On February 23, the day before Russia launched its ground offensive against Ukraine, the Slovak cybersecurity company ESET identified a piece of malware that had wiped computers at a Ukrainian bank and a government agency. To make the binary look legitimate and slip past signature-based checks, the attackers had signed it with a code-signing certificate issued to a small Cyprus-based games company, Hermetica Digital Ltd. Cybersecurity experts say they are sure the “HermeticWiper” software, which later turned up in Lithuania and Latvia as well, was part of Russia’s parallel cyberwar against Ukraine.
“Ukraine has been a giant test lab, where Russia, one of the world’s foremost cyber powers, has experimented with cyber operations for eight years,” Nadiya Kostyuk, assistant professor at Georgia Tech’s School of Public Policy, told Rest of World.
Amid intense bombardment and street fighting in key Ukrainian cities over the weekend, and President Vladimir Putin’s announcement on Sunday that Russia was putting its nuclear deterrence forces on high alert, cybersecurity experts worry that the cyber conflict could spill over: collateral damage could add to the death and destruction in Ukraine, and malware could infect critical infrastructure or businesses overseas.
Attacks on Ukraine’s infrastructure began before the military invasion last week. On January 14, the Ukrainian government reported a cyberattack that defaced the websites of the foreign ministry, the cabinet of ministers, and the National Security and Defense Council. A month later, on February 15, Ukrainian cybersecurity officials announced a distributed denial-of-service, or DDoS, attack against the websites of the defense ministry and two of the country’s largest banks, PrivatBank and Oschadbank. A DDoS attack uses traffic from a large number of compromised devices, a botnet, to overwhelm a target’s servers or network links with requests until legitimate users can no longer reach them.
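Rate-based detection is the defender’s side of the mechanism just described. The script below is an added example, not code from the original article or from any organization named in it. It parses constructed access-log lines in the Apache/nginx combined format, buckets requests into 10-second windows, and shows why a per-IP rate limit catches one noisy client but not a distributed flood in which hundreds of sources each send only a few requests. Every IP address, threshold, window size, and log line is made up for illustration (documentation address ranges only).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Apache/nginx "combined" access-log format, e.g.
# 203.0.113.7 - - [15/Feb/2022:14:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.68.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed reference time and source sets (documentation IP ranges, no real hosts).
START = 1644933600  # 2022-02-15 14:00:00 UTC, chosen arbitrarily
BASELINE = {f"198.51.100.{i}": 20 for i in range(1, 6)}   # 5 ordinary clients, 20 requests each
BOTNET = {f"192.0.2.{i}": 3 for i in range(1, 201)}       # 200 bots, 3 requests each
SINGLE = {"203.0.113.7": 300}                             # one noisy client


def parse_line(line: str) -> Tuple[str, int]:
    """Return (source_ip, unix_seconds) for one combined-format log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), int(ts.timestamp())


def make_lines(sources: Dict[str, int], start: int = START, span: int = 10) -> List[str]:
    """Build constructed log lines: `sources` maps ip -> request count, spread
    evenly over `span` seconds beginning at unix time `start`."""
    lines = []
    for ip, n in sources.items():
        for i in range(n):
            t = start + (i * span) // n
            stamp = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%d/%b/%Y:%H:%M:%S +0000")
            lines.append(f'{ip} - - [{stamp}] "GET /ib/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    return lines


def classify(lines: List[str], window: int = 10, per_ip_limit: int = 50,
             aggregate_limit: int = 500) -> List[dict]:
    """Bucket requests into fixed `window`-second buckets and label each bucket.

    'single-source flood': one IP alone exceeds per_ip_limit (a per-client
    rate limit would stop it). 'distributed flood': no single IP is over the
    limit but the aggregate exceeds aggregate_limit, the case a per-IP limit
    cannot see. Anything else is 'normal'.
    """
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        ip, t = parse_line(line)
        buckets[t - t % window][ip] += 1

    report = []
    for w in sorted(buckets):
        counts = buckets[w]
        total = sum(counts.values())
        busiest_ip, busiest = counts.most_common(1)[0]
        if busiest > per_ip_limit:
            verdict = "single-source flood"
        elif total > aggregate_limit:
            verdict = "distributed flood"
        else:
            verdict = "normal"
        report.append({"window": w, "total": total, "sources": len(counts),
                       "busiest_ip": busiest_ip, "busiest": busiest, "verdict": verdict})
    return report


if __name__ == "__main__":
    scenarios = [("baseline", BASELINE),
                 ("baseline + botnet", {**BASELINE, **BOTNET}),
                 ("baseline + single client", {**BASELINE, **SINGLE})]
    for name, sources in scenarios:
        for r in classify(make_lines(sources)):
            print(f"{name:26s} total={r['total']:4d} sources={r['sources']:3d} "
                  f"busiest={r['busiest']:3d} ({r['busiest_ip']}) -> {r['verdict']}")
```

The middle scenario is the one worth noticing: 205 sources, 700 requests in ten seconds, and no client above 20 requests, so per-IP throttling alone would pass every request. That is the point of spreading the load across a botnet, and why mitigation usually moves upstream (anycast, scrubbing services, a CDN) rather than relying on the origin server’s own rate limiter.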
While Russia’s government denied responsibility, U.S. and British officials said that infrastructure connected with Russia’s military intelligence agency, the Main Intelligence Directorate, or GRU, “was seen transmitting high volumes of communication to Ukraine-based IP addresses and domains.”
Doug Madory, director of internet analysis at Kentik, a company that analyzes network performance, said that recent DDoS attacks that targeted the websites of the Ukrainian military and some of the country’s major banks were more symbolic than substantial threats.
“I don’t think they’re notable as far as any breakthrough technology or size, so these are kind of somewhat ordinary in that respect,” said Madory. “But they’re focused on Ukrainian outfits that, at least as of when it got started, had very little in the way of defenses, so DDoS attacks could be fairly effective.”
But the use of more sophisticated cyber weapons raises fears of a repeat of the 2017 NotPetya attack, in which the Russian military hacking group known as Sandworm pushed destructive malware through a compromised update to a Ukrainian accounting package, M.E.Doc; from its initial targets in Ukraine it spread to other countries, including Russia itself. NotPetya caused more than $10 billion in damage and crippled shipping, banks, and government agencies worldwide.
“Malware attacks will spread on the network and have an impact far beyond their initial objective,” Stéphane Duguin, Chief Executive Officer of the CyberPeace Institute, told Rest of World. “This is not science fiction: recent attacks — notably on Kaseya and on Colonial Pipeline — demonstrate that it is illusory for the attacker to hope to truly control the perimeter of the attack.”
Kostyuk said it was likely that Russia has already broadly penetrated Ukrainian military, energy, and other critical computer networks. So far, though, most of its attacks have been limited in scope and harm, and it has been careful not to repeat the mistakes it made with NotPetya.
Duguin also worries that Russia may target Ukraine’s critical infrastructure, like hospitals and utilities, which could be “a very real danger to civilian lives.”
Four days after the fighting began, more than 350,000 Ukrainians had fled the country, according to the United Nations’ Refugee Agency, and that number is expected to rise in the coming weeks. On Sunday, Ukrainian forces were holding off an intense assault by the Russian military in the capital, Kyiv, while the country’s second-largest city, Kharkiv, had become a battleground amid heavy street fighting and rocket attacks. Online, social media platforms have seen a flood of fake videos and misinformation, heightening confusion and creating panic among an already vulnerable population.
Amid all this, even the threat of a cyberattack itself is likely enough to sow fear and disinformation, at a time when the information space is already muddled.
Kostyuk said her research into the effectiveness of cyberattacks shows that their direct impact is often limited: they unfold at a different pace than military operations on the ground and have “no discernible effects” on such events. But the fear of cyberattacks is real — and useful to the invader.
“Giving into these fears risks fighting phantom threats, playing into Russia’s hands by distracting from the need to counter its military threat, and sowing fear and confusion,” Kostyuk said.