top of page
  • Writer's pictureISSP

From the beginning of the war until today. How russia attacked Ukraine in cyberspace

Updated: Jun 12, 2023

ISSP CEO Roman Sologub analyzed for the activity of russian hackers in Ukraine over the past year and assessed whether russia’s cyber capabilities were overestimated on the eve of the war.

ISSP CEO Roman Sologub analyzed the activity of russian hackers in Ukraine over the past year and assessed whether russia’s cyber capabilities were overestimated on the eve of the war

The beginning of a full-scale invasion from russia into Ukraine has clearly demonstrated that the aggressor country continues to use cyberattacks as one of the tools of warfare.

Over the past year, cyberattacks have been synchronized with information and psychological operations (PSYOPs), as well as conventional attacks.

Cyber-attacks on critical infrastructure did not become something new for Ukraine, as since 2014 our country has been at the forefront of hybrid warfare. In such context, the cascade of attacks on the three largest media holdings in Ukraine (Starlight Media, TRK “Ukraine” and Inter Media Group) in 2015, the attack on Prykarpattiaoblenergo in 2015 using the BlackEnergy Trojan can be mentioned, cyber-attack on “Kyivenergo” in 2016 and of course, NotPetya cyberattack on the eve of the Constitution Day in 2017 that still remains the largest supply chain attack in the entire history not only in Ukraine, but also throughout the world.

However, a number of Western experts suggests that capbilities of russian special services and proxy hackers sponsored by russia to conduct complicative cyber operations before war were a bit overvalued. Is that really so? Let’s figure it out.

Buttles on cyber fields

According to the government’s Computer Emergency Response Team CERT-UA, about 2,100 cyber incidents were recorded in 2022. And since the start of the full-scale invasion, more than 1,500.

The main objects of russian cybercriminals remains energy and public sectors, banks, TV companies and media.

On the night of February 15, 2022 russian hackers carried out the most powerful DDoS attack in the history of Ukraine. According to the State Service of Special Communications it lasted more than 5 hours and targeted the websites of 15 Ukrainian banks, as well as the websites of the Ministry of Defence, the Armed Forces and the Ministry of Reintegration of the Temporarily Occupied Territories. On February 23, there was a repeated attack on a number of banking websites and government web resources.

In addition, in the morning of February 24, just an hour before a full-scale invasion, russians had attacked the KA-SAT satellite network operated by Viasat, one of the world’s largest commercial satellite operators. This attack not only caused communication problems in Ukraine, but also disrupted operation of wind farms operated by the German energy company Enercon.

It is clear that the main goal of the above attacks was not commercial interest, but the desire to destabilize key banking institutions, sow panic, undermine confidence in government agencies and show inability to perform their functions in a crisis situation. It can be assumed that the cyberattacks of January 13 – 14, 2022, when the websites of 22 state authorities were affected, had the similar goals.

According to Ukrenergo, the peak of cyberattacks against the energy sector also occurred on February 23 – 24 – exactly at the moment when Ukrainian power grids were connected to the United European Energy Network ENTSO-E.

In general, February-April last year became record breakers for the number of cyberattacks on Ukraine. During the first month of the war, ISSP experts estimate that the number of “alerts”, i.e., triggering of monitoring systems, increased by 60%. The beginning of the war was also characterized by increased phishing activity and hackers exploiting previously compromised systems and accounts.

Cyber plus missile attacks

In the second half of the year, the number of cyberattacks on Ukrainian infrastructure decreased significantly, especially in the summer. While at the beginning of the war, Microsoft recorded an average of three powerful cyberattacks on Ukrainian organizations per week, starting in July and until the end of 2022, the company reported little or complete absence of wiper activity - malware that infects computer systems and destroys data on them. A certain “surge” was recorded only in October.

Mandiant, a subsidiary of Google, engaged in information security and cyber incident analytics, has investigated russian destructive attacks when not just one, but a large number of organizations fall victim to an attack. So, between June and September, only one such russian attack was recorded, although at the beginning of the war there were several per week.

In autumn, the activity of russians was focused on IT-infrastructures of energy companies. However, back in April 2022, information system of the regional energy company Vinnytsiaoblenergo was hacked, and in early July, russian hackers launched a cyberattack on DTEK Group’s assets in the background of missile attacks on the Kryvyi Rih power plant.

It is worth to mention that until 2022, the russian government denied any involvement in cyberattacks on Ukrainian energy sector. It seems that during the war, cyber operations to interfere with the work of energy companies were planned along with missile attacks on Ukrainian energy facilities. No one has tried to refute russian’s involvement in the first and second types of attacks.

Have Russian cyber capabilities been overestimated?

The events of the last year have demonstrated that Russia is unable to carry out a large number of complicated multi-step cyberattacks on a sustained basis for a long time. A single complex cyber operation can take from three months to several years to organize. This will involve significant organizational and human resources. Thus, with only a few exceptions, we have not seen the truly large-scale cyberattacks that we expected before the war began.

Herewith, the enemy’s ability in cyber space should not be underestimated.

Preparing for the attack: gathering information, choosing tools, developing malware and studying vulnerabilities can take a significant period of time and take place without explicit contact with the victim’s information resources.

Forecasting and implementation of cyber operations by the enemy is constantly going on and it is difficult to count the resources involved. This is why it is impossible to give an objective assessment of russia’s cyber capabilities in offensive operations at a given time without active counterintelligence actions in cyberspace. Especially given the fact that russian hackers have been conducting attacks on key Ukrainian enterprises and organizations for a long time, many of which, unfortunately, have been successful.

It’s also hard to say how many embedded access mechanisms – “sleeper agents” are still waiting for their time.

What to do?

That is why we strongly advise Ukrainian businesses not to neglect cybersecurity. Building an effective security system should start with risk analysis and a risk mitigation plan.

Next step - compromise assessment - searching for compromised information system assets or “sleeper agents”. It is possible that the company’s infrastructure has already been compromised and is being controlled by attackers, and the victim is unaware about it.

We would like to draw the attention of software developers and IT service providers for government agencies and critical infrastructure facilities in particular. You are the most attractive target for cybe-attacks on the supply chain, so you should intensify monitoring of your systems and develop infrastructure protection.

Keep in mind, cybersecurity at the organizational level is a collective responsibility, not just the task of individual specialists. The same is true at the national level. The success of Ukraine as a state in economic and military terms depends, among other things, on the overall assessment of cyber readiness of both state-owned enterprises and all Ukrainian businesses.

Source: NV



bottom of page