Podcast 🎧 & blog: All the lessons from cyber warfare in Ukraine

26.04.2023 | Federico Plantera


We are well over one year into Russia’s ongoing threat to Ukrainian state sovereignty. And from terrain to the digital sphere, it is now clearer than ever before that the aggression has been total. If, in the beginning, the war seemed to take on a more traditional, kinetic shape, cyberattacks have intensified with the passing of the months – and with the staunch resistance of Ukraine’s forces.

This postulates the key takeaway, for international observers and governments alike, that modern warfare features a digital dimension. And who better than e-Governance Academy’s Programme Director of Cybersecurity, Merle Maigre, to take stock of how things have changed for states’ cyberdefense and what are the lessons they carry for governments worldwide.


Maigre: Cyberattacks are not a separate front

Even though it is far-fetched to refer as “wishful thinking” for anything that involves war and conflict, we still had some hopes a year ago. Perhaps that the slow pace of Russia’s aggression would result into failed plans, rather than an increased and diverse intensity of attacks. And as many times throughout this period, worse was instead to be expected.

“I think we can see ourselves as wiser, as today there is much more information out there on Russia’s cyber plans in Ukraine. Back when we discussed the topic a year ago, possibilities to draw conclusions were limited. But today, as we look back to this year of warfare, it is clear that cyberattacks are not a separate front – rather, they represent an extension of the conflict,” Maigre begins with.

Looking at it from a long-term perspective, connecting the dots, we can see how Russia has invested a lot of resources in the scale and sophistication of its cyberweapons. “Since 2014, Ukraine has been the testing ground of Russia’s cyber capabilities. And it’s important to establish that Ukraine continues to absorb a sustained and intensive campaign of operations and network activity from Russia. At least nine new wiper families, and two types of ransomware, have been targeting over 100 private and public sector organizations in the country.”

Attribution does matter, and this is a crucial point for the public to understand. “If we do not attribute and react to these operations, we all become weaker. The risk, here, is excessive optimism and complacency.”


International law applies to cyberspace too – and should keep doing so

In this sense, the public obviously includes governments too. A memo that Kaja Kallas, Prime Minister of Estonia, made sure to clarify just last week from the columns of British newspaper The Economist. While focusing on the mastery and relentlessness of Ukraine’s cyberdefense, PM Kallas hinted too at how the international community should scrutinize and respond to these attacks.

“There is still a sense that bad actors can do what they want in cyberspace. While there have been significant examples in recent years of major cyber-attacks being attributed to foreign governments, it has not necessarily led to a change in behaviour. The complexity of ascertaining who is behind attacks and following up with real consequences still makes some actors see cyberwarfare as an attractive tool,” Kallas said, as per the article. “Existing international law applies fully in cyberspace. […] The digital sphere is not a sideshow but the front line.”

In fact, “the application of international law in cyberspace should not be taken as a separate thing, but rather as a continuation of the regular international law, applying to the regular conflict, and in cyberspace too,” Maigre follows suit in our podcast interview.


Russia’s cyber offense, at a glance

An X-ray of Russia’s cyberwar efforts in Ukraine could better depict the complexity, scale, and diverse nature of the attacking forces. As Maigre explains, analysts have identified three distinct, yet coordinated efforts:

  • One set of efforts focused on destructive cyberattacks within Ukraine;
  • One set aimed at network penetration and espionage;
  • Thirdly, cyber influence operations.

“Russian threat actors have aimed to gain initial access to targets within, as well as outside Ukraine, using the mixed and diverse toolkit cyber hackers usually deploy. They exploit various Internet-facing applications, backdoors, pirated software, and spear phishing. For example, they upload a weaponized version of Windows 10, as it has been observed, to Ukrainian forums – capitalizing on the demand for low cost versions of the software. But in this way, they gain access to government and other sensitive organizations in Ukraine,” Maigre says.

The key actors currently on the digital war theatre can all be traced back to various Russian government-backed groups. Whether for cyber espionage, sabotage of infrastructure, or the spreading of disruptive malware. “And this analysis leads us to the main takeaways from Russia’s cyber offense. Two main ideas come forward,” Maigre highlights.

“Offensive cyber operations, in practice, are actually cyclical by nature. Active periods alternate to gaps in offense. So it is crucial to invest into a layered defense posture that can sustain these attacks. To ensure resilience, in light of a heavier push. Secondly, a notable shift has been triggered in the Eastern European cyber criminal ecosystem. Groups come and go, but the long-term implications of relying on these groups mean an increase in the availability of ransomware as a service, cybercrime as a service.”


Global lessons from Ukraine’s cyber defense

First of all, it is worth highlighting the remarkable resilience Ukraine has demonstrated. “The central lesson to be drawn from Ukraine’s cyber efforts is that it is worthwhile investing into long-term defense. It is clear that Ukraine has been successful at it, because they have started preparing as early as five years ago,” Maigre points out.

“They recognized they were under attack, there was political will, and a clear understanding of who the enemies are. Moreover, they knew that interagency cooperation and coordination was essential, preparing for it to the extent that was possible. Of course, Ukraine’s defense has not been faultless, let’s accept that. But they accepted that no plan survives first contact with the adversary, and it’s their resilience and flexibility that deserves credit.”

“They’ve been forced to make difficult decisions around critical infrastructure, and they’ve been able to do that, for example, by adopting legislation under the war period. Secondly, the ability to absorb external support from EU and beyond has definitely been a factor too,” Maigre explains.

What emerges, is that adequate and resilient preparation in the face of cyberattacks does not come to being overnight. Cyberdefense exercises and drills, such as NATO’s Locked Shields, and international cooperation with virtuous, like-minded actors – they all must play a role in governments’ cyber readiness strategies, crisis-proofing the digital society. The very same wishful thinking, mentioned in the beginning of this piece, would want us to believe that cyberwarfare is only relevant to Ukraine right now. But if the lessons are global, it is because the cyberspace is global – and so are the threats that may come from it.


Interested in improving preparedness and response in the face of cyber crises? Join the discussion Crisis-proofing the digital societyat the e-Governance Conference on 31 May hosted by Merle Maigre, eGA’s Programme Director on Cybersecurity.  And whether in person or online, join us to build better and inclusive digital societies! Together.


Register to the e-Governance Conference!