Six months ago, the prospect of a major industrialized country attacking its neighbor both digitally and physically was no longer a theoretical exercise.
But the cyberattacks on Ukraine’s infrastructure that preceded and then paralleled Russia’s unprovoked invasion have yet to prove any more successful than Russia’s attempts to overrun Kiev and install a puppet regime.
“We haven’t seen the Russian government continue with the activity as they had in the beginning,” said Mikko Hypponen, chief investigative officer at cybersecurity firm WithSecure, “which is interesting and not really what I expected.”
Meanwhile, both Ukraine and its allies in the West have had a chance to observe and learn from the Kremlin’s malware tactics. Among the lessons so far:
Malware developers ship early and often
Russia’s digital attacks on its neighbor began more than eight years ago, just as Russian troops first crossed the border into Ukraine in much smaller numbers in 2014, and Russian malware has gone through multiple update cycles since. As with many software projects, some releases have dropped features.
An early family of malware called BlackEnergy, delivered via spear-phishing emails that exploited a zero-day vulnerability in Microsoft Office, allowed Russian operators to take over control systems at Ukrainian utilities. The blackout they staged on December 23, 2015 left some 225,000 people in the dark, and their use of “wiper” tools to erase the hard drives or firmware of remote terminals helped extend the outage by six hours.
A year later, the Sandworm group behind BlackEnergy debuted new malware, discovered and dubbed Industroyer by the Bratislava, Slovakia, security company ESET, which can automatically sabotage systems once it is inside a utility’s network. But a remote blackout on December 17, 2016 only turned off the lights in parts of Ukraine for about one hour, because Industroyer did not wipe any terminals.
Meanwhile, Russian malware developers dramatically ramped up their activities in the run-up to Russia’s February 24 frontal attack. The security company Fortinet has tracked seven different wipers deployed against Ukraine in 2022 alone, which complicates the task of defenders.
Practice matters for defenders, but luck can also help
By early 2022, Ukrainian defenders had years of experience detecting and mitigating Russian malware. As a result, the Kremlin’s third attempt at a malware-induced blackout, carried out on April 8 with an update called Industroyer2, was the least successful exercise to date.
“While the first Industroyer incident caused the one-hour power outage, the latter has not even achieved that,” said Robert Lipovsky, principal threat intelligence researcher at ESET, in a briefing at the Black Hat information security conference in Las Vegas in August, crediting Ukraine for becoming more resilient.
In addition to the benefits of years of practice, Ukraine benefited from both rapid alerts about this campaign from Western companies and rapid information exchange among organizations such as ESET, Microsoft, the US Cybersecurity and Infrastructure Security Agency, and Ukraine’s Computer Emergency Response Team.
Kiev also caught a windfall. Victor Zhora, deputy chairman of Ukraine’s State Service of Special Communications and Information Protection, joined Lipovsky at the Black Hat briefing to explain how Sandworm had set Industroyer2 to activate at 5:58 PM local time.
“These attackers were missing one very important thing, which is a short workday on Friday,” he said, estimating that 95% of the targeted workstations had already been shut down by that time.
Russian cyberattacks have continued since then, but have not been much more effective. On Tuesday, Russian hackers attempted distributed-denial-of-service attacks that flooded three high-profile Ukrainian sites with junk traffic; in all three cases, defenders were able to defeat the “DDoS” attacks and make the sites function properly again.
Deterrence also works for malware
Security experts can list the defensive measures major infrastructure providers should have taken before Russian tanks began rolling into Ukraine: separating the networks that monitor critical hardware from less sensitive IT networks, protecting accounts with multi-factor authentication (USB security keys are particularly valuable because they defeat phishing attempts: they only answer a login request that comes from the correct domain), and continuously training staff on security.
But the fact that Russia has not been as aggressive in its digital offensive as many experts had expected, even as the US and its NATO allies have aggressively provided Ukraine with weapons that have helped destroy hundreds of those Russian tanks, points to another limiting factor: deterrence.
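The security-key point above rests on how FIDO2/WebAuthn binds a login to its origin. The following added example (not code from the article or from any vendor it mentions) simulates that check from the relying party’s side: the browser, not the user, fills in the origin, the key signs over the authenticator data and a hash of that client data, and the site rejects anything not tied to its own domain. The relying-party name `bank.example`, the look-alike `bank-example.com`, and the use of HMAC in place of the key’s ECDSA P-256 signature are assumptions made so the example runs on the standard library alone.

```python
# Added example: why a WebAuthn security key is phishing-resistant.
# Simplification (assumption): HMAC stands in for the key's ECDSA signature.
import hashlib, hmac, json, os

RP_ID = "bank.example"              # hypothetical relying party
RP_ORIGIN = "https://bank.example"

def authenticator_assert(key_secret: bytes, origin: str, rp_id: str, challenge: str):
    """What browser + security key return for a login request seen at `origin`."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    # authenticatorData = rpIdHash || flags (UP set) || signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    sig = hmac.new(key_secret, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return client_data, auth_data, sig

def rp_verify(key_secret: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> str:
    """Relying-party checks in spec order; returns 'ok' or the reason for rejection."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), challenge):
        return "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:               # the phishing-resistance check
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    expected = hmac.new(key_secret, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "bad signature"
    return "ok"

def demo() -> dict:
    key, challenge = os.urandom(32), os.urandom(16).hex()
    results = {"legit": rp_verify(key, challenge,
                                  *authenticator_assert(key, RP_ORIGIN, RP_ID, challenge))}
    # Look-alike site relays the real challenge, but the browser records its own origin.
    cd, ad, sig = authenticator_assert(key, "https://bank-example.com", "bank-example.com", challenge)
    results["phish"] = rp_verify(key, challenge, cd, ad, sig)
    # Relay rewrites origin and rpIdHash to the real site's; the signature no longer matches.
    fixed_cd = json.dumps({**json.loads(cd), "origin": RP_ORIGIN}, sort_keys=True).encode()
    fixed_ad = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    results["tampered"] = rp_verify(key, challenge, fixed_cd, fixed_ad, sig)
    return results
```

A relayed assertion from the look-alike domain fails on the origin check, and patching the origin afterwards breaks the signature, which is exactly the property the article credits security keys with.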
“Russia has failed to carry out some of the attacks it could have launched,” said Vint Cerf, who co-developed the internet’s TCP/IP protocols and is now a vice president and chief internet evangelist at Google.
“I think the Russians have also become more and more dependent on their own network,” he says. “You do have to think twice about attacking someone else because of the possibility that you’re going to have a counterattack.”
Tony Anscombe, chief security evangelist at ESET, suspects that the US and Russia, in particular, will continue to take a page from the nuclear-deterrence handbook by keeping the worst of their digital weapons offline: “They have a vault with zero-day exploits, and neither side wants to open the safe.”