
One Year Later: Cyber Battles Still Rage in Ukraine

This past week was dominated by stories surrounding the one-year mark of Russia’s invasion of Ukraine. What have we learned on the global cybersecurity front in that time?

Anti-war protesters outside the White House in Washington, D.C., on Feb. 24, 2022.
Shutterstock/Eli Wilson
President Biden made a surprise visit to Ukraine’s capital of Kyiv this past week to meet with Ukrainian President Volodymyr Zelenskyy, and that was just the beginning of a series of meetings with international partners regarding the one-year mark in the Russia-Ukraine conflict.

In the midst of global headlines analyzing which military equipment the U.S. and NATO countries should give to Ukraine, as well as how much financial support will be ongoing, a less publicized cyber war continues unabated.

As I wrote in detail in my annual cybersecurity review back in December, 2022 was the year the Ukraine war shocked the world. On Feb. 16, Google’s Threat Analysis Group (TAG) published an excellent blog post titled “Fog of war: how the Ukraine conflict transformed the cyber threat landscape.” Here’s an excerpt:

“Nearly one year ago, Russia invaded Ukraine, and we continue to see cyber operations play a prominent role in the war. To provide more insights into the role of cyber, today, we are releasing our report Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape based on analysis from Google’s Threat Analysis Group (TAG), Mandiant and Trust & Safety. The report encompasses new findings, and retrospective insights, across government-backed attackers, information operations (IO) and cybercriminal ecosystem threat actors. It also includes threat actor deep dives focused on specific campaigns from 2022.”

Here are some key findings from the 47-plus-page report:
  • “Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace, often with mixed results.
  • “Moscow has leveraged the full spectrum of IO — from overt state-backed media to covert platforms and accounts — to shape public perception of the war.
  • “The invasion has triggered a notable shift in the Eastern European cybercriminal ecosystem that will likely have long term implications for both coordination between criminal groups and the scale of cybercrime worldwide.”

There is a section at the end outlining forward-looking trends, and a quick summary of that section shows that cyber attacks will likely continue and even accelerate in 2023 — against both Ukraine and NATO countries. The fact that NATO members were becoming targets in unprecedented cyber attacks from Russia was clear last year, as I wrote in this blog last September.

The Hacker News added this when commenting on Google’s report:

“Russia’s cyber attacks against Ukraine surged by 250% in 2022 when compared to two years ago, Google’s Threat Analysis Group (TAG) and Mandiant disclosed in a new joint report.

“The targeting, which coincided and has since persisted following the country’s military invasion of Ukraine in February 2022, focused heavily on the Ukrainian government and military entities, alongside critical infrastructure, utilities, public services, and media sectors.

“Mandiant said it observed, ‘more destructive cyber attacks in Ukraine during the first four months of 2022 than in the previous eight years with attacks peaking around the start of the invasion.’

“As many as six unique wiper strains — including WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, and SDelete — have been deployed against Ukrainian networks, suggesting a willingness on the part of Russian threat actors to forgo persistent access.”


One big question that keeps coming up as I discuss these topics around the country is: Where are the anticipated cyber attacks against U.S. and NATO countries’ critical infrastructure? There are a few answers to that question.

A recent report by Recorded Future News’ The Record claims that “Many cyberattacks by Russia are not yet public knowledge.” Here’s an excerpt:

“Although dozens of private sector reports have detailed Russian ops during the war in Ukraine, experts have questioned whether the cybersecurity industry has visibility into the full extent of that activity. The joint report from the Dutch General Intelligence and Security Service (AIVD), alongside its Military Intelligence and Security Service (MIVD), cites two reasons why ‘many of these attempts have not yet become public knowledge.’

“The fact that ‘the pace of Russian cyber operations is fast’ is a big factor, the report said. And the nature of many targeted institutions — such as military and diplomatic agencies — leads to secrecy about their vulnerabilities. …

“NATO members who are providing military support to Ukraine also are common targets of Russian intelligence. The joint report said that the ‘Dutch armed forces, ministries and embassies have also been the target of (unsuccessful) cyber espionage attempts in the past year.’

“Alongside espionage operations, Russian cyber forces have repeatedly attempted to deploy ‘wiper’ malware strains designed to destroy data in computer systems.

“‘Moscow regularly attempts to digitally sabotage Ukrainian vital infrastructure and carries out constant wiper malware attacks. The sustained and very high pressure that Russia exerts with this requires constant vigilance from Ukrainian and Western defenders,’ said the joint report.”

The report goes on to say much more, including that the combined cyber defenses of NATO countries have been very successful so far.

Finally on this topic, this World Economic Forum (WEF) opinion piece describes the view that the world is missing a big message on cybersecurity in Ukraine: “Frankly, cyber attacks don’t have much impact, as counterintuitive as that may feel, given oft-cited catastrophic-level scenarios such as the potential hacking of nuclear weapons or complete disruption of the financial system. Even if the latter were possible, the fundamental limitation of cyber operations would soon be realized — reversibility.

“The major difference between cyber operations and their kinetic alternatives is that when kinetic attacks occur, what goes down is more likely to stay down for longer. To appreciate this point, it helps to look at reversibility — or permanence — of attacks along a spectrum.”


The Hill reported this week on “How the war in Ukraine is shaping cyberspace.”

The Hill also reported that “Russia’s overt influence operations conducted by its state-controlled media has decreased on the platform, [and] attempts at covert activities tied to the war in Ukraine have sharply increased over the last year.”

InfoSecurity Magazine released an article on Feb. 23 that described how new norms in cyber warfare are emerging. Here’s an excerpt:

“In hybrid warfare, the lines between the commercial and military domains are often blurred, particularly when it comes to cyberspace. This can be seen in the Russia-Ukraine war, which has brought with it a range of cyber-related demands for both government and private sector actors.

“Infosecurity spoke to defense and cybersecurity analysts about the current cyber landscape in Ukraine, the impact of digital connectivity and whether cyber-Armageddon is still a possibility.

“The war in cyberspace began long before Russian troops staged their all-out invasion of Ukraine in February 2022, noted Dr. Josef Schroefl, deputy director for Strategy and Defense at the European Centre of Excellence for Countering Hybrid Threats (Hybrid CoE) in Helsinki, Finland, an organization that works closely with NATO and the EU on countering hybrid threats. Schroefl said that as of January 2023, Ukraine has registered more than 5000 cyber-attacks on state institutions and critical infrastructure since 2014.”

I also like a piece from the Carnegie Endowment for International Peace that describes “Cyber Operations in Ukraine: Russia’s Unmet Expectations.” Here’s a summary quote from that report:

“A review of academic, doctrinal, and journalistic writing covering the last three decades of Russian military theorizing on cyber-related issues yields three hypotheses that may explain the mismatch between the expectations of many Western observers and the reported impact of Russian cyber operations in the 2022 invasion of Ukraine. By exploring the unique and oft-overlooked facets of Moscow’s conceptualization of ‘cyber,’ this paper provides a foundation for better assessing Russia’s performance in cyberspace in Ukraine in early 2022, along with a more nuanced understanding of its capabilities and possible expectations going forward. These hypotheses are as follows:
  • Russia’s Information Operations Troops—a rough analog to Western military cyber commands—remains in its infancy and appears optimized more for counterpropaganda than for offensive cyber operations. The operational command structure over offensive cyber operations, meanwhile, remains murky and is possibly more political than military in nature.
  • Russia’s premier offensive cyber capacities are housed within agencies focused on intelligence and subversion—the key tool kits used against Ukraine since 2014—rather than combined-arms warfare.
  • Moscow’s secretive and poorly executed February 2022 invasion precluded optimal performance in the initial period of the war, which is particularly pivotal in Russian thinking about effectiveness in the information domain.”


As I read through these reports from various sources, I come to the conclusion that a major force of NATO’s cybersecurity capabilities is being deployed to assist Ukraine in their war efforts. However, many of these efforts and specific tactics remain classified and cannot be shared openly. These substantial capabilities provide the basis for a strong overall cyber defense for NATO countries that have, at least so far, muted the effectiveness of Russian cyber attacks.

Assuming this is true, Ukraine remains a hot battleground and test bed for many new cyber weapons and cyber defense strategies being deployed in the world today. This reality is impacting both the public and private sectors, as is described in a Radware case study on DDoS attacks against Ukraine.

Whether new tactics or new cybersecurity weapons will alter this cyber war narrative in 2023 and beyond remains to be seen. But it appears, at least for now, that the Ukraine-Russia conflict will continue to dominate the cybersecurity landscape (both defense and attack) for the foreseeable future.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.