Ukraine Conflict: Cyberattacks, Frequently Asked Questions

CyberPeace Institute
  1. What are the main types of cyberattacks on Ukraine since the Russian invasion?

The CyberPeace Institute is tracking cyberattacks that target critical infrastructure essential for the survival of the civilian population and civilian objects, and targets that have been impacted by cyberattacks as a result of the war and its associated economic and geopolitical context.  This information is publicly available on the Cyber Attacks in Times of Conflict Platform #Ukraine.

The war in Ukraine has seen cyberattacks and kinetic weapons used against both military and civilian targets. Such attacks are not new, but the number of attacks and their use against critical infrastructure is cause for alarm. It is the combination of kinetic and cyber operations that is having such an impact: together they shape the information space, disrupt access to information, and destabilize both cyberspace and the civilian population. This contributes to the conditions that cause people to flee their homes.

While cyberattacks are not playing a major role in the tactical advances of either side, they are being used as a means of destruction, disruption and data weaponization, as well as to spread disinformation and propaganda. The conflict has seen a number of cyberattacks on critical infrastructure, such as communication services and electric power stations, in violation of International Humanitarian Law. The energy, mining and financial sectors are seeing significant numbers of attacks, in both Ukraine and Russia, as governments across the world impose or increase sanctions.

So-called “hacktivist collectives” have played a significant role in this conflict. The primary types of attack undertaken by these actors are hack-and-leak operations by anti-Russian actors and distributed denial-of-service (DDoS) attacks on Ukraine’s allies by pro-Russian actors.

Beyond traditional means of propaganda, cyberattacks are being used to spread disinformation and control the flow of information relating to the war. 

  2. Were there cyberattacks on Ukraine before the Russian invasion on 24 February and could they be related to the conflict?

Several cyberattacks occurred in the days before the military invasion of 24 February 2022 that could be related to it, as they temporarily disrupted access to important state institutions. Examples of such attacks are:

  • DDoS attacks that took a number of Ukrainian government websites offline, including those of the Ministry of Defense and the Ministry of Foreign Affairs,
  • DDoS attacks on two of the largest state-owned banks on 15-16 February 2022,
  • DDoS attacks on 23 February 2022 on the websites of several Ukrainian banks and government bodies, including the Ministries of Foreign Affairs, Defense and Internal Affairs, the Security Service of Ukraine and the Cabinet of Ministers.

Attacking important government and state institutions causes disruption, including disruption of civilians’ access to reliable information and to the services they need; this can create uncertainty and panic.

Wiper malware campaigns have been identified targeting Ukrainian entities and organizations, and such campaigns have become a hallmark of the Russia-Ukraine war. Since January 2022, six significant strains of data-wiping malware have been identified targeting Ukrainian entities and organizations: WhisperGate / WhisperKill, HermeticWiper, IsaacWiper, AcidRain, CaddyWiper and DoubleZero. Three of these were first observed being deployed on the day before the invasion or on the day itself. The impact of these attacks has rarely been reported publicly, but they appear to have been deployed primarily against public institutions, financial and energy companies and telecommunications providers in Ukraine.

The AcidRain wiper attack on Viasat’s KA-SAT satellite network on the day of the Russian invasion, which targeted modems in Ukraine, also affected a major German energy company, which lost remote monitoring access to over 5,800 wind turbines.

Ukraine had been the victim of cyberattacks for several years before the February 2022 military invasion. The CyberPeace Institute has documented cyberattacks dating back to May 2014 in its publicly available Timeline of Cyberattacks.

  3. Which successful attacks are thought to have had the biggest impact on the war?

It is the combination of kinetic and cyber operations that is having such an impact: together they affect the information space and access to information, and they are disruptive and destabilizing.

While cyberattacks are not playing a major role in the tactical advances of either side, they are being used as a means of destruction, disruption and data weaponization, as well as to spread disinformation and propaganda; they have contributed to the destabilization of cyberspace.

The conflict has seen a number of cyberattacks on critical infrastructure, such as communication services and electric power stations, in violation of International Humanitarian Law.  This is a cause of alarm as critical infrastructure is essential for the survival of the civilian population. 

The information and communication technology (ICT) sector is one of the most visibly targeted sectors of the war so far. We have documented a number of cyberattacks or campaigns specifically against telecommunication service providers in Ukraine. These attacks take away people’s ability to obtain reliable information on the situation in Ukraine. The energy sector has also been targeted, in particular with attacks whose effects extend to countries beyond Ukraine and the Russian Federation.

The AcidRain wiper attack on Viasat’s KA-SAT satellite network on the day of the Russian invasion, which targeted modems in Ukraine, also affected a major German energy company, which lost remote monitoring access to over 5,800 wind turbines.

  4. How effective has the Ukrainian IT Army been in cyberattacks on Russia?

As background, the Minister of Digital Transformation of Ukraine announced the creation of an army of IT specialists to fight for Ukraine in cyberspace. The Government of Ukraine declared that in the week of 9-15 May 2022, more than 240 Russian online resources were attacked by the IT Army. On its website, which is updated every 10 minutes, the IT Army reports at any one time the number of target websites it has taken offline through DDoS attacks; on 14 June 2022 at 15:56 this number was over 680.

Beyond this, collectives that have publicly declared their allegiance to one party or the other are committing cyberattacks at a rate and scale rarely seen before. For example, since 26 February 2022 the transparency collective Distributed Denial of Secrets has published hundreds of gigabytes of data from predominantly Russian organizations. The Anonymous collective has been particularly active in hack-and-leak operations against Russian and pro-Russian organizations since the start of the year. The CyberPeace Institute has documented dozens of incidents self-attributed to Anonymous.

  5. What are the risks when cyber collectives engage in cyberattacks?

Cyber collectives have played a significant role in cyberspace during this conflict. The primary types of attack undertaken by these actors are hack-and-leak operations by anti-Russian actors and DDoS attacks on Ukraine’s allies by pro-Russian actors. Many of these attacks take place in the geopolitical and economic context of sanctions, weapons supplies and ongoing NATO membership negotiations.

The participation of loosely affiliated individuals in conducting cyberattacks during an armed conflict sets a dangerous precedent for any future conflicts, and poses many challenges, including the risk of escalation.  It is critical that the laws of war are respected, as these are the basic rules of humanity.  This is an obligation for all parties to the conflict. Respecting the law is important to save lives and reduce suffering.

International humanitarian law makes a clear distinction between civilians and members of the armed forces, and sets out what it means for a person to participate directly, as opposed to indirectly, in an armed conflict.

According to the International Committee of the Red Cross (ICRC) 2009 Interpretative Guidance on Direct Participation in Hostilities, “Persons take a direct part in hostilities when they commit acts aimed at supporting one party to the conflict by directly causing harm to another party, either by directly inflicting death, injury or destruction, or by directly harming the enemy’s military operations or capabilities. If and for as long as civilians commit such acts, they take a direct part in hostilities and lose their protection against attack.” 

  6. Could cyber warfare escalate and what might the consequences be?

What is extremely worrying is that with cyber operations the potential for escalation is significant. It is important to document such attacks wherever they occur, as they pose real threats to people, critical infrastructure and the functioning of society. Attacks on infrastructure such as energy, water and sanitation facilities, healthcare, financial institutions, transport and communication services can have devastating consequences for the civilian population. Beyond the risks to critical infrastructure and civilian objects, cyberattacks sow distrust and limit access to accurate information or spread false information.

With cyber operations, the challenge is that the interconnected nature of infrastructure, its inherently dual-use nature, and the difficulty of assessing the impact (and unintended consequences) of attacks using cyber tools make it extremely difficult to assess the potential harm to civilians.

Cyberattacks conducted in the context of this war have wide ranging consequences on the safe, secure and trusted use of technology. 

Advancing responsible State behavior in cyberspace is essential to ensuring an open, free, stable and secure cyberspace. 

  7. What does the armed conflict between the Russian Federation and Ukraine mean for the work of the CyberPeace Institute?

Through the Cyber Attacks in Times of Conflict Platform #Ukraine, which broadens the scope of monitoring and replaces the Ukraine: Timeline of Cyberattacks, the CyberPeace Institute is tracking how cyberattacks and operations are, and have been, targeting critical infrastructure and civilian objects. This is important in order to identify harm and risks to civilian populations.

It is important to document such attacks as they pose real threats to people, critical infrastructure and the functioning of society. 

The targeting of critical infrastructure raises particular concern as this infrastructure is essential for the survival of the civilian population. Attacks on infrastructure such as energy, water and sanitation facilities, healthcare, financial institutions, transport and communication services can have devastating consequences on the civilian population.

Beyond the risks to critical infrastructure and civilian objects, cyberattacks sow distrust and limit access to accurate information or spread false information. They can also be highly disruptive and create a sense of fear and uncertainty and even lead to the displacement of people.

Collecting information about cyberattacks and operations is important in order to call for people to be spared from attack, to recall the legal obligations that parties to a conflict must adhere to (e.g. the rules of international humanitarian law), and to document the harm to people. In the future, it will be important to use this information to call for developments or clarifications regarding the use of cyber operations in armed conflicts, and for accountability.

Cyberattacks and operations carry significant risks beyond the conflict in Ukraine itself, owing to the interconnectedness of cyberspace. Because the effects of cyberattacks can be indiscriminate, a cyberattack in Ukraine could affect other countries, for example through malware that spreads beyond its intended targets. Cyberattacks may also originate from individuals or groups that are not direct parties to the hostilities. Such attacks may be considered direct participation in the hostilities, and are thus subject to the rules of international humanitarian law.

  8. Does the law prohibit the use of cyber as a weapon?

Some states have developed offensive cyber capabilities, and thus cyber operations are a reality of armed conflicts today. Like any other weapon used in armed conflict, the use of cyber tools is subject to restrictions. International Humanitarian Law (IHL) applies to cyber operations during armed conflicts.

International Humanitarian Law has been formulated so that it applies to all forms of warfare and to all kinds of weapons. The basic rules are clear and apply to any weapon, including cyber operations, in armed conflict: targeting civilians and civilian objects is forbidden; indiscriminate weapons and attacks must not be used; attacks that are disproportionate (i.e. expected to cause civilian harm that is excessive relative to the anticipated military advantage) are prohibited; and medical services must be respected and protected. This law aims to save lives and reduce suffering.

To give an example, this means that just as a party to an armed conflict is prohibited from using a missile or other weapon to attack a hospital, it is prohibited from conducting cyberattacks against a hospital, e.g. to destroy its computers, disable medical equipment and networks, or destroy or steal data.

  9. What is the CyberPeace Institute calling for?

The CyberPeace Institute calls upon all actors to spare civilians, civilian objects and infrastructure which are ensuring the delivery of essential services in line with commitments, norms and international humanitarian law.

Parties to the armed conflict in Ukraine have a responsibility under international humanitarian law to respect the civilian population and other protected persons, civilian objects and infrastructure essential to survival. (This means parties to the armed conflict must respect the four Geneva Conventions of 1949 and the first Additional Protocol of 1977.)

The important legal principles of distinction (distinguish at all times between military objectives and civilian objects) and proportionality (prohibit attacks expected to cause excessive civilian harm) must be respected. These principles also have a direct bearing on cyber operations during armed conflicts in order to protect the civilian population against the effects of such operations.

In addition, the CyberPeace Institute is calling for restraint in the use of cyber, as well as in other attacks. 

Harm to civilians during military cyber operations in armed conflict must be avoided. With cyber operations, the challenge is that the interconnected nature of infrastructure, its inherently dual-use nature, and the difficulty of assessing the impact (and unintended consequences) of attacks using cyber tools make it extremely difficult to assess the potential harm to civilians, and hence to judge whether the harm caused to civilians is proportionate or excessive relative to the military objective.

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.
