How the Ukraine War Has Changed Russia’s Cyberstrategy 

Defensive measures and disarray have hampered Moscow’s abilities, but that could change.

A Ukrainian soldier uses the internet on his smartphone at a base in the Donetsk region on Feb. 23, amid the Russian invasion of Ukraine. YASUYOSHI CHIBA/AFP via Getty Images

Over the years, Russia has built up one of the world’s most formidable cybercriminal ecosystems, with Russian hacker groups linked to disruptive cyberattacks including takedowns of one of the United States’ most critical oil pipelines and the world’s largest meat producer.

Now, Russia’s war in Ukraine has thrown that ecosystem into disarray, according to multiple new reports. The yearlong war has led to a splintering of many cybercriminal groups in both countries—and in Russian ally Belarus—along political and ideological lines. Russia’s brain drain of technology professionals as a result of the war has further weakened its capabilities, according to a report released Friday by the cybersecurity firm Recorded Future. 

“Cybercrime … is entering into a new era of volatility as a result of Russia’s war against Ukraine,” the report reads. Google researchers reached a similar conclusion in a separate report this month, finding that “[w]hile ransomware groups continue to be disruptive, the ecosystem itself has been disrupted with some groups declaring political allegiances and prominent operators shutting down.”

Ransomware attacks, in which hackers gain control of an organization’s computer systems and demand large sums of money to return access, were among the biggest concerns when Russia invaded Ukraine a year ago. While there were some isolated ransomware attacks on Ukraine and Poland late last year that Microsoft attributed to Russian military-affiliated hackers, attacks on the scale that hit Colonial Pipeline and meat processor JBS in 2021—resulting in millions of dollars of ransom payments—have largely been absent from the conflict. Ransomware payments declined by double-digit percentages across the board in 2022, according to cybersecurity firms and analysis groups. 

“In general, we’ve seen disruptions to every single commodified form of cybercrime,” said Alexander Leslie, a threat intelligence analyst for Recorded Future’s research arm Insikt Group. “It’s pretty incredible to see the scale at which dark web forums, shops, and marketplaces have been disrupted, not only by the conflict but by political differences, by IT brain drain.”

The drop in ransomware attacks is also reflective of a relative shortfall of Russian cyberattacks more broadly in the context of the war. Fears of large-scale digital disruption to Ukrainian and Western infrastructure have thus far not been borne out in the first year of the war (though not for lack of trying—Google said Russia increased targeting of Ukrainian users by 250 percent in 2022, compared with 2020, while targeting of users in NATO countries went up 300 percent).

Experts say this is not necessarily an indictment of Russia’s cybercapabilities but rather an effective Ukrainian cyberdefense, shored up by Western allies—much as on the ground militarily—and private sector companies including Google, Microsoft, and Amazon. 

That support was “crucial” to keeping Ukraine’s cyberspace relatively unscathed, said Nadiya Kostyuk, a professor at the Georgia Institute of Technology whose research focuses on modern warfare and cyberconflict. “Even though Ukraine has been building its cybercapabilities since at least 2014, they are still inferior to those of Russia,” she said, adding that Microsoft and other firms “played an important role defending Ukraine’s cyberspace and building better resilient networks and systems.”

Russia still has tools at its disposal, however, including so-called hacktivist groups that are nominally independent but are increasingly being co-opted by Russia’s military and government. Some Russian lawmakers have reportedly proposed releasing the country’s cybercriminal groups from legal liability, which would effectively make their connection with the Russian state more overt than it has been in the past. 

“Russia for over a decade has said that attackers in a geopolitical conflict or in a period of crisis targeting a Russophobic or an adversarial nation are just cybercriminals—they’re patriotic independent hackers that have nothing to do with the Russian state whatsoever,” Leslie said. 

“When it comes to Ukraine, at least in 2022, the ability to augment Russia’s cybercapabilities with nonstate actors was very limited. … This move for plausible deniability hasn’t really worked.”

And while large-scale destructive cyberattacks have not played as big a role in the conflict, Kostyuk said the effectiveness of Russia’s other cybercapabilities—particularly espionage—is not yet known. “Throughout the war, the Kremlin used the internet to collect information and intelligence,” she said. “Russia’s invasion in Ukraine demonstrated that cyberconflict is less about being an important virtual combat theater but more about being a separate set of intelligence contests and information operations.”

Governments and private companies that have played a key role in defending Ukraine cannot afford to drop their guard as the conflict drags on into its second year, with Russia having shown the ability to play the long game, said Samantha Lewis, the manager of strategic geopolitics at Recorded Future’s Insikt Group.

“There is always the threat that they’ve been withholding capabilities. I would be shocked if we were to find out that Russia had actually used the best of its best,” she said. 

“I don’t think Putin’s threat calculus has changed, and I think that the [Russian] strategy of continuing this protracted conflict until the West gets bored of supporting [Ukraine is] … more likely. But the concern is that if at some point they just decide they are going to launch those withheld operations, if they do exist, that sort of does keep me up at night.”

Rishi Iyengar is a reporter at Foreign Policy. Twitter: @Iyengarish
