While cyber has been recognised as a warfighting domain by most of the world’s military powers, computers are still far less capable of killing people than the artillery amassed on Ukraine’s borders.
Just weeks after Viktor Yanukovych, Ukraine’s president at the time, was ousted in 2014 (when he refused to sign an association agreement with the European Union in favour of closer ties with the Kremlin), Russia-backed forces annexed Crimea.
Since 2014, Russia’s attacks on Ukraine have repeatedly harmed civilians, from the shooting down of Malaysia Airlines flight MH17 to the NotPetya cyber attack that spread out of control and caused billions in damages – including in Russia itself.
As mixed signals abound about Russia’s preparations for an invasion, what does a look at the past teach us to expect in the future?
Major cyber operations in Ukraine
- 2013: Mobile blackout and websites taken down over Euromaidan
- 2014: Election commission attacked, documents released
- 2015: Power grid taken offline in December
- 2016: Power grid again taken offline in December
- 2017: NotPetya attack, causes global damage
- 2022: Government sites go offline alongside destructive attack
The Yanukovych regime’s security services are believed to have conducted the operations to suppress the Euromaidan protests. The Kremlin has been accused of the others but denies the blame.
No such thing as ‘cyber war’
“Ukrainians will tell you they’ve been at war with Russia for years. That’s true. And cyber has been a dimension of that,” said Ciaran Martin, the former chief executive of the UK’s National Cyber Security Centre, now an Oxford professor.
“There’s been constant digital harassment: two power outages in Kiev back in 2015 and 2016, disruption of government online services, and targeting of Ukrainian military for intelligence purposes.
“Over the last seven or eight years, Ukraine has probably faced greater cyber aggression than any other country on Earth.”
He added: “If the military conflict escalates into some sort of invasion, we could expect an uptick in aggressive cyber activity too.
“But this will not be what some people call a cyber war. There’s not really any such thing. There would be a cyber dimension to a real war, if that’s what happens.”
A history of interference
The ballots in the first presidential election in Ukraine after Russia’s invasion had to be counted by hand after hackers deleted critical files in the country’s central election system.
The hackers released data online as part of the hack, and at the time the election commission described the incident as “just one component in an information war being conducted against our state”.
The next year, the first publicly acknowledged successful hack of a power grid turned off energy supplies for more than 200,000 people for up to six hours. Another even more sophisticated attack in 2016 also took out the power supply in the capital Kyiv.
Another watershed moment was to come in 2017.
On the eve of Ukraine’s national Constitution Day, 27 June, hackers whom the UK has said were “almost certainly” the Russian military detonated a malicious data encryption tool which had been inserted into accounting software used by most government and financial institutions in Ukraine.
The malware was wormable, meaning it could spread itself from computer network to computer network – and it did just that, spreading like wildfire without the hackers who had designed it being able to direct it to damage specific networks.
It even took Chernobyl’s radiation monitoring system offline as it affected businesses around the world, including in Russia, destroying their computers and causing more than $10bn in damages, according to a White House assessment.
Malware is likely to be similarly lying dormant in critical networks across Ukraine, though it is unlikely to be wormable and capable of causing the same damage as the incident in 2017.
What should we expect?
Mike McLellan, the director of Secureworks’ counter threat unit, said: “What we have seen so far with this current crisis, including website defacements and wiper attacks, is in one sense nothing new.
“However, if Russia does decide to initiate military action against Ukraine we would expect to see further and probably more aggressive cyber operations.
“It’s hard to say at this stage what those operations might consist of, but they might include disruption of communications or other critical infrastructure, and information operations aimed at causing confusion among the Ukrainian population.”
John Hultquist, the vice-president of threat intelligence at Mandiant, a cyber security firm, anticipated several threats as the crisis in Ukraine escalated, including information operations – “a regular feature of Russian and Belarusian cyber activity”.
Serhiy Demedyuk, the deputy secretary of Ukraine’s national security and defence council, said a series of defacements conducted in January were cover for more destructive cyber activities by a group that has been linked to Belarus.
The aim of these operations may not be to directly disable military equipment but to disrupt Ukraine’s defences and force the country to deploy its resources in a manner that Russia could take advantage of.
In a blog, Mr Hultquist said: “The crisis in Ukraine has already proven to be a catalyst for additional aggressive cyber activity that will likely increase as the situation deteriorates.
“At Mandiant, we have been anticipating this activity, and we are concerned that, unlike the recent defacements and destructive attacks, future activity will not be restricted to Ukrainian targets or the public sector.”
The US and UK have both warned domestic organisations to check their defences due to concerns about the potential for new Russian attacks linked to tensions with Ukraine.