The Washington Post
Democracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

11 reasons we haven’t seen big Russian cyberattacks yet

Welcome to The Cybersecurity 202! Sinclair Lewis won the Pulitzer Prize for “Arrowsmith” on this day in 1926 — but refused to accept it. Check out this great recent assessment of Lewis in the New York Times Book Review. 

Below: The Conti ransomware gang is shutting down some operations after a devastating data leak, and hackers are targeting groups helping Ukrainian refugees. 

There are many possible reasons why Russia isn't cyber-pummeling Ukraine (yet)

Russia’s brutal military campaign in Ukraine has not been accompanied so far by the sort of cyberwar many experts expected. 

They'd expected the invasion to be accompanied by dramatic hacks shutting off power, jamming communications and bringing industries to a standstill, after years of watching Russia test some of its most dastardly and damaging cyberattacks in Ukraine.

There have been Russian hacks, to be sure, including some that wiped data from computers at Ukrainian government offices and in key industries — but nothing that’s seriously impeded Ukraine’s ability to mount a resistance. 

Here are 11 theories why Russian cyberattacks haven’t been worse. (Obviously, the truth could be a combination of several of these). 

1. Just keep waiting — they’re keeping the good stuff in reserve.

This is the easiest explanation and a popular one among cyber watchers. We’re just one week into the invasion, after all, and a lot can still change. Russia may be holding some significant cyberattacks in reserve for when it really needs them or to undermine some particular aspect of the Ukrainian defense. 

One problem: If an attacking army is going to use cyberattacks, the most useful moment is probably at the beginning of the operation when it can do the most to undermine, confuse and demoralize the adversary, Jake Williams, a former National Security Agency hacker, told Joseph Menn and Craig Timberg recently.

More from Jay Healey, a cyber scholar at Columbia University:

2. Big hacks are happening that we just don’t know about.

This is another popular theory. Some of the most useful work Kremlin hackers could be doing now is surveillance and reconnaissance for military fighters — a lot of which Ukrainians may not have spotted or might not share if they did. 

However: That still doesn’t explain the absence of disruptive and destructive hacks, such as shutting off electricity or jamming communications, which are public by default. 

John Hultquist, threat intelligence lead at the cybersecurity firm Mandiant:

3. Russian hackers weren’t prepared for the invasion.

This could be because the invasion plan was a secret held only by the top ranks of political and military officials and not shared with front-line hackers in Russia’s intelligence agencies. 

Jason Atwell, Mandiant principal adviser for global intelligence: 

4. Russia didn’t think big cyberattacks were necessary.

There are indications that Russian President Vladimir Putin did not expect the amount of resistance Russian troops encountered. His war planners may have believed that major cyberattacks would be an unnecessary distraction from a quick military campaign.

Swarthmore College political science professor Sam Handlin:

5. Major cyberattacks just aren’t that useful during a shooting war.

That’s the conclusion of a lot of close observers of recent military conflicts — essentially that a cyberattack is a far more complicated method to do something that could be done more easily with conventional weapons. 

Here’s an excerpt from a forthcoming article shared with me by the scholars Erica D. Lonergan, Shawn W. Lonergan, Brandon Valeriano and Benjamin Jensen:

“The reality is that even the most sophisticated offensive cyber operations do not have the kind of decisive effect on an adversary’s military capabilities when compared to conventional munitions. Put simply, it’s far easier to target the other side’s capabilities with artillery, mortars, and bombers than with exquisite and ephemeral cyber power.” 

The scholars Lennart Maschmeyer and Nadiya Kostyuk made a variation of this argument in a recent War on the Rocks article. They noted that a series of explosive Russian cyberattacks against Ukraine — including one that briefly shut off power for thousands of people in 2015 — has done little to weaken Ukrainians’ desire to lean to the West or to serve other Russian interests. 

6. Fear of escalating cyber tensions with the West.

This could certainly explain why we haven’t yet seen significant hacks against the United States or its allies in response to several rounds of punishing sanctions. 

It may also make the Kremlin more anxious about indiscriminate cyberattacks that are aimed at Ukraine but could leak out and cause damage elsewhere. That’s what happened with the 2017 NotPetya bug, which Russia aimed at Ukrainian energy firms but leaked out and caused severe damage in other nations. 

However: Putin’s decision to put Russian nuclear forces on alert suggests he’s not overly concerned with escalating tensions now. 

Maggie MacAlpine, security strategist at Cybereason:

7. Russia wants to keep Ukraine’s infrastructure intact for a future occupation.

This could be especially true if Russia is preparing to occupy Ukraine for a long period and is wary of cyberattacks that could do long-term damage to the nation’s industries and economy. 

8. Ukraine’s cyber defenses are working.

The nation has been girding its cyber defenses since the 2014 invasion of Crimea. More recently, U.S. government cyber advisers have helped close some remaining digital gaps. 

But it’s still tough to believe that Kremlin hackers — who are among the most talented in the world — couldn’t cause severe damage if they wanted to. 

9. Global cyber defenders have blunted the worst Russian hacks.

U.S. Cyber Command has made moves to rein in Russian hackers in the past. Most notably, it cut off Internet to the Internet Research Agency troll farm in advance of the 2018 midterm elections. 

But U.S. government hackers tend to be highly precise because of concerns about accidentally damaging things they don’t intend. So it would be difficult to imagine them blocking multiple serious Russian hacking attempts. 

10. Russia’s best hackers are busy spying.

A lot of their focus could be on figuring out how the United States and its allies are responding with sanctions and other punishments and whether there is any tension in the alliance.

Here’s Matthew Olney, director of threat intelligence and interdiction at Cisco Talos: 

“Russia's top cybersecurity teams are likely … obtaining global military and political intelligence versus launching larger visible attacks at this time. We believe cyberattacks aimed at Ukraine have not been the top priority and are instead seeing this actor far more concerned by how the world was coming together to respond.”

11. Kremlin hackers’ hearts just aren’t in the fight.

More from the Wall Street Journal’s Dustin Volz:

The keys

Hackers target groups helping Ukraine refugees

The hackers sent phishing emails to victims all over Ukraine, Forbes’s Thomas Brewster reports. Some of the attacks also targeted European government officials who are working to manage refugee logistics. 

It’s not clear who’s behind the attacks. But there appear to be some connections to a group that was previously tied to Russia’s ally Belarus, researchers at the cybersecurity firm Proofpoint said.

“There was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe,” the researchers wrote. 

The Conti ransomware group shuts down servers but still poses a threat

The group said in leaked chats that it wiped its servers after a massive leak of internal communications, reporter Catalin Cimpanu pointed out on Twitter. A Ukraine sympathizer leaked the files after Conti sided with Russia in its war against Ukraine.

Conti gained notoriety last year for disrupting Ireland’s health-care system. 

Despite the “drama” — an apparent reference to the leaked chats — organizations still need to be on alert for the group’s ransomware, CISA Director Jen Easterly said:

Meanwhile, journalists and researchers continue to sift through the hundreds of thousands of leaked messages. 

The latest revelations: The group’s operations were similar to those of corporations, with employees working five days per week and getting biweekly paychecks, journalist Brian Krebs reports. “Overall, I came away with the impression that Conti is a highly effective — if also remarkably inefficient — cybercriminal organization,” Krebs writes, highlighting the burnout and workforce retention issues plaguing the gang.

Senators fear Russia will use cryptocurrency to evade sanctions

Russia could use ransomware and online marketplaces popular with cybercriminals to “circumvent” U.S. and European sanctions, four Senate Democrats told Treasury Secretary Janet Yellen in a letter per Nextgov’s Mariam Baksh. Yellen addressed the issue at an event Wednesday, saying that federal officials will look into whether there are “leakages” in the sanctions, the Wall Street Journal’s Andrew Duehren reports.

Cryptocurrency analysis firm Chainalysis hasn’t seen major sanctions evasion by Russians on cryptocurrency marketplaces, the firm told Duehren.

The letter was signed by Intelligence Committee Chairman Mark R. Warner (D-Va.), Banking Committee Chairman Sherrod Brown (D-Ohio), Armed Services Committee Chairman Jack Reed (D-R.I.) and Sen. Elizabeth Warren (D-Mass.).

Hill happenings

Portman calls on House to quickly pass major cyber bill

The House needs to “act quickly” to pass a cybersecurity bill that requires critical infrastructure firms to report major hacks to the federal government within three days, Sen. Rob Portman (R-Ohio), said on the Senate floor. Portman, the top Republican on the Senate Homeland Security Committee, co-sponsored the package with Committee Chairman Gary Peters (D-Mich.). The bill unanimously passed the Senate Tuesday.

But the bill is facing some familiar opposition from law enforcement.

The FBI and Justice have long criticized the bill because it funnels cyber incident reports to CISA but not the FBI. That will hamper the FBI from using the reports to investigate crimes and take other actions to aid victims, they say. Advocates for the bill fear looping in law enforcement will raise opposition from industry. 

Deputy Attorney General Lisa Monaco: “This bill as drafted leaves one of our best tools, the FBI, on the sidelines and makes us less safe at a time when we face unprecedented threats. With the right changes, this bill could be a game changer in keeping us safe.”

FBI Director Chris Wray: “The current, well-intentioned bill has some serious flaws. In its current form it would make the public less safe from cyber threats – slowing aid to victims, hampering identification of other companies the same attackers are targeting, and undercutting disruption operations against cyber threats.”

Peters spokesman Jay Bhargava shot back via Politico: “The FBI and DOJ were consulted for months, changes were made to the bill to address their concerns … and 100 senators came together and passed this bill unanimously to move forward with the most significant update to American cybersecurity defenses in our nation’s history.”

Global cyberspace

The propaganda war has eclipsed cyberwar in Ukraine (MIT Technology Review)

Government scan

NSC cyber team joins fight against pandemic fraud (FedScoop)

National security watch

US Navy memo warns of cyber risks amid global tensions (Defense News)

Ukraine conflict spurs questions of how to define cyberwar (CyberScoop)

Daybook

  • Top intelligence and law enforcement officials testify before the House Intelligence Committee on worldwide threats on Tuesday at 10 a.m.
  • CISA Executive Assistant Director Eric Goldstein speaks at a Billington Cybersecurity event on March 10 at noon.

Secure log off

Thanks for reading. See you tomorrow.