Russia has pummeled Ukrainian cities with missile and drone strikes for much of the past month, targeting civilians and large swaths of the country’s critical infrastructure.
By Monday, 40% of Kyiv residents were left without water, and widespread power outages were reported across the country. On Thursday, Ukrainian President Volodymyr Zelensky accused Russia of ‘energy terrorism’ and said that about 4.5 million Ukrainian consumers were temporarily disconnected from the power supply.
The destruction exemplifies how indiscriminate bombing remains the Kremlin’s preferred tactic eight months into its war on Ukraine. Moscow’s vaunted hacking capabilities, meanwhile, continue to play a peripheral, rather than central, role in the Kremlin’s efforts to dismantle Ukrainian critical infrastructure.
“Why burn your cyber capabilities, if you’re able to accomplish the same goals through kinetic attacks?” a senior US official told CNN.
But experts who spoke to CNN suggest there is likely more to the question of why Russia’s cyberattacks haven’t made a more visible impact on the battlefield.
Effectively combining cyber and kinetic operations “requires a high degree of integrated planning and execution,” argued a US military official who focuses on cyber defense. “The Russians can’t even pull that sh*t off between their aviation, artillery and ground assault forces.”
A lack of verifiable information about successful cyberattacks during the war complicates the picture.
A Western official focused on cybersecurity said the Ukrainians are likely not publicly revealing the full extent of the impacts of Russian hacks on their infrastructure and their correlation with Russian missile strikes. That could deprive Russia of insights into the efficacy of their cyber operations, and in turn affect Russia’s war planning, the official said.
To be sure, a flurry of suspected Russian cyberattacks have hit various Ukrainian industries, and some of the hacks have correlated with Russia’s military objectives. But the kind of high-impact hack that takes out power or transportation networks have largely been missing.
Nowhere was that more evident than the recent weeks of Russian drone and missile strikes on Ukraine’s energy infrastructure. That’s a stark contrast to 2015 and 2016 when, following Russia’s illegal annexation of Crimea, it was Russian military hackers, not bombs, that plunged more than a quarter million Ukrainians into darkness.
“All the Ukrainian citizens are now living in these circumstances,” said Victor Zhora, a senior Ukrainian government cybersecurity official, referring to the blackouts and water shortages. “Imagine your ordinary day in the face of constant disruptions of power or water supply, mobile communication or everything combined.”
Cyber operations aimed at industrial plants can take many months to plan, and after the explosion in early October of a bridge linking Crimea to Russia, Putin was “trying to go for a big, showy public response to the attack on the bridge,” the senior US official said.
But officials tell CNN that Ukraine also deserves credit for its improved cyber defenses. In April, Kyiv claimed to thwart a hacking attempt on power substations by the same group of Russian military hackers that caused blackouts in Ukraine in 2015 and 2016.
The war’s human toll has overshadowed those triumphs.
Ukrainian cybersecurity officials have for months had to avoid shelling while also doing their jobs: protecting government networks from Russia’s spy agencies and criminal hackers.
Four officials from one of Ukraine’s main cyber and communications agencies — the State Service of Special Communications and Information Protection (SSSCIP) — were killed October 10 in missile attacks, the agency said in a press release. The four officials did not have cybersecurity responsibilities, but their loss has weighed heavily on cybersecurity officials at the agency during another grim month of war.
Hackers linked with Russian spy and military agencies have for years targeted Ukrainian government agencies and critical infrastructure with an array of hacking tools.
At least six different Kremlin-linked hacking groups conducted nearly 240 cyber operations against Ukrainian targets in the buildup to and weeks after Russia’s February invasion, Microsoft said in April. That includes a hack, which the White House blamed on the Kremlin, that disrupted satellite internet communications in Ukraine on the eve of Russia’s invasion.
“I don’t think Russia would measure the success in cyberspace by a single attack,” the Western official said, rather “by their cumulative effect” of trying to wear the Ukrainians down.
But there are now open questions among some private analysts and US and Ukrainian officials about the extent to which Russian government hackers have already used up, or “burned,” some of their more sensitive access to Ukrainian critical infrastructure in previous attacks. Hackers often lose access to their original way into a computer network once they are discovered.
In 2017, as Russia’s hybrid war in eastern Ukraine continued, Russia’s military intelligence agency unleashed destructive malware known as NotPetya that wiped computer systems at companies across Ukraine before spreading around the world, according to the Justice Department and private investigators. The incident cost the global economy billions of dollars by disrupting shipping giant Maersk and other multinational firms.
That operation involved identifying widely used Ukrainian software, infiltrating it and injecting malicious code to weaponize it, said Matt Olney, director of threat intelligence and interdiction at Talos, Cisco’s threat intelligence unit.
“All of that was just as astonishingly effective as the end product was,” said Olney, who has had a team in Ukraine responding to cyber incidents for years. “And that takes time and it takes opportunities that sometimes you can’t just conjure.”
“I’m pretty certain [the Russians] wish that they had what they burned during NotPetya,” Olney told CNN.
Zhora, the Ukrainian official who is a deputy chairman at SSSCIP, called for Western governments to tighten sanctions on Russia’s access to software tools that could feed its hacking arsenal.
“We should not discard the probability that [Russian government hacking] groups are working right now on some high-complexity attacks that we will observe later on,” Zhora told CNN. “It is highly unlikely that all Russian military hackers and government-controlled groups are on vacation or out of business.”
Tanel Sepp, Estonia’s ambassador-at-large for cyber affairs, told CNN that it’s possible the Russians could turn to a “new wave” of stepped up cyberattacks as their battlefield struggles continue.
“Our main goal is to isolate Russia on the international stage” as much as possible, Sepp said, adding that the former Soviet state has not communicated with Russia on cybersecurity issues in months.