WASHINGTON – A new study of how Russia used its cyber capabilities in the first months of the war in Ukraine contains a number of surprises: Moscow carried out more cyber attacks than was aware at the time to strengthen its invasion, but more than two-thirds of them failed, repeating its poor performance on the physical battlefield.
But the study, published by Microsoft on Wednesdaysuggested that President Vladimir V. Putin’s government succeeded more than many expected with its disinformation campaign to establish a narrative about the war that was favorable to Russia, including making the case that the United States secretly produced biological weapons inside Ukraine.
The report is the latest effort by many groups, including US intelligence services, to understand the interplay between a brutal physical war with a parallel – and often coordinated – battle in cyberspace. It indicated that Ukraine was well prepared to ward off cyber attacks after enduring them for many years. This was at least in part due to a well-established system of alerts from private companies, including Microsoft and Google, and preparations that included moving a large part of Ukraine’s most important systems to the cloud, to servers outside Ukraine.
The report on Russia’s cyber attacks and disinformation campaigns showed that only 29 percent of the attacks broke the targeted networks – in Ukraine, the United States, Poland and the Baltic nations. But it points to a more successful effort underway to dominate the information war, in which Russia has accused Washington and Kiev of starting the conflict that is now raging in Ukraine’s east and south.
The war is the first full-scale battle in which traditional weapons and cyber weapons have been used side by side, and the race is underway to explore the never-before-seen dynamics between the two. So far, very little of that dynamic has evolved as expected.
Initially, analysts and officials were struck by the absence of crippling Russian attacks on Ukraine’s electricity grids and communications systems. In April, President Biden’s National Cyber Director, Chris Inglis, said the “question of the moment” was why Russia had not made “a very significant game with cyber, at least against NATO and the United States.” He speculated that the Russians thought they were heading for a quick victory in February, but were “distracted” when the war effort encountered obstacles.
The Microsoft report said Russia had attempted a major cyber attack on February 23, the day before the physical invasion. This attack, which used malware called FoxBlade, was an attempt to use “wiper” software that wiped data on public networks. At about the same time, Russia attacked the Viasat satellite communications network in hopes of paralyzing the Ukrainian military.
“We was, I think, among the first to witness the first shots fired on February 23, ”said Brad Smith, Microsoft’s president.
“It has been a formidable, intense, even violent set of attacks, attacks that started with some kind of wiper software, attacks that are really being coordinated from different parts of the Russian government,” he added on Wednesday at a forum at the Ronald Reagan Presidential Foundation and the Institute in Washington.
But many of the attacks were thwarted, or there was enough redundancy built into the Ukrainian networks for the effort to do little harm. The result, said Mr. Smith, is that the attacks have been underreported.
In many cases, Russia coordinated its use of cyber weapons with conventional attacks, including the dismantling of the computer network at a nuclear power plant, before moving its troops in to take over, Mr. Smith. Microsoft officials declined to identify which plant Mr. Smith referred to.
While much of Russia’s cyber activity has focused on Ukraine, Microsoft has detected 128 network intrusions in 42 countries. Out of the 29 percent of Russian attacks that have successfully penetrated a network, Microsoft concluded that only a quarter of them resulted in data being stolen.
Outside Ukraine, Russia has concentrated its attacks on the United States, Poland and two aspiring members of NATO, Sweden and Finland. Other alliance members were also affected, especially as they began to supply Ukraine with more weapons. However, these breaches have been limited to surveillance – indicating that Moscow is trying to avoid bringing NATO nations directly into the fight through cyber attacks, as well as refraining from physical attacks on these countries.
But Microsoft, other technology companies and officials have said that Russia has paired these infiltration attempts with a broad effort to deliver propaganda around the world.
Microsoft followed the growth in consumption of Russian propaganda in the United States in the first weeks of the year. It peaked at 82 percent just before the invasion of Ukraine on February 24 with 60 to 80 million monthly page views. That number, Microsoft said, competed with page views on the largest traditional media sites in the United States.
One example, Mr Smith mentioned, was Russian propaganda inside Russia, which pressured its citizens to be vaccinated, while its English-language messages spread anti-vaccine content.
Microsoft also tracked the rise of Russian propaganda in Canada in the weeks before a truck convoy protesting against vaccine mandates tried to shut Ottawa down, and that in New Zealand before protests there against public health measures to combat the pandemic.
“It is not a question of consumption following the news; it’s not even a case of a reinforcement effort after the news, ”said Mr. Smith. “But I think it’s fair to say that it’s not just a case of this reinforcement that precedes the news, but possibly trying to create and influence the very creation of today’s news.”
Senator Angus King, independent of Maine and a member of the Senate Intelligence Committee, noted that while private companies can track Russian efforts to spread disinformation inside the United States, U.S. intelligence services are restricted by laws that prevent them from looking into U.S. networks.
“There is a gap and I think the Russians are aware of that and it enabled them to exploit an opening in our system,” said Mr. King, who also spoke at the Reagan Institute.
A provision in this year’s congressional defense policy bill would require the National Security Agency and its military cousin, the United States Cyber Command, to report to Congress every two years on electoral security, including the efforts of Russia and other foreign powers to affect the Americans.
“Ultimately, the best defense is that our own people become better consumers of information,” Mr. King. “We need to do a better job of educating people to become better consumers of information. I call it digital proficiency. And we need to teach children in fourth and fifth grade how to distinguish a fake website from a real website. ”