In an 1892 collection of Sherlock Holmes detective stories, Sir Arthur Conan Doyle wrote of “the curious incident of the dog in the nighttime,” in which the canine did nothing when a crime was committed. “That was the curious incident,” Holmes said.
The absence of significant cyberattacks against Ukraine by Russia during the current war is the dog that didn’t bark or bite. Cybersecurity experts around the globe are puzzling over why Russia, with highly sophisticated cyberattack capabilities as demonstrated by NotPetya, election meddling and the SolarWinds software supply chain breach, has not done more to disrupt digital operations in Ukraine.
Aside from a few isolated and largely ineffective attacks and a surprisingly mild disinformation campaign, Russia has either refrained from or been incapable of flexing its sizable cyberwarfare muscles in the conflict. The burning question is: Why?
“Russia was perceived as a massive superpower when it comes to cyber,” Lior Div, co-founder and chief executive of Cybereason Inc., said during a virtual briefing this week on the Ukraine-Russia war. “We were sure that the first thing Russia would do is leverage capability in cyber in order to weaken Ukraine.”
Wiper malware falls short
The answer reflects a mix of factors involving the complications of modern war, possible miscalculation by Russia, defensive support from the global tech community and a set of smart moves by the Ukrainian government itself.
The global tech community has provided assistance by identifying malware variants aimed at Ukraine infrastructure before they could cause significant damage. Microsoft Corp. identified FoxBlade and Whispergate malware, which can disable computers and other targeted devices. SentinelOne has documented the Russian use of wiper malware that can overwrite key data in flash memory, as part of an attack on the country’s primary satellite provider, Viasat.
“We saw an attempt to take down the satellite company in Ukraine,” Div noted. “That was a failed attempt.”
In addition to unsuccessful attacks on network systems, Russia appears to be losing the online propaganda war as well. A deepfake video of Ukraine President Volodymyr Zelenskyy telling Ukrainian citizens to surrender was quickly removed by Meta Platforms Inc. in mid-March.
Ukraine has also relied heavily on the encrypted messaging app Telegram to counter online disinformation campaigns and ensure that its citizens receive accurate, up-to-date information on the war. The irony is that the Telegram platform was founded by the Russian tech entrepreneur Pavel Durov.
“In the warfare on information, the Ukrainian people have the upper hand, they are the ones controlling the narrative,” Div said. “Right now, it looks like Russia is losing the battle.”
No apparent planning
There has been a belief among some western diplomats that Russian president Vladimir Putin miscalculated the length of time his country’s attack on Ukraine would take. That in turn may have contributed to lack of firepower in Russia’s cyberwarfare actions, which have largely been confined to website vandalism, denial-of-service attacks on government servers and brief disruption of the country’s banking system.
Cybereason executives pointed out in their briefing this week that information warfare is not something easily accomplished by the push of a button. It takes months of planning and focus to executive effectively.
“It seems apparent that Russia believed this would be a quick war,” said Yonatan Striem-Amit, co-founder and chief technology officer of Cybereason. “They did not plan on cyber becoming a strategic component of this.”
That cyber has become a critical element of modern warfare is a notable part of the Ukraine-Russia conflict. Russia essentially used Ukraine as a test lab for its cyberwarfare capabilities during the years leading up to its incursion into the country.
In 2015, a Russian-directed cyberattack cut electric power for a quarter-million Ukrainian citizens just before Christmas, followed by additional blackouts over the course of several months. In addition to the energy sector, Ukraine’s media, finance, transportation, political and military institutions have also been attacked by Russian hackers over the course of several years.
It should be noted that Russia leveraged its prior incursions into Ukrainian systems as this year’s operation began. As recently chronicled by two high-ranking security officials for NATO in the publication Foreign Affairs, Russia successfully deployed malware against civilian communications infrastructure and military command and control centers at the start of the conflict.
Move fast, win wars
This past history of attacks also prepared Ukraine for the current conflict and the country has leveraged technology to exploit weaknesses in Russia’s combat operations. U.S. military officials believe that at least one Russian general was killed as a consequence of using unsecured cellphones accessible by opposition forces inside the country.
“If you know how to use technology fast, you can win wars,” Div said. “Cyber and information will take a growing portion of this type of conflict we will see in the future.”
Although it appears that Russia’s vaunted cyberattack capabilities are currently coming up short, Cybereason executives caution that Russia is taking steps to bring a vast network of criminal hackers into the fold.
Russia’s ransomware cartel has been at the forefront of highly successful and lucrative operations in the U.S. and other countries. One notable example occurred last spring when a Russian ransomware group choked off the supply of oil to the eastern U.S.
The ransomware-as-a-service group Conti, which was one of the first to exploit the Log4j vulnerability, recently used its dark web site to announce support for the Russian government and its intention to retaliate against countries supporting Ukraine. What was once a “hands-off” policy by Russia in regard to criminal ransomware gangs has now become a more collaborative model.
“We used to call it state-ignored, but the state-ignored has now become state-controlled,” Div said. “We are going to see a bounce back from the ransomware cartel. Once the government is in control of the ransomware cartel, they will have massive ability.”