The pace of cyberattacks directed against Ukraine has been unrelenting over the past 12 months. While attacks have been aimed at military targets – such as a widely condemned attack on Ukrainian satellite company Viasat early in the conflict that disrupted Ukrainian military communications – hackers are taking aim even more at critical utilities used in daily life.
More than 2,000 cyberattacks were aimed at Ukrainian organizations in 2022, according to statistics from Ukraine’s Computer Emergency Response Team provided to POLITICO. While more than 300 of these attacks were against the security and defense sector, more than 400 attacks targeted groups affecting civilian life, including organizations in the commercial, energy, financial, telecommunications and software sectors. More than 500 other attacks were aimed at government groups.
A recent report from Ukraine’s State Service of Special Communications and Information Protection found that while the pace of cyberattacks against Ukraine slowed overall between September and December of 2022, these attacks were increasingly aimed at public services and energy instead of military targets.
Moscow is trying to make these attacks as psychologically difficult for Ukrainians as possible, insiders say. Microsoft warned in a December report that the Kremlin is coordinating cyberattacks and missile strikes on Ukrainian energy and water groups, and that these destructive cyberattacks may spread to countries, such as neighboring Poland, and private companies providing aid to Ukraine. These include organizations that provide humanitarian aid.
“Many of these attacks carried out were designed to affect the civilian populace rather than any military targets,” said John Hultquist, vice president of threat intelligence at the cybersecurity company Mandiant, which has helped support Ukraine’s cyber defenses. “We think that some of these attempts, on power in particular, are done…to strike fear into every Ukrainian and really just raise the psychological toll.”
Attacks have included an unsuccessful effort aimed at an electrical substation that would have disrupted power for millions of Ukrainians, an incident eerily similar to previous successful Russian-linked attacks in 2015 and 2016 that shut off the lights in portions of Ukraine. Those two earlier attacks both took place in the dead of winter, likely to cause maximum discomfort for Ukrainians, a tactic Russia is continuing to pursue during the current colder months.
“We’ve seen the Russians target civilian infrastructure in unsuccessful attempts to undermine the Ukrainians’ will to fight,” Senate Intelligence Committee Chair Mark Warner (D-Va.) said in a statement provided to POLITICO.
Joyce said Russian hackers have successfully compromised groups in the emergency, transportation and communications sectors as well, and were targeting surveillance cameras to potentially inform troop movements. He stressed that while cyberattacks overall have not had the widespread impact predicted prior to the Russian invasion of Ukraine, this is not due to a lack of effort on Moscow’s part.
“We know they continue to try to gain access,” Joyce said.
Ukrainian officials are acutely aware of the increasing threats to civilians in cyberspace, and are working to defend against them. Hultquist noted that “Ukrainian defenders have been hyper-vigilant” in identifying and responding to intrusions, and pointed to this as a major factor in preventing many attacks.
These efforts have not, however, prevented Moscow from attempting to take down systems. Victor Zhora, deputy chair and chief digital transformation officer of Ukraine’s SSSCIP, said that the public sector is now attacked “twice as much” as the military sector.
“The key purposes of Russia’s hacking activity are espionage, misinformation and damaging critical infrastructure that impacts large amounts of population,” Zhora said in a lengthy statement provided to POLITICO. “Russia’s activities in Ukraine, their unprovoked aggression in cyberspace, have the same goals as their so-called ‘military strategy’ for Ukraine, i.e., terrorizing Ukrainian civilians.”
These cyberattacks are only likely to intensify as the conflict grinds on in 2023. Zhora said that “complex” attacks on power grid operators and electricity distributors were ongoing, and warned that Moscow is targeting less secure companies that provide software to critical infrastructure groups in order to gain backdoor access.
Joyce said the NSA is “always worried” about supply chain compromises, citing the example of the SolarWinds attack in 2020, in which Russian government hackers used a vulnerability in software to infiltrate the networks of over a dozen US federal agencies for months. He stressed his concern that Moscow will only become more “brazen” in its cyberattacks aimed at civilians if the war does not go in its favor.
“[I’m] more and more concerned for the outcomes as they get more and more desperate,” Joyce said. “They will use all the different means at their disposal from kinetic through non-kinetic.”
Ukraine may not be the only target. Following the invasion last year, President Joe Biden warned of potential Russian cyberattacks not only on Ukraine, but on the networks of the US and other Ukrainian allies, prompting a nationwide effort to strengthen critical systems. While no successful major Russian cyberattacks on the US in retaliation for assisting Ukraine took place in 2022, the threat remains.
“We have not seen the Russians really seriously deploy the formidable cyber capabilities we know they have in an attempt to target the West in this conflict,” Warner said. “Should they do so, they need to know that we also have formidable cyber capabilities that could be used to respond.”