Whatever Happened to Russia’s Vaunted Cyberoffensive?

People had already begun laying flowers in front of the Ukrainian Embassy in London by the time Liam Maxwell arrived for a lunchtime meeting with Vadym Prystaiko, the Ukrainian ambassador to the United Kingdom, on Feb. 24, the day that Russia sent troops and missiles screaming over the Ukrainian border in the opening phases of the largest ground war in Europe since World War II.

As director of government transformation at Amazon Web Services, the online retail giant’s cloud computing arm, Maxwell had come to see how the company could assist the Ukrainian government as it came under Russian assault. Over a lunch of borscht, they quickly settled on the idea of ​​migrating government systems to the cloud to protect vital data and ensure that they could continue to operate regardless of the damage wrought by Russia.

“We sat down and we went, ‘Right, what’s the first thing we need to save?'” said Maxwell, who previously served as the British government’s national technology advisor.

On the back of an index card, they began drafting a list of the most critical government databases to preserve: a list of the country’s population; the land ownership registry; the tax system; the anti-corruption and procurement systems; and the justice, education, and health care systems. As he left the embassy that day with a list of Ukraine’s most precious digital assets in hand, a distinct thought passed through Maxwell’s mind: “Don’t mess this up.”

Over the next several months, Amazon Web Services helped Kyiv migrate over 10 petabytes, a colossal amount of crucial government data, from across almost 30 government ministries to the cloud and out of the reach of Russia’s invading forces. Mykhailo Fedorov, Ukraine’s minister for digital transformation, would later credit the move with helping to preserve the Ukrainian government and economy.

“Russian missiles can’t destroy the cloud,” he said at an Amazon Web Services conference in Las Vegas in November.

Ahead of Russia’s invasion of Ukraine, there was widespread belief that a ground invasion would be accompanied by a cyber-doomsday that would take out much of the country’s critical infrastructure. Despite some early successes, including a malware attack on an American satellite communications system used by the Ukrainian military, the anticipated digital route of Ukraine never materialized.

Part of the answer as to why lies in the unprecedented degree of cooperation among technology companies such as Amazon, Ukraine, and Western governments that have rallied to help shore up Kyiv’s cyberdefenses. “I’ve never seen this level of public-private collaboration; it’s really been remarkable,” he said Anne Neuberger, deputy US national security advisor for cyber and emerging technology, in an interview with Foreign Policy.

But it is also just one piece of the puzzle. One reason the feared cyber-Armageddon never came to be is that the flawed assumptions that underpinned the opening moves of the Russian invasion—namely, that Kyiv would fold within a matter of days—appear to have extended to their cyberoperations as well. “Akin to the military invasion, it appears the Russians expected to be quickly successful and, as such, hadn’t planned for a more extensive, lengthy—and, frankly, integrated—cyber operation,” Neuberger said.

Still, while the battlefields of eastern Ukraine have increasingly come to resemble the trenches of World War I, the first world cyberwar, as Fedorov has dubbed it, is being closely studied by cybersecurity experts and government officials seeking to gain a glimpse into the future of cyberconflict.

As Russian forces moved in to occupy Ukrainian territory in the early stages of the war, so-called hunt teams deployed by cybersecurity firm Mandiant watched as regional offices or data centers belonging to government agencies were overrun by Russian troops who used those networks to launch cyberattacks on other computers within the network in Ukrainian-held territory. Similarly, in the hours just before the start of the war, Russian hackers succeeded in temporarily crippling the Ukrainian military’s communications by attacking modems and routers that form part of the US-based Viasat’s European satellite network. The attack also affected tens of thousands of customers in Europe, including the French emergency services.

“Clearly, there is some battlefield coordination with cyber units to hijack those systems,” said Ron Bushar, head of government solutions at Mandiant. He said that it was unclear whether cyber units were embedded with Russian ground forces or troops with basic computing skills were able to plug some kind of device into the Ukrainian systems that were then accessed remotely by hackers in Russia.

While Moscow’s failures on the battlefield may have prompted NATO allies to reassess Russia’s military prowess, Bushar said it’s too soon to count Russia out as a formidable cyberpower.

“I would never discount Russia’s ability, especially on the foreign intelligence side of the house, to execute some frankly scary technologies.”

From February through October of this year, Mandiant has tracked 16 unique destructive or disruptive attacks on Ukrainian entities that it has been supporting, according to data provided by the company, which noted that attacks are still ongoing. And while Russia has more often been the perpetrator than the victim of cyberattacks, a wartime scenario means it also has to maintain its own cyberdefenses—without the support from allies and the private sector that Ukraine has benefited from.

“In the physical world, for a military force to be on the highest alert for a year is very difficult,” he said Sergey Shykevich, threat intelligence group manager at cybersecurity firm Check Point. “In cyberwarfare it’s the same—for defense, it’s not easy.”

Cyberoperations fall into two broad categories: intelligence gathering and offensive attacks. Once you’ve breached a computer system, you can either quietly hunker down and listen in, or wreck the place. In the case of the former, Russia’s foreign intelligence service, the SVR, is regarded as highly sophisticated. The 2020 hack of the Texas-based software company SolarWinds succeeded in compromising about 100 companies, including Microsoft and Intel, and at least nine government agencies including the Pentagon, the Treasury, and the Department of Energy. Proceeding from eavesdropping to jaw-dropping is where Moscow starts to stumble.

“Russia is really immature from the standpoint of incorporating what they know from the intelligence and subversion that they’re very skilled at in the cyberdomain,” said Gavin Wilde, an expert on Russia’s cybercapabilities with the Carnegie Endowment for International Peace. “Translating that into military objectives is a very different ballgame,” he said.

An artillery tube can be fired over and over (until it wears out). Each digital weapon can only be deployed once. After it has been exposed and a fix has been developed, its potency is spent. “It gets incrementally harder to get into these environments as you continue to attack them,” Bushar said.

While Russia has launched devastating cyberattacks on Ukraine’s energy grid in the past, plunging more than 200,000 homes into darkness in a highly sophisticated attack in 2015, Moscow appears to have come to the conclusion that lobbing missiles at the country’s electrical substations can cause more chaos. The attacks have already destroyed half of the country’s energy infrastructure, according to the United Nations.

Russia’s own need for critical Ukrainian infrastructure for its military operations on the ground, particularly in the early days of the conflict, may have contributed to its cyberwarriors holding back more than they might have, according to Shykevich. “Russian forces needed the electricity, the water supply, because, as we all know, there are a lot of problems in the logistics of the Russian army,” he said.

One advantage for Ukraine of having regularly come under Russian cyberattack over the past several years is that it has given Ukrainians time and expertise to hone their defenses ahead of the assault that began in February. One week before the Russian invasion, Ukraine’s parliament passed a law allowing government agencies to use cloud-based services to store data, which paved the way for the mass migration of critical information on Amazon’s servers in the early days of the war. There are also echoes of the warring parties’ respective strengths and weaknesses on the battlefield playing out in the cyber-realm. Without a stand-alone cyber command, coordination of Russia’s cyber operations is run out of the presidential administration, undermining its ability to respond quickly to the realities of the conflict.

“The Ukrainians have shown the value of being able to be nimble in their strategic communications, their information operations, and their cyberdefenses,” Wilde said. “That mirrors what I think is happening on the kinetic battlefield as well.”

The other pillar of Ukraine’s digital success has been the remarkable coordination between both private technology companies and foreign governments to aid Kyiv’s cyber defenses. Unlike in conventional warfare, where states have a near-monopoly on the use of force, the cyber-realm is dominated by the private sector, giving larger companies a unique overview. “In a certain sense, Microsoft is the largest signals intelligence agency in the world,” Wilde said.

The absence so far of a doomsday attack by Russia on Ukraine or its Western allies does not mean they can rest easy, experts say. In fact, they may need to be even more alert in the months to come, as the region’s punishing winter potentially makes conventional warfare more challenging. “Unfortunately, I think there is much more to come,” Shykevich said.

The risk of digital attacks spilling beyond Ukraine’s borders is also increasing. Cyberattacks on Latvia have gone up 30 percent since the start of the Ukraine invasion, a senior official of the country’s Computer Emergency Readiness Team said in an interview with cybersecurity firm Recorded Future, and the country has been a frequent target of Russian hacktivist groups such as Killnet. In a report earlier this month, Microsoft said Russian military intelligence had also carried out a ransomware-style attack on Ukraine’s neighbor and ally Poland, pointing to the attack as a possible signal of things to come.

This was the first war-related cyberattack against entities outside of Ukraine since the Viasat KA-SAT attack at the start of the invasion,” Microsoft said. “We believe these recent trends suggest that the world should be prepared for several lines of potential Russian attack in the digital domain over the course of this winter.”

While the United States has not observed any intelligence that Russia plans to ramp up its offensive cyberoperations, neither Ukraine nor its Western partners are letting their guards down. “We still believe—given its winter, given its energy systems, given there’s an ongoing complex crisis situation—we must ultimately prepare for any scenario,” Neuberger said.

The emerging lessons from the war in Ukraine underscore the difficulty of trying to wage a conventional battle alongside a digital one.

“I think that tells you a lot about the limitations of cyberwarfare, and the idea that this is going to be a critical part of every war going forward was a misguided analysis,” said Dmitri Alperovitch, chairman of the think tank Silverado Policy Accelerator.

Leave a Comment