Is Russia holding back from cyberwar?
After three weeks of fighting, Russia is beginning to deploy increasingly brutal tactics in Ukraine, including indiscriminate shelling of cities and “medieval” siege warfare. Other elements of its military strategy, however, are conspicuously absent — cyberwarfare among them.
Russia has a history of employing cyberwarfare tactics, which some experts believed could characterize prominently in its invasion of Ukraine. The cyberattacks launched by Russia in the conflict so far have been comparatively minimal though, and far less damaging than they could have been.
While Ukrainian government websites were the target of distributed denial of service (DDoS) attacks shortly before the invasion, for example, a larger attack, possibly knocking out Ukraine’s strength grid or other meaningful infrastructure, hasn’t taken place.
“I think the biggest surprise to date has been the without of success for Russia with cyber attacks against Ukraine,” Stephen Wertheim, a senior fellow in the American statecraft program at the Carnegie Endowment for International Peace, told Vox. “This has not been a major part of the conflict.”
That’s particularly strange since the threat of cyberwarfare by Russian entities was already a major concern for the West, already before the recent escalation of the Russia-Ukraine conflict. It was widely established that Russia may have meaningful cyberwarfare capabilities following subsequent cyberattacks it launched against Ukraine after Russia’s 2014 annexation of Crimea.
Notably, a pair of attacks in 2015 and 2016 took out strength in parts of Ukraine, albeit at a comparatively small extent. Since then, according to a Politico story from February, the United States and allies have attempted to bolster Ukraine’s strength grid, but “nobody thinks it will be enough.”
In 2017, Kremlin-connected hackers launched a different kind of a cyberattack in Ukraine: a ransomware program known as NotPetya, which encrypted any data it reached, leaving the data’s unsuspecting owner locked out from accessing their own files. Victims were told to pay a ransom of $300 in bitcoin if they wanted access to their data returned. But the ransomware attack spread beyond Ukraine’s borders, infecting computer networks of companies around the world. According to a former US official, the attack resulted in more than $10 billion in total loss in damages, and the NotPetya attack is now regarded as one of the worst cyberattacks in modern history.
The US has not been safe from such cyberattacks, either. In 2021, for example, a group of Russia-based cybercriminals hacked into the IT network of Colonial Pipeline, a major oil pipeline system that carries gasoline and jet fuel to the southeastern US. The company was forced to pay a ransom of $5 million in exchange for the extracted files.
Despite the apparent vulnerabilities in Ukrainian and Western cyberdefenses, though, more sweeping cyberattacks haven’t to date been a part of Russia’s war in Ukraine.
Why hasn’t Russia launched major cyberattacks however?
The without of complete-extent Russian cyberattacks is a occurrence that has surprised some experts, including Wertheim.
“On some level,” he said, “the reason Russia launched a complete-extent war against Ukraine is precisely that it didn’t think cyber method were sufficient. But one might have expected the war itself to have involved more cyber operations.”
It’s difficult to know exactly what is behind Russia’s behavior, but experts have speculated about a number of possible reasons why Russia has hesitated to set afloat any stronger attacks. Some have theorized that Russia’s cyberwarfare capabilities may have been inflated, which is why it has not consequently far launched a more complex cyberattack against Ukraine or its Western allies.
However, a more likely reason may be that Russia is nevertheless weighing its options carefully, and is simply waiting for the right time to respond.
“It could be that Russia fears retaliation that would set its cause back, at the minimum at this point,” said Wertheim, noting the relative without of progress by Russia’s armed forces so far. “Perhaps over time, if and when Russian leaders believe that the situation is stabilized then Russia would be better able to absorb retaliation, it could set afloat a cyberattack then. It’s possible.”
Given the setbacks that Russia has encountered on the battlefield, combined with the notable resistance by Ukrainian forces that have held steady against Russia’s attacks for the last three weeks, it may also be a matter of Russia prioritizing its military actions, according to Wertheim.
“There might just simply be a kind of finite attention problem operating for [Russia],” he said.
A member of the Ukrainian Territorial Defense Forces walks past destroyed Russian military vehicles in a forest outside Ukraine’s second-largest city of Kharkiv on March 7, 2022.Sergey Bobok/AFP via Getty Images
According to Olena Lennon, an adjunct professor of political science and national security at the University of New Haven, setbacks for Russia include the loss of junior, and already some higher-level, commanders among its military personnel, which may be affecting its operations on the ground.
“We’re definitely seeing some leadership deficiencies that could explain some of these surprises,” Lennon said.
The US could also be a target of Russian cyberattacks
US authorities were already cautious of a possible cyberattack from Russian hackers as a possible response to US sustain for Ukraine. That concern has only increased following major sanctions imposed on Russia by Western powers, in addition as escalating rhetoric from Russian President Vladimir Putin.
Putin described the sanctions as “akin to declaring war,” and Russian government officials have warned there will be rapid action from Russia in response. US officials warned public and private entities of possible ransomware attacks after President Joe Biden announced initial sanctions against Russia late last month.
“DHS has been engaging in an outreach campaign to ensure that public and private sector partners are aware of evolving cybersecurity risks and taking steps to increase their cybersecurity preparedness,” a DHS spokesperson said in a statement to the press.
But the strong response against sanctions that Russian officials have warned of has however to materialize in the weeks since. Although it’s certainly possible that Russia will react to US sanctions at some future point, the absence of action so far is notable, according to Wertheim.
“It’s very hard to sort of assign exact probabilities to these kinds of things,” Wertheim said. “But it’s notable that there hasn’t been a response. And I think it remains a real possibility that already if the West does nothing more to escalate in a conflict that Russia could do so by undertaking what it believes is retaliation.”
That could be particularly likely as the impact of already-imposed sanctions continues to mount. Sanctions have had an enormous effect on day-to-day life inside the country: The value of the ruble, Russia’s official money, has plummeted to less than 1 cent, and Russian citizens have already seen price surges, particularly for electronic goods and appliances. The early price hike has motivated many residents to stock up on items in case prices continue to rise as the conflict rages on.
“For the past few days, it’s been like Christmas for us,” one electronics-shop staffer told the Financial Times. “People are ready to buy things already [though] we have been raising prices every few hours based on the forex situation.”
With heavy economic sanctions already in place, Wertheim says there are possible risks to pushing Putin further into a corner, which in itself could motivate Russia to take more drastic measures — including, potentially, cyberattacks — as the war continues.
“What I most worry about is a circumstance in which Vladimir Putin thinks that his regime may be teetering and that he has to do something emotional to change the position quo in order to continue his grip on strength,” Wertheim said. “And, consequently, perhaps his own personal survival.”
Correction, March 20, 9 am: A past version of this story misstated the year of the Colonial Pipeline hack. It was 2021.
Click: See details