As the war in Ukraine progresses, there have been several offensive cyber operations linked to Russian organizations against Ukrainian civil, military, and corporate infrastructures. Cybersecurity and intelligence professionals were initially surprised by the lack of large-scale and complex cyber attacks in support of Russia’s kinetic activities at the outset of the war. Yet while Russia has so far refrained from conducting or failed to achieve the kind of large-scale attack as when it shut down a portion of Ukraine’s electrical grid in 2015, Russian-linked cyber operators did disrupt Ukrainian communication services in February by hacking Viasat’s satellite network.

Viasat is an American corporation that provides ground and space-based broadband communication services, with a significant market presence in Europe. While cybersecurity agencies such as the National Security Agency (NSA) and the French National Agency for the Security of Information Systems (ANSSI) continue to investigate the Russian government’s involvement, with others formally attributing the attack to Moscow, the Viasat communication disruption appears to have preempted the military assault on Ukraine by only a few hours. Security and intelligence officials should take note, as even though the impact of this incident was contained, it demonstrates how technically advanced adversaries are committed and capable of leveraging offensive cyber activity as an enabler of physical operations preceding and at the onset of conflict.

Technical Analysis and Anatomy of the Attack

The attack became public on Feb. 24, 2022, after thousands of Viasat ground terminals—which house modems that act as a conversion bridge between satellite communications and Internet-based networks—were taken offline by an apparent software supply chain attack delivering a Wiper malware variant to the Viasat modems. It is not yet clear how the hackers breached subsidiary resources associated with Viasat’s networks, but it appears that a malicious software package was uploaded to a server where customers could either retrieve firmware updates for the modems or where automated patches were pushed to customer devices. In either case, the package contained an Executable and Linkable Format (ELF) binary capable of deleting data from a range of storage devices. The malware attempts to perform an in-depth wipe of several file systems, and if the code is running as root–which is considered a privileged top-level system access–the malware dubbed “AcidRain” executes a broader overwrite function that can delete data that it can access.

The technical impact of the attack prevented thousands of Viasat modems from accessing the company’s European KA-SAT network—backboned by the geostationary KA-SAT communications satellite. Customers with impacted modems were abruptly disconnected from the network, with Viasat confirming that a segment of the attack targeted customer premise equipment (CPE) physically located in Ukraine. CPE resources are typically associated with terminal, network, or telecommunications gear that sits at the subscriber’s premises beyond the provider’s wider network.

In March 2022, Victor Zhora, Ukraine’s Deputy Chairman of the State Service of Special Communications and Information Protection, noted that the cyber attack resulted in a “huge loss in communications in the very beginning of the war.” Viasat confirmed publicly that this cyber incident resulted in 30,000 new modems being distributed to impacted customers in addition to “several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe” losing network service.

Explanations for Limited Cyber Disruptions in Ukraine

Military analysis and cybersecurity literature for years predicted scenarios where armed conflict would be preempted or paralleled by significant cyber activity targeting critical infrastructure, government, and military systems. This has certainly occurred during the Russia-Ukraine war and by several measures a parallel cyber conflict is also ongoing. Yet the scope and scale of the Viasat attack—among many others—have not yet reached a level of strategic disruption many would have expected.

There are many plausible explanations for Russia’s limited cyber operations in Ukraine to date.

First, large-scale cyber operations require significant resources. Russia’s attack on Ukraine’s electrical grid in 2015, for example, was a highly orchestrated IT and industrial engineering operation that required significant time, human capital, and technical resources—not only for execution but also for development. The strategic gain of expending resources on a cyber operation when similar results could be delivered via a kinetic strike changes the decision nexus of military and intelligence leaders. This is a factor that may reduce the utility of cyber attacks in the context of an active armed conflict in the current war and in future conflicts.

Relatedly, planning and executing complex cyber attacks may divert resources away from other important war-sustaining activities, such as intelligence collection, counterintelligence, and defensive cyber activities. Even assuming that Russian operators have the technical capability to launch sophisticated cyber attacks, decision makers must weigh the resources devoted to executing and sustaining these attacks with other policy priorities.

Finally, Moscow may hesitate to launch strategic-level cyber campaigns in Ukraine due to the “use-and-lose” proposition–the notion that making a piece of malicious code, exploit, or tool public after use invariably leads to its availability for security analysis. While many organizations lack the resources needed to thoroughly analyze cyber operations–including through cyber threat intelligence programs, deep software, and hardware asset inventory awareness and comprehensive patching procedures–sophisticated cyber powers likely would be able to do so. As a result, it is possible that Russian cyber actors are saving novel exploit kits or zero-day vulnerabilities for future conflicts against peer or near peer adversaries.

It is also worth noting that the Ukrainian security services have significantly improved their cybersecurity defenses against Russian attacks, in part due to training and cooperation from western partners. As a result, even though Russia has sought to achieve strategic-level cyber disruptions, these attacks have either failed to achieve a large-scale impact or been prevented altogether. Indeed, Ukraine’s own cyber security reposturing post-2015 has directly raised the opportunity costs for Russia to execute sustained disruptions, which may have subsequently reduced the capability gap that existed previously.

Bottom line for Cybersecurity Leaders

National security and intelligence officials need to understand the Viasat attack for what it truly represented—a demonstration of adversaries looking to induce strategic-level cyber disruptions preceding armed conflict. While that objective may not have been achieved in this attack, or across this war to date, resilience and redundancy measures for key systems, services, and infrastructures should be developed under the assumption that there will be technically-capable and persistent efforts to induce IT disruptions at a national scale. Policymakers have begun to prioritize this matter, as evidenced by the infrastructure security improvements in Ukraine since 2015 or the creation of the Cybersecurity and Infrastructure Security Agency (CISA) in the United States in 2018. These are important advancements that are occurring around the world, and countries such as Australia, Canada, and the United Kingdom are already participating in intelligence-sharing and communications operations to warn critical infrastructure operators about possible threats. The challenge still remains at the operational level, however, where there are thousands of private and public infrastructure operators with different IT and industrial operational technology systems that differ in security and functionality across sectors, companies, and countries. The positive change occurring at the policy level will now need to be reflected at the technical level across multiple critical industries.

Anticipating the existence of offensive cyber activity preceding and at the onset of conflict is an important first step for leaders, but improving resilience for vital national systems will require more technical, human, and financial resources than are currently being committed. The impact of the Viasat disruption should be taken as a warning of the potential for cyber warfare activities in the context of traditional armed conflict, rather than a failure to induce a prolonged strategic impact in Ukraine.

All views and opinions expressed in this article are the author’s own. 

Image: Futuristic server room and data (via GettyImages).