The battle on Ukraine’s cyber frontline

Kenneth R. Rosen


In this edition, the cyber threat and response landscape–for criminals and governments–has become more robust.

Sign up here to receive Fallout in your inbox.


From the frontlines last year, I wrote a dispatch about the ways in which the war in Ukraine, when it first began in 2014, was one of technological innovation and subversion. As Russian forces moved across eastern Ukraine, among their primary targets was one unique to this century. The occupying forces captured internet infrastructure and routed it back to Russia. It is not enough anymore to annex land and physical space: Complete control is only achieved by annexing cyberspace as well.  

Files leaked this March revealed how a company called NTC Vulkan bolstered Russian President Vladimir Putin’s cyberwarfare capabilities by training operatives, spreading disinformation, guiding Kremlin personnel on how to manipulate and surveil sections of the internet and exercising control over the internet in places it had conquered like Kherson and Donbas.

Russia, essentially, extended the Kremlin’s oppressive internet policing and censorship to include all Ukrainians in the occupied territories. Although it was under near-constant digital — and physical — attack, Ukraine was not the only target of Russia-based or Russia-backed hacker networks. NATO countries and nations supplying weapons and logistical services and lending support to Ukraine also came under fire. Last month, distributed denial of service attacks, which overwhelm servers with requests to cripple the network, hit Finland’s parliament on the day it joined NATO and targeted Hungary after it ratified Finland’s decision to join the alliance. On April 21, European air traffic controllers said they had been fighting off attacks by pro-Russian hackers for a couple of days. 

As Shane Huntley, a senior director at Google Threat Analysis Group, wrote in a recent report: “Russian government-backed attackers have engaged in an aggressive, multi-pronged effort to gain a decisive wartime advantage in cyberspace.” There has been, Huntly told me via email, “an increased focus on critical infrastructure protection,” a realization for the first time in the history of warfare that some of the most critical infrastructure is in cyberspace.


Cyber operations, known sometimes as hybrid warfare or informational warfare, have been both devastating and distracting since Russia launched its war in Ukraine. 

Ukraine had battled digital incursions for years. But the recent trove of leaked NTC Vulkan documents revealed the scale at which those efforts have grown leading up to Russia’s invasion. The company worked with the top three-letter spy agencies in Russia: the FSB, the domestic spy agency and the successor organization to the KGB, the GRU, the intelligence division of the armed forces, and the SVR, Russia’s foreign intelligence organization.

The documents revealed the group’s connection to two blackouts in Ukraine, a disruption at the South Korean Olympic games and the launch of NotPetya, the malware that wreaked economic and financial havoc around the world in 2017. An analyst with Google said that Vulkan was also behind the malware known as MiniDuke used to cyber attack 23 countries a decade ago. The SVR used MiniDuke in phishing campaigns helmed by the military unit known as 33949, which contracted multiple projects to Vulkan.

One significant effect of the invasion, Huntly noted in his report, has been that the “lines are blurring between financially motivated and government based attackers in Eastern Europe, with threat actors changing their targeting to align with regional geopolitical interests.” It’s made rooting out cybercrime more complicated.

“Cybercriminals now specialize in different parts of the attack cycle such as providing infrastructure, providing credentials, installation onto victim machines and handling payments,” Huntley told me. “An operation now may involve a considerable number of individuals so attribution could be difficult.”


Ukraine’s Ministry of Digital Transformation has pledged to offer all of its public services online, including providing digital documents and registrations. When Russian forces began routing internet connections back to Russia, they were simultaneously bombing critical infrastructure, including data centers. The Ukrainian military took to using mobile backup centers to keep the government’s many web-based services online.

Huntley said this was an upside. International cybersecurity cooperation has revealed the important role that cloud-storage and robust contingency backup plans can play to keep governments functioning, even when under severe distress. “Availability and security at scale of hosted services provide reliability unable to be matched,” Huntley said.

The growing political divides between criminals over the war in Ukraine has also created an opportunity to undermine those very organizations. “We saw this during the Ukraine war with divisions between Ukrainians and Russians,” Huntley told me. “In general, we want to make it easier for us defenders to come together to counter these threats and harder for cybercriminals to work together.”

If centralized cybersecurity efforts, like in the European Union where members seek to cooperate over unified cybersecurity standards, continue to be the focus of governments and industries alike, lessons will have been learned from the war in Ukraine. When the fog of war clears, governments will have to learn how to leave fewer vulnerabilities in their supply chains and better protect their citizens.

Sign up here to get the next edition of this newsletter, straight to your inbox.