As of Monday, five days after tanks moved into Ukraine, the Internet and other key Ukrainian infrastructure were still functioning, the outgunned Ukrainian military was still coordinating effectively and Russia’s vaunted disinformation capabilities were failing to persuade Ukrainians that resistance is futile.
“We imagined this orchestrated unleashing of violence in cyberspace, this ballet of attacks striking Ukraine in waves, and instead of that we have a brawl. And not even a very consequential brawl, just yet,” said Jason Healey, a former White House staffer for infrastructure protection and intelligence officer who’s now a research scholar on cyber conflict at Columbia University.
A vastly larger, more powerful military — one especially feared for its cyber-military prowess — has allowed Ukrainians almost unfettered access to the Internet. This has helped them get weapons to citizens and harness social media to rally global political support through direct, emotional appeals backed by stirring visuals.
“It’s certainly not what anyone predicted,” said Dmitri Alperovitch, a longtime cybersecurity executive and U.S. government adviser who heads Silverado Policy Accelerator.
Ukraine’s core cyberdefense has done better than expected because it focused on the issue after Russian hackers briefly knocked out power to swaths of the country in 2015 and 2016, said David Cowan, a veteran cybersecurity venture capitalist and corporate director, and because it has had help from American and European experts.
“I would have thought that by now Russia would have disabled a lot more infrastructure around communications, power and water,” Cowan said. “If Russia were attacking the U.S., there would be more cyber damage.”
The absence of major disruptions predicted by cyberwar doctrine has allowed Ukraine’s President Volodymyr Zelensky to deliver propaganda coups with little more than a smartphone and a data link. Images of civilian casualties, the brutal shelling of cities and also some Russian losses have undermined that nation’s claims of a limited and humane “special military operation.” A viral audio clip of Ukrainian soldiers on a tiny island telling a Russian warship to “go f— yourself” has become a defining moment of national resistance.
“It’s become a global participatory thing. Everybody thinks they’re part of it,” said Doug Madory, director of Internet analysis for Kentik, which tracks global data flows. “It would be a lot harder to do all that if there was a blackout.”
Ukraine has not escaped unscathed, and some experts warn that cyberattacks or Internet outages could grow as Russia’s invasion intensifies in the face of unexpectedly stout resistance.
Russia or its allies already have deployed software to wipe data off some Ukrainian computers, including border control offices. But such intrusions are not nearly as widespread as in past attacks such as NotPetya, in which fake ransomware attributed to the Russian government caused billions of dollars in damages, much of it in Ukraine.
“I do not think the destructive malware had an impact of any significance,” said Vikram Thakur, head of threat intelligence at Broadcom’s Symantec division.
Russia also may be holding back to some extent, for strategic reasons or because the timeline for the invasion was so closely held that cyber teams did not know what to target or when.
An invading army might be expected to quickly cut backbone cables or switch them off through hacks, said Madory, a former Air Force communications engineering officer.
But neither has happened. And Madory isn’t sure why.
“Is it following the playbook? I don’t know if we have the right playbook,” Madory said. “So far the Internet is still up.”
“You need to develop access and know how those targets are going to fit into the overall plan of the campaign,” said Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council.
He and other experts point to several possible explanations, starting with the possibility that the Russians thought Ukraine would fall so quickly that it wasn’t necessary to damage systems they would want operational once an occupation began. Disabled telecommunication systems — or ones that are bombed — can require costly, time-consuming repairs.
It’s also possible that the Russians themselves needed a functioning telecommunications system, including high-speed data links, for their own communications. Images from Ukraine have shown Russian soldiers appearing to use smartphones. Modern militaries typically have sophisticated radios for battlefield communications, but glitches might have forced reliance on Internet-based systems instead.
Finally, there are downsides to using even the most sophisticated cyberweapons. A system shut down by a hacker can’t be used for ongoing intelligence gathering, typically a high priority in wartime. Even destroyed computers can be replaced, sometimes within just a few hours.
“If I wipe a bunch of their computers today, I can’t do that tomorrow,” said Jake Williams, a former National Security Agency hacker, now on the faculty of the information security research group IANS. “A big question is: When do you pull the trigger?”
The best time, he said, is typically at the beginning of a conflict, when depriving victims of the ability to detect attacks and communicate with the outside world can be demoralizing. By the time tanks are rolling in the streets and cities are being bombed, the most effective moment for cyberattacks often has passed.
Many experts said they expected more serious cyberattacks to come in the next few weeks, in Ukraine and elsewhere.
“Putin has not initiated significant retaliation yet for any U.S., E.U., NATO sanctions, probably because he is too busy dealing with the surprising level of Ukrainian resistance and failures by the Red Army,” said Richard Clarke, the first White House cyber coordinator and author of one of the first books on cyberwarfare.
“We still believe retaliation, including cyberattacks, is coming.”
Columbia’s Healey said that the more Russia is isolated from Western markets and financial networks, the less it has to lose by attacking them.
But for now, Ukraine has rallied to its side a stunningly broad, hodgepodge alliance to fight back on the Internet.
Tech-savvy cabinet member Mykhailo Fedorov successfully appealed to Tesla founder Elon Musk to distribute Starlink satellite Internet terminals that would withstand cellular network disruptions, and he asked PayPal and credit card companies to stop processing payments in Russia.
@elonmusk, while you try to colonize Mars — Russia try to occupy Ukraine! While your rockets successfully land from space — Russian rockets attack Ukrainian civil people! We ask you to provide Ukraine with Starlink stations and to address sane Russians to stand.
— Mykhailo Fedorov (@FedorovMykhailo) February 26, 2022
More surprisingly, Fedorov welcomed the contributions from activist hackers, forming a volunteer “IT Army” and urging it to hack Russian government and commercial sites.
Existing cyber activist networks have taken up the cause with glee. One of the most popular Twitter accounts promoting the loose Anonymous movement, YourAnonNews, has been suggesting unorthodox tactics to its more than 7 million followers, such as leaving business reviews on Google Maps that pass along to ordinary Russians banned information about events in Ukraine.
Though some covert government operatives could be using the cover of Anonymous to contribute to attacks, one of the account’s administrators said it was not working directly with any officials. “We see many Anonymous activists participating, and the support is overwhelming,” the person said.
On Monday, some Russian news sites were hacked and briefly defaced with calls for Russia to pull back.
Even the most widely expected alliance, between the Russian government and organized criminal ransomware groups that have long been tolerated or encouraged there, is not following the script.
The ransomware gang Conti was first out of the gate with a public comment, declaring that it was loyal to Russia and that it would respond to any attacks on it with renewed penetration of U.S. critical infrastructure.
But like many Russian-speaking crime groups, Conti has members in Ukraine, some of whom objected fiercely, said Dmitry Smilyanets, a former Russian hacker who analyzes the gangs for security company Recorded Future.
The pushback prompted a revised statement that Conti was beholden to no government. But one angry participant in the group’s closed chats still leaked more than a year’s worth of private discussions that named victims and included drafts of payment demands.
“That leak will destroy Conti,” Smilyanets said.