February 20, 2023, by Jonathan Reed

Technical and non-physical attacks have always been a part of modern warfare. During World War II, the Allies used advanced cryptanalysis to decrypt encoded messages sent by the Axis powers using the Enigma ciphering system. Led by Alan Turing, this breakthrough provided the Allies with valuable military intelligence and helped win the war.

Fast forward to present-day warfare, where the cyber front has never been more intense. On February 24, Russia’s computer hackers targeted Ukraine’s satellite communications system, run by the U.S. firm Viasat, as Russian tanks prepared to invade. The attack occurred just before the invasion and was likely an attempt to disrupt Ukraine’s communications. Then there was an onslaught of wiper programs targeting hundreds of Ukrainian systems. Attackers later launched the malware Industroyer2 to take down the country’s electricity grid.

How effective were these attacks? What is the state of cyber war now? Let’s find out.

Level of damage depends on context

If you are sitting in an office in Silicon Valley and your network suffers a major incident, it’s a big deal. In some studies, the average cost of a data breach is $4.35 million. But when missiles, tanks and lost lives enter the picture, the entire perspective of cyber warfare changes. There’s no doubt cyberattacks have had an impact on Ukrainians. However, these attacks did not plunge the country into permanent darkness. They did not cut off communications and the internet completely. So at the level of a full-blown war, the impact of Russia’s cyber assault is debatable.

The Carnegie Endowment for International Peace stated that during the early stages of Russia’s invasion of Ukraine, cyberattacks may have had a limited impact. Traditional jamming techniques and the disruption of Viasat modems may have degraded Ukrainian communications. Data deletion attacks contributed to the chaos in Ukraine, but the organizations targeted reportedly experienced only minor disruptions.

More recently, the frequency, impact and novelty of Russian cyberattacks have significantly decreased. And the overall benefit to Moscow’s military ambitions may have been limited. On the other hand, maybe the expectations were so high that anything short of a total digital shutdown was a disappointment.

Ukraine’s cyber defense

According to the Carnegie Endowment, there are several reasons why Russia’s cyberattacks have not been as effective as they might have been. One major factor is a lack of Russian cyber capacity and capabilities. In addition, Moscow has weaknesses in its non-cyber institutions, while Ukraine — with significant external support — has made strong defensive efforts.

Moscow also made the mistake of maintaining or increasing its cyber activity against non-Ukrainian targets. As a result, Russia may have spread itself too thin. Also, Russia did not fully utilize cyber criminals as an auxiliary force against Ukraine. Russian President Vladimir Putin and his military may not be willing (or able) to plan and wage war in a way that fully leverages cyber operations.

Ukraine, on the other hand, has a resilient digital ecosystem and has made significant cybersecurity investments. The country also received a massive influx of support from leading international companies and governments. Still, even if some of these factors had been different, it is unclear whether they would have significantly improved the military utility of Russia’s cyber operations.

Intruders hiding in the shadows

Analyzing the effectiveness of cyber warfare in the midst of actual war is inexact. The decline in Russian attacks could also have been a tactical decision. For example, why waste resources on intricate and complex cyber plans when hard weaponry gets the job done faster? Or, perhaps the Kremlin decided to invest more in espionage and info gathering rather than trying to cripple infrastructure.

Recently, a Ukrainian Ministry of Defense email account was discovered sending phishing emails and instant messages to users of the DELTA situational awareness program. This was an attempt to infect systems with information-stealing malware. The campaign was identified by CERT-UA (Computer Emergency Response Team of Ukraine), which warned Ukrainian military personnel about the threat.

DELTA is an intelligence collection and management system developed by Ukraine with the assistance of its allies. The system helps the military monitor the movements of enemy forces. It provides real-time, comprehensive information from multiple sources on a digital map that can be accessed from any device.

Meanwhile, government entities in Ukraine have recently been the target of a cyberattack campaign in which malicious Windows 10 installer files were used to conduct post-exploitation activities. Discovered by Mandiant in July 2022, the trojanized ISO files were distributed through Ukrainian- and Russian-language torrent websites.

Once the trojanized installer runs, the malware gathers information about the infected system and exfiltrates it. While the origin of the adversary is unknown, the intrusions have targeted previous victims of disruptive wiper attacks attributed to APT28, a Russian state-sponsored actor. In this case, rather than destroy data, the perpetrators may now have decided to steal it to gain a tactical advantage.

Coordinating cyber and physical attacks

In some circles, there is a fascination with the idea of coordinating cyberattacks with physical ones. We might imagine a cyberattack that shuts down the electric grid of a town as tanks come rumbling in.

Russia has, on occasion, used cyberattacks to disable computer networks at a target before launching physical attacks such as ground invasions or missile strikes. For example, Microsoft cited an instance in March when it identified a Russian group infiltrating a nuclear power network. The next day the Russian military occupied the company’s largest nuclear power plant. Around the same time, Russia also compromised a government computer network in Vinnytsia. Two days later, the attacking army launched eight cruise missiles at the city’s airport.

As the Carnegie Endowment comments, these cyberattacks may not have actually caused any disabling effects, as they do not clearly meet the criteria for meaningful attacks. It’s possible that the attackers coordinated them with physical attacks. But they either failed to meet their objectives or were meant as intelligence-gathering operations in support of kinetic targeting.

As the war in Ukraine rages on, it will continue to be fought in both physical and cyber environments. We can only hope it ends soon.

Cultivate a resilient defense

The war in Ukraine has showcased the importance of a strong defense against malware.
