The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Did Russia mess up its cyberwar with Ukraine before it even invaded?

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! “How Fast Did T. Rex Run?” is one heckuva book title and an appealing-sounding tome, but saved you a click: It didn't run very fast, and you probably could get away from it pretty easily.

Below: Pelosi's visit to Taiwan is still stirring things up on the cyber front, and senators hear about threats to election workers.

Ukrainian officials say Russia jumped the gun in cyberspace

Jan. 14 was a rough day for the Ukrainian government: Destructive malware wiped out computers at two agencies, and hackers temporarily took down dozens of agency websites and left a message on the Foreign Ministry site to “Be afraid and expect the worst.”

Now, though, Ukrainian officials say that the assault was a huge miscalculation on the Russians’ part. They actually undermined potential future digital sabotage campaigns by exposing the covert access they had gained, and the incident made it easier for Ukraine to recover from attacks once an invasion began in earnest one month later, the officials say.

“They could have waited for the beginning of the war and if it had happened it would have been a disaster,” said Victor Zhora, deputy head of Ukraine’s main cybersecurity agency, the State Service of Special Communications and Information Protection.

Zhora spoke to my colleague Ellen Nakashima and myself in a pair of recent interviews. Illia Vitiuk, who heads the state security service’s cybersecurity department, also spoke to Ellen.

Their accounts could shed some light on the mystery of why Russia hasn’t overwhelmed Ukraine in cyberspace, although independent experts differ on the plausibility of the Ukrainian claims. And the Ukrainian officials didn’t attribute the minimal Russian cyber operations to the mistakes of Jan. 14 alone, citing outside defensive help, among other factors. 

Zhora said Russian hackers had access on Jan. 14 to Kitsoft, an IT vendor that has developed websites for the Ukrainian government. (Kitsoft has said not all the hacked sites ran its software.) “It’s really fantastic access they got and they burned it,” he said.

Russia-based, government-affiliated hacking groups shared their digital access with military intelligence, Vitiuk said — an unusual situation. “They combined everything,” he said.

“They burned all their accesses,” he said. “After that, they started to achieve new ones and burned those as well.”

He explained that now the Russians are constantly working “off the cuff,” which, he said, makes it difficult to regain access without having time to prepare and with the Ukrainians having raised their defenses.

“The hacks gave us some lessons in terms of how to respond, how to coordinate,” Zhora said. “So it was a good exercise for us.”

Russia’s thinking

Both officials could only speculate why Russia did what it did on Jan. 14. Zhora said it amounted to a “psyops” mission targeting the Ukrainian public in an attempt to sway Ukrainians into thinking that Russia was too strong.

“So the idea was to indicate that, ‘We have great power. We can do anything in cyber, battlefield, whatever,’ ” Zhora said. Russia underestimated the kind of fight Ukraine would put up, instead expecting an easy invasion, so there was no need to hold anything in reserve, Zhora and Vitiuk said. U.S. intelligence officials have likewise concluded that Russia anticipated less resistance.

Those Jan. 14 missteps have had a lasting impact on Russia’s cyber operations, the pair said. When Ukraine’s “IT Army” (a group of hackers the Ukraine government says it has no connection to) took down Russian YouTube clone RuTube for three days in May, Russia didn’t retaliate.

“If they had accesses, something in their pockets, aces in their sleeves, once RuTube was embarrassing for them, they should have a response, like, ‘Don’t do that again,’ ” Vitiuk said. “But there were no responses from them, there were no significant cyberattacks after this … So probably if they could do something they would. So they have nothing ready for now. That’s how I see it.”

That doesn’t mean Ukraine should rest easy in cyberspace, Vitiuk said.  

“We don’t know how the situation may change in a year, two years, five years,” he said. “So we have to be aware and prepared. Saying, ‘Oh Russia, they cannot do anything’ — that wouldn’t be wise. We can’t let our guard down.”

Ukraine remains focused on protecting government operations, energy companies, financial services firms and telecom providers, Zhora said. He also said Russian hackers have still shown signs of innovation, such as with the modified Industroyer 2 malware, an update of the malware Russia used to take down the Ukrainian power grid in 2016.

Foreign allies and private sector companies also have helped fortify Ukraine against Russian cyberattacks, Zhora said.

Cyber experts differ on how much of a role Russia’s Jan. 14 burnt accesses have played since.

  • “In that characterization, it sounds a bit over-exaggerated. I would not characterize that statement as a broad generalization,” said Eric Chien, a security researcher for the Symantec Threat Hunter Team, citing a steady stream of successful attacks during the invasion.
  • “That’s consistent with a lot of different possible theories,” said Jon Bateman, a senior fellow in the Technology and International Affairs Program at the Carnegie Endowment for International Peace and a former Pentagon cybersecurity official. Citing reports on Russia’s lack of “reserve” cyber capabilities, Bateman said, “I think that [burned access] is one good explanation for what’s happening.”
  • “It doesn’t strike me as plausible,” said Dmitri Alperovitch, chairman of the Silverado Policy Accelerator. “Access is easy to reacquire.”
  • “It’s possible,” said John Hultquist, Mandiant’s vice president of intelligence analysis. “When you’re carrying out these sort of overt incidents you trade covert access.”
  • Said one U.S. official, speaking on condition of anonymity because of the matter’s sensitivity: “The burning of the access was immaterial because if access is easy to achieve and regain, then burning it brings a minimal cost.”

The keys

Nominee for cyber ambassadorship gives vision for post

Nate Fick, who President Biden nominated to be ambassador at large for cyberspace and digital policy, argued in his nomination hearing that the State Department should play a greater role in international technology and cybersecurity policy, CyberScoop’s Suzanne Smalley reports. If confirmed, Fick would take over a new office at a time of significant cybersecurity challenges and threats, this newsletter previously reported.

The State Department should work to partner with allies to integrate secure infrastructure in their networks, try to boost diplomats’ digital skills and play an important role at the interagency table when it comes to cybersecurity and tech policy, Fick said at the hearing.

Several government agencies have a role in cybersecurity policy. “CISA has a strong presence here, the White House has a strong presence here, the Defense Department has a strong presence here,” Fick said. “The State Department has not, and I believe that diplomacy should be our tool of first resort.”

More hacktivists react to Pelosi’s Taiwan visit

Hackers who said they were affiliated with Anonymous defaced a website belonging to the Heilongjiang Society Scientific Community Federations to say that Taiwan “welcomes” House Speaker Nancy Pelosi (D-Calif.) to the self-governing island that China considers its own territory, Motherboard’s Lorenzo Franceschi-Bicchierai reports. Meanwhile, a Taiwanese rail station and convenience stores on the island were defaced with messages calling Pelosi a “war monger” and “old witch,” the island’s national news agency reported.

The hacks came after the website of Taiwan’s presidential office was knocked offline — probably by “hacktivists” using the low-skill technique of overloading a website with fake traffic.

Taiwan expects to see increased use of “psychological warfare” to sway people’s opinions, cabinet spokesman Lo Ping-cheng told reporters, per Reuters. “We are seeing psychological warfare that is stronger than ever before, and it will intensify in the coming days,” Lo said.

Cybersecurity firm Mandiant today released information on a campaign involving at least 72 “suspected inauthentic news sites” and social media personas that spread content criticizing the United States and promoting narratives aligned with the Chinese government. It notably linked the campaign to a Chinese public relations firm, a potential indication that information operations are being outsourced to third-party firms that make it harder to tell who is behind the campaigns.

Election workers reported more than 1,000 threats over the past year

The threats led to federal prosecutors pressing charges in five cases and getting one conviction, my colleagues Perry Stein and Tom Hamburger report. Those stats were laid out at a Senate Judiciary Committee hearing on the findings of a Justice Department task force focused on threats to election workers. Officials say that the threats have sharply risen since former president Donald Trump and his allies falsely claimed that the 2020 election was stolen. 

Kim Wyman, a senior election security adviser for the Cybersecurity and Infrastructure Security Agency, grew emotional as she detailed the importance of election workers and the challenges they face,” Perry and Tom write. “New Mexico Secretary of State Maggie Toulouse Oliver (D) testified that many people no longer want to be election workers and said she fears some states won’t have enough poll workers to run a fair election in the upcoming cycles.”

Government scan

NIST, CISA finalizing guidance for identity and access management post-SolarWinds (FCW)

Privacy patch

Kids are back in classrooms and laptops are still spying on them (WIRED)

Global cyberspace

UK parliament closes TikTok account a week after launch (Financial Times)

Cyber insecurity

Thousands of Solana wallets hacked in crypto cyberattack (Wall Street Journal)

Environmental hacktivists publish 2 terabytes of mining company emails (CyberScoop)

Hill happenings

Corporate lobbying could imperil sweeping data privacy bill (The Hill)


  • The Senate Judiciary Committee holds a hearing on oversight of the FBI today at 10 a.m. 
  • The Center for a New American Security hosts an event on U.S.-South Korea cooperation on cyber-enabled financial crime on Tuesday at 9 a.m.

Secure log off

Thanks for reading. See you tomorrow.