February 20, 2023, by Jonathan Reed

Technical and non-physical attacks have always been a part of modern warfare. During World War II, the Allies used advanced cryptanalysis to decrypt encoded messages sent by the Axis powers using the Enigma ciphering system. Led by Alan Turing, this breakthrough provided the Allies with valuable military intelligence and helped win the war.

Fast forward to present-day warfare, where the cyber front has never been more intense. On February 24, Russia’s computer hackers targeted Ukraine’s satellite communications system, run by the U.S. firm Viasat, as Russian tanks prepared to invade. The attack occurred just before the invasion and was likely an attempt to disrupt Ukraine’s communications. Then there was an onslaught of wiper programs targeting hundreds of Ukrainian systems. Attackers later launched the malware Industroyer2 to take down the country’s electricity grid.

How effective were these attacks? What is the state of cyber war now? Let’s find out.

Level of damage depends on context

If you are sitting in an office in Silicon Valley and your network suffers a major incident, it’s a big deal. In some studies, the average cost of a data breach is $4.35 million. But when missiles, tanks and lost lives enter the picture, the entire perspective of cyber warfare changes. There’s no doubt cyberattacks have had an impact on Ukrainians. However, these attacks did not plunge the country into permanent darkness. They did not cut off communications and the internet completely. So at the level of a full-blown war, the impact of Russia’s cyber assault is debatable.

The Carnegie Endowment for International Peace stated that during the early stages of Russia’s invasion of Ukraine, cyberattacks may have had a limited impact. Traditional jamming techniques and the disruption of Viasat modems may have degraded Ukrainian communications. Data deletion attacks contributed to the chaos in Ukraine, but the organizations targeted reportedly experienced only minor disruptions.

More recently, the frequency, impact and novelty of Russian cyberattacks have significantly decreased. And the overall benefit to Moscow’s military ambitions may have been limited. On the other hand, maybe the expectations were so high that anything short of a total digital shutdown was a disappointment.

Ukraine’s cyber defense

According to the Carnegie Endowment, there are several reasons why Russia’s cyberattacks have not been as effective as they might have been. One major factor is a lack of Russian cyber capacity and capabilities. In addition, Moscow has weaknesses in its non-cyber institutions, while Ukraine — with significant external support — has made strong defensive efforts.

Moscow also made the mistake of maintaining or increasing its cyber activity against non-Ukrainian targets. As a result, they may have spread themselves too thin. Also, Russia did not fully utilize cyber criminals as an auxiliary force against Ukraine. Russian President Vladimir Putin and his military may not be willing (or able) to plan and wage war in a way that fully leverages cyber operations.

Ukraine, on the other hand, has a resilient digital ecosystem and has made significant cybersecurity investments. The country also received a massive influx of support from leading international companies and governments. Still, even if some of these factors had been different, it is unclear whether they would have significantly improved the military utility of Russia’s cyber operations.

Intruders hiding in the shadows

Analyzing the effectiveness of cyber warfare in the midst of actual war is inexact. The decline in Russian attacks could also have been a tactical decision. For example, why waste resources on intricate and complex cyber plans when hard weaponry gets the job done faster? Or, perhaps the Kremlin decided to invest more in espionage and info gathering rather than trying to cripple infrastructure.

Recently, a Ukrainian Ministry of Defense email account was discovered sending phishing emails and instant messages to users of the DELTA situational awareness program. This was an attempt to infect systems with information-stealing malware. The campaign was identified by CERT-UA (Computer Emergency Response Team of Ukraine), which warned Ukrainian military personnel about the threat.

DELTA is an intelligence collection and management system developed by Ukraine with the assistance of its allies. The system helps the military monitor the movements of enemy forces. It provides real-time, comprehensive information from multiple sources on a digital map that can be accessed from any device.

Meanwhile, government entities in Ukraine have recently been the target of a cyberattack campaign in which malicious Windows 10 installer files were used to conduct post-exploitation activities. Discovered by Mandiant in July 2022, the trojanized ISO files were distributed through Ukrainian- and Russian-language torrent websites.

Once the trojanized installer is run, the malware gathers information about the infected system and exfiltrates it. While the origin of the adversary is unknown, the intrusions have targeted previous victims of disruptive wiper attacks attributed to APT28, a Russian state-sponsored actor. In this case, rather than destroying data, the perpetrators may have decided to steal it to gain a tactical advantage.

Coordinating cyber and physical attacks

In some circles, there is a fascination with the idea of coordinating cyberattacks with physical ones. We might imagine a cyberattack that shuts down the electric grid of a town as tanks come rumbling in.

Russia has, on occasion, used cyberattacks to disable computer networks at a target before launching physical attacks such as ground invasions or missile strikes. For example, Microsoft cited an instance in March when it identified a Russian group infiltrating a nuclear power network. The next day, the Russian military occupied the country’s largest nuclear power plant. Around the same time, Russia also compromised a government computer network in Vinnytsia. Two days later, the attacking army launched eight cruise missiles at the city’s airport.

As the Carnegie Endowment comments, these cyberattacks may not have actually caused any disabling effects, as they do not clearly meet the criteria for meaningful attacks. It’s possible that the attackers coordinated them with physical attacks. But they either failed to meet their objectives or were meant as intelligence-gathering operations in support of kinetic targeting.

As the war in Ukraine rages on, it will continue to be fought in both physical and cyber environments. We can only hope it ends soon.

Cultivate a resilient defense

The war in Ukraine has showcased the importance of a strong defense against malware.
