Politics

Russia's dreaded cyberwarriors seem to be struggling in Ukraine

Russia's military attack on Ukraine met a decisive reversal outside Kyiv and is now struggling to gain ground in the country's southeast. Its cyberwar on Ukrainian assets isn't faring any better. Did the world overestimate Moscow's hacker legions the way it did its army?

Russia's hackers — like its military — may not be quite as fearsome as the world thought

Russian President Vladimir Putin looks on during the Victory Day military parade in Moscow on May 9, 2022. Russia's celebration was marred by the news that its online TV schedule page had been hacked — another sign that Russia's cyberwar in Ukraine hasn't been going all that well. (Mikhail Metzel/Sputnik/Kremlin Pool Photo/The Associated Press)

One day after Russian tanks broke through Ukrainian border posts on February 24, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a rare "Shields Up" alert warning that "every organization — large and small — must be prepared to respond to disruptive cyber activity."

The expectation was that Russia would attack not only Ukraine but also Ukraine's western allies.

For some reason, that hasn't really happened in a big way.

"We haven't seen anything that we can directly attribute to Russia turning its sights to Canada," Sami Khoury, head of the Canadian Centre for Cyber Security, told CBC News. "There's been probably spillover effects in some cases, but we haven't seen anything that is directly targeted at the Canadian infrastructure or Canadian ecosystem."

Instead, Russia has found itself being hacked — in one instance with embarrassing results that surely must have marred President Vladimir Putin's Victory Day extravaganza.

As RuTube, Russia's version of YouTube, was taken down by hackers, YouTube itself remained online in Russia and continued sharing videos demonstrating Ukraine's dominance of the information space in this war.

Hacktivist groups such as Network Battalion 65 have stolen reams of emails and data from Russian government and corporate sites. In March, for the first time ever, more Russian email credentials were leaked online than those of any other nation.

The Kalush Orchestra from Ukraine appear on stage after winning the 2022 Eurovision Song Contest in Turin, Italy, May 15, 2022. (Yara Nardi/Reuters)

Russian hackers even failed to disrupt voting in the Eurovision Song Contest. (Ukraine won.)

Just as Russia's armoured divisions entered this conflict with a fearsome reputation that turned out to be wildly overblown, the reach of Moscow's cyber legions may have been overestimated. And just as Russia's war has diminished the reputation of Russian arms, it might also lead to a reassessment of nations' relative strengths in the virtual world.

Fearing the worst

Ukraine had every reason to expect the worst. Online attacks have been happening there since war began in 2014.

A Russian "persistent threat group" known as Sandworm was behind a December 2015 attack on the Ukrainian electrical grid that caused widespread power outages.

A year later, in December 2016, the Ukrainian financial system was targeted by the Black Energy malware attack which also caused power cuts in Kyiv.

Then in June 2017, the same group struck again with a powerful new malware called Petya, causing chaos at government ministries, forcing banks to close, jamming telecom networks and again disrupting Ukraine's electrical grid. Airports and railways were affected and Chernobyl's radiation monitoring system went offline.

Ukrainian and western officials blamed the attacks on Russia's GRU (main intelligence directorate) and SVR (foreign intelligence service).

Last year, Ukraine's SBU security service reported it had "neutralized" an average of four cyberattacks per day.

So it was widely assumed that an army of bots would act as vanguard for any real invasion by attempting to cut power and communications, clog transportation links and generally sow confusion.

Russia did try something modest along those lines.

A laptop screen displays a warning message in Ukrainian, Russian and Polish that appeared on the official website of the Ukrainian Foreign Ministry after a massive cyberattack on January 14, 2022. (Valentyn Ogirenko/Illustration/Reuters)

In mid-January, a cyberattack hit about 70 Ukrainian government websites hours after talks between Russia and NATO failed to produce the concessions the Kremlin was hoping for.

"All information about you has become public, be afraid and expect the worst," said a pop-up screen message. "This is for your past, present and future." It repeated familiar Kremlin tropes about Nazis and persecution of Russian-speakers.

In addition to hitting government and military sites, the distributed denial of service (DDOS) attacks also targeted two banks, shutting down ATMs and credit card transactions.

Hack and attack

Russia launched another cyberattack on Ukraine on the day of the invasion with a piece of malware called Hermetic Wiper that targeted hard drives.

Last week, the Canadian government accused the Russian military of having "directly targeted the Viasat KA-SAT satellite Internet service in Ukraine" in February. The U.K. government says the attack also hit collateral targets such as central European wind farms.

But the trains continued to run and the Ukrainian government continued to function. The attack was much less damaging than the 2007 attack on Estonia, or the attacks that preceded the 2008 invasion of Georgia.

Ukrainian servicemen get ready to fight Russian forces in Ukraine's Luhansk region on Feb. 24, 2022. Russia launched a cyberattack to accompany its invasion. (Anatolii Stepanov/AFP/Getty Images)

Ali Dehghantanha, Canada Research Chair in Cybersecurity and Threat Intelligence at the University of Guelph, said Russia may have underused its offensive cyber capabilities because it was confident of a swift military victory.

But Ukraine is also better defended after years of successive attacks, he added.

"Because of their previous story with Russia," said Dehghantanha, "going back to the time of the conflict in Crimea, Ukraine — with the support of Western allies — did a very good job in protecting its physical infrastructure this time."

Western involvement

Those western partners include Canada's digital counter-espionage agency, the Communications Security Establishment.

"While we can't speak about specific operations, we can confirm that CSE has been tracking cyber threat activity associated with the current crisis," the CSE's Ryan Foreman told CBC News.

"CSE has been sharing valuable cyber threat intelligence with key partners in Ukraine and continues to work with the Canadian Armed Forces in support of Ukraine."

CSE also has to worry about Canada's own assets, of course.

A message demanding money appears on the monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank in Kyiv after Ukrainian institutions were hit by a wave of cyber attacks on June 27, 2017. (Valentyn Ogirenko/Reuters)

For years, major cyberattacks on North American assets have been landing with some regularity. CISA has compiled a long list of American online assets it sees as coveted targets for Russia's disruption and theft operations, including "COVID-19 research, governments, election organizations, health care and pharmaceutical, defence, energy, video gaming, nuclear, commercial facilities, water, aviation, and critical manufacturing."

"Russia has significant cyber capabilities and a demonstrated history of using them irresponsibly. This includes SolarWinds cyber compromiseCOVID-19 vaccine developmentGeorgia's democratic process and NotPetya malware," Foreman told CBC.

Shotgun tactics

Dehghantanha said state-sponsored hackers are now shifting away from building the most sophisticated malware to employing more of a scattergun approach — one that involves installing simpler backdoors into a wide range of less well-defended infrastructure targets.

"Before 2020, we saw a lot of effort on building the best malware or the best wiper or the best exploits," he said. "The issue is, if your opponent discovers that malware, they know a lot about you, about your capabilities, all your investments.

"So if you come with the most advanced malware, it may take you two or three years of research and development. But from the moment it's deployed and you start causing the impact, it takes them only a couple of weeks to address it."

Hacktivists on the battlefield

Dehghantanha said Russian actors have had some success in the emerging field of "social cybersecurity," where hackers behave more like hacktivists.

"The cost of building fake content that looks very convincing to the wider public is quite low these days," he said. "And I am seeing a quick shift in the activities of the hacking groups in that direction. Instead of trying to impact the capital infrastructure or the IT infrastructure, we can impact the human beings and achieve the same result."

An example of such a "fake hacktivist" attack would be a disinformation campaign designed to sow panic in a particular village or district. 

"They try to impact on that micro level," Dehghantanha said.

Ukraine also has warned that it may not have felt the full effects of Russian hacking yet. 

The country's top cyber official Victor Zhora said recently that Russia stole Ukrainian government data to give its forces a list of targets for arrest or murder in the occupied zones. He said he fears that data is already being used.

Underbelly remains soft

Canada remains vulnerable, said Dehghantanha — "especially the soft bellies of critical infrastructure like water treatment systems, the agricultural sector, any single supply chain and, of course, pipelines."

More and more, hostile actors have been seeding malware in advance with a view to attacks months or years in the future. Dehghantanha said Canada should tighten its requirements for private companies that manage critical infrastructure.

The Pickering nuclear plant east of Toronto on August 18, 2003. Power infrastructure is considered a key target for cyberattacks by hostile actors. (Kevin Frayer/The Canadian Press)

"We need to change our policy from blacklisting to whitelisting, which means instead of telling you that you cannot install A, B and C, and anything else is allowed, we need to say you can only work with A, B and C and nothing else is allowed," he said.

"There is no way, no resources for the nation to monitor everything. So it is better that we just limit ourselves to specific suppliers, to a specific product that we know."

Balance can shift quickly

Foreman said the CSE is in constant contact "with Canadian critical infrastructure partners via protected channels," beyond what is seen in its public advisories.

"Now is the time to take defensive action and be proactive," he added.

That means isolating critical systems from the internet, creating and testing backups and testing manual controls to ensure critical systems still function when networks fail, he said.

Dehghantanha said he's reluctant to downplay the threat posed by Russia merely because it has underwhelmed in Ukraine.

"The cyber war is not like a balance where you can say that I have bigger guns or more airplanes, so I am superior. It is not the case at all here," he said.

"You could have just ten fantastic cyber attackers that could build an exploit and get access to that critical infrastructure, and they make a significant change."

ABOUT THE AUTHOR

Evan Dyer

Senior Reporter

Evan Dyer has been a journalist with CBC for 25 years, after an early career as a freelancer in Argentina. He works in the Parliamentary Bureau and can be reached at evan.dyer@cbc.ca.