How does Russia’s approach to cyberattacks differ in war versus peace? What might these differences say about Russia’s vaunted cyber arsenal going forward?

Russia’s 2022 re-invasion of Ukraine reveals that its cyberattacks during war are more frequent than during peacetime and more targeted toward critical infrastructure. However, they are otherwise similar to those launched at other times. In smaller quantities, cyberattacks act as warnings; in medium amounts, as part of a sub-military hybrid war strategy; and on a large scale, as attempts to disable critical infrastructure during armed combat.

Since the techniques are remarkably similar, Russia’s intentions may be discerned primarily by their frequency and their context, whether accompanied by diplomacy, disinformation, or military action.

Russian cyberattacks in wartime

On April 27, 2022, Microsoft’s Digital Security Unit issued a report that analyzed all known Russian cyberattacks on Ukraine in the first months of its 2022 re-invasion. The report concluded that three Russian intelligence agencies (GRU, SVR, and FSB) “have conducted destructive attacks, espionage operations, or both, while Russian military forces attack the country by land, air, and sea.” The objective was “to disrupt or degrade Ukrainian government and military functions and undermine the public’s trust in those same institutions.”

Cyberattacks accelerated dramatically from 15 in December 2021 to 125 in March 2022 (see Table 1 of the report). Russia reportedly began preparing cyberattacks on Ukraine in March 2021, at the same time that it began to deploy troops along its border with Ukraine. Preparatory cyberattacks aimed at collecting military and foreign policy intelligence and gaining access to critical infrastructure. By contrast, Microsoft concludes that “destructive attacks signal imminent invasion.” It noted that Russia unleashed the destructive WhisperGate wiper (which deletes hard drives and renders computers unbootable) on a limited number of Ukrainian “government and IT sector systems” when diplomatic talks between Russia, Ukraine, NATO, and EU nations failed on January 13, 2022.

On the eve of war on February 23, 2022, Russia’s GRU threat group, Iridium, unleashed another destructive wiper, FoxBlade, on hundreds of Ukrainian military and government networks simultaneously. Microsoft observed connections between specific military actions and cyberattacks. For instance, cyberattacks were geographically concentrated around Kyiv and in Donbas, and targeted Ukraine’s nuclear power company around the same time that Russia occupied Zaporizhia.

Russian cyberattacks as a substitute for war

Russia also deploys cyberattacks without planned military action. Examples include Moscow’s cyberattacks against Estonian banks, government ministries, and parliament in 2007 and on the 2016 US presidential election. In these instances, Russia accompanied its cyberattacks with civil actions, protests, and disinformation campaigns.

Russia’s 2007 cyberattack on Estonia, for instance, sought to prevent the relocation of a Soviet-era monument commemorating the Red Army’s “liberation” of Estonia. For many Estonians, the monument represented the Soviet Union’s decades-long subjugation of the country during the Cold War. For Russia, it was a symbol of Soviet sacrifice in defeating the Nazis in World War II.

When diplomacy failed, cyberattacks began. A few weeks after Estonia decided to relocate the Soviet-era statue from the center of Tallinn to a military cemetery, unidentified hackers launched a series of distributed denial-of-service attacks. These attacks coincided with protests by Russian-speaking Estonians that lasted 22 days. At its height, Estonia’s ambassador to Russia was attacked during a press conference in Moscow. The combination of disinformation, staged protests, and cyberattacks created anxiety and disillusionment among Russian-speaking Estonians.

Similarly, Russian cyberattacks contributed to an atmosphere of distrust, polarization, and social fragmentation in the 2016 US presidential election. A group of 12 Russian military officers gained unauthorized access to the computers of the Democratic National Committee, Democratic Congressional Campaign, the Hillary Clinton campaign, and two Republican candidates, and disseminated information online. This damaged the victims’ chances of winning the election and contributed to Americans’ declining faith in democratic institutions.

Russian cyberattacks as a threat signal

Russia also has deployed cyberattacks as a poignant warning or threat, often to put more force behind diplomatic actions.

For instance, on April 8, 2022, while Ukrainian President Zelensky gave an invited address to the Finnish Parliament, the Finnish foreign and defense ministries were hit by a distributed denial of service attack. Finnish government systems were back up in an hour, but given the circumstances, this cyberattack appears to have been designed to signal Russia’s displeasure with Finland’s plans to join NATO and its support of Ukraine.

Three distinct uses of cyberattacks

In conclusion, Russia uses cyberattacks as a method of disrupting societies and organizations. While Russia deploys cyberattacks with greater frequency in wartime, and the attacks are often more destructive, the central difference appears to be the accompanying actions. Wartime cyberattacks accompany military action. In political or hybrid war situations, cyberattacks accompany disinformation and civil actions. At other times, cyberattacks accompany diplomatic warnings against other countries and international organizations.

The author gratefully acknowledges the research assistance provided by Alex Schrier in the preparation of this article.

A prior version of this article was published by Foreign Policy Research Institute, where Professor Orenstein is a Senior Fellow.

Mitchell A. Orenstein
Professor of Russian and East European Studies 
University of Pennsylvania
USA
