On January 3, 2022, Microsoft noticed unusual activity from two Microsoft Exchange servers: they were sending large amounts of data to IP addresses. Investigation revealed that the attackers, later identified as Russian hackers, had used a vulnerability in Microsoft software to steal the entire contents of several user mailboxes worldwide, including in Ukraine, the US, and Australia. This was the first of a series of cyber attacks on Ukraine, including taking down government websites, posting threatening messages that sent Ukrainians to withdraw cash from ATMs, DDoS attacks on banking, bomb threats to schools, and even a wiper malware that would erase all data in a network.
Russia has previously been implicated in cyber attacks in Ukraine, Estonia, Georgia, and the US. In 2014, four days before the Ukrainian parliamentary elections, malware was installed on the Ukrainian central election system, set to portray a pro-Russia candidate as the winner. This malware compromised and deleted critical files and made the vote-tallying system inoperable. After the polls closed, the Ukrainian Central Election Commission faced DDoS attacks that disabled its network. As a result, it was unable to announce results for two hours. During these two hours, the Russian media announced that the candidate they supported had won the election with 37 percent of the votes.
In 2015, Russian cyber troops launched remote malware attacks against Ukraine. Malware known as BlackEnergy was delivered by email to individuals at different energy companies. Once these individuals opened the malicious attachment, it activated the KillDisk destructive malware, which wipes out parts of the computers’ hard drives and prevents the systems from rebooting. This led to power outages in Ukraine. Hackers simultaneously launched a TDoS (Telephony Denial of Service) attack to prevent citizens from calling the electricity help centre to report loss of power. This double attack caused a severe electricity blackout in Ukraine that affected more than 225,000 citizens. The incident is considered to be the first remote attack on public infrastructure using cyberweapons.
A tested strategy: Cyber attacks on Russia's neighbours
In 2007, during a dispute between Russia and Estonia following Tallinn's decision to relocate one of the Soviet World War II war memorials from its original place, Russian cyber troops took down the Estonian state’s banking and public administration systems after hijacking and harnessing a botnet of a million computers worldwide. It is estimated that Russia used more than one million computers from 70 different countries in this attack. Estonia requested help from NATO under Article V on collective defense, yet NATO was not able to offer support at that time, a situation that raised the question of whether cyberattacks fall under the organization's collective defense. Later, the alliance adopted the strategic concept to “prevent, detect, defend against and recover from cyber-attacks, including using the NATO planning process to enhance and coordinate national cyber-defense capabilities, bringing all NATO bodies under centralized cyber protection, and better integrating NATO cyber awareness, warning and response with member nations.”
In August 2008, Russia and Georgia engaged in an armed conflict over South Ossetia, a territory that had seceded from Georgia. While conducting military operations, Russia oversaw DDoS attacks against numerous Georgian websites that severely affected communication and financial services. In response, the National Bank of Georgia on 9 August ordered all banks to stop offering electronic services. Unfortunately, Georgia's physical network infrastructure ran through Russia and Azerbaijan, apart from a single fibre optic cable to Turkey. During the escalation of the conflict, Russian troops blocked the fibre optic cables carrying international telephone traffic and seized both cellular and primary international telephone traffic. This blockage overloaded the remaining channels used by civilians and non-governmental organizations.
With its communication channels degraded, the Georgian government decided to censor Russian news and communication and to filter Russian IP addresses from its network to stop the DDoS attacks. This reduced the DDoS attacks temporarily, but hackers then started to mask their IP addresses and targeted Georgian services hosted abroad. For example, Russian hackers hit US-based servers with DDoS attacks after the Georgian government migrated its server to a private web server in Atlanta.
After the Russian DDoS cyber attack, many pro-Georgia hackers started counter-attacks against Russian servers, including a few Russian media sites. But with Russian websites, communication, and news blocked, Georgian citizens soon found themselves in an information blackout. The media censorship and internet filtering created panic and helped spread rumors and disinformation about a Russian victory.
The Georgian government was unable to debunk false news or to connect with its citizens. The resulting confusion and suspicion had a significant effect on morale, which was reflected on the battlefield.
In this war, Russia achieved its victory by controlling the information streams, the internet, and the narrative: it disabled government services, websites and financial servers, and denied Georgian citizens access to information.
Lessons for Ukraine
This holds lessons for Ukraine’s current challenges. In Ukraine, once the Russian cyberattacks started in February 2022, an anonymous pro-Ukraine hacking collective announced that it had targeted Russian TV channels to show pro-Ukrainian messages, while a Telegram channel with thousands of members was formed to fight online for Ukraine.
Unlike Georgia in 2008, Ukraine is backed electronically by NATO and its neighbours. After Russia moved its troops toward Kyiv, NATO signed an agreement with Ukraine to enhance its cyber capabilities and give it access to the alliance’s malware information sharing platform. The White House also offered the Ukrainian government cyber support. Elon Musk offered his satellite broadband service, Starlink, to run government servers. Additionally, the European Union formed a cyber rapid-response team (CRRT); headed by Lithuania, this team includes 12 experts from private and government entities in Lithuania, Croatia, Poland, Estonia, Romania, and the Netherlands. Romania also launched a partnership to provide pro bono technical support and threat intelligence to Ukraine’s government, businesses and citizens.
Despite Ukraine's attempts to strike back, it is difficult to assess their success. One possible indication could be dated to May 9, when hackers interrupted Putin's speech on TV during the Victory Day celebration. On that day, Russian smart TV users and online viewers saw the names of their TV programmes changed to “The blood of thousands of Ukrainians and hundreds of their children is on your hands. TV and the authorities lie. No to war.”
Surprisingly, despite their capabilities, Russian hackers have caused only moderate harm to Ukraine’s digital infrastructure. Both parties have made mistakes similar to the ones seen in Georgia. Putin recently blocked all Western media websites and social media such as Facebook, Instagram and Twitter, to saturate Russian citizens with Russian discourse. Russian security services have also started to randomly search citizens’ mobiles in the streets, looking for anti-war posts, photos, videos, or messages.
At the same time, the EU decided to block Russian propaganda arms such as Sputnik and Russia Today. On March 20 the Ukrainian president also banned eleven left-wing opposition parties accused of supporting Russia; together these parties hold 10 percent of the seats in the national parliament.
In addition to sanctions, Russians are denied access to internet services from foreign providers, which makes Russian censorship more effective. At the same time, the Ukrainian government has banned and blocked certain opposition voices. As the war progresses, the lesson from Georgia is that the flow of information to citizens might be a decisive factor.