Russian invasion of Ukraine could redefine cyber warfare

The potential Russian invasion of Ukraine could give the world its first experience of a true cyber war.

Ukraine was beset by attacks earlier this month when hackers defaced and disabled more than 70 government websites, and Microsoft discovered malware planted in Ukrainian government systems that could be triggered at any moment.

While these instances raised concerns, they were only a hint of Russian cyber capabilities. In a full-scale cyber assault, Russia could take down the power grid, turn the heat off in the middle of winter and shut down Ukraine’s military command centers and cellular communications systems. A communications blackout could also provide opportunities for a massive disinformation campaign to undermine the Ukrainian government.

Such a nightmare for Ukraine could not only give Russian President Vladimir Putin an avenue to victory, but also provide a sneak peek into the future of warfare. That future also holds implications for Washington if Putin launches cyberattacks against the U.S. to retaliate against any sanctions President Joe Biden may impose. 

“We need to keep in mind who we are dealing with. These guys are not Boy Scouts. They are absolutely ruthless,” Lt. Gen. Ben Hodges, the former commanding general of the U.S. Army Europe, said in an interview. “They will do things that will ruin people and cause great harm. This is a serious thing. It’s not just about making the lights go on and off.”

Russia has honed its cyberattack strategy for more than two decades. Russian hackers turned out the lights in portions of Ukraine in 2015 and 2016, and unleashed a virus called NotPetya in 2017 that disabled Ukrainian government agencies, banking groups and the Chernobyl nuclear power plant before spreading unchecked to companies around the world.

Criminal hackers based in Russia have also been linked to attacks in the U.S., including the ransomware attacks last year on Colonial Pipeline and meat producer JBS. As far back as 2018, the Cybersecurity and Infrastructure Security Agency warned that the Russian government was actively targeting the U.S. energy, nuclear, water and other critical sectors.

Russia launched cyberattacks that overwhelmed the websites of Estonian government agencies and other national institutions in 2007 over disagreements around Estonia’s decision to move a Soviet-era World War II statue. In 2008, the Russian invasion of Georgia was preceded by a swarm of digital attacks that overwhelmed Georgia government websites with traffic and temporarily disabled them, including the website of the country’s president. During the invasion and seizure of Crimea in 2014, Russian hackers shut down telecommunications systems in the region, including through jamming the mobile phones of Ukrainian members of parliament. While intelligence agencies around the world have pinned these attacks on Russia, Moscow historically has either denied the incidents or avoided comment.

But these attacks are nothing compared to what a full-blown physical invasion coupled with cyber warfare would look like on a scale the world hasn’t fully reckoned with.

“This may end up being the first declared hostility where cyberspace operations are a part of an integrated offensive military invasion,” said Jonathan Reiber, the former chief strategy officer for cyber policy in the Office of the Secretary of Defense during the Obama administration.

“We could see a coordinated campaign of cyberspace operations targeting the Ukrainian government’s senior leader communications, military critical infrastructure and communications, and aspects of Ukrainian national critical infrastructure, to include the energy, manufacturing, and media sectors,” said Reiber, who currently serves as the senior director for cybersecurity strategy and policy at cybersecurity company AttackIQ. “Such a coordinated campaign could extend far beyond what the Russian government has done to Ukraine in the past.”

Water systems are also likely to be at risk. Rob Caldwell, the director of industrial control systems and operational technology at cyber firm Mandiant, said that security for the water and wastewater sectors was “lagging behind” the security of other critical systems.

Other Russian ground invasions of Georgia and Crimea used cyberattacks as an element of the strategy, but stopped short of taking down heating and power and putting pressure on civilians.

Reiber added that Russian hackers could also make incursions into networks similar to the 2017 NotPetya attack. In NotPetya, Russian hackers infiltrated software from a tax preparation program that was widely used in businesses across Ukraine, enabling the attackers to use the malware to take down the systems of hundreds of companies and some government agencies.

The Ukrainian military would also be a target. Hackers could disable computer systems used by trains to move troops to the front and jam phone lines used by military leaders, making it difficult to respond to Russian attacks.

“Most if not all of the headquarters at the different levels and the different places will be targeted to make it difficult for commanders to understand what’s going on, to issue orders,” Hodges said.

Underlying it all would be disinformation operations aimed at undermining and overthrowing the Ukrainian government and breaking the will of the people to fight back, which would be made easier if government communications channels — including phone lines, email and internet access — are taken out.

“How do the senior leaders of Ukraine communicate to the population to sustain national hope and resilience in the event of something like this? That is the hardest challenge they are going to face,” Reiber said. “It’s going to be a very dark day. The Ukrainian government is going to have a very hard time resisting the forces of Russia.”

And Russian hackers have likely been inside Ukrainian networks for months or even years — making it easier to attack the electric grid or telecommunications systems and coordinate those strikes with a ground assault, said Mark Montgomery, the director of the congressionally chartered Cyberspace Solarium Commission and a senior fellow at the Foundation for Defense of Democracies.

“They will have gone in and inserted tools so that they can cause an effect at a specific time,” Montgomery said. He said they could use those tools, for example, to disable cell phone networks in areas where Ukrainian troops are deployed.

Russia demonstrated its ability to quietly infiltrate government networks in 2020 when experts concluded that Russian hackers had used vulnerabilities in software from IT company SolarWinds to infiltrate government agencies and companies in dozens of countries, including the U.S., and snoop inside of those systems for at least a year undetected.

“Does the cyber component help them do this quicker and more efficiently and maybe even create this narrative that they want? Yes,” said Christopher Painter, the former coordinator for cyber issues at the State Department under the Obama and Trump administrations. “I don’t want to see these tools being used in this way, but I think it’s inevitable they will be.”

Ukraine has taken steps to strengthen its cyber defenses, with help from the international community. The U.S. and Ukraine agreed to collaborate on cybersecurity as part of a larger strategic partnership announced in September, and the European Union committed €31 million to Ukraine for issues including cybersecurity late last year. But against Russia, widely recognized as having some of the most sophisticated cyber operations in the world, Ukraine is still extremely vulnerable.

“We’ve been working long-term on improving their cyber protection teams for several years… but unless there was direct action by Western cyber protection teams on behalf of Ukrainian infrastructure, I don’t think they’re in a position to hold off the Russians,” Montgomery said.

IT supply chain vulnerabilities may prove to be one of the most acute dangers to Ukraine. The nation’s Computer Emergency Response Team concluded this week that the website defacements in Ukraine were likely made possible by a compromise of software or another third party group related to automated systems used by the agencies. The hackers may also have exploited a vulnerability in software called Log4J that was discovered late last year and impacts millions of devices worldwide.

And attacks in Ukraine could reverberate across the business world. While NotPetya was aimed at Ukraine, it hit foreign companies as well. These included Danish shipping giant Maersk — which suffered the destruction of thousands of laptops and other user devices — and FedEx, causing some $10 billion in damage, according to Trump administration estimates.

Biden earlier this month pledged that the U.S. will “respond the same way” Russia targets Ukraine in cyberspace, and the U.S. has its own immense cyber capabilities.The Stuxnet computer worm that damaged Iran’s nuclear program in 2010 has been widely attributed to the U.S. and Israel, though neither have claimed responsibility, and The Washington Post reported that U.S. Cyber Command took down a Russian troll farm on the day of the 2018 U.S. midterm elections.

U.S. cyberattacks or punishing sanctions could prompt Moscow to strike back directly at the U.S.. The Department of Homeland Security sent a memo to critical infrastructure companies and state and local governments this week warning them Russia may hack American infrastructure in retaliation, according to CNN.

The past year alone has made it clear how vulnerable key aspects of life in the U.S. are to being disabled by hackers. The ransomware attacks against Colonial Pipeline and JBS disrupted key supply chains, and an unsuccessful attempt by a hacker to poison the water supply in Oldsmar, Fla., illustrated the ability for cyberattacks to cause harm to thousands. If Russia launched massive attacks on the U.S. or other Ukraine allies, it would mark a turning point in cyber warfare and challenge the idea that cyberattacks are less serious than physical assaults.

“This would be an evolution,” Painter said. “It would certainly advance the understanding of how cyber can be a threat in conventional war.”