Russia’s war in Ukraine has been a brutal disaster on many levels. In the war’s early stages some
commentators expected cyber ‘shock and awe’ as part of Russia’s invasion. Because of the valiant
efforts of Ukrainian cyber defenders, supported by nation states and large private organisations like
Microsoft, the actual impact was somewhat less shocking and less awesome than expected. Some
commentators have now suggested that Russia’s cyber warfare capabilities were as overstated as
their conventional prowess. Under-estimating Russian cyber capabilities in this context is a mistake.
In the lead up to the invasion, Russia would have considered its range of cyber warfighting options
from denying/disrupting Ukrainian critical infrastructure and defences, to deception and
misinformation, to exploiting access for intelligence purposes. Russia clearly ran a programme of
expanding its remote access ahead of the war, followed by some operations to deny or disrupt at a
tactical level. The long game Russia is more likely playing, however, is to exploit that access for
intelligence, feeding only selected snippets to the front line for tactical kinetic operations.
Russia, like most countries that treat cyber as a warfighting domain, will hold a collection of
highly prized zero-day exploits, but these will be held in reserve; the bulk of the work will be done
by less exciting but still highly effective commodity operations such as account takeovers and
attacks on exposed remote-access services.
With Ukraine regaining territory, a complex set of opportunities and threats arises. While occupying
Ukrainian terrain, Russian forces had direct physical access to swathes of Ukrainian networks. In
their retreat, it wouldn't be a surprise to see the Russians using cyber 'stay behind' tactics, which
can be as simple as leaving firewall rules opened or management interfaces exposed, installing
remote access backdoors, and planting persistence tools such as keyloggers. There is an awful lot of
harm Russia could do in this phase, particularly through remote persistence. This, of course, is
before you consider the insider risk of Russian spies left in Ukraine's midst. Hopefully Ukraine's
civil and military authorities are including cyber hygiene as part of their battlefield clearance and
broader processes in liberating territory: treating any network or device that was under Russian
control as compromised, rebuilding rather than reusing recovered equipment where possible, rotating
credentials and certificates, and auditing accounts, firewall rules and remote-access services before
reconnecting recovered infrastructure.
Tactical mischief using Ukrainian infrastructure isn't new in this war. In the early days of the
occupation, we witnessed Ukrainian IPs appearing in numerous attacks around the world. Russian-based
attackers were likely using Ukrainian infrastructure that once upon a time would have been avoided
or obfuscated, possibly to direct blame Ukraine's way (and possibly just out of convenience). This
spike may also have been influenced by the well-publicised schism in Conti, a mixed Russian/Ukrainian
hacking group that unsurprisingly fractured along nationalist lines.
In the coming weeks and months, with Russia's ground war going badly, it will be no surprise if
Russia ramps up its cyber warfare effort, both in the primary theatre of Ukraine and more broadly as
it seeks to target Western supply chains to Ukraine, European energy infrastructure, sanctions
enablers and the broader political support opposing Russia. Russia's cyber warfare apparatus and its
criminal proxies are still capable of launching large-scale symbolic attacks, and they retain their
long-game capability of undermining democracy, the rules-based order and unity in the West.