Euro Security Watch with Mathew J. Schwartz

Why Hasn't Russia Launched a Major Cyberattack on Ukraine?

Whatever Putin's Reasons, the Risk of Serious Escalation on All Fronts Remains
Ukrainian President Volodymyr Zelenskyy addresses the European Parliament from Kyiv on March 1, 2022. (Photo: European People's Party Group via Flickr/CC)

Why hasn't Russia unleashed major cyberattacks against either Ukraine or the West?

That's a question being asked by cybersecurity experts as they track the invasion of Ukraine, which began Thursday at the order of Russian President Vladimir Putin.

Many experts had predicted that Russia would use online attacks to take out key infrastructure in Ukraine ahead of moving in ground forces and warned that such attacks might cause collateral damage worldwide. But aside from some distributed denial-of-service attacks against government agencies and banks, as well as some minimal wiper malware attacks against Ukrainian government systems, this doesn't appear to have happened, at least yet.

Only Putin knows which strategies he might pursue, and for what reasons.

But the early days of the war, while causing Ukrainian military and civilian casualties, appear to have been a shambles for Russia.

Reports continue to emerge of a poorly organized invasion, widespread use of unencrypted communications and some soldiers - including conscripts - apparently psychologically unprepared to unleash violence on people often seen as kin. Significant numbers of tanks and other military vehicles have reportedly been abandoned by the side of the road after fuel ran out and no resupply was available.

A Pentagon official told Economist Defense Editor Shashank Joshi that some Russian troops appear to have been sabotaging their own vehicles, "presumably to avoid combat."

Meanwhile, Putin has yet to order severe online attacks.

"It's quite surprising that Russia hasn't employed all the cyber tools at their disposal from what we can infer, but that is still being kept as a reserve as well," says Sam Curry, CSO of security firm Cybereason. "I mean, they're thinking about a long-term game."

Many cybersecurity watchers, in other words, aren't optimistic. "I'm relieved that Russia's cyberattacks have been fairly limited thus far, but it is clear they have the capacity to do much more, and that it could be potentially devastating for neighboring NATO allies," the chairman of the Senate Intelligence Committee, Sen. Mark Warner, D-Va., says via Twitter (see: US Officials Tracking Russian Cyberattack Escalation Risk).

When it comes to the lack, so far, of full-scale cyberattacks, Ciaran Martin, the former head of Britain's National Cyber Security Center, offers three theories: "Russia holding back for some reason; Russia wasn't ready - high-impact attacks take time, skill, luck; it's much harder than often portrayed to achieve this type of impact." Or perhaps it's a combination of all three, he says.

Meanwhile, Matthias Schulze, deputy head of research at the German Institute for International and Security Affairs, has cataloged more than a dozen viable explanations for Russia's cyber restraint to date, including Moscow not wanting to escalate the conflict by the West getting involved, and Russian intelligence agencies perhaps not knowing that Putin was about to launch an invasion.

Another explanation could be "Western bias," he says, with the West over-focusing "on technical disruptions because we are more vulnerable here, while it was always the information angle that was more important to Russia."

But that, too, doesn't appear to have been well-executed by Moscow, at least so far. Indeed, despite aggressive disinformation campaigns being run by Russia, observers say Ukrainian President Volodymyr Zelenskyy's administration has done a masterful job of relaying what appears to be accurate information from inside Ukraine and rallying Western governments to its cause.

This includes Western governments pledging weapons and money for Ukraine. In addition, the EU has banned state-backed RT - formerly Russia Today - and Sputnik, which are widely seen as propaganda channels (see: The US Presidential Election Hacker Who Wasn't). Also, the U.S. and its allies have issued a number of strict sanctions against Moscow, which include excluding some Russian banks from the SWIFT international payments messaging system, a move that already appears to have destabilized Russia's economy.

All of this is due in no small part to Zelenskyy being able to get his message out, to boost Ukrainians' morale and to rally world leaders to the cause of countering Russian aggression. "As someone who studies misinformation, the past week has been a masterclass in how positive actors with a strong information operation and tech platforms being (somewhat) sensible can create an environment in which misinformation struggles to take hold," tweets Laura Edelson, a researcher at New York University's Center for Cybersecurity.

Crisis Communications

Whether they're true or not, stories have circulated across social media and news channels of Ukrainian grandmothers handing sunflower seeds to Russian soldiers so that after they're killed in action, flowers will grow over their unmarked graves; Ukrainians driving up to stranded Russian tank crews and offering to tow them back to Russia; Ukrainian citizens taking up arms; and refugees fleeing Russia's ground invasion and missile strikes, oftentimes with their pets.

Not allowing misinformation, or doubt, to take hold is a core tenet of effective crisis communications. This succeeds by communicating sufficient levels of accurate, timely information to core stakeholders in a transparent manner. Doing this well demonstrates that the people in charge of response are on the job and strongly suggests they have appropriate, well-practiced plans in place that they're now executing.

Examples of good crisis communications in the corporate realm include Danish shipping giant Maersk's transparency as it battled a serious NotPetya infection in 2017, and the same again for the Scottish Environmental Protection Agency after it got crypto-locked by ransomware on Christmas Eve 2020 (see: Post-Ransomware Response: Victim Says 'Do the Right Thing').

But bad examples also abound in the corporate realm, as demonstrated by data breach notifications filled with weasel words and strategies that literally show that organizations are not being transparent (see: Retailer Fat Face Pays $2 Million Ransom to Conti Gang).

Escalation Will Continue

Unfortunately for Ukraine, excellent communications strategies will only go so far. Russia has many soldiers and may have been holding back its more seasoned forces. The tempo of missile strikes and civilian casualties also appears to have strongly increased in recent days. Many more horrific weapons could soon be brought to bear, no matter the cost to Ukrainian lives and infrastructure.

Putin may simply not stop until he has seized all of Ukraine and signaled to the world that far beyond cyberattacks, tanks, cruise missiles or thermobaric bombs, he might even use nuclear weapons to do so.

"They're playing a very aggressive game, which is Russia against the world," Cybereason's Curry says. "So we've got to pay attention to that and think of it in terms of an escalating ladder … because it has big implications as it goes past certain points. Nobody knows where the ceiling on this conflict is, and that makes people very nervous."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
