Russia has pounded Ukrainian cities with missile and drone strikes over the past month, targeting civilians and large parts of the country’s critical infrastructure.
By Monday, 40% of Kiev residents were without water, and there were widespread power outages across the country. On Thursday, Ukrainian President Volodymyr Zelensky accused Russia of “energy terrorism” and said about 4.5 million consumers in Ukraine had been temporarily disconnected from their power supply.
The destruction shows how indiscriminate bombing remains the Kremlin’s preferred tactic eight months into its war against Ukraine. Moscow’s vaunted hacking capabilities, meanwhile, continue to play a peripheral, not central, role in the Kremlin’s efforts to dismantle Ukraine’s critical infrastructure.
“Why burn your cyber skills when you can achieve the same goals through kinetic attacks?” A senior US official told CNN.
But experts who spoke to CNN suggest they’re likely to wonder why Russia’s cyberattacks haven’t had a more pronounced impact on the battlefield.
Effectively combining cyber and kinetic operations “requires a high level of planning and execution,” argued a US military official who focuses on cyber defense. “The Russians can’t get rid of that crap between their aviation, artillery and ground attack forces.”
The lack of verifiable information about successful wartime cyberattacks complicates the picture.
A Western official focused on cybersecurity has said that the Ukrainians will not publicly reveal the full extent of the impact of Russian hacks on their infrastructure and their correlation to Russian missile attacks. This could deprive Russia of insight into the effectiveness of their cyber operations, and in turn affect Russian war planning, the official said.
To be sure, a series of alleged Russian cyberattacks have hit several Ukrainian industries, and some hacks have been linked to Russian military targets. But the kind of high-impact hacks that take out energy or transportation networks have been largely absent.
Nowhere was this more evident than in recent weeks of Russian drone and missile attacks on Ukraine’s energy infrastructure. That compares to 2015 and 2016, when after Russia’s illegal annexation of Crimea, it was Russian military hackers, not bombs, that plunged more than a quarter of a million Ukrainians into darkness.
“All citizens of Ukraine are living in these conditions now,” said Victor Zhora, the Ukrainian government’s top cybersecurity official, referring to blackouts and water shortages. “Imagine your daily routine faced with constant disruptions to electricity or water supply, mobile communication or a combination of everything.”
Cyber operations targeting industrial plants can take months to plan, and after the explosion of the bridge linking Crimea and Russia in early October, Putin was “trying to make a big, visible public response to the attack on the bridge.” said the senior US official.
But officials tell CNN that Ukraine also deserves credit for improving its cyber defenses. In April, Kiev said it had foiled an attempt to hack power substations by the same Russian military hacker group that caused blackouts in Ukraine in 2015 and 2016.
The human cost of war has overshadowed these victories.
Ukrainian cybersecurity officials have had to dodge bombings for months while also doing their job: protecting government networks from Russian spy agencies and criminal hackers.
Four officials of one of Ukraine’s main cyber and communications agencies—the State Service for Special Communications and Information Protection (SSSCIP)—were killed in missile strikes on October 10, the agency said in a press release. The four officials did not have any cybersecurity responsibilities, but their loss has weighed heavily on the agency’s cybersecurity officials in another tense month of war.
Hackers linked to Russian spy and military agencies have been targeting Ukrainian government agencies and critical infrastructure for years with an array of hacking tools.
At least six different Kremlin-linked hacking groups carried out nearly 240 cyber operations against Ukrainian targets in the weeks leading up to the February invasion of Russia, Microsoft said in April. It includes a hack the White House has blamed on the Kremlin that disrupted satellite Internet communications in Ukraine on the eve of Russia’s invasion.
“I don’t think Russia will measure its success in cyberspace with a single attack,” the Western official said, referring to the “cumulative effect” of trying to wear down the Ukrainians.
But there are now open questions among some private analysts and US and Ukrainian officials about the extent to which Russian government hackers used or “burned out” some of Ukraine’s most sensitive access points to critical infrastructure in previous attacks. Hackers often lose their original path when they discover a computer network.
In 2017, as Russia’s hybrid war in eastern Ukraine continued, Russia’s military intelligence agency released the devastating malware known as NotPetya, which wiped out computer systems at companies across Ukraine before spreading around the world, according to the Justice Department and private investigators. The incident cost the world economy billions of dollars as it disrupted shipping giant Maersk and other multinational companies.
The operation involved identifying, infiltrating and injecting malicious code into widely used Ukrainian software to make it a weapon, said Matt Olney, director of threat intelligence and interdiction at Talos, Cisco’s threat intelligence unit.
“All of that was as effective as the final product,” said Olney, who has had a team in Ukraine responding to cyber incidents for years. “And that takes time and sometimes it takes choices you can’t conjure up on your own.”
“I’m pretty sure [the Russians] They’d like to be grilled on NotPetya,” Olney told CNN.
Zhora, a Ukrainian official who is vice president of the SSSCIP, has called on Western governments to toughen sanctions on Russia’s access to software tools that could fuel its hacking arsenal.
“We should not rule out that possibility [Russian government hacking] groups are working right now on some very complex attacks that we’ll see later,” Zhora told CNN. “It’s very unlikely that all Russian military hackers and government-controlled groups are on vacation or out of business.”
Tanel Sepp, Estonia’s top ambassador for cyber affairs, told CNN that the Russians are likely to face a “new wave” of increased cyberattacks as battles continue on the battlefield.
“Our main goal is to isolate Russia internationally” as much as possible, Sepp said, adding that the former Soviet state has not communicated with Russia about cybersecurity issues in months.