By Sean Lyngaas, CNN
US officials warned that a wave of debilitating cyberattacks could accompany Russia’s war on Ukraine. So far they haven’t materialized, and US and Ukrainian officials are contemplating why as they prepare for the next phase of the war.
There have been several hacks of Ukrainian organizations, but no reports yet of the sort of high-impact cyberattacks on transportation or electric infrastructure that some feared.
The possible explanations for this, analysts say, range from disorganization in Russian military planning to hardened Ukrainian defenses, to the fact that bombs and bullets take precedence over hacking in wartime.
The reason Russia has so far not flexed in cyberspace during the war may be unattainable — or require being inside the minds of Russian spy chiefs. But how US, European and Ukrainian officials perceive the situation shapes how they allocate resources to defend Ukrainian computer networks as the war continues.
“What we have seen to date from Russia’s state cyber actors appears to reflect the same challenges seen in their conventional forces,” said a US cyber defense official, who spoke on the condition of anonymity because they were not authorized to speak to the press. “It is likely that inadequate preparation and bad assumptions have resulted in a haphazard performance that underplays their known capabilities.”
Limited Russian cyberattacks
Cyberattacks have played a supporting, not a central, role in the war, and hacking incidents preceded and accompanied Russia’s bombardment of Ukraine:
• February 15: Cyberattacks temporarily knocked the websites of Ukrainian agencies and big banks offline. The White House blamed Russia for the incident (the Kremlin denied involvement).
• February 23: Hours before Russian airstrikes began hitting Ukraine, a cyberattack deleted data at multiple Ukrainian government agencies and private companies.
• February 25: Ukrainian government officials accused hackers working for the Belarusian Ministry of Defense of trying to break into the private email accounts of Ukrainian military personnel.
• March 10: Unidentified hackers caused disruptions at Ukrainian internet service provider Triolan, which has customers in big Ukrainian cities. Triolan blamed “the enemy” (a reference to Russia) for the incident but did not provide evidence to support the allegation.
Gen. Paul Nakasone, the most senior military cyber official in the US government, offered a vague, multi-faceted explanation for the relatively muted Russian cyber activity to lawmakers this week.
Defensive work by Ukrainians, “some of the challenges that the Russians have encountered, and some of the work that others have been able to prevent their actions” explained the situation, said Nakasone, who heads the National Security Agency and US Cyber Command.
“They bomb critical infrastructure, so they don’t need to hack it”
Ukrainian computer defenses have indeed improved since 2015 and 2016, when cyberattacks cut power in parts of Ukraine, and 2017, when devastating malicious software known as NotPetya emerged in the country and spread to organizations around the world, costing billions of dollars in damage. (The Justice Department blamed Russia’s GRU military intelligence directorate for all three attacks; the Kremlin denied involvement.)
But many analysts say that heightened Ukrainian cyber defenses cannot be the sole reason for the lack of visible Russian cyber operations. And US officials are predisposed to credit Ukrainian network defenses, which Washington has spent millions of dollars and countless hours on the ground building up in recent years.
Yegor Aushev, a Ukrainian cybersecurity executive who helped organize an ad hoc group of hackers to target Russian organizations during the war, offered a simpler explanation.
“The first phase of the war was a hybrid war,” Aushev said by phone from Ukraine this week.
The Russians, he said, used cyberattacks because there is plausible deniability in doing so. But the second phase of the war has been out in the open.
“They bomb critical infrastructure,” Aushev said. “So they don’t need to hack it, in hidden mode.”
John Hultquist, vice president of intelligence analysis at cybersecurity firm Mandiant, echoed that point.
“Cyberattacks are often reversible and they are often carried out for their psychological effects,” Hultquist, a US Army veteran, told CNN. “And in a situation when the Russians are already shelling cities, those effects are going to be fairly limited.”
The so-called Ukraine “IT army” that Aushev is working with claims thousands of volunteer hackers from Ukraine and abroad. The Ukrainian government is actively encouraging these cyberattacks on Russian organizations — and claiming that these hacks are disrupting Russian cyber activities aimed at Ukraine.
“As it turns out, [Russian computer] systems are not that secure,” boasted Serhiy Demedyuk, deputy secretary of Ukraine’s National Security and Defense Council. “They employed their potential to carry out destructive attacks on other states, but failed to secure their own resources.”
The extent to which pro-Ukraine hacking against Russian organizations has been successful is difficult to assess. There have been disruptions to Russian state media websites that parrot the Kremlin’s propaganda about the war.
The longer game
Another possibility is that the fog of war has obscured some Russian cyber activity.
We might not hear about it for months if some of the elite hacking teams associated with Russian intelligence services have engaged in significant activity in Ukraine, Hultquist said.
“It’s a perfect environment for chaos to hide in,” Hultquist told CNN.
All the more so if bombs destroy digital evidence of a hack.
The Ukrainian government has made plans to move some of its computer infrastructure out of Kyiv as Russian troops continue to pound the city. Preserving those digital records could be key to learning more about any additional Russian cyber activity during the war.
With the war grinding on, US and European officials are also wary of any spillover from a Russian hack in Ukraine that could hobble agencies or corporations in NATO countries.
The data-wiping hack on the eve of Russia’s invasion was precisely targeted, but did infect two Ukrainian government contractors with a presence in Latvia and Lithuania, which are NATO members.
NATO Secretary General Jens Stoltenberg has said a cyberattack could trigger NATO’s collective defense clause, requiring all members to defend against an attack on another member. But that has never happened and it is unclear what NATO’s threshold in cyberspace is.
Erica Lonergan, associate research scholar at Columbia University’s Saltzman Institute of War and Peace Studies, said it would make sense for Russia to retaliate against Western government sanctions in cyberspace in a way that doesn’t escalate conventional conflict with NATO.
“Precisely for the reasons that cyber isn’t necessarily useful in the battlefield, it is a way that states engage in subversion, create information advantage and cause disruption,” Lonergan told CNN.
™ & © 2022 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.