of Ukraine. The available evidence most supports the idea that Russian cyberattacks did occur in conjunction with the invasion of Ukraine; however, the reporting of these attacks did not occur immediately. Additionally, while there was a publicly reported instance of a successful defense against the Industroyer2 cyberattack in April, multiple destructive attacks were reported on February 24.
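How an ACH matrix of this kind is scored, as an added example that is not the report's own matrix: the evidence rows are taken from the report, while the consistency ratings, weights, and function names are constructed assumptions for illustration.

```python
# Added example: ACH scoring. Evidence rows come from the report; the ratings
# and weights are constructed assumptions, not the report's own matrix.
HYPOTHESES = ["H1", "H2", "H3", "H4"]  # as labelled in the list above

# (evidence, weight, ratings for H1..H4): C consistent, I inconsistent, N neutral
MATRIX = [
    ("Feb 24 wipers hit government entities",         2, "CIIN"),
    ("Feb 24 ViaSat and Triolan disruptions",         2, "CIIN"),
    ("Feb 13/23 denial of service attacks",           1, "CNNN"),
    ("Industroyer2 grid attack repelled",             2, "CICN"),
    ("Industroyer2 access by Feb, reported in April", 1, "CINC"),
    ("No widespread blackouts reported",              1, "CCCC"),
]

def validate(matrix):
    """Reject rows with a missing rating or a rating outside C/I/N."""
    for evidence, _, ratings in matrix:
        if len(ratings) != len(HYPOTHESES) or set(ratings) - set("CIN"):
            raise ValueError(f"bad ratings for {evidence!r}: {ratings!r}")

def inconsistency_scores(matrix):
    """ACH ranks by weighted evidence AGAINST each hypothesis, not for it."""
    validate(matrix)
    scores = dict.fromkeys(HYPOTHESES, 0)
    for _, weight, ratings in matrix:
        for hyp, rating in zip(HYPOTHESES, ratings):
            if rating == "I":
                scores[hyp] += weight
    return scores

def rank(matrix):
    """Most likely first (lowest inconsistency); ties keep hypothesis order."""
    scores = inconsistency_scores(matrix)
    return sorted(HYPOTHESES, key=lambda h: scores[h])

def non_diagnostic(matrix):
    """Evidence rated identically for every hypothesis cannot separate them."""
    return [ev for ev, _, ratings in matrix if len(set(ratings)) == 1]

def fragile_evidence(matrix):
    """Sensitivity check: rows whose removal alone changes the ranking."""
    base = rank(matrix)
    return [matrix[i][0] for i in range(len(matrix))
            if rank(matrix[:i] + matrix[i + 1:]) != base]

if __name__ == "__main__":
    print(inconsistency_scores(MATRIX))
    print(rank(MATRIX))
    print(non_diagnostic(MATRIX), fragile_evidence(MATRIX))
```

With these constructed ratings, H1 and H4 carry no inconsistent evidence and H2 carries the most, and the absence of widespread blackouts turns out to be non-diagnostic because it is consistent with all four hypotheses.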
As the timeline and ACH show, disruptive and destructive cyberattacks did take place in coordination with the invasion of Ukraine, and other similar attacks may yet be discovered, investigated, and reported. This assessment assumes that additional or more impactful cyberattacks have not taken place; an assumption that could change should more information become public knowledge. Another important assumption within this assessment is the possibility of confirmation bias. None of the cyberattacks occurring on February 24 have been officially attributed to any threat group or country and the timing of these attacks could be circumstantial. Further analysis of those attacks, technical and strategic, needs to occur for attribution to be assigned.
Initial reactions from experts expressing surprise at the apparent lack of cyber-enabled disruption and destruction during the invasion are just that — initial reactions. Still, the historical attacks in 2015 and 2016 launched by Russia against the electrical grid were largely assessed to be a precursor of what would come should Russia ever invade Ukraine. The doomsday scenarios that were often extrapolated in boardrooms and media reports following the BlackEnergy, Industroyer, and NotPetya attacks likely led to an exaggerated vision of what a “cyberwar” would look like when combined with kinetic warfare.
Widespread blackouts, disabled Internet connectivity, digital communications inaccessible; this extreme level of cyber-enabled disruption has yet to be seen in this conflict. While Internet connectivity has been intermittent, the widespread power outages that were predicted in this scenario have yet to occur, or yet to be reported. There have been disruptions of power, especially in cities like Mariupol and Kharkiv, but whether they were caused by kinetic attacks like bombs and rockets or a cyberattack may never be known.