Russia has been pounding Ukrainian cities with missile and drone strikes for much of the past month, targeting civilians and large swathes of the country’s critical infrastructure.
By Monday, 40% of Kyiv residents were without water and widespread power outages were reported across the country. On Thursday, Ukrainian President Volodymyr Zelensky accused Russia of “energy terrorism” and said some 4.5 million Ukrainian consumers were temporarily disconnected from power.
The disaster shows how indiscriminate bombing remains the Kremlin’s preferred tactic eight months into the war against Ukraine. Meanwhile, Moscow’s vaunted hacking capabilities continue to play a peripheral rather than a central role in the Kremlin’s efforts to dismantle critical Ukrainian infrastructure.
“Why burn your cyber skills if you can achieve the same goals through kinetic attacks?” a senior US official told CNN.
But experts who spoke to CNN suggest there’s likely more to the question of why Russia’s cyberattacks aren’t having a more visible effect on the battlefield.
Effectively combining cyber and mobile operations “requires a high degree of integrated planning and execution,” argued a US military official focused on cyber defense. “The Russians can’t even put this fight between air force, artillery and ground attack.”
The lack of verifiable information about successful cyber attacks during the war complicates the picture.
A Western official focused on cyber security said the Ukrainians are likely not publicly disclosing the full extent of the impact of Russian hacks on their infrastructure and their connection to Russian missile attacks. That could deprive Russia of knowledge about the effectiveness of cyber operations and in turn affect Russia’s war planning, the official said.
To be sure, a number of suspected Russian cyberattacks have hit various Ukrainian industries, and some of the intrusions have been linked to Russia’s military targets. But the kind of high-impact hack that takes down power or transmission networks is largely missing.
Nowhere has that been more evident than in recent weeks of Russian drone and missile raids on Ukraine’s energy infrastructure. This is in stark contrast to 2015 and 2016, when, after Russia’s illegal annexation of Crimea, it was Russian military hackers, not bombs, that plunged more than a quarter of a million Ukrainians into darkness.
“All Ukrainian citizens are now living in these conditions,” said Viktor Zhora, Ukraine’s top cybersecurity official, referring to power outages and water shortages. “Imagine your normal day in the face of continuous interruptions in electricity or water supply, mobile communication or all of them together.”
Cyber operations targeting industrial facilities can take many months to plan, and after the explosion in early October of a bridge connecting Crimea with Russia, Putin was “trying to make a big, ostentatious public response to the attack on the bridge,” a senior US official said.
But officials tell CNN that Ukraine also deserves credit for improved cyber defenses. In April, Kyiv claimed to have thwarted an attempted hacking of power substations by the same group of Russian military hackers that caused blackouts in Ukraine in 2015 and 2016.
The human toll of the war has overshadowed these triumphs.
Ukrainian cybersecurity officials have for months had to dodge bombing while doing their job: protecting government networks from Russia’s spy agencies and criminal hackers.
Four officials of one of Ukraine’s main cyber and communications services – the State Service for Special Communications and Information Protection (SSSCIP) – were killed on October 10 in rocket attacks, the service said in a press release. The four officers did not have cybersecurity responsibilities, but their loss has weighed heavily on cybersecurity officials in the service during another grim month of war.
Hackers linked to Russian intelligence and military services have been targeting Ukrainian government agencies and critical infrastructure for years with a range of hacking tools.
At least six different hacker groups linked to the Kremlin conducted nearly 240 cyber operations against Ukrainian targets during and in the weeks after the February Russian invasion, Microsoft said in April. That includes a hack, which the White House blamed on the Kremlin, that disrupted satellite internet communications in Ukraine on the eve of Russia’s invasion.
“I don’t think Russia would measure cyber success by a single attack,” the Western official said, rather “by the cumulative effect” of trying to wear down the Ukrainians.
However, there are now open questions among some private analysts and US and Ukrainian officials about the extent to which Russian government hackers have already exhausted or “burned out” some of their most sensitive access to Ukrainian critical infrastructure in previous attacks. Hackers often lose access to their original way into a computer network once they are discovered.
In 2017, as Russia’s hybrid war in eastern Ukraine continued, Russia’s military intelligence agency unleashed devastating malware known as NotPetya that wiped out computer systems at companies across Ukraine before spreading around the world, according to the Justice Department and private investigators. The incident cost the global economy billions of dollars, upsetting shipping giant Maersk and other multinational companies.
That operation involved identifying widely used Ukrainian software, penetrating it and injecting malicious code to weaponize it, said Matt Olney, director of threat intelligence and interdiction at Talos, Cisco’s threat intelligence unit.
“All of that was just as amazingly effective as the final product,” said Olney, who has had a team in Ukraine responding to cyber incidents for years. “And that takes time and opportunities that sometimes you can’t just imagine.”
“I’m pretty sure [the Russians] wish they had what they burned during NotPetya,” Olney told CNN.
Zhora, the Ukrainian official who is deputy chairman at SSSCIP, called on Western governments to tighten sanctions on Russia’s access to software tools that could fuel its hacker arsenal.
“We should not rule out the possibility that these [Russian government hacking] teams are currently working on some high-sophistication attacks that we will see later,” Zhora told CNN. “It is highly unlikely that all Russian military hackers and government-controlled groups are on vacation or down.”
Tanel Sepp, Estonia’s ambassador general for cyber affairs, told CNN that it is possible the Russians will turn to a “new wave” of enhanced cyber attacks as their battles on the battlefield continue.
“Our main goal is to isolate Russia on the international stage” as much as possible, Sepp said, adding that the former Soviet state has not communicated with Russia on cybersecurity issues in months.