Russia’s invasion of Ukraine has followed a familiar playbook: gray zone operations sow societal discord; hybrid operations prepare the ground; and conventional forces attack, with cyber tactics playing an early and leading role across all three phases.
True to form, in the months leading up to the invasion, Russia executed a series of cyberattacks targeting Ukrainian government networks and other elements of its critical infrastructure, namely institutional media. Chief among them was a distributed denial-of-service (DDOS) attack in January known as “WhisperGate,” a destructive malware-as-ransomware operation that successfully disabled government and private sector websites across the country.
Interestingly, though, neither WhisperGate nor Russia’s other pre-invasion cyberattacks had the proximate impact of its previous cyber activity in the region. The former U.S. director of the Cybersecurity and Infrastructure Security Agency (CISA) has noted they were of “minimal” impact. And, while it was generally expected that Russia’s cyberattacks would escalate in tandem with the launch of its invasion force, with the crippling of Ukrainian critical infrastructure as an obvious cyber goal, such attacks did not materialize. Indeed, in the days since the invasion was launched, Ukrainian power grids, media, and internet capabilities have all remained intact.
This is a notable break from the Russian cyber playbook. From as early as the 2008 Georgian War, and carrying through to the 2014 annexation of Crimea and invasion of Eastern Ukraine, the crossover from hybrid operations to conventional attack coincided with a substantial and sustained series of DDOS attacks that crippled targeted centers of gravity, while broader communications channels were manipulated to facilitate the flow of Russian-fed misinformation and disinformation.
Moreover, whereas in those earlier instances Russia’s cyber capabilities were relatively new and evolving, its cyber arsenal has grown substantially over the past half-decade, such that it is now believed to be able to disrupt Ukrainian military command centers and fully dismantle Ukrainian power grids at will. As an example, a Russian attack in December 2015 partially disabled the northern Ukrainian grid, resulting in a power outage that affected nearly a quarter-million citizens and lasted up to six hours in certain areas.
There are several potential explanations for this disconnect.
First, given that Russia has been readying its assault on Ukraine for many months, it is entirely possible and even probable that such attacks have been prepared and staged (i.e., networks compromised, malware installed, attack vectors instantiated) but that their execution is being purposefully delayed. The delay might well be simply part of the overall timing and pacing of the broader war effort.
Second, the low-impact nature of the cyberattacks undertaken thus far might be a not-so-subtle signal by Russia that it is withholding its more aggressive cyber arsenal as a form of leverage, not so much as a bargaining ploy for the current conflict with Ukraine but rather for any larger scale confrontation with NATO or the United States proper. Chester Wisniewski, a principal research scientist at Sophos, notes that the current cyberattacks may be intended to “send the message that [Russia] have compromised a significant amount of Ukrainian infrastructure and these are just little morsels to show how ubiquitous their penetration is.”
Third, the exercise of restraint may be a purposefully prudent move to prevent the conflict’s spillover into adjacent NATO members or aligned countries. The United States has been vocal from the conflict’s outset that cyberattacks on American firms or critical infrastructure by Russia will meet a forceful response, and Russia no doubt remembers well its 2017 malware attack, “NotPetya,” which initially targeted Ukrainian government infrastructure but spread quickly into private-sector networks before propagating beyond Ukraine’s borders. NotPetya was a clear reminder that cyberattacks are hard to contain, and actions that may trigger direct NATO or U.S. involvement might either have been ruled out by Russia or at least ruled out for the current phase of its overall war plan. This explanation seems increasingly unrealistic given the apparent ease with which Russia is willing to ratchet up tensions.
Fourth, it is possible but also not likely that Ukraine has been successful over the past several years in creating resiliency across its cyber networks such that Russian attacks have been thwarted. Such a possibility is not without precedent; in 2018, fellow Russian neighbor Lithuania made a concerted effort to build up its cybersecurity capabilities and today is ranked at the top of most analysts’ lists of countries with a strong cybersecurity posture. Lithuania is known to have successfully thwarted a constant barrage of Russian-originated cyberattacks.
The superiority of Russian offensive cyber capabilities is well established and accepted; that the country has not made more meaningful use of those capabilities in the days since it launched its invasion of Ukraine is hard to understand and should cause us to worry. It may be the case, as suggested herein, that Russia is “burying its lead” as part of a broader strategic plan; or that it is being prudent to avoid broadening the conflict beyond Ukraine’s borders; or even that Ukraine has successfully repelled Russian attacks. We should move quickly to explore these and other possibilities.
Tom Robertson’s writing on the intersection of cybersecurity, technology, and great power competition has appeared in The National Interest, Global Affairs, First Monday, and elsewhere.