Russia-Ukraine Cyberwar: Five Things We Learned

As Russia keeps shelling Ukrainian targets, and millions of refugees flee the battlefields, a parallel, no less devastating war is taking place in the cybersphere. Several elements were anticipated and the U.S. has been building Ukraine’s cyberdefenses to address them: advanced attacks on government websites and infrastructure such as rail systems (to prevent mass evacuation of citizens), border-crossing IT systems in neighboring countries, as well as the use of offensive tools to launch influence campaigns.

Russian cyberattacks vary from so-called distributed denial of service attacks (also known as DDos), “wipers” (which delete your databases and system files) and increased ransomware attacks on Western targets by state-backed cybercrime groups, such as Conti and RagnarLocker. Another expected, though severe, move was Russian attacks on telecom systems (such as ViaSat).

Several developments, however, are new to the cyberwarfare and cybercrime ecosystems. These mark a tectonic change in the field after cessation of hostilities.

First and foremost is the overwhelming collapse of the Ruski-Mir (the Russian world) of cybercrime. An early call from Ukraine to establish an “IT army” drove hundreds of Ukrainian and supportive hackers to abandon Russia-backed threat actors, and to  expose Russian cyber tools, codes and offensive infrastructure, at least temporarily.

Moreover, the quick and unified response by Big Tech firms like Google, Amazon, Microsoft that came to Ukraine’s defense and pulled out of the Russian economy.

Finally, backed by Western capabilities, this IT Army, as well as hacktivist group Anonymous, launched a retaliatory cyber campaign against Russian targets: from the symbolic hack of Russian state TV (broadcasting Ukrainian songs on Russian primetime) to the infiltration and leaking of data from Yandex, SberBank and other leading Russian companies. This should not be underestimated. For years Russian companies felt immune from cyber-attacks. It was well known that ransomware attacks don’t touch computers with Russian language keyboards. Hence, the West-backed counterattack has exposed both their weak cyber security and their lack of preparedness.

These developments entail a massive shift for the cyber world. Five key insights, which should guide future strategic, technological, and financial efforts of both government and private sectors, emerge from these events.

1. Cyber gangland  

First, the war evidently exposed the well-known link between various ransomware groups and the Kremlin. The Conti leak allowed analysts and researchers to deeply understand this most notorious ransomware group and its ties to Russia’s security services.

Check Point Research (CPR) analysis of Conti, the notorious Russian ransomware group
Check Point Research (CPR) analysis of Conti, the notorious Russian ransomware groupCredit: Check Point

This poses a significant challenge to the U.S. administration: If they include these Russian cybercrime groups in the sanctions list (OFAC) due to their connections to the Kremlin, thousands of U.S. businesses that chose to pay ransom when they are attacked could now be subject to sanctions themselves.

2. Shifting cyber power

Second, the West’s retaliatory attack on Russian companies and infrastructures, as well as the alliance of the big tech companies in favor of the West signals a shift in the balance of cyber power.

Until the war, Russian cyber might was admired. Today, with the risk of making a premature assessment, we can argue that Russian deterrence in cybersphere has been significantly damaged.  As a result, once the war is over the West might face a massive Russian cyberattack, in the form of ransomware and other means, in order for Russia to restore its damaged deterrence.

3. China and cyber-covid

Third, a direct implication of the previous point is the end of the era of Russian organizations’ cyber immunity: So-called cyber-covid has reached the Russian market, which is now exposed like the rest of the world was during the pandemic, with remote working leaving many organizations exposed.

This will force Russian human capital to shift focus from developing offensive tools to hardening and improving Russian and Russian allies’ defenses. In the long-run, we might see a powerful technological Sino-Russian axis, which would pose a challenge to the West’s technological advantage.  

4. Digital propaganda

Fourth, the propaganda front: Disinformation has long been a Russian “claim-to-fame asset”. However, the famed Russian ability to launch effective influence campaigns faced a dramatic setback in the last two weeks. Russia has built a reputation for being able to influence the masses and control the social and public narrative.  

Now it seems that the Ukrainian president is teaching the Kremlin a lesson in how to win hearts and minds. In spite of these, there is still an incredible amount of “fake-news” being generated by all sides.

5. New era of war  

Fifth, the war in Ukraine is the first full scale hybrid war. It will not end, like classic wars with a ceasefire or peace agreement, followed by the economic reconstruction of Ukraine. It might be followed by a Russian cyber retaliation attack or any other non-kinetic moves intended to save face.

The lessons learned from the effectiveness of offensive cyber campaigns now being fought in achieving political objectives will be taught in the years to come.

It is indeed too early to draw any final conclusions, yet an interim analysis suggests that balance of cyber power, and its effective deployment, has significantly shifted in favor of the West. For Israel, with our plausible future military escalation, learning these lessons and modifying our hybrid war-plans is of particular importance.

Moty Cristal is a professional cyber negotiator and strategic consultant.

(published at on March 13, 2022)