Russia-Ukraine war, and the fears of NotPetya-style attacks

April 24, 2023
Cyber activity since the invasion shows the difference between peacetime and wartime attacks

When Russia invaded Ukraine in early 2022, governments and businesses in the West became alarmed about the possibility of Russian cyberattacks against Ukraine that could cascade out from the war zone to target infrastructure, companies and government agencies in the United States, other NATO countries and elsewhere.

The fears weren’t unfounded, considering what the world had seen in 2017 with the NotPetya attack. NotPetya, a wiper (malware that erases or overwrites data) disguised as ransomware and launched by a group in Russia, destroyed computer systems throughout Ukraine and also quickly rode VPN connections across borders into more than 60 countries. It crippled the systems of thousands of multinational companies, including giants such as Maersk, FedEx, Merck, hospital chains and many others. The total cost of NotPetya has been estimated at $10 billion.

On the heels of Russia’s invasion in February 2022, terrified companies began scrambling for help in protecting themselves from a similar attack that Russia might launch against Ukraine that could also extend into other countries. Businesses operating in NATO countries and the United States, which were supporting Ukraine and issuing sanctions against Russia, were especially concerned. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) launched its Shields Up campaign, urging companies, particularly those operating infrastructure, to increase security measures.

As it turned out, however, Russian cyberattacks against Ukraine have been almost exclusively limited to Ukraine, for several reasons. The threat from wipers like NotPetya still exists, and companies always have reason to be on their guard, but with the exception of the attack on Viasat’s satellite network as the invasion began, Russia has not been aggressive on the cyber front. A big reason for their restraint, I suspect, is Russia’s fear that cyberattacks against NATO allies in the midst of a kinetic war could prompt direct NATO involvement in military actions, which would spell doom for Russia.

War Changes Cyberattack Calculus

A lesson about cyberwar we can draw from the Russia-Ukraine conflict is that there is a difference between state-sponsored cyberattacks in peacetime and wartime.

There have been several large-scale cyberattacks that have shaped people’s perceptions about what attackers could get away with, such as NotPetya and WannaCry, which also first struck in 2017 and was attributed to North Korea. Those attacks caused widespread damage around the globe, but the countries that were strongly suspected of being behind the attacks, whether Russia or North Korea, suffered no repercussions whatsoever. The world just kind of sat back and took it. The lesson to attackers was that they could get away with almost anything as long as the attack was not 100% attributable to a particular government.

When the shooting starts, however, nation-states need to apply a different calculus to their cyber activities. Russia has tried hard to keep its attacks within Ukraine’s borders. The wiper malware that has been used in Ukraine has had its ability to self-replicate set very low, typically limited to one hop before it stops spreading. That’s not normal for Russia during peacetime.

It is likely that Russia is holding back out of concern that a destructive cyberattack that impacts NATO countries could trigger NATO’s Article 5 clause for collective defense and bring NATO into the armed military action. But it could also be a consequence of the fact that cyberattacks serve a different purpose during a war.

Cyber as Just One Tool on the Battlefield

Another reason for Russia’s restraint may be its inability to effectively use cyberattacks as a wartime tool.

In a war like the one in Ukraine, cyber operations are most effective in two ways. The first is for gathering intelligence, such as where the enemy is, how many soldiers they have and what equipment they’re marshaling. Secondly, cyberattacks can be used to support a specific purpose, such as enabling a planned military action or preventing one by the enemy. Simply taking out a server, or a thousand servers, isn’t as effective as taking out the one server that will give forces an advantage in battle.

Russia’s performance in the war, which has often been derided by military experts, suggests it may not be capable of coordinating cyber and kinetic attacks. It has often failed to coordinate artillery and air power, so using cyberattacks to enable battlefield actions—layered in with kinetic capabilities—may be out of reach.

Where Threats Still Exist

Although large-scale cyberattacks haven’t played a part in the Russia-Ukraine war so far, there are potential threats. One could be if Russia started using ransomware gangs to conduct attacks on its behalf while retaining a measure of plausible deniability about awareness of the attacks.

A month or two before its invasion of Ukraine, Russia started arresting ransomware actors, under the guise of cracking down on criminal activity. Those ransomware experts, who are still in custody, could conceivably carry out attacks for Russia in a non-attributable way.

And they could do a lot of damage because the infrastructure in the United States and other NATO countries is very vulnerable. Power grids, water systems, financial systems, emergency response networks and other essential infrastructure would be at risk of considerable damage. It’s not a question of whether Russia and some other countries are capable, it’s a question of whether they are willing to conduct operations under the current circumstances.

Fortunately—for the moment—it appears Russia has concluded that the repercussions from any large-scale cyber operations outweigh any advantages it could gain.

The Threats Will Return

It’s perhaps ironic that a kinetic war has provided some respite from cyberattacks from Russia, but the cyber threat has by no means been eliminated. The realities of the current situation, and Russia’s apparent reluctance to spark a shooting conflict with NATO, will not stop them in the future. When a war isn’t going on, Russia will likely get more aggressive in its actions.

In the meantime, it’s worth noting the lessons the war offers about the difference between cyber operations in peacetime and those during a kinetic war, where cyber capabilities need to be layered into a nation’s tool set, along with land, sea, air and space forces.

In terms of cybersecurity, it also holds some lessons about the importance of a unified national defense. The cybersecurity industry has lent support to efforts to help Ukraine and prevent Russia from doing harm. That type of cooperation is an emphasis of the White House’s Executive Order on cybersecurity from May 2021, which pushes for greater public-private information sharing on cyber threats.

Attacks like NotPetya may be dormant at the moment, but they’ll likely return. Bolstering defenses against such attacks should still be a priority.

About the author: Adam Flatley is the Vice President of Intelligence at Redacted. With over 20 years of cybersecurity and intelligence operations experience, Flatley leads the [redacted] Intelligence Cell, also known as [rTIC Ghost Group, the team whose work is the foundation for all [redacted] solutions. Prior to [redacted], Flatley served as Global Intelligence Operations Manager for the Cisco Talos Threat Intelligence & Interdiction team. In addition to his private sector experience, Flatley served for 14 years at the National Security Agency (NSA) in various operational capacities, most recently as the Director of Operations, responsible for incident response, red teaming, vulnerability assessments, and threat hunting on critical networks. Flatley further distinguished himself at NSA by founding several organizations to meet emerging threats or technology changes to support counterterrorism, counterproliferation, and cybersecurity missions.