The persistent cyber war: Four years into the Ukraine invasion

April 28, 2026 | 6 min read | 4 sources

A conflict fought on two fronts

As the kinetic war in Ukraine grinds past its 1,500th day, a parallel conflict continues to rage in the digital realm. Four years after the full-scale invasion began on February 24, 2022, Russia's cyber operations against Ukraine have not abated. Instead, they have evolved into a persistent, grinding campaign of disruption, espionage, and psychological warfare. This silent war, fought with malware and malicious code, targets everything from power grids and government servers to the smartphones of ordinary citizens, demonstrating a deep integration of digital and physical military strategy.

The cyber dimension of this conflict is not merely an adjunct to the fighting on the ground; it is a critical front in its own right. It serves as a laboratory for new cyber-physical attack methods and a stark reminder of how interconnected global systems can suffer from collateral damage.

The long prelude to a digital war

Russia's cyber aggression against Ukraine did not begin in 2022. The groundwork was laid over more than a decade. The 2014 annexation of Crimea was accompanied by a significant escalation in cyberattacks targeting Ukrainian infrastructure. The most alarming precedents were the 2015 and 2016 attacks on Ukraine's power grid, where threat actors deployed malware like BlackEnergy and Industroyer to cause physical blackouts, a pioneering moment in cyber-physical warfare.

In 2017, the NotPetya attack further showcased the potential for catastrophic spillover. Disguised as ransomware, this destructive wiper malware was unleashed on Ukraine but quickly spread across the globe, crippling multinational corporations like Maersk, Merck, and FedEx and causing an estimated $10 billion in damages. It was a clear signal that digital weapons, once released, do not respect national borders.

In the weeks leading up to the February 2022 invasion, a barrage of attacks sought to destabilize the country. Data-wiping malware, including WhisperGate and HermeticWiper, was deployed against government and financial institutions, while distributed denial-of-service (DDoS) attacks flooded websites with junk traffic to knock them offline.

The anatomy of a modern cyberattack

Throughout the conflict, a handful of Russian state-sponsored Advanced Persistent Threat (APT) groups have been the primary drivers of malicious activity. These groups, often linked to Russian intelligence services, employ a sophisticated and varied arsenal of tools and techniques.

  • Sandworm (APT44): Attributed to Russia's GRU, this group is infamous for the NotPetya attack and the power grid disruptions. They continued their focus on critical infrastructure with the Industroyer2 malware in an attempted attack on a Ukrainian energy provider in April 2022.
  • APT28 (Fancy Bear): Also linked to the GRU, this group specializes in spear-phishing and intelligence gathering, relentlessly targeting Ukrainian government and military entities to steal credentials and sensitive data.
  • APT29 (Cozy Bear): Associated with Russia's SVR, this group is known for its stealthy, long-term espionage campaigns, targeting diplomatic entities and organizations within NATO member countries to gather intelligence on support for Ukraine.
  • Gamaredon (Primitive Bear): A high-volume, FSB-linked actor focused almost exclusively on Ukraine, using widespread phishing campaigns to maintain persistent access to a vast number of Ukrainian organizations for intelligence gathering.

These groups leverage a common set of attack vectors. Spear-phishing emails with malicious attachments or links remain a primary method for initial access. They also exploit vulnerabilities in public-facing software, such as email servers and VPN appliances, to breach networks. Once inside, their primary weapons are destructive wiper malware designed not for financial gain, but to erase data, destroy systems, and sow chaos. The attack on the KA-SAT satellite network on the day of the invasion, which disrupted communications for the Ukrainian military and thousands of civilians across Europe, highlighted the strategic focus on crippling communications infrastructure.

The cascading impact of digital warfare

The targets of this cyber war are broad and strategic, affecting nearly every segment of Ukrainian society.

  • Critical Infrastructure: Energy, telecommunications, and transportation sectors are under constant threat of disruption, aiming to demoralize the population and hamper military logistics.
  • Government and Military: Espionage campaigns seek to steal state secrets, military plans, and intelligence on allied support, while destructive attacks aim to paralyze government functions.
  • Civilians: Disinformation campaigns spread through social media and hacked news outlets are designed to erode trust and create social division. Citizens are also indirectly affected by service outages and directly by malware targeting their personal devices.
  • Global Allies: The conflict has significant global implications. Allied governments, NGOs, and humanitarian organizations providing aid to Ukraine are frequent targets of Russian espionage. The risk of another NotPetya-style spillover event, where an attack escapes its intended target and affects global supply chains or financial markets, remains a persistent concern for security agencies worldwide.

A global test of cyber resilience

Despite the unprecedented scale and intensity of the attacks, Ukraine's cyber defenses have proven remarkably resilient. As Victor Zhora, former deputy chief of Ukraine's State Service of Special Communications and Information Protection (SSSCIP), has noted, this resilience is built on years of preparation, rapid adaptation, and extensive international cooperation. Public-private partnerships and intelligence sharing with allies and cybersecurity firms have been instrumental in identifying and mitigating threats.

Brad Smith, President of Microsoft, described the conflict as featuring "a relentless and destructive wave of cyberattacks" but also highlighted the strength of a collective defense. The conflict has become a crucible, forging new doctrines for cyber warfare and defense. Nations globally are re-evaluating their own critical infrastructure protection and the imperative of international collaboration in the face of state-sponsored threats.

How to protect yourself from digital fallout

While the primary targets are in Ukraine, the borderless nature of cyber threats means individuals and organizations everywhere should remain vigilant. The tactics used in this conflict are often repurposed for broader cybercrime and espionage campaigns.

For Organizations:

  • Implement Multi-Factor Authentication (MFA): This is one of the most effective controls to prevent unauthorized access, even if credentials are stolen.
  • Aggressive Patch Management: Promptly apply security updates for all software, especially for internet-facing systems like VPNs and web servers.
  • Employee Training: Educate staff to recognize and report phishing attempts. Conduct regular simulations to keep them alert.
  • Network Segmentation: Isolate critical systems from the general corporate network to contain the blast radius of a potential breach.
  • Incident Response Plan: Have a well-documented and practiced plan for how to respond to a security incident to ensure swift recovery.

For Individuals:

  • Use Strong, Unique Passwords: Employ a password manager to create and store complex passwords for each of your online accounts.
  • Enable MFA Everywhere: Turn on MFA for your email, social media, and banking accounts.
  • Be Skeptical of Unsolicited Messages: Be wary of emails or messages that create a sense of urgency or ask for sensitive information, especially those related to the conflict.
  • Keep Your Devices Updated: Ensure your computer, smartphone, and other devices have the latest security updates installed.
  • Secure Your Connection: Using strong encryption and privacy protection tools can help shield your internet traffic from prying eyes, especially when using public Wi-Fi.

// FAQ

What is wiper malware and how is it used in this conflict?

Wiper malware is a type of malicious software whose sole purpose is to erase or 'wipe' the data on the systems it infects, often rendering them completely inoperable. In the context of the war in Ukraine, Russia has used wipers like HermeticWiper and CaddyWiper not for financial gain, but to cause disruption, destroy evidence, and paralyze Ukrainian government and commercial entities.

Who are the main cyber threat actors involved?

The primary actors are state-sponsored hacking groups linked to Russian intelligence agencies. The most prominent include Sandworm (APT44) and APT28 (Fancy Bear), both tied to the GRU (military intelligence), and APT29 (Cozy Bear), linked to the SVR (foreign intelligence). On the other side, the volunteer 'IT Army of Ukraine' conducts retaliatory cyber operations against Russian targets.

How has Ukraine defended itself against these cyberattacks?

Ukraine's cyber defense has been surprisingly resilient due to several factors: years of preparation after earlier attacks, moving government data to the cloud, rapid incident response, and extensive collaboration with international governments, intelligence agencies, and private cybersecurity companies like Microsoft and Mandiant.

What is the 'spillover' effect in cyber warfare?

The spillover effect occurs when a cyberattack aimed at a specific target spreads uncontrollably to unintended victims globally. The most famous example is the 2017 NotPetya attack, which started in Ukraine but rapidly propagated worldwide, causing billions of dollars in damages to multinational corporations and demonstrating that digital conflicts rarely stay contained within geographic borders.
