There has been widespread surprise in the media that the ground war in Ukraine has not spilled over into large scale and overt cyber conflict outside the region. A visible campaign of Russian attacks on Western economic sectors and nations, especially those linked most strongly with sanctions, has not materialised yet. Commentators have questioned whether urgent government advice to improve defences, the US ‘Shields Up’ initiative and its equivalents in other countries, was really justified.
The reality is more complex.
First, to anyone watching this within the region, there has been no shortage of offensive cyber activity. Ukraine has of course, been a test bed for low intensity Russian cyber activity for at least ten years; but in the months and weeks before the invasion, there was a clear intensification, culminating in the cyber equivalent of an artillery barrage to ‘soften up’ the country immediately before the ground war.
Massive denial of service attacks and multiple waves of sophisticated new wiper malware were unleashed on the Ukrainian government and private sector organisations. Defacement of websites and other political operations accompanied this, as well as manipulation of social media.
Significantly, much of the wiper malware suggested the attackers had established access to these networks well in advance. Even more significantly, some of the wiper viruses were carefully selective in their destruction, maintaining access to the organisation by avoiding the deletion of key domain information.
This technical detail points to one of the problems for Russia in using offensive cyber capability in Ukraine. While useful in a pre-conflict world of hybrid warfare and political effect, using offensive capabilities to destroy networks of a country you plan to control and run poses a dilemma.
Russia clearly thought that it would install a puppet regime in Kyiv within days and assumed that it would need functioning networks to communicate and exert control. Just as it fundamentally underestimated Ukrainian military and political resistance, Russia also underestimated its cyber defences. It further misunderstood the degree to which Ukrainian civilian hackers would rally to their government’s call to attack Russia. This crowdsourcing of offensive cyber is genuinely new and unpredictable.
By contrast, Russia’s own favoured use of criminal proxies to exert pressure also began to get complicated as ransomware groups split along nationalist lines and international hacktivists piled into the fight. The result is a cyber conflict in Russia and Ukraine which is still hard to quantify but clearly adding further chaos to Russia’s economic problems.
Where does the West fit into this, or why does it appear to be left out?
There has of course been a good deal of collateral damage. For example, the impact of alleged Russian attacks on satellite internet services was felt by German companies earlier in the year. And attacks from Russian-based criminal groups have not stopped, even if their efforts have been diverted or displaced at times. But there are a number of reasons why a wider nation-state campaign against western economies may not have materialized yet.
Although Russia has invested heavily in offensive cyber and has developed impressive capabilities, its capacity is not limitless. Its strategic priority is to make the invasion a success — or at least to rescue it from failure — and that is where offensive cyber skills and resources will be concentrated. Viewed from Moscow, this is the absolute priority, particularly while revenue from oil and gas sales remains buoyant. As sanctions bite further, and if things go very badly for Russia in Eastern Ukraine, or it settles into a ‘frozen conflict’, that calculation may change. At that point, ‘lashing out’ at Western countries may become attractive, whether through cyber or other means.
Second-guessing Russian strategic intent, especially when strategic thinking seems to have been confused throughout, is difficult. But Russia will pause over the impact of a large-scale attack on Western economies, which could backfire and shore up Western resolve at a time when Russia will be hoping to see cracks and fatigue in the Western alliance.
Second, it is certainly true that Western cyber defences have got better. ‘Shields Up’ and the campaigns of recent years, have had some effect and those companies that were not getting the basics of cyber security right, will have had a new incentive to look again. No doubt NATO governments have played their parts overtly and covertly — it would be odd if they had not. But it would be a mistake to be complacent about our defences simply because there has not been a successful major attack yet.
We know that our cyber readiness is not yet where it should be, even in the critical national sectors of Western countries. Given the track record of Russia’s cyber operators in burying themselves in the supply chains and infrastructure of the West, it would be prudent to assume that they have accesses that they have not yet exploited.
It remains likely that at some stage, Russia will use these to target particular entities or, if things go badly for them, to lash out indiscriminately. Western economies need to keep following the advice of ‘Shields Up’ and keep preparing for attacks, particularly from within the supply chain.