18 February 2023

Why Russia has failed to win the cyberwar in Ukraine


The printers of the offices of the European Commission, in Brussels, were working at full capacity in the spring of 2022. Names, phone numbers and other staff contact details were being put on paper, along with other documents containing all the necessary information for the European Union to continue to be operational in the event of an IT blackout, a genuine concern after Russia invaded Ukraine in February of that year. However, such a blow has not materialized. Although the shadow of a major cyberattack with international consequences has loomed over Europe since the beginning of the war, a week before the first anniversary of the Kremlin’s assault, cyberwarfare still has not played a significant role in the conflict.

There were persuasive reasons to believe it would be a more decisive factor. In December 2015, not long after Moscow’s annexation of Crimea, Russia carried out one of the most sophisticated attacks on energy infrastructure in history: intruders who had gained a foothold with the BlackEnergy malware switched off substations at three regional electricity distributors, leaving around 230,000 Ukrainians without power in the dead of winter, and a second attack hit Kyiv’s grid a year later. Then, in 2017, Kremlin-related groups launched NotPetya. Initially aimed at Ukrainian companies and public institutions, this cyberweapon took on the appearance of ransomware, which encrypts a victim’s files and offers to decrypt them in exchange for money, although NotPetya offered no such option: it simply destroyed data. It eventually spread to a large part of the world, with at least 300,000 computers affected, and is still considered one of the most damaging cyberattacks in history.

But no digital attacks on that scale have been staged by Moscow since the invasion began. “Russian cyber forces as well as their traditional military forces have underperformed against expectations,” Mieke Eoyang, deputy assistant secretary of defense for cyber policy at the Pentagon, said in November. “Russia was not prepared for the conflict to go on as long as it did.” Lindy Cameron, chief executive of the UK’s National Cyber Security Centre, has also stated that Russian cyberattacks “simply have not had the intended impact.”

This has not been for lack of trying. As NATO’s top intelligence official David Cattler explained in April, Russia used more destructive malware against Ukraine in the first quarter of 2022 “than the rest of the world’s cyber-powers combined typically use in a given year.” As soon as the conflict started, Russia attacked several Ukrainian government organizations and financial companies with a wiper (a type of malware designed to erase data rather than hold it for ransom). They also knocked several government websites offline. In the hours around the start of the invasion, another wiper, AcidRain, bricked tens of thousands of modems on Viasat’s KA-SAT satellite broadband network, which the Ukrainian military relied on among many other customers; the loss of connectivity was later offset by the delivery of terminals for Elon Musk’s Starlink satellite system.

“The world has overestimated Russia in many ways,” Ukraine’s Vice Prime Minister Mykhailo Fedorov told EL PAÍS via email. One clear example is the “myth” that Moscow possesses some of the world’s best hackers. “Ukraine has totally proved the opposite, we keep going, [after] almost a year of the full-scale invasion.” Fedorov, who is also the minister of digital transformation and the head of the country’s cyberdefense effort, points out that Kyiv counters Russian cyberattacks on a daily basis and while several thousand attacks have been detected since February 24, 2022, they have not caused any real losses to the economy, stopped the banks from operating or damaged any critical infrastructure. “Our cybersecurity system is efficient,” he adds.

While Russian missiles have caused power supply disruptions, computers have not. Nor have Ukrainians stopped being able to make phone calls or use the internet. Fedorov explains that they have three types of communications systems that complement each other: broadband, mobile and satellite. If the broadband internet goes down due to a lack of electricity, the mobile connection keeps things working, and vice versa. And if the classic networks are completely destroyed, “wireless communication from Starlink saves the situation,” says Fedorov.

The Russian digital offensive

Is Russia losing in the field of cyberwarfare? Has it deployed its entire arsenal, or does it have an ace up its sleeve? “Russian APTs [Advanced Persistent Threats, the industry label for well-resourced, persistent intrusion groups, many of which are run or directed by state intelligence services] are well-known internationally. I would be surprised if they have not been interested in attacking until now,” says Guillermo Suárez-Tangil, a researcher at the IMDEA Networks Institute in Madrid, Spain.

It is impossible to know if Moscow has more resources than it has so far used. Analysts are divided between those who believe that the Kremlin’s potential in the cyber arena has been overestimated and those who believe that, for whatever reason, Moscow still has not unleashed its full virtual firepower. Adam Meyers, vice president of intelligence at the Texan cybersecurity company CrowdStrike, speculates that the Russians did not launch any devastating attacks at the beginning of the war because they thought they would reach Kyiv in two or three days, and they would need the country’s infrastructure, which would also explain why they did not destroy Ukraine’s mobile networks.

According to the Microsoft Digital Defense Report 2022, Russian cyber commandos initially attempted to destroy data and destabilize Ukrainian government agencies, and as the war has progressed, they have “sought to derail the transport of military and humanitarian assistance to Ukraine, disrupt public access to services and media, and steal information of longer-term intelligence or economic value to Russia.”

There are many reasons to doubt the effectiveness of the Russian army in the virtual field. Early in the war, Russian troops were largely dependent on the infrastructure of captured territories. They used ordinary cellphones for military communications. Had that failed, Meyers points out, it would have been a problem for the war effort. It was through an intercepted call on an unencrypted civilian phone, rather than a secure military system, that the world learned that one of the most senior Russian officers deployed in Ukraine, Major General Vitaly Gerasimov, had died a few weeks after the start of the war. That leak cast serious doubts over the security of Russia’s own military communications.

Daniel Moore, author of the book Offensive Cyber Operations, believes that Russia has done what was to be expected: launching cyberattacks in combination with military incursions to disable Ukrainian communications. The Russians have proved to be technically capable but disorganized from an operational point of view, he explains. Thus, many of their attacks have caused either too much damage or too little. That was the case with NotPetya, which targeted a number of Ukrainian institutions and companies and ended up causing more than $10 billion in losses around the world.

Another factor that may explain the limited impact of Russia’s digital operations is organizational: within the Russian services, the units responsible for offensive cyber operations are the same ones that run disinformation campaigns, and they have concentrated their effort on the latter.

A strong defense

In February 2022, Ukraine was better prepared to deal with Russian cyberattacks than it had been in 2014. Having Russia as a neighbor – Fedorov explains – the country focused its attention on strengthening its cybersecurity, increasing investment, working with international partners and hiring renowned specialists. And in addition to the EU and other national governments, Ukraine has the support of an international volunteer force of hacktivists known as the IT Army, which performs tasks that Kyiv coordinates through a Telegram channel.

“Several campaigns have been detected that could be compared to NotPetya. The lessons learned in recent years and the support of cybersecurity companies have helped mitigate their impact,” says Josep Albors, research director of cybersecurity firm ESET in Spain. The Slovak company is, together with Microsoft, one of the most active in the cyberdefense of Ukraine, and the support of these big companies has helped Kyiv to develop very strong defenses in the virtual field. This collaboration has made it possible to identify “numerous wiper campaigns that have been taking place, from hours before the start of the invasion until just a few weeks ago,” says Albors, “in addition to detecting and blocking, together with the authorities of Kyiv, an attempt by Industroyer2 to leave a large region of the country without power.”

Another key element of the Ukrainian resistance concerns the management of the data centers where the systems are housed. “In recent years Ukraine reached agreements with other countries as well as with Amazon Web Services to generate digital twins, so that if one is rendered unusable on Ukrainian soil there is a copy elsewhere,” explains Raquel Jorge, a technology policy analyst at the Elcano Royal Institute for International and Strategic Studies, in Spain. Fedorov highlights Poland’s assistance in this regard, pointing out that some Ukrainian records and backups have been transferred to Warsaw. They also established an infrastructure to house tax records and other data from the Treasury on Polish soil.

After almost a year, Ukraine continues to resist the Russian invasion, both military and cyber. Nonetheless, a prolonged conflict could bring new surprises in the digital arena. According to an investigation, the cyberattack campaign that left Ukraine without electricity in 2015 took 19 months of planning and work; even if Russia has used up its aces, the longer the war carries on, the more time Moscow will have to develop, deploy and activate more significant cyberattacks, warns Moore.
