
Microsoft’s Defending Ukraine report offers fresh details on digital conflict and disinformation

News Analysis
Jun 28, 2022, 6 min read
Critical Infrastructure, Threat and Vulnerability Management

Russia will use what it learned from its destructive cyber actions in Ukraine for other operations. "There is no going back to normal."

Last week Microsoft published an in-depth examination of the early cyber lessons learned from the war in Ukraine, offering fresh insight into the scope of Russia’s malicious digital activities and new details about the sophisticated and widespread Russian foreign influence operations surrounding the war. Microsoft has been uniquely positioned to observe the digital landscape in Ukraine since Russia invaded on February 24 and even before then.

Company President Brad Smith noted in March that in addition to funding humanitarian technical relief efforts, Microsoft deployed its RiskIQ platform to identify cybersecurity vulnerabilities in the Ukrainian government system. The company “provided a list of exposed and vulnerable systems to the Ukrainian government that had unpatched high-impact common vulnerabilities and exposures (CVEs) that could provide a foothold for attackers.”

Microsoft security specialists were among the first to discover the pre-invasion malware attacks in January that took down around 70 Ukrainian government websites. The company also deployed protections for the newly discovered destructive malware into Microsoft 365 Defender endpoint detection and response (EDR) and antivirus (AV) protection, both on-premises and in the cloud.

In his foreword to the new report, Smith discusses the importance of the first shot of any war, drawing parallels between the current conflict in Ukraine and the 1914 assassination of Archduke Franz Ferdinand, which launched World War I. In the present context, Russia’s first shot against Ukraine was a damaging cyber tool deployed against Ukrainian computers called Foxblade as early as February 23, right before the war began.

Smith said that Russia’s invasion strategy in Ukraine includes “three distinct and sometimes coordinated efforts—destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world.”

5 key cyber defense points from Russia’s attack

Based on Microsoft’s analysis, the company draws five conclusions from the war’s first four months:

  1. Military invasion defense requires distributing digital assets and operations across borders. For example, not only did Russia target Ukraine’s defense system in an early missile attack, but it also aimed wiper attacks at on-premises networks. Ukraine made an intelligent defensive move by dispersing digital assets into the public cloud, thwarting these attacks.
  2. Ukraine withstood a high percentage of Russian cyberattacks. Microsoft said the Russian military launched multiple waves of destructive cyberattacks against 48 distinct Ukrainian agencies and enterprises. Those attacks sought to penetrate “network domains by initially compromising hundreds of computers and then spreading malware designed to destroy the software and data on thousands of others.” Threat intelligence advances, including artificial intelligence and internet-connected endpoint protection, made it possible for Ukraine to identify and disable the malware.
  3. Microsoft discovered Russian network intrusion efforts on 128 organizations in 42 countries outside Ukraine. The U.S. was Russia’s number one target, but Poland, the Baltic nations, Denmark, Norway, Finland, Sweden and Turkey were also in Moscow’s digital crosshairs. A quarter of the successful intrusions led to data exfiltration. Microsoft remains concerned about government computers running on-premises rather than in the cloud.
  4. Russian agencies are conducting global cyber influence operations with broader geographic reach, higher volume, more precise targeting, and greater speed and agility. In addition, they are pre-positioning false narratives in ways similar to pre-positioning malware and other software code. The widely disseminated false narrative around supposed biolabs in Ukraine is a prime example of one successful, false narrative operation.
  5. It’s time for “a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations.” The Russian government does not pursue its operations in a fragmented manner, and the West should likewise not put them in separate analytical silos.

Russia’s cyber maliciousness is robust

Glenn Gerstell, former U.S. National Security Agency (NSA) general counsel and now a senior advisor at the Center for Strategic and International Studies (CSIS), gives Microsoft’s latest report high marks and praises it for laying out Ukraine-related cyber operations in such rich detail. “It illustrates just how robust and comprehensive, sophisticated and integrated Russian cyber maliciousness is,” he tells CSO.

“We are facing a very, very sophisticated adversary in terms of Russia with the known capabilities of the GRU and SVR, a sophisticated adversary that uses destructive cyber, as well as disinformation as a tool of their statecraft to achieve their political goals.” So far, Russia has not mounted cyberattacks that result in “widespread systemic collapses of operational technology, whether it’s in the energy sector or telecommunication sector, or even the banking sector,” Gerstell says.

Ukraine defends itself well

Nevertheless, some attacks against Ukraine’s IT infrastructure have succeeded. Ukraine’s cyber defense savvy has been central to limiting their impact. “The sophisticated levels of defense will continue to present an obstacle to Russian cyber maliciousness,” Gerstell says. Microsoft’s push to the cloud has also proved beneficial to Ukraine. “Microsoft really undertook a Herculean effort right before the invasion to move a substantial portion of the Ukrainian government’s online activities from servers based in Ukraine to the cloud,” he says.

Russia relies on Ukraine’s digital infrastructure

On top of these defenses, the nature of Ukraine’s digital infrastructure and Russia’s continued reliance on that infrastructure for its operations have served to defend the country well, according to Gerstell. “In addition to the strong defense, a reason we haven’t seen a lot of systemic failures in infrastructure in Ukraine is because it’s so dispersed. There are something like 2,000 internet service providers in Ukraine.”

Attacking Ukraine’s internet infrastructure would be self-destructive for Russia, Gerstell says. “Russia has been reluctant to dismantle the cellular network in Ukraine completely, even if they could because they’re relying on it themselves. Their troops and commanders are using Ukrainian cellular technology to communicate with themselves.”

The biggest concern from Gerstell’s vantage point is Russia’s well-honed disinformation skills. “It’s just hard to attack operational technology targets in a successful way with enduring persistent damage, but that’s not true in disinformation. So, they are going to continue to step up their disinformation campaigns. I think that’s what we need to worry about most.”

Russia could be sharpening its skills

Lauren Zabierek, executive director of the Cyber Project at Harvard Kennedy School’s Belfer Center, emphasizes Russia’s ability to leverage its Ukraine experience to advance its destructive cyber capabilities even further. “War always provides opportunity for belligerents to derive operational lessons. Russia will use battlefield knowledge to sharpen their capabilities. There is no going back to normal,” she tells CSO.

When it comes to defensive operations by Ukraine, Zabierek says that she thinks “advances in cyber threat intelligence and endpoint protection, as well as other enabling technologies described in the report, will continue to help with defensive measures, especially as the war progresses and its toll on the Ukrainians behind the keyboards continues.”

Like Gerstell, Zabierek finds Microsoft’s report helpful but not unexpected. “I’m not sure if I find anything particularly surprising, except that the term ‘advanced persistent manipulator’ is new to me, but I am glad to see it. It distinguishes the importance of the threat of influence operations and hopefully enhances discussion and efforts to combat it,” she tells CSO.