Why Ukraine Hasn’t Sparked a Big Cyberwar, So Far

The conflict has seen only limited cyber confrontation, with some small attacks from Russia on Ukrainian targets. Ilya Naymushin/Reuters

Cyberwar, we have been warned on countless occasions, will be a major part of the next global conflict. So how is it playing out in Ukraine? The answer is: so far, not so bad.

A best-case scenario sees the low-level cyberconflict between the United States and Russia remaining unchanged. This means that hacking attacks aimed at collecting information from government and corporate sources continue, quietly and without serious confrontation.

On the scarier side of the spectrum is a full cyberwar, something the world has never seen. This could involve Russian hackers taking down U.S. civilian infrastructure, such as power plants and public transport, or going after American banks. American and other anti-Russian cyberwarriors would respond in kind.

Cybersecurity experts say the first scenario is much more likely than the second. So far the conflict in Ukraine has seen only limited cyberconfrontation, with some small attacks from Russia on Ukrainian communications and media targets. But cyberspace is a new front in conflicts between world powers and tensions are escalating following Russia’s annexation of Crimea.

As Crimeans went to the polls on Sunday to vote in a referendum on secession from Ukraine, cyberattacks escalated. Hackers struck several NATO websites, including a nonsecure email server.

What would further cyberconflict look like? The entire world of cyberwarfare is opaque. Hackers operate in the shadows. Governments keep their cyberprograms secret.

“Attribution is extremely difficult in cyberspace,” says John Bumgarner, a former U.S. intelligence officer who now works at the U.S. Cyber Consequences Unit, a research institution. “If you have to have attribution where you can trace back a cyberattack, you have to have better monitoring capabilities than the NSA does.”

The U.S. military has Cyber Command (CyberCom), which shares its headquarters with the National Security Agency in Fort Meade, Md., and has an independent budget of $447 million. CyberCom has been growing exponentially in recent years and is set to get even bigger. But most of the details of its activities are highly classified.

Russia is even more secretive. “All of the offensive cyber activities taking place from Russia are under the purview of the security services, which are in deep secrecy,” says Keir Giles, an expert on Russia’s cybercapabilities.

Russia also subcontracts much of its cyberwarfare to nonstate actors, according to Giles. Often “patriotic hackers” will join in on attacking Russia’s enemies. Sunday’s attacks on NATO were attributed to a group that calls itself “cyber berkut” and which many believe is affiliated with Russian intelligence agencies.

“You have a very large population of hackers in Eastern Europe in general and Russia especially,” says Dmitri Alperovitch, co-founder of CrowdStrike, a cybersecurity firm. “A lot of them consider themselves patriotic individuals and will take broad direction from government policies. We don’t know how closely they take orders from the government.”

Nonstate actors tend to be less sophisticated than government-directed hackers, relying on simpler operations like denial-of-service attacks, which bombard a website or computer with traffic in order to knock it offline.

But the Russian government is one of the most sophisticated in the world when it comes to hacking. “They are top-tier actors,” says Alperovitch. “Their capabilities can rival our own. They’ve been spending tremendous resources on this for the last 30 years.”

The fruits of this spending are usually invisible. Much of the hacking that goes on regularly goes unreported, and people outside this shadowy world usually only know about cyberattacks once they have occurred. Ukrainians are getting some experience these days.

The communications channels of Ukraine’s National Security Council and Defense Council suffered a denial-of-service attack last week, as did the state news agency. Russians were also accused of disrupting Ukrainian phone networks.

Malware detections in Ukraine have “maintained a heightened level on a weekly basis” since early 2014 when the crisis in Ukraine erupted, according to Kurt Baumgartner, the principal security researcher at Kaspersky Lab, a cybersecurity firm. News sites, government communications, and organizations’ and activists’ communications have also been affected, Baumgartner says.

Russian hacking in Ukraine didn’t begin with the current conflict, though.

A very sophisticated piece of Russian malware has been infecting Ukrainian computer systems for years, according to a recent report from BAE Systems, a British defense firm. The malware, known as Snake, allows the attackers to lift data from infected computers and send it back to its point of origin.

While indisputable links to Russian intelligence are hard to draw, the BAE Systems report says Snake operates on Moscow’s time zone and some of the code is in Russian.

Still, experts say, Russia has been fairly restrained in its use of cyberweapons so far.

“Russia didn’t have to launch cyberattacks against media outlets in Ukraine. They didn’t have to launch attacks against military websites. Their objective was to seize [Crimea], and they did that,” says Bumgarner. “They didn’t need cyber to seize the territory.”

Russian cyberattacks were more aggressive in previous conflicts. Russian hackers shut down most of the Georgian government’s communications systems during the conflict there in 2008.

Giles remembers sitting in a meeting room with the U.K. military at the time. A dusty fax machine started buzzing. It was the Georgian government. “It was the only way they could get the message out,” he says.

In 2007 Russia unleashed on Estonia one of the biggest cyberattacks in history. Following the quashing of protests by ethnic Russians in the tiny Baltic state, hackers took down government, bank and newspaper websites. Estonia is one of Europe’s most wired countries, leaving it particularly vulnerable. It was impossible to pinpoint the perpetrators, but Moscow was widely blamed for the attacks.

But serious attacks on the United States seem unlikely at this point, experts say.

Instead, Russia and the U.S. engage in mutual espionage. As government and corporate secrets have moved online, the need for a KGB agent in Washington making surreptitious photocopies has diminished and the role of hacking has increased. Hackers directed by Washington and Moscow collect government emails and private communications and release malware to exfiltrate state secrets.

That’s mostly harmless, says Giles, but “the lines are blurred. At what point does breaking into a computer become sabotage?” Some espionage attacks are designed to steal secrets and at the same time render computers and systems nonfunctional. When Saudi Arabia’s national oil company was hit with malware in 2012, the virus did more than just steal secrets. It shut down nearly 30,000 computers.

For now, though, all is quiet on the cyber front between the U.S. and Russia. The level of cyberespionage that is ongoing has not accelerated in any noted way since the conflict over Ukraine began, experts say. But if the conflict gets worse, so will events online.

In October 2011, then-Defense Secretary Leon Panetta warned of the potential for a “digital Pearl Harbor,” a massive cyberattack on U.S. infrastructure or military installations that could cause serious death and destruction.

Some cybersecurity experts say they could foresee something like that happening in the case of a serious escalation in the Ukraine conflict.

“If a shooting war starts, there will be cyberattacks to go along with that,” says Bumgarner. “It could be basic [distributed denial-of-service] attacks or sabotage stuff. But really, I’d be more worried about a 500-pound bomb falling on my head.”

Others are less sanguine. “I think ultimately if this does turn into cyberwarfare, there could be attacks on critical infrastructure,” says Darren Hayes, a professor at Pace University and an expert in digital forensics and cybersecurity. “If you think about someone hacking into the subway system, that’s a pretty serious blow.”

Then again, that might be counterproductive for everyone. Despite tensions, a serious blow to the U.S. economy would harm Russia and a massive attack on the U.S. could precipitate serious retaliation.

“Imagine Russia had the capability to create a small blackout in the U.S. Escalating a cyberattack would be counterproductive,” says Thomas Rid, a professor of war studies at King’s College in London. “Yes, some of them seem to be quite stupid. But I don’t know if they’re that stupid.”