
How Ukraine has resisted Russia’s cyber offensive

Paul Chichester, Director of Operations at the UK’s National Cyber Security Center (NCSC), describes the cyber war between Russia and Ukraine as “the most sustained set of cyber operations coming up against the best collective defense we have seen.”

Ukraine’s cyber defenses have proven to be exceptionally robust, effectively preventing what could have been Russia’s “cyber Pearl Harbor” – a devastating surprise cyberattack intended to cause widespread disruption.

Ukraine has effectively countered Russia’s cyber threat by demonstrating a level of defensive strength and resilience that mirrors its tenacity on the battlefield. It has been reported that Russian hackers conducted at least 260 million attempts to break into Ukrainian systems between the start of the full-scale invasion and June 2023.

Learning from past experiences, Ukraine has been able to develop a robust cyber defense to withstand Russia’s onslaught. However, it is important to note that a critical factor in this success has been the extensive cyber support provided by Western governments. This support extends beyond mere diplomatic backing, encompassing technical and strategic assistance to bolster Ukraine’s cyber capabilities.

Equally important has been the role of technology companies. These entities have provided vital resources and expertise, contributing significantly to the strengthening of Ukraine’s cyber defenses. In March 2020, the Cyber Defense Assistance Collaborative for Ukraine (CDAC) was established to coordinate assistance from Western tech companies to support Ukraine.

The organization helped to establish an “inventory of the potential services and products and tools foreign companies can offer to Ukraine and then also coordinate with different Ukrainian agencies and understand their needs as quickly as possible.”

In December 2021, a few months before Russia’s full-scale invasion, the US military’s Cyber Command sent a team to Ukraine to analyze Ukrainian systems and determine whether Russian hackers had already penetrated them.

Their mission was to “hunt forward” and identify computer networks that had already been penetrated to help bolster Ukraine’s defense amid Russian aggression. As a result, Ukraine has fared better on the cyber front than many expected in the initial days of the war. Much of the cyber support provided by the West is done in secrecy and is likely to be far greater in scope than has been reported in the news.

Ukraine’s experience 2014–2022

Ukraine has had extensive experience fighting Russia on the cyber battlefield since 2014. As one Ukrainian official put it: “With their nonstop attacks, Russia has effectively been training us since 2014. So, by February 2022, we were ready and knew everything about their capabilities.”

Russia’s constant cyberattacks against the country have also increased societal awareness of cybersecurity and the role that civil society would need to play in cyber resilience.

Russia also underestimated Ukraine’s cyber abilities to resist. As Yurii Shchyhol, head of Ukraine’s State Service of Special Communications and Information Protection, explained:

Ukraine’s experience over the past year has underlined that cyberattacks require both time and knowledge to prepare. This helps explain why there have been fewer high-complexity cyber offensives following the initial failure of Russia’s invasion strategy in spring 2022. Russia simply did not expect Ukraine to withstand the first big wave of cyberattacks and did not have sufficient plans in place for such an eventuality.

The role of the West’s private sector

The private sector in the West, primarily major technology and cybersecurity firms, has played an important role in helping keep Ukraine online.

These companies have provided expertise, resources, and sometimes direct assistance in securing Ukraine’s digital infrastructure. Anti-DDoS assistance provided by companies like Cloudflare and Google was crucial for keeping much of Ukraine’s infrastructure up and running against the onslaught of Russian distributed-denial-of-service attacks.

Companies like Amazon and Microsoft helped move Ukrainian governmental operations and data into the cloud and, as a result, minimized the impact from both kinetic and cyber wiper attacks from Russia. Georgii Dubynski, Ukraine’s deputy minister for digital transformation, believes that Ukraine’s partnerships with private entities in the West have played a crucial role in its cyber defense and resilience.

Nick Beecroft from the Carnegie Endowment highlighted that:

A further defining feature of the defensive effort has been the integration of large American technology providers, particularly Amazon, Cloudflare, Google, and Microsoft. These companies’ ability to migrate Ukrainian government data and services to distributed cloud servers; provide automated protection of massive networks, coupled with dedicated protection of high-risk users; as well as continually update threat intelligence drawn from global telemetry has added defensive depth and resilience far beyond that which Ukraine could have achieved independently.

As a result, over 10 million gigabytes of Ukrainian Government and economic data were saved by taking it out of Ukraine and putting it into the cloud.

Ukraine’s deputy prime minister and minister of digital transformation Mykhailo Fedorov even stated that Amazon Web Services “made one of the biggest contributions to Ukraine’s victory by providing the Ukrainian government with access and resources for migrating to the cloud and securing critical information.”

Microsoft will continue to offer cloud services to Ukrainian Government institutions, including the military, schools, universities and hospitals, free of charge through 2024, according to Fedorov.

This extension is part of the US$540 million in free services, technical support, equipment and grants provided by Microsoft to Ukraine. Beyond financial savings for the state budget, this support has been crucial in digitizing Ukraine’s government and protecting key government information from being destroyed or lost in Russian attacks.

As a result of being a strong supporter of Ukraine, providing extensive support for its cyber defense, Microsoft itself has been a target of Russian cyberattacks. Microsoft recently announced that the Russian state-sponsored hacker group Nobelium, known for the sophisticated SolarWinds attack, targeted its corporate systems. The company reported that Nobelium accessed the email accounts of some senior leadership team members late last year.

Western support for Ukraine’s cyber defenses

Western investment into Ukraine’s cyber defenses since 2014 has helped Ukraine withstand Russian attacks. Western countries have provided Ukraine with advanced technological tools and infrastructure to strengthen its cybersecurity.

This has included sophisticated software for detecting and mitigating cyber threats, hardware to bolster network security, and platforms for enhanced monitoring and analysis of cyber activities, with companies like Microsoft providing threat intelligence data to Ukraine.

A significant factor in Russia’s failed cyber offensive was its underestimation of Ukraine’s cyber defense capabilities. Western support and investments in Ukraine’s cyber infrastructure since 2014 have significantly strengthened its defenses.

Russian cyberattacks didn’t fail outright. Rather, nearly 10 years of cyber war and significant Western investment, including public-private partnerships, have helped forge a strong defense.

Therefore, Ukraine’s ability to respond quickly to and mitigate the effects of Russian cyberattacks has diminished the impact these attacks might have had. David Luber, deputy cybersecurity director at the US National Security Agency (NSA), in commenting on the strategy of defending forward, highlighted that:

As United States Cyber Command deployed their troops to train (Ukrainians) prior to the invasion, we worked very closely with them as they looked at that defense. And as they found malicious software and malicious activity, we worked with them to (ensure) that information is shared broadly with both government and industry, not only to protect Ukraine, but also to protect NATO, to protect other allies and the US.

Protecting Ukraine’s networks also protects Western networks. Since 2014, the United States has significantly contributed to enhancing Ukraine’s energy security, providing over $160 million in technical assistance.

This collaboration saw the US Department of Energy working closely with the Ukrainian Government to fortify the resilience of Ukraine’s energy infrastructure and improve national response strategies, particularly in the wake of cyberattacks targeting the country’s electric grid.

These efforts led to a marked reduction in the effectiveness of Russian cyberattacks, which had previously caused considerable damage following Russia’s initial invasion of Ukraine in 2014.

By 2022, thanks to these strengthened defenses, Ukraine’s energy infrastructure remained robust against the cyber threats. As a result, Russia resorted to the use of cruise missiles and drones in an attempt to disrupt and destroy Ukraine’s power grid.

Russia’s failure to integrate cyber and conventional attacks

Russia has failed to successfully integrate cyber and conventional attacks on the battlefield. One of the primary issues was the apparent lack of synchronization between Russia’s cyber operations and its ground forces.

Effective integration requires that cyberattacks be timed and targeted to complement and enhance the effectiveness of physical military actions. But while Moscow aimed to utilize cyberattacks to gather intelligence in Ukraine, “Russian brutality and incompetence reduced their ability to take advantage of the intelligence,” according to a Carnegie Endowment study.

Russia’s inadequate preparation to create coordinated strikes on critical targets provides lessons on what not to do in cyber war. Cyberattacks, says a CSIS study, are most effective “when combined with other weapons, including conventional delivery systems, precision-guided munitions, unmanned aerial vehicles, and electronic warfare. This combination can cripple command networks and advanced weapons systems and contribute to the attrition of opposing forces.”

The robust cyber defense ecosystem

With Western support, defense has proven to be king in the cyber war between Russia and Ukraine. Russia’s cyber war against Ukraine has faced a robust global response, with countries and international organizations providing Ukraine with extensive cybersecurity assistance that has helped the country thwart Russia’s offensive.

Microsoft President Brad Smith believes that the Russia-Ukraine cyber war has shown that “a new form of collective defense” has “proven stronger than offensive cyber capabilities.”

Ukraine’s cyber defense has relied on a coalition of partners supporting its defense, including governments, private companies and NGOs, versus Russia as a major cyber power.

Private companies predominantly own and manage the world’s computer code, equipment and network infrastructure, and they invest heavily in network surveillance to ensure those are kept running. Simultaneously, academic institutions, governments and nonprofit organizations diligently seek out software bugs, providing regular updates to these companies about any shortcomings or vulnerabilities they discover.

As a result, there are robust ecosystems in place to assist with cyber defense – even more so in Ukraine’s case, where Western governments and private companies have bolstered their defense. Developing a sophisticated cyber weapon can take years, but it can take seconds to delete the code that hosts the vulnerability.

David Kirichenko is a Ukrainian-American security engineer and freelance journalist. Since Russia’s full-scale invasion of Ukraine in 2022 he has taken a civilian activist role.

This is the seventh and final part of a series, “Lessons from the first cyberwar.” Read part one, part two, part three, part four, part five and part six. These articles are excerpted, with kind permission, from a report the author presented at the UK Parliament on February 20 on behalf of the Henry Jackson Society. The original report includes extensive footnoting to show the sourcing of facts and quotations.