
Russia’s full-scale invasion of Ukraine in February 2022 marked the start of what should be termed – in view of the unprecedented scale and sophistication of the cyber operations that accompanied Russia’s military actions – the world’s first cyber war.

It gave the world insight into how cyber operations would be integrated with the physical battlefield going forward.

Moreover, Ukraine showcased to the international community not only the critical importance of robust cyber defenses but also the complexity involved in their implementation. This complexity arises from the coalition that extends beyond the support of Western governments to include the pivotal contributions of tech companies in strengthening Ukraine’s cyber defenses.

In the months leading up to Russia’s full-scale invasion of Ukraine in February 2022, a series of cyberattacks was launched against Ukrainian targets. On January 13 of that year, Microsoft detected and reported malware that was targeting the Ukrainian Government and various non-profit organizations and IT companies.

That turned out to be part of a broader pattern of digital aggression attributed to Russia. The following day, Russia escalated its cyber war, conducting a significant cyberattack that affected various Ukrainian government institutions and resulted in dozens of government websites being controlled by hackers. 

In response, NATO stepped up its support for Ukraine in the cyber domain, which included providing Ukraine with access to NATO’s system for sharing information about malicious software.

The cyberattacks continued into mid-February, culminating in a distributed denial of service (DDoS) attack that temporarily disabled the online services of several Ukrainian government departments, financial institutions and radio stations. The attacks took down Ukraine’s two largest banks, PrivatBank and Oschadbank. PrivatBank had to release a statement assuring the public that there was no threat to depositors’ funds. 

These attacks were intended to create panic and confusion and to destabilize Ukraine and were attributed to Russia’s Ministry of Defense Intelligence Directorate (GRU). On February 24, 2022, one hour before Russia began its full-scale invasion, a cyberattack with a wiper malware called AcidRain was launched against the American commercial satellite internet company Viasat, erasing all the data on its systems.

One of the Viasat modems attacked with AcidRain malware. Photo: BankInfoSecurity

This attack not only caused outages for thousands of Ukrainian customers but also impacted wind farms and internet users in other European countries. Russia’s primary target was believed to be the Ukrainian military, as it wanted to disrupt Ukrainian military communications at the onset of the invasion, hindering Ukraine’s defensive capabilities as Russian forces entered the country. Ukraine’s army relied on Viasat’s services for maintaining command and control.

Russia had attempted to coordinate cyberattacks with its ground invasion to maximize its operations on the ground and to showcase the devastating damage that could be caused to critical infrastructure ahead of an invasion. The most devastating attack on Ukraine’s critical infrastructure came in December 2023 when Russia took down Kyivstar, Ukraine’s biggest mobile network operator, damaging much of the telecom company’s IT infrastructure.

This could have been in retaliation for the hacking by Ukrainian intelligence of Russia’s state tax service (this attack happened right before the Kyivstar incident), which completely destroyed the agency’s infrastructure and will impact the functioning of the agency for years to come.

Over half of Ukraine’s people use Kyivstar and, as a result, millions were unable to receive lifesaving air raid alerts. Kyivstar CEO Oleksandr Komarov described the attack as “the biggest cyber attack on telco infrastructure in the world.”

Komarov also pointed out that Kyivstar has repelled over 500 attacks on its infrastructure since the full-scale invasion started.

Around 30% of the cashless payment terminals of PrivatBank – Ukraine’s largest bank – stopped working because they rely on Kyivstar’s mobile network. 

The hackers were able to breach Kyivstar via a compromised account belonging to an employee. 

The Kyivstar incident underscores a key cybersecurity lesson: even the most fortified infrastructures are vulnerable to breaches – often due to the human factor, which can serve as the weakest link in security defenses. Illia Vitiuk, head of the Security Service of Ukraine’s cybersecurity division, said that the hackers had been infiltrating Kyivstar since at least May 2023. He said that the attack should serve as a “big warning” to the West that no one is untouchable. Kyivstar had invested heavily in protecting itself but the cyberattack “completely destroyed the core of a telecoms operator.” 

Following the Kyivstar attack by Russia, Ukraine retaliated with a cyberattack against Moscow-based water utility company Rosvodokanal, destroying the company’s IT infrastructure. Over 50 terabytes of data were deleted, “including internal document management, corporate email, backups, and even cybersecurity protections.”

Ukrainian hackers allegedly affiliated with Ukraine’s security services followed up by striking the Russian internet provider M9com on 9 January 2024; over 20 terabytes of data were deleted and Moscow residents lost internet and TV connections. 

The IT Army of Ukraine followed up with an attack on the Moscow-based internet provider, Qwerty, which was taken offline for over three days. 

Also, in January 2024, Ukraine’s military intelligence agency conducted a cyberattack on IPL Consulting, a company that supports Russia’s heavy industry and its military-industrial complex, reportedly obliterating the firm’s IT infrastructure. 

After infiltrating and deleting over 60 terabytes of data from IPL Consulting’s network, Ukrainian cyber experts destroyed numerous servers and databases, with the total cost of the damage still under assessment. The Russia–Ukraine cyber war is becoming more aggressive than ever and will continue to expand in the future to potentially more devastating critical infrastructure targets.

This is part six of a series, ‘Lessons from the first cyberwar.’ Read part one, part two, part three, part four and part five. NEXT: How Ukraine has resisted Russia’s cyber offensive

David Kirichenko is a Ukrainian-American security engineer and freelance journalist. Since Russia’s full-scale invasion of Ukraine in 2022 he has taken a civilian activist role.

These articles are excerpted, with kind permission, from a report he presented at the UK Parliament on February 20 on behalf of the Henry Jackson Society.
