Dive Brief:
- Russian cyberattacks against Ukraine and its allies have yet to materialize at the scale and severity many expected. Russia’s attack against Viasat's KA-SAT management network during the first hours of its invasion of Ukraine remains its most significant success to date.
- The Russian wiper malware attack on Viasat was “one of the biggest cyber events that we have seen perhaps ever, certainly in warfare,” Dmitri Alperovitch, CrowdStrike cofounder and executive chairman of the Silverado Policy Accelerator, said Tuesday at the RSA Conference. It blocked the Ukrainian military’s ability to communicate in the first days of the invasion, but Russia’s gain was short-lived.
- “As we have seen time and time again, for now almost three and a half months of this war, the Russians are horrible at combined arms,” Alperovitch said. The same applies to Russia’s conventional military, which has faltered on the ground and in the air because of a lack of coordination.
Dive Insight:
Russia has consistently displayed a lack of foresight and planning in its cyber activities since it invaded Ukraine more than 100 days ago. Despite tactical successes in Ukraine, Russia failed to turn those into potentially more devastating campaigns.
While cyber is an important weapon in warfare, the assumption that it will be such a critical element has been overblown, Alperovitch said. “Even the best tactics, even in cyber, don’t compensate for a really, really bad plan.”
Despite expectations, Russia hasn’t retaliated for the sanctions with cyberattacks against Ukraine’s allies, but those attacks may still come. While Russia’s cyberthreat remains lower than expected, the White House and federal cybersecurity authorities continue to caution organizations to remain vigilant.
The Department of Justice in April disrupted the state-backed Russian botnet Cyclops Blink and Attorney General Merrick Garland pointed to the Russian government’s use of similar infrastructure to attack Ukrainian targets.
Sandra Joyce, EVP and head of global intelligence at Mandiant, said her team observed wiper attacks on individuals and Chinese threat actors operating within Ukraine’s networks, but they’re just watching and learning, not deploying malware. Russia has infiltrated networks and dropped malware globally but its impact in Ukraine has been surprisingly limited.
Cyber defenders in Ukraine deserve credit for thwarting more damaging attacks and doing so under hostile conditions and a constantly shifting technical landscape, Joyce said during her global threat briefing with Alperovitch.
Individuals and teams charged with protecting Ukraine’s networks have displayed remarkable resilience amid the chaos of war. Ukrainians routinely endure blackouts, shelling of their positions, locked IP addresses in temporarily occupied territories and the need to set up operations in bomb shelters.
It’s a level of sophistication and resilience that Mandiant has never seen before, Joyce said.
Ukraine was prepared following eight years of Russian cyberattacks, including the NotPetya ransomware and its Bad Rabbit variant. The repeated resiliency showcased by Ukraine’s cyber defenders is something U.S. organizations should emulate, Alperovitch said.
Ukrainians are rebuilding networks with backups ready to go within hours. That determined agility and speedy recovery isn’t practiced often enough. Most U.S. organizations would take weeks to recover from a similar attack and sustain serious consequences during that downtime.