This is part four of a series, ‘Lessons from the first cyberwar.’ Read part one, part two and part three.
From the Estonian attack in 2007 to leveraging cyber operations and supporting military operations in Georgia in 2008, Russia already had some experience waging cyberwar. And before the Euromaidan Revolution in Ukraine in late November 2013, Russia had begun preparing for an actual war against Ukraine – both physical and digital.
Ukraine’s president at the time, Viktor Yanukovych, who had close ties with Russia, had backpedaled against closer ties with the European Union, refusing under the Kremlin’s pressure to sign an association agreement with the EU.
Russia offered Ukraine US$15 billion in economic aid, which was seen by some as a bribe to Yanukovych to turn away from the EU.
Activists started large protests against the president’s decision to try to bring the country deeper into Russia’s sphere of influence. Yanukovych tried to stop these protests with force, but that only made the protesters more determined and brought more people into the streets. The situation continued to escalate and eventually Yanukovych fled to Russia.
Putin exerted pressure on Yanukovych to pivot Ukraine toward joining the Eurasian Economic Union (EEU), mirroring Russia’s successful coercion of Armenia.
Compared with Armenia’s transition from the EU Association Agreement to the EEU, which occurred without significant public dissent, Ukraine’s situation was markedly different, culminating in mass protests.
Following the ascent of the Euromaidan activists to power, Russia executed an invasion of Crimea. This operation was characterized by the deployment of Russian special forces, who were notably disguised as “little green men” – soldiers without identifiable insignia.
However, during Russia’s invasion of Crimea and illegal referendum, the Kremlin also launched an eight-minute DDoS attack against Ukraine, which was 32 times more powerful than Russia’s largest attack against Georgia during its invasion in 2008.
Then, on the day of the referendum in Crimea, Russia also began conducting DDoS attacks against NATO websites for voicing support for Ukraine against Russia’s invasion. This set a precedent for Russia targeting Ukraine’s supporters with cyberattacks in subsequent confrontations.
In May 2014, the pro-Russian hacktivist group CyberBerkut tried to disrupt the Ukrainian presidential elections. Four days before the vote, they hacked into Ukraine’s main election computers and deleted important files, causing the system that counts the votes to stop working.
The next day, the hackers announced they had “destroyed the computer network infrastructure” used for the election, leaking emails and documents online to show what they had done.
Furthermore, they continued attacking the vote counting system with DDoS attacks, which overloaded the system with traffic. The next day, Ukrainian officials reported that they had fixed the system using backup files, which were ready to be used again. However, government cyber experts still had to remove – 40 minutes before the results were announced – a virus that would have resulted in false votes being released.
Russia’s aim was to discredit Ukraine’s elections. The attacks also revealed how Russian cyber operations are targeted to disrupt services and create instability.
In April 2014, after illegally annexing Crimea, Russia also sent militant groups into south-eastern Ukraine to create a violent uprising that ultimately led to war in Ukraine’s Eastern Donbas region between Ukraine and Russian-backed militants.
As Russian tanks invaded Ukraine in August 2014, Russian hackers were already working on conducting cyberattacks against Ukraine, with the country distracted by what was happening politically.
The war in eastern Ukraine also gave Russia-affiliated hackers the opportunity to begin launching extensive cyberattacks against Ukraine. As a result, Ukraine’s situation would end up being termed “Russia’s test lab” for cyberwar.
In 2015, Russia conducted an unprecedented hack of Ukraine’s power grid, which marked one of the first known instances of a cyberattack resulting in a major power outage, this affecting around 230,000 residents of Western Ukraine.
The hackers used a spear-phishing scheme with malicious Microsoft Office attachments to first gain access to the networks by obtaining the legitimate credentials of three regional electricity distribution companies, providing them with remote access.
They sent malicious emails to employees, which, when opened, infected their operating systems. The attackers deployed BlackEnergy malware on the companies’ computer networks, which was used to gather intelligence on infrastructure and networks to guide future cyberattacks.
The hackers took over the control systems of the power distribution stations and manually switched off the electricity. The power was only out for one to six hours in the affected areas, but even two months after the attack, the control centers were still not fully operational.
The attack was carefully planned and executed over many months with one of Russia’s political goals being to undermine public trust in the Ukrainian Government and private companies.
Viktor Yushchenko, who was Ukraine’s president from 2005 to 2010, highlighted that Russia’s tactics in the digital and physical realm were intended “to destabilize the situation in Ukraine, to make its government look incompetent and vulnerable.”
Russia also began using these attacks against Ukraine to learn about the impact and to perfect its craft for future attacks against both Ukraine and the West.
The attack on Ukraine’s critical infrastructure served as a wake-up call for the international community about the potential dangers of cyber warfare and the impact it could have on civilians.
In 2016, Russia conducted another cyberattack targeting Ukraine’s critical infrastructure. This attack specifically targeted the electrical grid of Kiev, the capital of Ukraine, and marked a continuation of the cyberwar tactics that were evident in the 2015 attack on Ukraine’s power grid in Western Ukraine.
The 2016 cyberattack used a more sophisticated approach by deploying a new type of malware known as “Industroyer.” Industroyer is highly sophisticated and dangerous because it is designed to directly target and control electricity substation switches and circuit breakers. This enables it to automate the process of controlling the electrical distribution network.
The blackout malware was similar to the Stuxnet attack in that the aim was not only to disrupt physical infrastructure but to destroy it. The attack was also designed to cause prolonged harm, potentially resulting in power outages that could have lasted for weeks, if not months.
This showed that hackers were developing more sophisticated tools specifically designed to disrupt critical infrastructure, foreshadowing future Russian cyberattacks. Ukraine had become a “battleground in a cyberwar arms race for global influence.”
In what would become one of the most devasting cyberattacks ever launched, Ukraine was hit with an attack involving the NotPetya ransomware, which took place on June 27, 2017, Ukraine’s Constitution Day.
This attack was particularly destructive and had a far-reaching impact, both on the country’s infrastructure and also internationally as the cyberattack resulted in a global financial impact of $10 billion worth of damage.
The primary objective of NotPetya was to disrupt Ukraine’s financial system but its effects extended well beyond that as it targeted a wide range of entities including banks, energy companies, government offices, airports and even some non-governmental organizations.
Within 24 hours, NotPetya managed to erase data from 10% of computers across Ukraine, causing widespread disruption across various sectors.
The malware initially spread through MeDoc, Ukraine’s most popular accounting software.
Researchers discovered that some of MeDoc’s software updates contained a hidden “back door.”
This was likely implemented by someone with access to the company’s source code and provided hackers with a stealthy way to infiltrate the systems of various companies without being detected.
As compared with typical ransomware, which encrypts data and demands payment for its release, NotPetya was more destructive as it masqueraded as ransomware but was designed primarily to wipe data and disrupt systems. NotPetya also spread on its own and was a much more effective malware attack than in previous cases.
Former US Department of Homeland Security advisor Tom Bossert stated that the use of NotPetya was like “using a nuclear bomb to achieve a small tactical victory.”
The attack also pointed out the interconnected nature of cyber vulnerabilities and how a cyberattack can rapidly spread around the globe from one piece of software. In essence, Ukraine’s vulnerabilities in the cyber war against Russia are also the West’s vulnerabilities.
The need to help Ukraine shore up its defenses was becoming more critical due to the fear of contagion in a globalized, interconnected world. In July 2018, Russia attempted a cyberattack against a Ukrainian chlorine plant, the Auly Chlorine Distillation, with the intent of causing damage to the country’s infrastructure.
The facility is involved in the treatment of chlorine, which is vital for water purification and other industrial processes. The attackers used a malware known as “VPNFilter” which can survive a reboot, making it particularly resilient. The malware can be used to spy, steal data, and disrupt industrial processes and render devices inoperable.
The malware targeted the chlorine station’s control systems, which could have interrupted how chlorine is treated and supplied. If the plant’s operations were badly affected, it might have caused major environmental and health problems for the civilian population.
This attack was planned to be Russia’s next big cyberattack on Ukraine. However, security companies found the botnet, which had 500,000 infected devices before it could fully launch.
Next: Russian cyber operations against the West (2014–2022)
David Kirichenko is a Ukrainian-American security engineer and freelance journalist. Since Russia’s full-scale invasion of Ukraine in 2022 he has taken a civilian activist role.
These articles are excerpted, with kind permission, from a report he presented at the UK Parliament on February 20 on behalf of the Henry Jackson Society.