Date: 2022-03-08

When Russia invaded Ukraine in late February, Vladimir Putin seemed to believe Ukrainians would welcome his forces. Meanwhile, Western observers predicted the world’s first cyber war, with hacked power grids, severed internet service and disabled cellular networks paving the way for invading forces.

The U.S. government even warned American businesses to put their “shields up” and be on alert for Russian malware. Instead, in the past two weeks, Ukraine has shown — at bloody cost — that its resistance is fierce, and cyber experts have puzzled over the apparent lack of cyber war.

Why? First, this invasion has not gone as Putin probably expected. Russian strategists, assuming the occupation would be easy, may have wanted to preserve Ukrainian communication and power infrastructure, not disable it with pre-emptive cyber attacks. However, now that Ukrainians have made their resistance abundantly clear, Russian invaders are seizing and destroying infrastructure with bombs instead of malware. Cyber operations are a less attractive tool when kinetic attacks are an option.

Second, the internet now seethes with Ukraine-related misinformation and hacktivism. It’s tricky to determine whether an operation claimed by a Russian online vigilante is independent of Russian government involvement, or not. A notorious online group called Conti, connected to more than 400 ransomware attacks on U.S. entities, recently issued a statement lauding the Russian invasion and threatening Western businesses and governments that support Ukraine — only to have a mysterious pro-Ukrainian source leak thousands of its chats and files, showing evidence of undefined links to Russian authorities.

So, what’s next? From Vietnam to Afghanistan (for both Russia and the U.S.), the last half-century has shown superpowers do not do well when a local insurgency has outside support. As Russia’s assault continues its bloody progress, Putin has to be concerned about Western support for the resistance, from military aid to massive sanctions. With the war dragging on and NATO governments prepping for a long insurgency, the cyber front may expand, representing Putin’s best way to pressure Western countries without actually launching a military attack.

Russian cyber operatives have been laying the groundwork for such operations for the past decade. But it’s important to recognize both the possibilities and the limitations of their cyber options.

For example, from as early as 2011, Russian cyber operators known variously as Dragonfly, Energetic Bear and Crouching Yeti infiltrated U.S. energy infrastructure. They sought information on, and entrée into, the Industrial Control Systems of their target facilities. This could have given them the ability to disrupt U.S. power production, according to media reports, in 24 different targeted utilities.

In 2020, the U.S. government detected the same malware targeting aviation, education and election operations, plus state and local governments. However, since revealing this activity in 2017, the public and private sectors have worked hard to secure U.S. networks from the threat.

A direct cyberattack on U.S. energy infrastructure would be highly escalatory. If publicly tied to Moscow, such an attack would force the U.S. government and NATO to respond with more, not less, pressure on Russia. Recognizing the global economy’s dependence on stable oil prices, might Putin instead try to interrupt oil production outside of NATO countries (in the Persian Gulf, for example)?

In 2017, a cyber operation infiltrated Saudi oil infrastructure with so-called Triton malware, designed to destroy parts of the facility. The threat actors accidentally triggered safety shutdowns in the facility while trying to understand how to damage it, thus blowing that particular operation. However, in 2019, these Russia-linked operators resurfaced, targeting U.S. electrical networks through the same piece of equipment they targeted in Saudi Arabia. This time, defenders detected it before any damage was done.

We must remember that not one of these threats, from Conti ransomware to destructive attacks on energy facilities, present an existential threat to the United States. Private companies and the U.S. government have been hunting these operations for years.

But even when detected and eliminated, this malign activity is — though not surprising — frightening. Cyber operations, like terrorist attacks, don’t have to kill thousands of people or wipe out critical infrastructure to be effective. They simply have to produce a psychological effect.

Russia probably hopes continued disinformation, combined with the threat of more disruptive operations, like interfering with energy supply chains or online financial systems, will deter Americans from supporting the Ukrainian resistance. But forewarned is forearmed, and this, too, might turn out to be a miscalculation on Putin’s part.