Defending Ukraine: Early Lessons from the Cyber War

Russia not surprisingly targeted Ukraine’s governmental data center in an early cruise missile attack, and other on premises servers similarly were vulnerable to attacks by conventional weapons. Russia also targeted its destructive “wiper” attacks at on-premises computer networks. But Ukraine’s government has successfully sustained its civil and military operations by acting quickly to disburse its digital infrastructure into the public cloud, where it has been hosted in data centers across Europe.

This has involved urgent and extraordinary steps from across the tech sector, including by Microsoft. While the tech sector’s work has been vital, it’s also important to think about the longer-lasting lessons that come from these efforts.

Because cyber activities are invisible to the naked eye, they are more difficult for journalists and even many military analysts to track. Microsoft has seen the Russian military launch multiple waves of destructive cyberattacks against 48 distinct Ukrainian agencies and enterprises. These have sought to penetrate network domains by initially compromising hundreds of computers and then spreading malware designed to destroy the software and data on thousands of others.

Russian cyber tactics in the war have differed from those deployed in the NotPetya attack against Ukraine in 2017. That attack used “wormable” destructive malware that could jump from one computer domain to another and hence cross borders into other countries. Russia has been careful in 2022 to confine destructive “wiper software” to specific network domains inside Ukraine itself. But the recent and ongoing destructive attacks themselves have been sophisticated and more widespread than many reports recognize. And the Russian army is continuing to adapt these destructive attacks to changing war needs, including by coupling cyberattacks with the use of conventional weapons.

A defining aspect of these destructive attacks so far has been the strength and relative success of cyber defenses. While not perfect and some destructive attacks have been successful, these cyber defenses have proven stronger than offensive cyber capabilities. This reflects two important and recent trends. First, threat intelligence advances, including the use of artificial intelligence, have helped make it possible to detect these attacks more effectively. And second, internet-connected end-point protection has made it possible to distribute protective software code quickly both to cloud services and other connected computing devices to identify and disable this malware. Ongoing wartime innovations and measures with the Ukrainian government have strengthened this protection further. But continued vigilance and innovation will likely be needed to sustain this defensive advantage.

At Microsoft we’ve detected Russian network intrusion efforts on 128 organizations in 42 countries outside Ukraine. While the United States has been Russia’s number one target, this activity has also prioritized Poland, where much of the logistical delivery of military and humanitarian assistance is being coordinated. Russian activities have also targeted Baltic countries, and during the past two months there has been an increase in similar activity targeting computer networks in Denmark, Norway, Finland, Sweden, and Turkey. We have also seen an increase in similar activity targeting the foreign ministries of other NATO countries.

Russian targeting has prioritized governments, especially among NATO members. But the list of targets has also included think tanks, humanitarian organizations, IT companies, and energy and other critical infrastructure suppliers. Since the start of the war, the Russian targeting we’ve identified has been successful 29 percent of the time. A quarter of these successful intrusions has led to confirmed exfiltration of an organization’s data, although as explained in the report, this likely understates the degree of Russian success.

We remain the most concerned about government computers that are running on premises rather than in the cloud. This reflects the current and global state of offensive cyber espionage and defensive cyber protection. As the SolarWinds incident demonstrated 18 months ago, Russia’s intelligence agencies have extremely sophisticated capabilities to implant code and operate as an Advanced Persistent Threat (APT that can obtain and exfiltrate sensitive information from a network on an ongoing basis. There have been substantial advances in defensive protection since that time, but the implementation of these advances remains more uneven in European governments than in the United States. As a result, significant collective defensive weaknesses remain.

These combine tactics developed by the KGB over several decades with new digital technologies and the internet to give foreign influence operations a broader geographic reach, higher volume, more precise targeting, and greater speed and agility. Unfortunately, with sufficient planning and sophistication, these cyber influence operations are well-positioned to take advantage of the longstanding openness of democratic societies and the public polarization that is characteristic of current times.

As the war in Ukraine has progressed, Russian agencies are focusing their cyber influence operations on four distinct audiences. They are targeting the Russian population with the goal of sustaining support for the war effort. They are targeting the Ukrainian population with the goal of undermining confidence in the country’s willingness and ability to withstand Russian attacks. They are targeting American and European populations with the goal of undermining Western unity and deflecting criticism of Russian military war crimes. And they are starting to target populations in nonaligned countries, potentially in part to sustain their support at the United Nations and in other venues.

Russian cyber influence operations are building on and are connected to tactics developed for other cyber activities. Like the APT teams that work within Russian intelligence services, Advance Persistent Manipulator (APM) teams associated with Russian government agencies act through social media and digital platforms. They are pre-positioning false narratives in ways that are similar to the pre-positioning of malware and other software code. They are then launching broad-based and simultaneous “reporting” of these narratives from government-managed and influenced websites and amplifying their narratives through technology tools designed to exploit social media services. Recent examples include narratives around biolabs in Ukraine and multiple efforts to obfuscate military attacks against Ukrainian civilian targets.

As part of a new initiative at Microsoft, we are using AI, new analytics tools, broader data sets, and a growing staff of experts to track and forecast this cyber threat. Using these new capabilities, we estimate that Russian cyber influence operations successfully increased the spread of Russian propaganda after the war began by 216 percent in Ukraine and 82 percent in the United States.

These ongoing Russian operations build on recent sophisticated efforts to spread false COVID-19 narratives in multiple Western countries. These included state-sponsored cyber influence operations in 2021 that sought to discourage vaccine adoption through English-language internet reports while simultaneously encouraging vaccine usage through Russian-language sites. During the last six months, similar Russian cyber influence operations sought to help inflame public opposition to COVID-19 policies in New Zealand and Canada.

We will continue to expand Microsoft’s work in this field in the weeks and months ahead. This includes both internal growth and through the agreement we announced last week to acquire Miburo Solutions, a leading cyber threat analysis and research company specializing in the detection of and response to foreign cyber influence operations.

We’re concerned that many current Russian cyber influence operations currently go for months without proper detection, analysis, or public reporting. This increasingly impacts a wide range of important institutions in both the public and private sectors. And the longer the war lasts in Ukraine, the more important these operations likely will become for Ukraine itself. This is because a longer war will require sustaining public support from the inevitable challenge of greater fatigue. This should add urgency to the importance of strengthening Western defenses against these types of foreign cyber influence attacks.

As the war in Ukraine illustrates, while there are differences among these threats, the Russian government does not pursue them as separate efforts and we should not put them in separate analytical silos. In addition, defensive strategies must consider the coordination of these cyber operations with kinetic military operations, as witnessed in Ukraine.

New advances to thwart these cyber threats are needed, and they will depend on four common tenets and — at least at a high level — a common strategy. The first defensive tenet should recognize that Russian cyber threats are being advanced by a common set of actors inside and outside the Russian government and rely on similar digital tactics. As a result, advances in digital technology, AI, and data will be needed to counter them. Reflecting this, a second tenet should recognize that unlike the traditional threats of the past, cyber responses must rely on greater public and private collaboration. A third tenet should embrace the need for close and common multilateral collaboration among governments to protect open and democratic societies. And a fourth and final defensive tenet should uphold free expression and avoid censorship in democratic societies, even as new steps are needed to address the full range of cyber threats that include cyber influence operations.

An effective response must build on these tenets with four strategic pillars. These should increase collective capabilities to better (1) detect, (2) defend against, (3) disrupt, and (4) deter foreign cyber threats. This approach is already reflected in many collective efforts to address destructive cyberattacks and cyber-based espionage. They also apply to the critical and ongoing work needed to address ransomware attacks. We now need a similar and comprehensive approach with new capabilities and defenses to combat Russian cyber influence operations.

As discussed in this report, the war in Ukraine provides not only lessons but a call to action for effective measures that will be vital to the protection of democracy’s future. As a company, we are committed to supporting these efforts, including through ongoing and new investments in technology, data, and partnerships that will support governments, companies, NGOs, and universities.

To learn more, read the full report.