Headline
Russia’s Cyberwar Foreshadowed Deadly Attacks on Civilians
The Kremlin’s aggression in Ukraine is following a dangerous playbook that began to unfold years ago.
For eight long years prior to Russia’s disastrous and brutal invasion of its neighbor in February, the Kremlin instead waged a limited war in the east of the country, throwing that eastern border region into a state of turmoil, all while raining down cyberattacks on Ukraine’s critical infrastructure far beyond any war zone. Many military and cybersecurity observers around the world warned that Russia’s scorched-earth hacking was demonstrating a playbook that would, sooner or later, be used outside of Ukraine too—a warning that soon proved true, with cyberattacks that struck everything from American hospitals to the 2018 Winter Olympics.
But looking back on nearly a year of Vladimir Putin’s full-blown war in Ukraine, it’s now clear that Russia’s earlier cyberwar in the country also served as a different sort of harbinger: It foreshadowed exactly how Russia would carry out its full-scale physical attacks on Ukraine, with a vastly greater human cost. In 2022’s war, just as in that earlier digital blitz, Russia’s real playbook has proven to be one of ruthless bombardment of civilian critical infrastructure, with no tactical intention other than to project its power and inflict pain hundreds of miles past the war’s front lines.
In the past two months, Ukraine’s power grid has come under relentless bombardment by Russian bombs, taking down as much as half of the country’s electric infrastructure and at times leaving the majority of the country without power. In Kyiv, more than 200 miles west of the ongoing fighting in the region known as Donbas, Ukrainians are reduced to hunting for generators, storing food outside to prevent it from spoiling, charging their phones and computers during the few hours a day of reliable power, and keeping backup food and water supplies in apartment building elevators in case someone is trapped inside during a blackout. Water supplies have been paralyzed at times, too, along with portions of the country’s electrified rail system. And winter, with only a fraction of the country’s heating systems operational, still looms ahead.
“It’s like the central nervous system of the human body: If you mess with it, you put all sorts of systems out of whack,” says Rajan Menon, a director of the Defense Priorities think tank who recently returned from a trip to the Ukrainian capital, speaking about Russia’s power grid attacks. “It’s not only an inconvenience but an enormous economic cost. It’s an effort to create pain for the civilian population, to show that the government can’t protect them adequately.”
Menon notes, however, that every one of his comments could just as easily apply to Russia’s earlier waves of cyberattacks on the country’s internet—such as the NotPetya malware released by Russia’s GRU hackers, which five years earlier destroyed the digital networks of hundreds of government agencies, banks, airports, hospitals, and even its radioactivity monitoring facility in Chernobyl. “They’re different in the technicalities, but the goal is the same,” he says. “Demoralizing and punishing civilians.”
Russia’s practice of carrying out missile and artillery strikes on civilian targets has already become notorious, from the Mariupol theater airstrike in May that killed 600 people to the bombings of multiple sites in central Kyiv that Russia carried out in October in retaliation for the destruction of the Kerch bridge linking the Crimean peninsula to Russia. The repeated failures of Russia’s military to take or hold territory in the face of the Ukrainian counteroffensive seem only to have amplified the Kremlin’s preference for softer, nonmilitary targets: In late November, Ukrainian defense minister Oleksii Reznikov wrote that fully 97 percent of Russia’s 16,000 missile strikes have targeted civilians. “We are fighting against a terrorist state,” Reznikov wrote.
But for anyone involved in fending off Russia’s cyberattacks on Ukraine over the past eight years, Russia’s preference for civilian over military targets has long been apparent, says Viktor Zhora, a senior cybersecurity-focused official in Ukraine’s State Services for Special Communications and Information Protection, or SSSCIP. Zhora, whose cybersecurity firm worked on incident response for Russia’s breach of Ukraine’s Central Election Commission in 2014 before he joined the government, lists the Kremlin’s biggest cyberattacks on his country over the past eight years: that election-focused intrusion, designed to both cripple Ukraine’s electoral body and spoof its results; cyberattacks on electric utilities that caused blackouts in late 2015 and 2016; data-destroying attacks that hit the country’s treasury, railways, and Ministry of Finance; and finally, the NotPetya worm that carpet-bombed Ukrainian networks in 2017 before spreading globally to cause more than $10 billion in damage.
Given that every one of those attacks targeted civilian institutions, it was all too predictable that Russia’s physical war would fall back to the same pattern, Zhora argues. “Without any significant successes on the battlefield, we see that Russia switched to purely terroristic tactics,” says Zhora. “They continue to attack our civilian infrastructure, and in this way, it’s more or less similar to their trends in cyberwarfare.”
Zhora notes that those cyberattacks on civilians haven’t stopped—they’ve only fallen off the radar as vastly more destructive, lethal physical attacks have eclipsed them. The Ukrainian government, he says, has counted hundreds of breaches this year of the country’s energy, telecom and finance sectors.
The purpose of all of that civilian targeting, both cyber and physical, is in part an attempt to weaken Ukrainians’ resolve as a country, says Oleh Derevianko, founder of the Ukrainian cybersecurity firm ISSP. “They want to create a situation where people are not satisfied with what’s going on and exert pressure on the government to engage into negotiations,” says Derevianko—adding that the strategy has badly backfired, instead unifying Ukrainians against the Russian threat more strongly than ever. But he argues that on some level, too, Russian forces may also be responding to pressure to simply do something to contribute to the war effort. “They need to report some success to their chain of their command,” says Derevianko. “They’re frustrated on the battlefield, so they attack civilians.”
SSSCIP’s Zhora, on the other hand, goes further: He believes that Russia’s attacks on civilians may not be a means to an end, but rather Russia’s true goal. He says Russia isn’t merely trying to defeat the Ukrainian military, win a war, or conquer the Donbas, but instead to defeat and destroy the Ukrainian people.
“The intention is to wipe out the whole nation,” says Zhora. He says that motivation to directly attack Ukraine’s population can be seen in the history of the two countries’ relations far earlier than any recent war or cyberwar, stretching back as far as the Holodomor, the man-made famine that starved to death millions of Ukrainians in the early 1930s as Soviet officials ordered Ukrainian grain to be confiscated or locked in warehouses to rot.
“It’s a continuation of genocide,” Zhora says. “It’s one more chance to try to wipe out the Ukrainian people, to restore the Soviet Union, to change the global order.”