Six months ago, the prospect of a major industrialized country launching a full-fledged assault on its neighbor in both the digital and physical realms stopped being a theoretical exercise.
But the cyberattacks on Ukraine’s infrastructure that preceded and then paralleled Russia’s unprovoked invasion have yet to prove more successful than Russia’s attempts to overrun Kyiv and install a puppet regime.
“We haven’t seen the Russian government keep up the activity as they had in the beginning,” says Mikko Hypponen, chief research officer at cybersecurity firm WithSecure, “which is interesting, and not really what I was expecting.”
Along the way, both Ukraine and its allies in the West have had the chance to observe the Kremlin’s malware tactics and learn from them. Among the lessons so far:
Malware developers ship early and often
Russia’s digital attacks on its neighbor began a good eight years ago, much as Russian troops first crossed the border into Ukraine in far smaller numbers in 2014, and Russian malware has gone through multiple update cycles. And as in many software projects, some releases have dropped features.
For example, an early family of malware called BlackEnergy, delivered via spear-phishing emails that took advantage of a zero-day vulnerability in Microsoft Office, let Russian operators take over control systems at Ukrainian utilities. The blackout they staged on December 23, 2015, left some 225,000 people in the dark, and their use of “wiper” tools to blank the hard drives or firmware of remote terminals helped prolong the outage by six hours.
A year later, the Sandworm group behind BlackEnergy debuted new malware, discovered and dubbed Industroyer by the Bratislava, Slovakia, security firm ESET, that could sabotage systems automatically once inside a utility’s network. But a blackout remotely inflicted on December 17, 2016, only turned off the lights in parts of Ukraine for about an hour because Industroyer didn’t brick terminals.
Meanwhile, Russian malware developers dramatically stepped up their activity in the run-up to Russia’s frontal assault on February 24. The security firm Fortinet tracked seven different wipers deployed against Ukraine in 2022 alone, complicating the task of defenders.
Practice matters for defenders, but luck can help too
But by early 2022, Ukrainian defenders had years of experience detecting and mitigating Russian malware. As a result, the Kremlin’s third attempt at a malware-induced blackout—staged April 8 using an update called Industroyer2—was the least successful exercise yet.
“While the first Industroyer incident caused the blackout lasting one hour, this latest one didn’t even accomplish that,” said Robert Lipovsky, principal threat intelligence researcher at ESET, in a briefing at the Black Hat information-security conference in Las Vegas in August, crediting Ukraine for growing more resilient.
In addition to the benefits of years of practice, Ukraine benefited from both prompt warnings of this campaign from Western firms and rapid information-sharing among such organizations as ESET, Microsoft, the U.S. Cybersecurity and Infrastructure Security Agency, and Ukraine’s Computer Emergency Response Team.
Kyiv also caught one lucky break. Victor Zhora, deputy chair of Ukraine’s State Service for Special Communications and Information Protection, joined Lipovsky at the Black Hat briefing to note how Sandworm had set Industroyer2 to activate at 5:58 p.m. local time.
“These attackers missed one very important thing, that Friday is a short working day,” he said, estimating that 95% of targeted workstations had already been switched off by then.
Russian cyberattacks have continued since then but have not been much more effective. Tuesday, Russian hackers launched distributed-denial-of-service assaults that flooded three high-profile Ukrainian sites with junk traffic; in all three cases, defenders were able to defeat the “DDoS” attacks and restore the sites to proper operation.
Deterrence works for malware, too
Security experts can recite the defensive measures that key infrastructure providers should have already adopted before Russian tanks began rolling into Ukraine: segregating networks that control critical hardware from less sensitive IT networks, protecting accounts with multifactor authentication (USB security keys are especially valuable here, because they defeat phishing attempts by answering only a login-confirmation request that comes from the correct domain), and continuously training staff on security.
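The domain binding that makes USB security keys phishing-resistant, shown as an added example in Python that is not part of the article. It models the WebAuthn login flow in miniature: the browser, not the web page, writes the page's origin into the data the key signs and refuses a relying-party (RP) id that is not a suffix of that origin, and the site then checks both the origin and the RP id hash. The HMAC in place of the key's ECDSA key pair, the RP id `bank.example`, the look-alike `bank-login.example` and the challenge value are constructed stand-ins.

```python
import hashlib, hmac, json, os

RP_ID = "bank.example"               # constructed relying-party (RP) id
RP_ORIGIN = "https://bank.example"   # the only origin the RP accepts

def key_sign(creds, rp_id, client_data):
    """The USB key signs only with a credential scoped to rp_id (HMAC stands in for ECDSA)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    msg = auth_data + hashlib.sha256(client_data).digest()   # rpIdHash|flags|counter + hash
    return auth_data, hmac.new(creds[rp_id], msg, "sha256").digest()  # KeyError if unknown rp_id

def browser_get(creds, page_origin, rp_id, challenge):
    """The browser, not the page, writes the origin and enforces the RP id rule."""
    host = page_origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("SecurityError: rpId is not a registrable suffix of the origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    return client_data, key_sign(creds, rp_id, client_data)

def rp_verify(stored_key, challenge, client_data, assertion):
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:            # the check that makes phishing fail
        return False
    auth_data, sig = assertion
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(sig, hmac.new(stored_key, msg, "sha256").digest())

def demo(challenge="constructed-challenge-1"):
    creds = {RP_ID: os.urandom(32)}              # credential registered at the real site
    cd, a = browser_get(creds, RP_ORIGIN, RP_ID, challenge)
    legit = rp_verify(creds[RP_ID], challenge, cd, a)
    try:                                         # look-alike site relaying the real challenge
        browser_get(creds, "https://bank-login.example", RP_ID, challenge)
        refused = False
    except ValueError:
        refused = True
    # Even a tampered client that skips the browser rule cannot hide its origin from the RP.
    forged = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": "https://bank-login.example"}).encode()
    relayed = rp_verify(creds[RP_ID], challenge, forged, key_sign(creds, RP_ID, forged))
    return legit, refused, relayed
```

A one-time code or push notification carries no such origin, which is why a relay site can pass those along but not a security-key assertion.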
But the fact that Russia has not been as aggressive in its digital offensive as many experts expected—even as the U.S. and its NATO allies have aggressively supplied Ukraine with weapons that have helped shred hundreds of those Russian tanks—points to another limiting factor, deterrence.
“Russia has not launched some of the attacks it could have launched,” says Vint Cerf, who codeveloped the internet’s core TCP/IP framework and is now vice president and chief internet evangelist at Google.
“I think the Russians also have become increasingly dependent on their own network,” he says. “You have to think twice about attacking somebody else because of the possibility that you will get a counterattack.”
Tony Anscombe, chief security evangelist at ESET, suspects that the U.S. and Russia, in particular, will continue to take a page from the nuclear-deterrence handbook by keeping the worst of their digital weapons offline: “They have a safe with zero-day tickets, and neither side wants to open the safe.”