Russia’s use of cyberattacks and cyber-enabled influence operations during its invasion of Ukraine has been a notable development in modern warfare. The scale of destructive and espionage cyberattacks and the sophistication of the global influence operations are unprecedented. And these cyber-enabled efforts have been coordinated with ground attacks in a manner that demonstrates how military strategy has transformed and likely will continue to evolve in the future. Since the beginning of the war, Microsoft has observed a Russian cyber and influence threat apparatus focused on undermining Ukraine’s infrastructure and sources of support and degrading its will and ability to fight.
Cyberthreat actors associated with Russia’s security agencies were involved in more than 600 instances of observed threat activity against more than 100 government and private-sector Ukrainian organizations in the first year of the conflict. Fortunately, this onslaught has largely been met with firm and effective resilience from Ukraine’s government and its people, as well as the support of international partners across sectors. These events should nevertheless serve as a wake-up call to an international community that will need to grapple with the use of cyber operations in future hybrid conflicts.
Cyber-Military Alignment in Russia’s Invasion
Alignment between Russia’s cyber operations and its military operations on the ground has been evident from the earliest days of the war. Russian tanks started rolling across Ukraine’s borders on February 24, 2022, but Microsoft security teams recognized that strategic Russian cyberattacks against Ukrainian targets had launched the day before. These offensive and destructive cyberattacks were intended to damage Ukraine’s digital infrastructure in the hours before the full-scale invasion. This tactic of leading with cyber operations as the proverbial “tip of the spear” ahead of kinetic military operations—aiming to degrade infrastructure, disrupt supply lines, and/or mislead the public—is now a well-established practice in Russian military planning, dating to its 2008 war with Georgia.
Not only has digital technology been weaponized in this conflict, but digital infrastructure itself quickly became a prominent target. At the outset of the war, Russia successfully attacked Ukrainian satellite internet capability provided by Viasat. And some of the first Russian missiles targeted a government data center. The importance of uninterrupted access to information systems for government functions and national security made the physical locations of government data vulnerable targets. Simultaneously, destructive cyberattacks targeted key government operations and IT providers. Fortunately, Ukraine was able to move quickly to neutralize these threats by leveraging cloud computing to disperse and distribute government data across systems, both within and beyond its borders, creating redundancies that made attacks on any single data center ineffective.
Russia’s military cyber operations in the war have been coordinated by threat actors affiliated with different government agencies, including military intelligence (GRU), the Federal Security Service, and the Foreign Intelligence Service. The use of wiper malware has been prevalent throughout the war. Microsoft has attributed these attacks to a GRU-affiliated threat actor group identified as Seashell Blizzard, otherwise known as Sandworm. To date, there have been at least nine separate variants of wiper malware used against targets in Ukraine, and in more recent months Microsoft has seen the development and use of new forms of ransomware as part of Russia’s cyber arsenal. Meanwhile, other Russian threat actors, including Aqua Blizzard and Star Blizzard (aka Gamaredon and ColdRiver, respectively), have led espionage attacks seeking to compromise organizations—both within Ukraine and outside its borders—responsible for providing critical assistance and support to Ukraine. The chart below provides some insight into the sectors most targeted by Russia’s cyberattacks in the first year of the war.
[Chart: Partial List of Ukraine Targets. This chart provides a sample of Ukrainian sectors affected by known or suspected Russian state-affiliated network intrusions or destructive attacks, as reflected in Microsoft data between February 2022 and January 2023. Source: Microsoft Threat Intelligence 2023]
Coordination with Missile Attacks
Especially following the retreat of Russian forces from previously occupied territory in Ukraine last fall, there was a documented rise in Russian missile strikes targeting Ukrainian critical infrastructure like energy, water, and transportation systems. Last October, these attacks left 80 percent of Kyiv without running water and more than 10 million Ukrainians without power. Microsoft security teams observed coordinated destructive cyberattacks led by Seashell Blizzard targeting these same sectors. While we cannot know specific communications between the Russian military and its cyber operations, the common targeting and timing between the ground and cyber operations, as reflected in the chart below, provides compelling evidence of a well-aligned war effort being executed simultaneously across multiple domains.
Influence Operations
Finally, influence operations online and in the media have also been a core component of Russia’s invasion—both in Ukraine and in positioning Russia’s objectives to audiences abroad. They have included flooding social media platforms with misleading messaging around the need for the “denazification” of Ukraine and accusing the United States of creating bioweapons in clandestine laboratories in Ukraine. Both of these narratives were intended to create a justification for the invasion. As the conflict has progressed, prominent news outlets backed by the Federal Security Service or other state-affiliated groups, such as NewsFront, have consistently supported anti-Ukrainian propaganda. Meanwhile, websites purporting to be Ukrainian local news have leveraged Russian state media sources to spread pro-Kremlin messaging that targets domestic audiences in occupied regions of Ukraine. Other influence operations have targeted European citizens in an effort to erode support for Ukraine’s defense.
While the cyber tools and tactics employed by Russia in the invasion of Ukraine—destructive malware, espionage attacks, and information operations—are not themselves new or unique, the scale and coordination of their use as strategic components of a large-scale military campaign are truly unprecedented. And although Ukraine, working with partners, has successfully blunted much of the potential impact, we should assume that future conflicts will continue to deploy both cyber and influence weapons in novel ways. As with other military technologies, we should expect offensive capabilities in cyberspace to continue to evolve and become even more dangerous in the future. In response, governments and the international community need to work urgently to improve defenses, increase readiness, and make clear that illegal offensive actions in cyberspace will not be tolerated.
Tom Burt leads a cross-disciplinary team at Microsoft that works to improve customer trust in the safety and security of the digital ecosystem by advocating for global cybersecurity policy, partnering with public agencies and private enterprises to disrupt nation-state cyberattacks and support deterrence efforts, and combatting cybercrime. Customer Security and Trust is also responsible for managing Microsoft’s government clearance and national security compliance.