The invasion of Ukraine started online long before troops marched on Kyiv
Note: This story is written from the perspective of reporter Daryna Antoniuk, currently temporarily displaced by the Russian invasion of Ukraine, with reporting support from Andrea Peterson in Washington, DC.
Riga, Latvia—I left Ukraine on Feb. 18 for a journalism training in Riga feeling uneasy.
Just days before, I covered yet another cyberattack — this one targeting Ukrainian government websites and national banks, striking after months of rising tensions in the region.
Yet even while constantly checking my phone for news updates as my plane left Kyiv, I didn’t realize I was about to become a refugee reporting on the invasion of my own country from the outside.
On Feb. 24, I woke up in the middle of the night to watch YouTube videos of Russian troops entering Ukraine — I’ve hardly slept since.
While my friends and colleagues were hiding in bomb shelters, I was working nonstop to cover the news from afar, and my phone became my window into Ukraine.
Through social networks and through online media outlets, I was trying to grasp what was happening in Ukraine, to distinguish who was lying and who was telling the truth. This story — which I originally intended to focus on propaganda botnets — seemed to connect so much of what is happening.
Finishing it, I realized I’ve been covering the frontlines of a digital war that started in Ukraine much earlier than most people think — one waged online through disinformation, cyberattacks, and misinformation. And I also realized that a major reason Ukraine is still standing — despite Russia’s overwhelming military muscle and well-oiled propaganda machine — is the resilience of its local internet infrastructure and the Ukrainian people’s strategic use of it.
In just days, a global movement online has grown to include self-described hacktivists and create internet folk heroes of the Ukrainian defense, including its President Volodymyr Zelensky — a comedian-turned-politician who galvanized Europe and other allies into action in the form of financial sanctions and significant military aid.
The invasion of Ukraine is part of a much larger hybrid warfare strategy that Russia has been deploying online for years, including its influence campaigns during U.S. elections — and reporting the truth may be the only way to stay ahead of it.
Ukraine’s recent history, off and online
Modern Ukraine is defined by its revolutions: the so-called granite revolution in 1990 marked Ukraine’s departure from the Soviet Union; during the 2004 Orange revolution, Ukrainians fought for the democratic government.
But for Kremlin propagandists, the 2014 Revolution of Dignity — a popular uprising that toppled Russian-aligned President Viktor Yanukovych — was crucial because it started with online organizing and proved that Ukrainian internet infrastructure was resilient.
Even then, Ukraine’s internet was a robust ecosystem that included major national providers, but also smaller regional and local internet service options that provided back-up, said Doug Madory, a longtime global network monitor and the Director of Internet Analysis at Kentik.
However, the security of the networks, systems, software, and online communities that rely on that infrastructure in Ukraine is less resilient — and has been the subject of ongoing bombardment in recent years, especially following sanctions after Russia’s first invasion of eastern Ukraine and the annexation of the Crimean peninsula in 2014.
Russia pushed back online, starting a digital campaign against Ukraine allegedly attacking its power grid in 2015 and 2016 and unleashing a wiper tool called NotPetya, which was disguised as ransomware, on Ukraine’s financial sector in 2017.
These online attacks caused offline chaos.
“Financial and energy industries are the hackers’ priorities because the life of many people depends on them,” Serhii Demediuk, the Deputy Secretary of Ukraine’s National Security and Defense Council, told The Record.
Manipulating the online conversation is another way to manipulate the world offline — and it can be done in many ways, including through censorship, disinformation or leveraging misinformation.
This is the evolution of an extensive propaganda machine Putin has built over decades to create a closely-controlled cult of personality and push nationalist narratives around the Russian leader similar to those cultivated by the Soviet Union heads of state.
Ukraine took a number of steps to limit Russian official propaganda’s influence over the years, including banning Russian online news outlets and social networks.
But that didn’t mean Russian propaganda disappeared — the Kremlin just turned to different tools, including bots spreading disinformation and misinformation, as well as cyberattacks.
And Russia’s online propaganda efforts are not exclusive to Ukraine — they affect users everywhere. According to a Facebook threat report released last May, Russia’s biggest disinformation campaigns targeted the U.S., Ghana, and Mexico.
For outsiders, it seems that these fakes are easy to recognize and avoid. But for the countries targeted by Russian propaganda for decades, the boundaries between fiction and reality have become blurred.
Farming for influence
Years before Russian troops marched into Ukrainian territory, Russia’s virtual army of bots "invaded" Ukraine’s internet.
Bots are primarily used to promote products, brands and ideas, but also to spread propaganda and fake news, said Nikita Knysh, CEO at Ukrainian cybersecurity company HackControl.
In Ukraine, bots have historically been used by local politicians to spread propaganda and offensive content against their rivals, as well as by Russian hackers to sow panic and sway public opinion in Ukraine.
The so-called bot farms are relatively easy to run: they can spread content without human involvement, but look and write like real humans.
Ukraine has been among the major sources of bot activity on Facebook in recent years, but the top source of identified coordinated influence campaigns is Russia, according to the company. In May 2021, Facebook banned hundreds of fake accounts linked to Ukrainian lawmakers and top officials. They published content about corruption, politics and COVID-19.
Almost all of them supported Zelensky’s Servant of the People party and criticized ex-president Petro Poroshenko and Kyiv Mayor Vitaly Klitschko.
Now, for ordinary users, it is hard to tell the difference between the content posted by real humans and bots as they promote fakes along with the content copied from real news websites — as well as whether the information they are sharing is true or false.
Russians started to use bots years before Ukrainian politicians, according to Knysh.
Their main battlefield is Facebook, which is the most popular social media platform in Ukraine, where it’s used by 16 million people.
Facebook’s global rise was driven, in part, by the promise of personal connection. Then it kept people hooked by engineering for maximum engagement to sell ads. This resulted in its systems highlighting controversial topics — at times to devastating effects.
Countries also realized they could use this to their geopolitical advantage.
For example, Russia ran extensive social media influence campaigns on Facebook and other platforms during the 2016 and 2020 presidential election.
President Donald Trump was later impeached by the U.S. House of Representatives in late 2019 after a whistleblower alerted that he had illegally withheld $400 million in aid to Ukraine in an alleged attempt to have Zelensky investigate Joe Biden’s son. (Trump was acquitted by the Republican majority Senate, then impeached by the House again over the Jan. 6, 2021 attacks on the Capitol during his final days in office and acquitted after he left.)
Social media platforms say they’ve taken steps to crackdown on inauthentic traffic, but it continued to be a major industry in Ukraine up through the invasion. In July 2021, for example, Ukraine’s State Security Service (SBU) detained a Ukrainian national suspected of setting up a bot farm in his house in Ivano-Frankivsk, a city in the west of Ukraine using 12,000 SIM cards from Ukrainian and Russian mobile operators.
In February this year, SBU busted two bot farms associated with 18,000 fake accounts in Lviv after reports involving fake bomb threats. Their customer, according to SBU, was Russia.
After the invasion on Feb. 27, Facebook’s parent company Meta announced that it has uncovered a network of bots run by people in Russia and Ukraine targeting Ukraine.
Cyberattacks
Cyberattacks targeting Ukraine’s financial and state institutions have continued unabated, according to Demediuk.
In December, Ukraine registered 135 attacks. In January it was 262. The total number of cyberattacks in 2022 has increased sevenfold compared to the same period the previous year, according to data obtained by The Record from Ukraine’s information security service.
The main goal of these attacks is to sow panic and mistrust in the government, multiple sources in the Ukrainian cybersecurity agencies told The Record. Hackers’ main targets are the Ukrainian government and local authorities, security and defense services and the financial industry.
I covered the digital onslaught as cyberattacks defaced government websites in January, then flooded Ukrainian military and financial websites with traffic in mid-February, just before I left for Riga.
Then on Feb. 24, on the day of the invasion, Russian hackers stormed Ukrainian cyberspace for the whole night, Ukrainian Digital Transformation Minister Mykhailo Fedorov wrote on Telegram.
The cyberattacks have continued since then.
Among the most active groups are UNC1151, whose members are officers of the Belarusian Ministry of Defense, Victor Zhora, deputy director of Ukraine's State Services for Special Communication and Information Protection, told The Record.
During the invasion, digital attackers sent phishing emails targeting private ‘i.ua’ and ‘meta.ua’ accounts of Ukrainian military personnel. Ordinary Ukrainians have also received phishing emails and fake messages, including what appeared to be false warnings about internet outages and messages claiming to come from the SBU, but featuring links that could infect devices with malware if clicked.
Even as Ukraine’s networks are still being flooded with attacks, the internet itself has been fairly stable so far with the exception of some areas facing heaving fighting despite some dire warnings in the lead-up to the attack, some of which appear to have been based on technical misunderstandings.
The country has only faced regional or localized outages so far because it has a highly developed telecom infrastructure, according to Madory, with multiple land-based fiber connections providing online connectivity to the rest of the world through the west.
From what he can see from access to servers around the world, overall web traffic in Ukraine has been down during the invasion likely due to localized disruptions and people being less online because they are taking active defense measures.
But the connectivity is also being used to fight back.
Ukraine fights back, off and online
As the Russian invasion force has faced bloody resistance on the ground in Ukraine, it has also faced pushback online, as well as through more traditional diplomatic routes and where those intersect.
Amid the attack, Ukraine’s government put out a call for its IT force and hackers to join Ukraine’s digital defense and urged cryptocurrency exchanges to cut off Russian users.
Some international researchers, including former New York Times and Freedom of the Press Foundation expert Runa Sandvik, are providing security support to local journalists by providing them with free VPN access.
Cybercriminal groups also started to take sides while the hacking group Anonymous claimed credit for a series of DDoS attacks that flooded some Russian websites with traffic.
A key factor in global response appears to be the powerful way the internet has allowed Zelensky and the people of Ukraine to display their situation.
The Ukrainian President’s personal appeal to European leaders in a video call was what turned the tide in favor of major sanctions, the Washington Post reported. He’s also engaged in public digital diplomacy on Twitter, using it as a vector for coalition building with other leaders online while becoming a meme online — to Ukrainians for direct updates from the frontlines of Kyiv and to people around the world who discover his literal turns as the winner of the Ukrainian version of Dancing With The Stars.
Zelensky has also contributed to the digital mythos around other defenders in Ukraine, including the forces stationed on Snake Island — a small, but strategically important piece of land in the Black Sea. Alleged audio of the border guards on the island cursing at a Russian warship went viral online in the first days of the invasion, with Zelensky at first confirming their apparent demise in news reports. However, on Monday the Ukrainian Navy confirmed that the guards were alive and taken captive.
Other online Ukrainian memes have emerged, inspiring hope although their full context or veracity isn’t unclear. One is the alleged “Ghost of Kyiv,” an unnamed pilot said to be taking down Russian planes over the city in an MiG-29 fighter jet, which was promoted by Ukraine’s national Twitter feed. Another is a widely circulated video of a woman confronting a heavily-armed Russian soldier, urging him to put sunflower seeds in his pockets so at least Ukraine’s national flower would grow from where his body fell.
Meanwhile, as Time Magazine reported, Russian state media appears committed to spreading a false narrative about the invasion — referring to it instead as a “military operation” and spreading misleading information about civilian and Russian casualties.
It remains hard, at times, to tell fact from fiction online, especially during the digital fog of war — but one thing that can ground you in what is right or wrong is the human connection behind the screen.
Every second I see my friends' messages popping up on the screen, discussing airstrikes, shelling, long lines in front of half-empty supermarkets.
I know that I'm lucky to be far away from the battlefield, but I feel guilty for not being in Ukraine — like a soldier who abandoned their military duty.
And yet, I decided to make the most out of my staying here — to keep witnessing and sharing the truth about Ukraine.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
Andrea Peterson
(they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.