Anatomy of a cyber war: Analyzing Russia's digital offensive against Ukraine

April 5, 2026 · 6 min read · 5 sources

Background: The prelude to a hybrid conflict

Long before the first tanks crossed the border on February 24, 2022, the digital battleground in Ukraine was already active. Russia’s cyber operations against its neighbor are not new; they represent a decade-long campaign of attrition, testing defenses, and demonstrating capability. The 2015 and 2016 attacks on Ukraine's power grid, attributed to the Russian GRU unit known as Sandworm, were a stark warning of Russia's ability to disrupt physical infrastructure through malicious code. The 2017 NotPetya attack, a destructive wiper disguised as ransomware, started in Ukraine but quickly spiraled into the most costly cyberattack in history, causing billions in damages globally. Many analysts view these events as rehearsals for the full-scale conflict to come.

In the months leading up to the 2022 invasion, this activity intensified dramatically. In January, Ukrainian government websites were defaced with threatening messages, a psychological operation coupled with a more sinister technical attack. Behind the scenes, a new wiper malware dubbed WhisperGate was deployed, designed to destroy data and render systems inoperable. Just one day before the invasion, another wave of destructive malware, including HermeticWiper and CaddyWiper, was unleashed against Ukrainian government and financial institutions. This was a clear signal: the kinetic war would be fought alongside an aggressive, coordinated cyber campaign.

Technical details: A multi-pronged digital assault

The cyberattacks launched by Russian state-sponsored actors have been characterized by their diversity and coordination with military objectives. The primary goal has been to disrupt, degrade, and demoralize Ukrainian defenses and society.

The Wiper Malware Arsenal

Unlike ransomware, which encrypts data for financial gain, wiper malware’s sole purpose is destruction. Russian actors have deployed a succession of wipers, each with distinct characteristics:

  • WhisperGate: Deployed in January 2022, this malware mimics ransomware but its true function is to overwrite the Master Boot Record (MBR) and corrupt files, making data recovery nearly impossible.
  • HermeticWiper: Unleashed just hours before the invasion, this sophisticated wiper uses legitimate drivers to bypass security controls and corrupt data on hard drives. It was often deployed alongside a ransomware decoy to distract incident responders.
  • AcidRain: This specialized wiper was used in a pivotal attack against Viasat's KA-SAT satellite network. It was engineered to erase the firmware on satellite modems, bricking thousands of devices and severing communications for the Ukrainian military and civilians at a critical moment.
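Since the article's point about WhisperGate is that its real payload is an overwrite of the MBR, the following is an added example (not code from the article or from any vendor it cites) of the defender-side check: parse the MBR's partition table and boot signature, hash its bootstrap code, and compare a fresh read against a baseline recorded while the host was known-good. It runs on a constructed 512-byte MBR image; on a real host the same bytes come from the first sector of the boot disk, which needs administrator rights to read.

```python
# Added example, not the article's code: baseline-and-compare check of a
# disk's Master Boot Record, the sector WhisperGate-style wipers overwrite.
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of every valid MBR
PART_TABLE_OFFSET = 446        # bootstrap code occupies bytes 0..445

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap-code hash, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):  # four 16-byte partition entries follow the boot code
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions,
            "bootcode_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()}

def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a parse taken while the host was known-good.
    An empty list means the MBR is intact."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector overwritten or zeroed")
    if current["bootcode_sha256"] != baseline["bootcode_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def sample_mbr() -> bytes:
    """Constructed MBR, not captured from any real system: filler boot code and
    one bootable NTFS (type 0x07) partition starting at LBA 2048."""
    bootcode = b"\x33\xC0\x8E\xD0" + b"\x90" * (PART_TABLE_OFFSET - 4)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return bootcode + entry + b"\x00" * 48 + BOOT_SIGNATURE

if __name__ == "__main__":
    baseline = parse_mbr(sample_mbr())
    print(check_mbr(sample_mbr(), baseline))      # [] : intact
    print(check_mbr(b"\x00" * SECTOR, baseline))  # three findings: zeroed sector
```

Store the baseline dictionary off-host (an image that can rewrite the MBR can also rewrite a file beside it) and run the comparison from a scheduled job or EDR script.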

Disruption of Critical Infrastructure

Beyond data destruction, a key objective has been the disruption of essential services. The attack on Viasat is the most prominent example, creating a communications blackout that had spillover effects across Europe, even knocking German wind turbines offline. Later, in March 2022, threat actors attempted to deploy Industroyer2 against a Ukrainian energy provider. This malware is a direct descendant of the tool used in the 2016 power grid attack and is specifically designed to manipulate industrial control systems (ICS) to cause physical disruption.

Espionage and Information Operations

Alongside these destructive attacks, persistent espionage campaigns continue. Actors like APT28 (Fancy Bear) and APT29 (Cozy Bear) use spear-phishing and vulnerability exploitation to steal intelligence from Ukrainian government, military, and NATO-allied entities. This stolen information is often weaponized in disinformation campaigns, which are a central pillar of Russia's strategy. These operations use state media, social media bots, and deepfakes to sow confusion, undermine Ukrainian morale, and influence international opinion.

Impact assessment: Resilience and the global spillover

The primary targets of this campaign are the Ukrainian government, military, and critical infrastructure sectors like energy, finance, and telecommunications. However, the impact has been felt by the entire civilian population through disruptions to services and exposure to relentless propaganda.

Despite the unprecedented scale of the attacks, many experts have noted Ukraine’s remarkable cyber resilience. Years of experience fending off Russian cyberattacks, combined with immense international support, allowed Ukraine to prepare. Before the invasion, government agencies and private companies began migrating critical data and services to distributed cloud infrastructure. This move proved vital, as it made data centers a less viable target for physical or digital strikes. Public-private partnerships have been instrumental, with companies like Microsoft, Google, and Amazon providing threat intelligence, cloud credits, and direct support. CERT-UA, Ukraine's computer emergency response team, has worked tirelessly with international partners to identify and mitigate threats.

The conflict has also demonstrated the significant risk of global spillover. The Viasat attack was a wake-up call, showing how a targeted cyberattack in one country can have unintended consequences for commercial and civilian infrastructure thousands of miles away. It underscores the interconnected nature of our digital world and the difficulty of containing cyber warfare within geographic borders.

How to protect yourself

While the conflict is centered in Ukraine, the TTPs (tactics, techniques, and procedures) used by state-sponsored actors are a threat to organizations worldwide, particularly those in government, energy, and finance. The lessons from this cyber war provide a clear blueprint for improving defensive posture.

  1. Prioritize Patch Management: Russian actors consistently exploit known vulnerabilities in public-facing applications like VPNs and web servers. A rigorous and timely patching program is the most effective defense against these initial access vectors.
  2. Enforce Multi-Factor Authentication (MFA): Phishing remains a primary method for stealing credentials. Enforcing MFA across all services, especially for remote access and cloud accounts, provides a critical layer of defense against credential theft.
  3. Develop a Resilience Plan: Assume a breach will occur. Have a well-documented and practiced incident response plan. Utilize offline, immutable backups to recover from destructive wiper or ransomware attacks. For organizations with critical data, migrating to secure cloud environments can enhance resilience against both physical and digital threats.
  4. Segment Your Network: Isolate critical systems from the broader corporate network. This is especially important for operational technology (OT) environments in critical infrastructure. Network segmentation can prevent an intruder from moving laterally from an IT network to sensitive control systems.
  5. Enhance Monitoring and Threat Hunting: Implement robust logging and monitoring across endpoints and networks. Proactively hunt for indicators of compromise (IOCs) published by agencies like CISA and trusted security partners. Protecting your personal data in transit with tools like a VPN service can also reduce your exposure to network-level snooping.
  6. Educate on Disinformation: All staff should be trained to critically evaluate information sources. Be wary of emotionally charged narratives and verify information through multiple reputable sources before sharing.

The cyber dimension of the war in Ukraine has provided a sobering look at the future of conflict. It has highlighted the power of digital resilience, the importance of international cooperation, and the persistent danger that cyberattacks pose to critical infrastructure and societal stability far beyond the front lines.


// FAQ

What is wiper malware and how is it different from ransomware?

Wiper malware is a type of malicious software whose sole purpose is to destroy data on a compromised system. It overwrites or erases files, boot records, and firmware, making recovery extremely difficult or impossible. Unlike ransomware, which encrypts data and demands a payment for its release, wipers offer no recovery option and are used purely for disruption and destruction.

How has Ukraine been so effective at defending against Russian cyberattacks?

Ukraine's cyber resilience is due to several factors. First, they have over eight years of experience responding to Russian cyber aggression. Second, they undertook significant preparations, including migrating critical government data to the cloud before the invasion. Third, they have received unprecedented support from an international coalition of governments and private tech companies (like Microsoft and Google) providing threat intelligence, defensive tools, and hands-on assistance.

What was the Viasat satellite hack and why was it significant?

On February 24, 2022, Russian military intelligence deployed a wiper malware called AcidRain against Viasat's KA-SAT satellite network. The attack destroyed the software on tens of thousands of satellite modems, cutting off internet access for the Ukrainian military and civilians at a critical moment. It was significant because it was a strategic attack on communications infrastructure with major unintended consequences, impacting thousands of users across Europe and demonstrating the global spillover risk of cyber warfare.

What is the 'IT Army of Ukraine'?

The IT Army of Ukraine is a government-organized volunteer group of civilian cybersecurity specialists, developers, and hacktivists from Ukraine and around the world. They conduct coordinated cyber operations, primarily distributed denial-of-service (DDoS) attacks, against Russian government and corporate websites to disrupt their services and counter Russian propaganda. It represents a novel approach to mobilizing civilian talent in a national cyber defense effort.
