Cyber threats during the Russia–Ukraine war: what can we learn from history to be prepared?

This article describes more than 15 years of Russian cyber activity related to the conflict. It is supplemented by a current overview of the development of cyberattacks linked to the Russia–Ukraine war in 2022.

As Russian forces target Ukraine and distributed denial-of-service (DDoS) attacks periodically disrupt Ukrainian government websites and financial service providers, there is increasing discussion about cyber conflict readiness.

While organizations must always be prepared for attacks from any direction, it can be useful to understand what to watch for when the risk increases. I decided to review the history of known or suspected Russian state cyber activities in order to assess what types of actions to expect and how organizations can prepare for them.

Disruptive denial-of-service attacks

The earliest known activity dates back to April 26, 2007, when the Estonian government relocated a monument commemorating the Soviet liberation of Estonia from the Nazis to a less prominent location. This action angered the Russian-speaking population in Estonia and strained relations with Moscow. Shortly afterward, street riots, protests outside the Estonian embassy in Moscow, and a wave of debilitating DDoS attacks on Estonian government and financial websites followed.

Fully prepared tools and instructions for participating in DDoS attacks appeared on Russian forums almost immediately after the monument’s relocation. These attacks targeted websites belonging to the president, parliament, police, political parties, and major media outlets.

The call for “Russian patriots” to help punish Estonia was hardly spontaneous. It was a mass movement that emerged with tools and target lists already prepared. The same tactics were later used by Anonymous to defend WikiLeaks with a tool called LOIC (Low Orbit Ion Cannon), an open-source C# program designed to carry out DoS attacks.

On May 4, 2007, the attacks intensified, with additional strikes on banks. Exactly seven days later, the attacks stopped as suddenly as they had begun.

Everyone immediately blamed Russia, but attributing distributed denial-of-service attacks in practice is nearly impossible. It is now widely believed that these DDoS attacks were carried out by the Russian Business Network (RBN), a notorious organized crime group linked to spam, botnets, and identity theft. It appears their services were “purchased” for exactly one week to carry out the attacks.

On July 19, 2008, a new wave of DDoS attacks began targeting news and government websites in Georgia. These attacks escalated dramatically on August 8, 2008, when Russian forces entered South Ossetia. Initially aimed at Georgian media and government sites, they later expanded to financial institutions, businesses, education, and Western media.

As in Estonia, a website appeared listing targets along with tools and instructions. Once again, “patriots” were blamed, but much of the traffic originated from a large botnet believed to be controlled by RBN.

Address spoofing and spam

The attacks on Georgia also included website defacements and mass spam campaigns aimed at overwhelming Georgian inboxes. All of this appeared intended to undermine confidence in Georgia’s ability to defend and govern itself and to disrupt communication with citizens and the outside world.

Less than a year later, in January 2009, another series of DDoS attacks began in Kyrgyzstan. This coincided with a decision by the Kyrgyz government regarding the extension of a US airbase lease. Coincidence?

It was again attributed to RBN, but this time without the “patriotic” disguise.

This brings us to one of the most recent conflicts: the invasion of Crimea in 2014.

Disinformation and isolation

Information warfare against Ukraine has been ongoing since 2009, with many attacks coinciding with events perceived as threatening Russian interests, such as NATO summits and EU association talks.

In March 2014, the New York Times reported that the “Snake” malware infiltrated the Ukrainian Prime Minister’s office and several embassies as anti-government protests began. In late 2013 and early 2014, ESET also documented attacks on military and media targets known as “Operation Potao Express”.

As before, a self-proclaimed cyber group known as “Cyber Berkut” conducted DDoS attacks and website defacements, causing limited direct damage but significant confusion — which is often enough during conflict.

At the beginning of the conflict, unidentified soldiers seized control of Crimea’s telecommunications networks and its only internet hub, cutting off information flow. Attackers used mobile network access to identify protest participants and send SMS messages stating: “Dear subscriber, you are registered as a participant in mass disturbances.”

After isolating Crimea’s communications, attackers also hacked mobile phones of Ukrainian parliament members, limiting their ability to respond effectively. As noted in Military Cyber Affairs:

“In one case, Russia paid one individual to manage multiple online identities. A performer from St. Petersburg reportedly acted as three different bloggers across ten blogs and commented on other sites. Another person was hired to post comments on news and social media 126 times every twelve hours.”

Attacks on energy infrastructure

On December 23, 2015, a power outage affected about half of Ivano-Frankivsk, Ukraine. It is widely believed to have been carried out by state-sponsored Russian hackers. The attack began more than six months earlier, when employees at three power distribution centers opened a malicious Microsoft Office document containing a macro that installed BlackEnergy malware.

The attackers gained remote access credentials to SCADA systems and took control of substation equipment, disabling circuit breakers. They also blocked remote control access and deployed wiper malware to disable operator systems, while simultaneously launching a telephone denial-of-service (TDoS) attack on customer support lines.

Almost a year later, on December 17, 2016, Kyiv experienced another blackout. This time the malware, known as Industroyer/CrashOverride, was significantly more sophisticated and capable of directly interacting with SCADA systems. It also erased system components. Attribution pointed strongly to Russian actors.

Email

In June 2016, during the US presidential election campaign, a figure known as Guccifer 2.0 appeared, claiming responsibility for hacking the Democratic National Committee and leaking emails to WikiLeaks. While not officially attributed, it emerged alongside other disinformation campaigns and is widely believed to be linked to Russian operations.

Supply chain attacks: NotPetya

On June 27, 2017, a major malware outbreak known as NotPetya was released.

Disguised as ransomware, it spread via a compromised Ukrainian accounting software supply chain. In reality, it was a wiper — it irreversibly destroyed data rather than encrypting it for ransom.

The attack spread globally within hours, affecting companies operating in Ukraine and causing an estimated $10 billion in damages worldwide.

False flags

During the 2018 Winter Olympics in Pyeongchang, a cyberattack disrupted the entire Olympic network, affecting Wi-Fi and ticketing systems. The malware was removed quickly, but attribution analysis revealed possible false flags pointing in different directions.

Eventually, evidence pointed back toward Moscow.

In 2020, another major supply chain attack targeted SolarWinds Orion software, used by governments and large enterprises worldwide. The breach allowed attackers to deploy a stealth backdoor.

US agencies concluded it was likely a Russian-linked advanced persistent threat conducting long-term intelligence gathering.

Russian cyber conflict in 2022

In 2022, as tensions escalated, Ukrainian government websites were defaced and systems were infected with malware disguised as ransomware. In reality it functioned as a wiper, echoing the NotPetya tactics.

On February 15, 2022, major DDoS attacks targeted Ukrainian government, military, and banking websites. US intelligence later attributed responsibility to Russian military intelligence (GRU).

The war began on February 24, 2022. Sophos continues to update information as cyberattacks evolve.

A Russian cyber warfare playbook

Cyber operations are expected to continue regardless of escalation. Ukraine has faced continuous waves of attacks since 2014.

Russia’s 2010 military doctrine states:

“Advance implementation of information warfare measures to achieve political objectives without the use of military force and subsequently to shape favorable international perception of military action.”

This suggests continued pre-conflict behavior and makes DDoS attacks a potential indicator of impending escalation.

Information warfare is used to influence global perception of actions in Ukraine or elsewhere.

False flags, address spoofing, communication disruption, and social media manipulation are key elements of Russian information warfare strategy.

Prepare and defend

The United States and the United Kingdom are attempting to pre-empt disinformation campaigns, but attackers will likely continue.

Organizations in countries bordering Ukraine should be prepared for indirect impact. Past attacks have spilled into Estonia, Poland, and others.

Globally, cybercriminal groups and “patriotic” hackers may increase activity against perceived adversaries.

While direct attacks on NATO are unlikely, cyber threats are expected to grow.

Disinformation and propaganda will intensify. Organizations must monitor, detect, and respond to unusual network activity as conflicts evolve.
