By Pieter-Jan Dockx*
Since the Maidan Revolution in 2014, Ukraine has been subject to an unprecedented barrage of cyberattacks. Russian government-linked hackers infiltrated Ukraine’s electricity infrastructure, interrupting supplies in a first-of-its-kind attack. In 2017, they also targeted the country with sophisticated malware, which spread across the globe to become the most destructive attack in history.
Consequently, as the Kremlin launched a full-fledged invasion of Ukraine in February 2022, commentators expected a new wave of cutting-edge destructive malware. When this cataclysmic offensive did not materialise, they dismissed the cyber domain as insignificant in the war.
This conclusion is based on unrealistic expectations and a misinterpretation of the relationship between cyber and kinetic warfare. A closer look at the first large-scale war involving a major cyber power paints a more nuanced picture. It demonstrates the role of cyber operations in interstate conflict and how they interact with kinetic warfare.
The first objective of the Kremlin’s cyber actions has been intelligence collection to facilitate its invasion and subsequent occupation. Russian cyberespionage intrusions in support of its military operation were recorded as far back as early 2021. They have targeted Ukrainian military networks, government officials, and defence industry. Through this, Moscow aims to obtain information on matters such as defensive planning, battlefield decision-making, and troop movement.
Digital intrusions have also focused on collecting data that could benefit its post-invasion occupation. Kremlin-backed hackers have breached Ukraine’s Ministry of Internal Affairs as well as a national car insurance database in search of personal information. This knowledge could help identify both potential agitators and collaborators.
Degrade and Disrupt
Russian cyber actors have also sought to degrade and disrupt Ukraine’s critical infrastructure to advance its war objectives. More specifically, they have targeted communication and transportation systems used by Kyiv’s armed forces to gain battlefield advantage. An hour before the start of the invasion, Russian hackers disrupted Viasat, the satellite communication technology used by the Ukrainian military. When the Kremlin refocused its war effort towards Eastern Ukraine, destructive malware was launched against their adversary’s transportation infrastructure, disrupting supply lines to the region. These attacks highlight the degree of coordination between cyber and kinetic manoeuvres.
Ukrainian critical infrastructure has also faced an onslaught of data-destroying software called wiperware. Attacks of this kind aimed at crippling government operations started in January and peaked in the hours leading up to the physical invasion. Russian actors have used wipers against Ukraine in the past. In 2017, an attack infected systems far outside of the country to become the costliest cyber incident on record. The current malware is designed to specifically target networks in Ukraine, likely to prevent spill-over to NATO countries that could trigger their collective defence clause.
Another objective of the Kremlin’s digital strategy has been to destabilise Ukrainian society and economy, especially taking aim at the energy sector. In April, a Russian actor attacked the country’s electricity infrastructure attempting to cut power. The same hackers were also responsible for blackouts in Ukraine in 2015 and 2016. This time, however, the intrusion was detected before any large-scale outages could occur.
Cyberattacks have also been part of the Kremlin’s playbook to undermine Ukrainian confidence in the government and its ability to defend the country. Targets of this type of psychological cyberwarfare typically include sectors such as government, energy, and banking. As such, Russian hackers have not only targeted electricity infrastructure, but also conducted denial of service campaigns against banks—disrupting their functioning. Additionally, cyber actors have compromised government websites leaving threatening messages on the homepage. These defacements intend to erode the institutions’ credibility.
Russia also looks to control the publicly available information on the war through digital means. It has launched information operations propagating false narratives of Ukraine’s surrender, its forces abandoning people, and genocide in Donbas. These fabrications have been spread by bots on social media, Telegram channels, and even reach Ukrainian military personnel through text messages. On top of that, Kremlin-backed actors have carried out digital attacks to obstruct Kyiv’s flow of information. To this end, they have infiltrated media organisations and communication providers. Internet traffic in occupied territories is also rerouted through Russian service providers, exposing it to the Kremlin’s surveillance apparatus.
Contrary to current mainstream thinking, cyberwarfare is a prominent feature of the war. The Kremlin has conducted digital operations to disrupt the adversary, gather intelligence, and shape the war’s narrative. The targeting of Viasat also demonstrates how the cyber domain has been integrated into overall military strategy rather than operating in a silo.
Moreover, observers’ flawed predictions of a cyber ‘shock and awe’ appear based on the grey zone conflict that engulfed Ukraine for nearly a decade. This conflict—below the threshold of war—benefited from the ambiguous nature of destructive cyber actions. In the current situation of unrestrained open war, electronic warfare is outcompeted by the destructiveness of kinetic weaponry. Full-fledged conflict also exposes cyber operations to new constraints. This is exemplified by the use of wiperware, which was allowed to spread globally during hybrid warfare but has been restricted in open war not to draw in NATO.
*About the author: Pieter-jan Dockx, Researcher, Centre for Internal and Regional Security (IReS)