The Ukraine – Russia Cyberwar: Everything You Need to Know

Russia may have moved troops into Ukraine on February 24th, 2022, but its cyberwar against Ukraine began eight years earlier. Long before Putin’s full-scale invasion, Russian hackers began targeting Ukrainian infrastructure and government institutions.

Because the cyberwar is an important but hidden element of this campaign, we’ve gathered as much data as we can to update you on this side of the conflict. We’ll cover significant cyberattacks, cyber’s role in the current conflict, and steps you can take to stay safe.

We’ll also update this article as the situation in Ukraine develops so those affected know what’s happening with their data.

The Buildup to the Cyberwar in Ukraine

Since Putin first came to power in 2000, Russian diplomatic relations with former Soviet republics have been marked by Russian aggression and disinformation. He has described the dissolution of the Soviet Union as “the greatest geopolitical catastrophe of the century,”¹ and talks openly about rebuilding the Soviet Union.

This began in 1999 with the Second Chechen War, before Putin was even formally elected President of Russia. In that campaign, in a way that foreshadows what’s happening today in Ukraine, Putin declared the Chechen President’s authority illegitimate and, in a series of increasingly aggressive moves that belied his stated intentions, took control of the country, which is now part of Russia.

Putin used similar tactics of disinformation and cyber warfare in Russia’s 2014 campaign against the Crimea, a formerly Ukrainian territory located along the northern coast of the Black Sea. In the Russian annexation of Crimea, Putin dissolved Crimean press, used state-sponsored media as well as social media to spread lies about fascism in Ukraine, and used troops disguised as separatists to overtake the Crimean parliament.

When Russia formally moved troops into Crimea, its stated intention was to protect Russians and “normalize” the situation.

Following the 2014 annexation of Crimea, brutal and bloody conflict has raged in eastern Ukraine between Russian-backed separatist forces and the Ukrainian military. At the same time, Russian cyberattacks against Ukraine have escalated, focusing on Ukrainian hospitals, energy systems, government institutions, and websites. This is all in an apparent effort to destabilize Ukrainian politics, aid the spread of disinformation, and affect the Ukrainian military.

Ukraine has responded with cyberattacks of its own, targeting Russian military forces, disinformation campaigns, and intelligence agencies. However, the economic disparity between the two nations puts Ukraine at a disadvantage.

Cyberwarfare between the two nations further escalated in late February, 2022, following Russia’s full-scale invasion of Ukraine. Following the same playbook Russia used in Chechnya and Crimea, Russian hackers and news outlets are spreading disinformation to build a pro-Russian justification for the invasion.

Putin has falsely claimed that Ukraine is a fascist government committing genocide on its own people. And his disinformation campaign is extremely effective in Russia. Reports have even emerged of Russian citizens refusing to believe images that show Russian aggression in Ukraine.³ Russian cyber tactics are also designed to disrupt Ukrainian defensive efforts, communication channels, and civilian infrastructure.

And Russia is a master of cyberwarfare. According to Rolf Mowatt-Larssen, a former chief of the CIA’s Moscow station, it’s part of “Putin’s playbook.” Speaking to USA Today, Mowatt-Larssen warned, “The whole world is now getting introduced to the idea of hybrid war.”

Analysts warn that Russian hackers could disable Ukrainian infrastructure completely to help the Russian advance on Kyiv. According to Mowatt-Larssen, “[Putin] could turn out the lights in Ukraine before it even knows what’s happening.”

Since he first came to power, Putin has expressed concern over the continued eastward expansion of countries joining NATO, and has in particular forbidden NATO to include Ukraine as a member nation.

He has also expressed his desire to return Russia to the former glory of the Soviet Union. He sees Ukraine as important to achieving that glory, and he has shown that he is willing to use cyberwarfare and disinformation, and to break international law, to bring Ukraine back into the Soviet fold.

With the Russian invasion, Ukraine’s Vice Prime Minister and Minister of Digital Transformation, Mykhailo Fedorov, has called on volunteers to join the “IT Army,” a cyber force created to repel Russian cyberattacks and disinformation, as well as to attack Russian infrastructure. And Western nations and big-tech institutions have hit Russia with some of the hardest economic sanctions in history, and imposed measures to limit Russia’s disinformation campaign.

In response, Putin’s rhetoric has grown more threatening and erratic, and analysts fear Russian cyberattacks could spread beyond the Russia-Ukraine conflict to target Western nations. If that happens, it could lead to cyber warfare on a global scale.

Why Does Russia Use Cyberwar?

Russia has used cyberwar to accomplish a number of its objectives, both in Ukraine and elsewhere. Between 2014 and 2022, Russia launched a number of cyberattacks designed to disrupt Ukraine’s government institutions and influence the nation’s foreign policy.

Cyberattacks on energy infrastructure caused major power outages across Ukraine in 2015 and 2016. Speaking to Slate, cyberwar author and Wired writer Andy Greenberg said these attacks were designed to make Ukrainian citizens feel vulnerable.

“These cyberattacks were a way to send a message to the rest of Ukraine that you too are vulnerable. Even though you’re hundreds of miles away from the fronts, we can reach you, too. You’re all subject to our sphere of influence.”⁴

Russian disinformation campaigns continued to spread pro-Russian and anti-Ukrainian propaganda for several years. Russia also used cyber operations in Ukraine as training exercises to develop its capabilities.

Russia has adopted similar hacking methods outside of Ukraine, often targeting influential Western governments like the US, the UK, and Germany. In 2014, Russia used cyber tactics to disrupt the Ukrainian Presidential Election. And in 2016, Russia ran a similar disinformation campaign against the United States’ Presidential Election.

Russian attacks on elections continue to undermine the democratic process in Western nations, including the theft of sensitive intelligence data. For example, in 2016, Germany’s domestic intelligence agency claimed Russian hackers attacked state computers. And in 2020, the CIA blamed Russian state-sponsored actors for a breach of the US Federal Government.

In 2022, cyberattacks have been used to create fear and confusion in Ukraine, to “prepare the battlefield,”⁴ according to Greenberg. Speaking to Slate, Greenberg also outlined how Russian cyber tactics have shifted during the physical invasion:

“Cyberattacks have been designed to prepare the battleground in the sense of creating confusion as Ukraine tries to figure out what is going on, to scare people. But then once the physical invasion starts, it is more tactical accompaniments of physical war.”⁴

Who’s Involved?

Several hacking groups and nation-states are acting on behalf of Russian and Ukrainian forces following the Russian invasion.

Pro-Russian Hacking Groups

In Russia, three major intelligence agencies account for much of the government’s cyber activities: The Federal Security Service⁵ (a domestic security agency), the Foreign Intelligence Service⁶ (an external intelligence agency), and the GRU⁷ (a military intelligence agency).

The GRU is of particular interest. Most of Russia’s disruptive state-sponsored hacking operations come from the GRU, and its infamous hacking groups are extremely proficient.

Unit 26165 is responsible for several high-profile cyberattacks in recent years. Also known as Fancy Bear (or APT28), the group was behind the 2014 cyberattacks on the Ukrainian election and the 2016 US Presidential Election hacks.

Unit 74455 is another hacking group in the GRU. Also known as Voodoo Bear or Sandworm, this group is responsible for the NotPetya hacks in 2017, which caused billions of dollars worth of damage globally.

Speaking to Slate, Greenberg calls Sandworm the most active cyberwarfare hacker group in the world. “This is a group that specializes in just inflicting maximum chaos globally.”

Other hacking groups are supporting Russia’s invasion. UNC1151 (or Ghostwriter) has attacked Ukrainian websites. Ghostwriter has sophisticated capabilities and acts on behalf of the Belarusian government. Conti is another group openly supporting the Russian invasion.

Pro-Ukrainian Hacking Groups

Russian cyber capabilities outgun Ukraine’s, but over the last six years, the Ukrainian Cyber Alliance (UCA) has helped the Ukrainian government repel Russian hackers. Several hacktivist groups merged to form the UCA, which is responsible for the Surkov Leaks among others.

In February, 2022, Ukraine’s Vice Prime Minister and Minister of Digital Transformation, Mykhailo Fedorov, asked for volunteers to join the “IT Army,” a cyber team of civilian hackers designed to counter Russian hacking. “We are creating an IT army. We need digital talents,” wrote Fedorov in a Twitter post. So far 230,000+ people have joined, with Russian websites, banks, and energy the group’s primary targets.

Hackers from around the world have also rallied in support of Ukraine, including the decentralized hacking collective known as Anonymous. The members of Anonymous operate individually under the Anonymous name, and the hacktivist collective has been responsible for a number of high-profile cyberattacks going back to 2003. Their activity stalled after a series of high-profile arrests in the 2010s, but resurged following the murder of George Floyd in 2020.

And in late February 2022, Anonymous declared cyberwar on Russia. The group already claims to have successfully attacked Russia’s Ministry of Defense.

