Key Takeaways
Russia is coupling cyberattacks with its physical invasion of Ukraine to sow panic and cause disruption.
The attacks have included distributed denial of service and wiping malware.
The West may be affected inadvertently by virus spillover or become an intentional target, though the latter seems less likely at the moment.
Cyberattacks against Ukrainian government websites and financial institutions added to the chaos of Russia’s military assault. This combination of cyberwarfare operations with real-world aggression is an example of ‘hybrid warfare’.
Cyberattacks have been a key tool of Russian aggression in Ukraine since 2014, when the Kremlin annexed Crimea. They were also used against Estonia in 2007 and Georgia in 2008. Their intent can be to sow panic, confuse and distract.
Distributed Denial of Service (DDoS) Attack
Early on Wednesday (Feb 23) the websites of the Ukrainian Ministry of Foreign Affairs, the Cabinet of Ministers and the country’s parliament were down in what the government said was a distributed denial of service (DDoS) attack. DDoS attacks overwhelm websites and make them unreachable by flooding them with junk requests from many sources at once. Later that day another massive DDoS attack brought down the websites of multiple Ukrainian banks, including the most popular, PrivatBank.
It appears there has been some cyber retaliation. Major Russian websites also came under a denial-of-service attack on Thursday (Feb 24). The sites of Russia’s military (mil.ru) and Kremlin (kremlin.ru), hosted by the Russia State Internet Network, were unreachable or slow to load as a result.
Data wiping attack
While the DDoS attacks appear to have been meant to precede the physical invasion, a second cyberattack came on the same day as the invasion itself. A piece of destructive malware was found circulating in Ukraine and has infected hundreds of computers. The circulation of the malware was first detected by researchers at the cybersecurity firm ESET.
According to ESET, the malware required existing access to function, meaning the affected computer networks had already been compromised before it was deployed. ESET believes the attack had likely been in the works for the past couple of months. The victims in Ukraine already include a government agency and a financial institution.
Below is a screenshot of the malware message on an infected device:
The message translates: “Ukrainian! All of your personal data has been uploaded to a public site. All data on this computer has been destroyed, it is impossible to restore. All information about you has become public, be afraid and expect the worst. This was done for your past, present, and future. For Volyn (northwestern Ukrainian province), for OUN (Organization of Ukrainian Nationalists), for UIA (Ukrainian Insurgent Army), for Galicia (western Ukraine region), for Polesia (another region), and for historical land.”
The lack of a ransom option and the content of the message confirm that this is politically motivated malware rather than a financially motivated attack.
Potential spillover to the West
ESET researchers said that the virus has already been detected in neighboring Latvia and Lithuania. The cybersecurity world remembers the devastation caused by the NotPetya malware attack, which also started as a Russian attack on Ukraine but spread to become one of the worst worldwide computer viruses of all time, causing more than $10 billion in total damages. One element of cyberwarfare is the unpredictable viral nature of some of the attacks: once self-propagating malware is released, its spread does not respect national borders.
Potential direct threats to the West
On Tuesday (Feb 22), a senior FBI cyber official warned US businesses and local governments that they should be vigilant against potential ransomware attacks.
Russia definitely has the hacking talent to pose a serious threat to the US. Some of the biggest cyberattacks against US infrastructure in the past two years have been linked to suspected Russian hackers. The list includes the SolarWinds hack that infiltrated several government agencies in 2020, the Colonial Pipeline ransomware attack that forced a shutdown of one of America's largest fuel pipelines for several days, and another attack on one of the world's largest meat producers, JBS. While many of these attacks can't directly be linked to the Russian state, there's a widespread belief that hackers sometimes operate with state approval.
NATO has stated that a cyberattack on one of its members could constitute an assault, and might merit a collective response. In a communiqué it declared, "the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack."
Beyond that vague wording there are no formal protocols to establish what a “significant” attack would be or what a collective response might look like. If cyberattacks escalate beyond Ukraine in the near term, Putin may force NATO to clarify its rulebook for this aspect of modern warfare.