A year of war, and years of cyberwar, in Ukraine
When Russia invaded Ukraine a year ago, many security experts braced for an unprecedented escalation in cyberwarfare in addition to the physical assault.
For years before the large-scale invasion, Ukraine was hit by massive cyberattacks that disrupted financial systems, transportation, energy and politics — disruptions that were expected to only intensify.
But things haven’t exactly played out that way, according to Adam Meyers, chief of intelligence at the cybersecurity firm CrowdStrike.
Marketplace’s Meghan McCarty Carino interviewed Meyers about the state of cyberwarfare in Ukraine. The following is an edited transcript of their conversation.
Adam Meyers: We’ve seen a number of destructive, disruptive attacks that have occurred targeting Ukraine that have largely been in concert with kinetic operations and initiatives. So for example, at one point the Russians had been actively targeting the media, television and radio inside of Ukraine. And when they were doing that with cruise missiles, they also were conducting “wiper” attacks against those targets. It’s a destructive attack, where the goal is to overwrite system data files and make them unrecoverable. So they’ve been largely constraining their cyber operations to more tactical activity. The reason that they didn’t conduct widespread disruptive attacks as the campaign was kicking off was because they anticipated needing all that infrastructure to prop up [a Russian-installed] government. When the campaign didn’t go as expected, I think that they realized that they were actually reliant on some of that infrastructure as well. So they didn’t conduct widespread attacks at that point, either. Really the only, what I would say, widespread attack, something that spilled over outside of Ukraine, was the wiper attack that targeted satellite modems that occurred just within about an hour of [Russian President] Vladimir Putin announcing the special operation in Ukraine. And that was meant to disrupt satellite communications and did so effectively. But it also had reportedly impacted systems as far as Germany in breaking these modems for the satellite communications.
Meghan McCarty Carino: So how would you describe how these threats have evolved over the last year in terms of quantity and quality?
Meyers: They really haven’t. We’ve seen new wiper attacks. So one of the things that you do as a threat actor, when your tools have been exposed, is change them so that they’re not detected before you get to use them again. So we’ve observed some evolution. We’ve seen that they’ve also kind of moved more toward espionage as well because as this military conflict has dragged on, the need for intelligence from places like Moldova and Poland and Latvia and Lithuania has increased, right? Because these are countries that are in the region. Some of them, like Poland, are being used [by Western countries] to supply military equipment. So they started off with a lot of disruptive attacks, and then they moved into espionage in order to collect information that would be beneficial for military and decision making.
McCarty Carino: So if these kind of big, audacious attacks on infrastructure have been a smaller part of the picture, what have been some of the targets?
Meyers: So they’ve targeted various government entities within Ukraine. Reportedly, they targeted things like border patrol and police stations. They’ve targeted energy [infrastructure]. At one point, they conducted a disruptive attack against power in specific regions of Ukraine, using a tool that we track as Industroyer2, which we associate with a threat actor we call Voodoo Bear. Once the conflict kicked off, there was also this back and forth hacktivism, both pro- and anti-Russia, [that] has impacted different targets in the region as well.
McCarty Carino: And what about for other countries outside of Ukraine that are supporting them in their efforts? Have they been targeted?
Meyers: We’ve seen some minimal activity. I don’t think that there has been much in terms of disruptive activity. That would likely be escalatory, and I don’t think that they’re looking to do that. I think we’ve seen some indications of smaller, disruptive attacks that might have spilled over or might have impacted some of these countries, but not a widespread campaign like what we’ve been concerned about. A lot of us were very, very concerned that, you know, the Russians might try to react to being kicked out of the SWIFT [financial communications] network or respond to sanctions that occurred with disruptive attacks. And that really kind of peaked right after the conflict started, when a lot of Western businesses took it upon themselves to distance themselves or disassociate with their businesses in Russia. And we did see a little bit of indications that they were conducting reconnaissance that would support that type of activity. But it seems that backed off as they started to focus more on the conflict in Ukraine and reposition what they were doing right around the March-April time frame.
McCarty Carino: Overall, how would you characterize the role of cyberattacks in this war over the last year?
Meyers: In a word, I would say “tactical.” Initially we saw destructive attacks that started in January or so, that went through February and into mid-to-late February, and then it kind of dropped off a little bit. We saw some disruptive attacks, some information operations, and then it kind of surged again a little bit later with more wiper attacks, as they kind of repositioned and figured out, like, that they needed to use these things for tactical purposes. So when they went after, as I said, the television stations, that was both kinetic — cruise missiles and bombs and things — but also cyber operations. When they were trying to disrupt the border and people leaving through western Ukraine to go into Poland, we saw the refugees trying to get out. There was some disruption that occurred there with the goal of creating confusion on the ground and trying to increase or enhance the fog of war.
McCarty Carino: So what have you learned about how to build up resilience to cyber threats from this?
Meyers: Well, I think the Ukrainians have been living this experience for many years. I can remember over the years seeing reports of compromises on video screens inside of Kyiv that were trying to scare and intimidate the population with [information operations], showing Russian troops and things like that. As the tensions were increasing over the last year and leading up to the conflict, they were working to move government data and systems into the cloud outside of Ukraine so that if they were captured, the Russians couldn’t exploit that to their advantage. So, you know, I think that there is a degree of cyber resilience that the Ukrainians have learned and have implemented. And that, you know, has also made some of these disruptive attacks a little bit less effective because they’ve been living in that world for so many years.
McCarty Carino: As this conflict drags on, where do you see all this going from here?
Meyers: There is this concern about a spring offensive. That may bring with it additional cyber capabilities [or] cyber operations to support that spring offensive. At this point, we have not seen any indications that the Russians will change their targeting vastly and go after Western entities. Right now, I think what we’ll expect to see is more tactical operations combined with kinetic operations for the short to mid-term.
Related links: More insight from Meghan McCarty Carino
We mentioned there was a series of cyberattacks aimed at Ukraine in the weeks leading up to the invasion.
For more on that, you can read this CrowdStrike article from January of last year that details the types of cyberwarfare on Ukraine that they’d seen since at least 2014, when Russia annexed Crimea. They ranged from malware to denial of service attacks.
Last year, Marketplace’s Kimberly Adams spoke to CrowdStrike co-founder Dmitri Alperovitch, now the executive chairman of the nonprofit Silverado Policy Accelerator, about the likelihood that Russia would launch cyberattacks against the United States, something that Adam Meyers said hasn’t happened to a large extent.
But according to a recent article in Wired, several cybersecurity groups found that over the last year, Ukraine suffered the largest number of wiper attacks — in which malware destroys data — recorded anywhere, ever. And those can have ripple effects globally.
One expert from cybersecurity firm Fortinet told Wired that they have detected other hackers reusing those wiper tools in 25 countries around the world.