
By Konstantinos Fouzas
Have you ever wondered how wars start? Sure, there might be some tension between countries, or one might declare war on another, but when does it really start? For most people, wars most likely start with the first act of aggression. If we look back at the previous century, we can see this pattern on several occasions. The First Balkan War would not have started for Greece if Greek divisions had not taken part in the Battle of Elasson on the 6th of October 1912, even though war had been declared on the Ottoman Empire a few days earlier. Similarly, World War I would not have begun if it had not been for the assassination of the archduke of Austro-Hungary in 1914, in the streets of Sarajevo. Moreover, if you were a German soldier guarding a radio station on the German-Polish border in 1939, you would have been surprised to see Polish soldiers firing at you; it was later revealed that SS troops dressed up as Polish soldiers staged the attack to justify the invasion of Poland. The Russo-Ukraine war is no different from the examples presented above… or is it?
We all know that on February the 24th, 2022, Russia began a “special military operation” against Ukraine. Russian ground troops advanced into Ukrainian territory, missiles were fired at Ukrainian targets and a fierce war started that is still being fought 3 years later, even as I write these words. But what most people don’t know is that the first “shots” were fired hours before. On February the 23rd, malicious actors launched a cyber attack against Ukraine. The cyber weapon used was called Foxblade, aka HermeticWiper, an eraser program that would attack Ukrainian systems and, if successful, completely delete their hard drives. But could we consider this attack of similar importance to a bombardment or a beach landing operation?
To answer this, we need to examine recent conflicts and the cyber-warfare capabilities that have been developed. The first one would be the Russo-Ukraine conflict. Cyber operations didn’t start in 2022. The most notable one was in 2015, when the BlackEnergy trojan was deployed against a power grid in western Ukraine. This malicious application would cause denial of service (DoS) on the infected machines. Another devastating attack worth mentioning is the NotPetya malware (2017). It started in Ukraine and spread across multiple countries, due to the self-spreading nature of the malware. If you were a victim, you would see a black screen with red letters telling you not to power off your computer because the “C:\” drive was repairing itself. Five minutes later you would find out the truth and prepare to buy a new system. Of course, Russia denies any relation to these attacks, while Ukraine and the USA directly blame it. The blurry nature of these attacks also stems from the fact that many hacktivist groups (pro-Russian or not) claim them as their own. To this day these attacks can’t be attributed to anyone with certainty.
During the last 2 years many reports have shown that Russia uses cyber operations in coordination with conventional warfare. In one example, on February 28, 2022, a malicious threat actor compromised a Kyiv-based media company. One day later Russia performed missile strikes against the Kyiv TV tower. Later the same day, Kyiv-based media companies faced destructive attacks and data exfiltration. Another example would be the attack on supply chains and logistics that happened in May of the same year. At first, the IRIDIUM group (a Russian hacker group attributed to the GRU agency) launched a destructive attack on a Lviv-based logistics provider on April 19. On April the 29th, IRIDIUM struck again, conducting reconnaissance against the transportation sector network in Lviv. Four days later, on May 3rd, Russian missiles struck railway substations, disrupting transport services. This coordinated method seems to be the most effective for cyber operations.
On the other hand, research has shown that Ukraine was not ready for this kind of warfare but quickly adapted to it. In the early days of the war Russia targeted Ukrainian data centers with air and missile strikes. This proved to be a huge problem for the defending side, since their “Confidential” network was not cloud-operated. All the information was stored on premises. Microsoft saved the day when it offered to store all the data in its cloud. In addition, Microsoft helped Ukraine fight back by providing Incident Response services, continuously monitoring the attack surface and patching vulnerabilities in critical infrastructure. We can deduce that cooperation between the public and private sectors is a must in these situations.
The most interesting aspect of cyber warfare in this conflict is the choice of targets. One would think that military infrastructure and systems (counterforce) would be the primary objective. The truth is, most of the attacks target government services, media, telecommunications, energy production and banking/financial services (countervalue). The army does not even make it to the top 5. The reason is that the attackers’ main goal is to use cyber attacks for propaganda and espionage. It is very difficult for destructive cyber operations, as fancy and impressive as they might seem, to achieve 100% of their goal. As a result, the offensive side would prefer to silently keep access to a compromised network and gather important information, rather than attempting a huge blow and revealing itself. Cyberwarfare is not offense dominant, but as the war progresses it might become defense dominant. Defenders patch their systems, monitor their networks, learn the attackers’ habits and apply more defenses. As such, malicious actors find it more difficult to operate.
Finally, hacktivism has played a crucial role in this conflict. Conventional warfare might involve 2 sides. Cyber warfare doesn’t. There are hacker groups that support Ukraine, there are others that support Russia and of course there are those with their own agenda. The most well-known APT group, Anonymous, has claimed to have performed at least 3 hacks and 24 data leaks against Russia since the beginning of the war. They have openly come out in favor of Ukraine and support the country with such offensive operations. Cyber was introduced in 2018 as a new war domain by the USA DoD, highlighting its growing importance. Although cyber operations are at an early stage and there is no doctrine to define their most effective usage, countries like Russia, Israel, Iran and the USA are trying to get an initial foothold and prevail in this new domain. Conventional warfare will never be abandoned due to the nature of war, but who knows? Maybe 20 years from now, when even keyholes are connected to the internet, a soldier might only need USB thumb drives instead of crowbars or rams to breach a secure position…