‘They are fighting like lions’
Maria Zolkina grew up in the Donbas, that southeastern region of Ukraine that Moscow claims asked for a special military operation to protect Russian speakers there. Zolkina’s parents lived in an apartment block that was on the Ukrainian side of the border, and they lived there right up until the end of last month.
“My parents are very famous patriots on the ground, so they have never left the region,” Zolkina said. Even when Russian troops marched in and took over the region in 2014, her parents stayed in their apartment, Zolkina’s childhood home. But last month, as the fighting intensified, they decided to leave.
“My mom wants to join the volunteer forces because she is not sure she will be able to fight, but she thinks she can help another way,” Zolkina said. “The men in my family understand what they have to do now.”
They are joining the fight. They are part of the national resistance movement known as the Territorial Defense Forces, which have slowed Russia’s advance on major cities in Ukraine, much to the surprise of just about everyone, including the invading Russian armies.
“They thought it would be an easy walk,” Zolkina, who is a Ukrainian political analyst, said. “They thought they will capture Kyiv and major cities and that they will be met with the flowers by Ukrainians.”
Instead, Russian forces have tangled with people like Zolkina’s parents and her brother. “They are fighting like lions,” she said.
So that is the first surprise in the days after the Russian invasion of Ukraine.
The second is how Moscow has decided to wield its cyber capabilities. Most military and cybersecurity analysts were bracing for a big cyberattack – something that would turn out the lights or cut off the flow of information. Neither of those things has happened yet, though Zolkina, a researcher who focuses on disinformation campaigns with the Democratic Initiatives Foundation, said it is too early to breathe easy “because we know that it still may come.”
As fighting intensifies in Ukraine, U.S. officials say the West needs to brace for cyberattacks.
“Americans watching today, everybody should go to work and change their passwords and update their security systems,” Beth Sanner, a former senior official at the Office of the Director of National Intelligence who also served as former President Donald Trump’s primary intelligence briefer, told CNN. “Russia is and has been inside of our cyber, our critical infrastructure for years” and they may choose this moment to strike.
Online outflanking
As Russian President Vladimir Putin’s forces step up their fighting in Ukraine, the Kremlin has been using an army of online trolls whose sole job is to control the narrative and portray the Russian forces as peacekeepers trying to protect Russian-speaking Ukrainians.
Over the weekend, Russia’s communications regulator ordered Russian media outlets to remove any reports that describe Moscow’s attack on Ukraine as an “assault, invasion or declaration of war.” It also began restricting platforms like Facebook and Twitter.
Ukrainian President Volodymyr Zelensky, in addition to calling for volunteer fighters from both inside and outside the country, has surprised Ukrainians by outflanking Putin online. Among other things, Ukraine has ordered its phone carriers to block network access from phones registered in Russia and Belarus, which has meant that invading forces can’t get online, post videos from the front, or send messages home.
Ukrainian officials used Facebook to instruct citizens to remove local road signs so Russian troops wouldn’t know where to go. The nation’s cybersecurity force, for its part, has been building bots and then publicizing them on Telegram so ordinary Ukrainians can report Russian troop movements and put pins on a map for all to see.
When Russian news outlets reported that Zelensky was telling his forces to lay down their weapons, the Ukrainian leader responded with a video showing him on the street near the presidential headquarters in Kyiv.
Zelensky told his listeners that the reports were fake and he wasn’t going anywhere. The Ukrainian-language video drew millions of views on Facebook and Telegram.
“Telegram channels are very popular as a source of information in Ukraine,” Zolkina said, adding that Zelensky’s team is doing everything right to control the narrative. “From a communication point of view, he is also very effective now. No one has the idea that he can escape or he has escaped somewhere. And following the logic of his actions, I'm pretty sure he won’t.”
What she means is it is clear that Zelensky has decided to remain in Ukraine and rally his people.
“This will be the last aggressive attempt of the current Russian Federation because the Ukrainian state generally will never surrender, never,” Zolkina said.
‘Retro’ cyber attacks
The cyber portion of the Russian invasion started small, with a series of distributed denial-of-service attacks. Russia’s targets were the obvious ones: servers hosting the websites for Ukraine’s defense ministry, army and two of its largest banks. The attackers overloaded the servers with so many requests that the servers shut down.
Given how skilled Russia has proven to be at cyberattacks in the past, a DDoS attack is a surprisingly restrained – even retro – move, according to Jason Healy, a senior researcher in cybersecurity at Columbia University.
“[DDoS] is not advanced and you’d think if the Russians really care, they would be using zero-day exploits in amazing intrusions,” Healy said, but those haven’t happened.
(Zero-day exploits take advantage of flaws in software or hardware systems that the vendor and defenders do not yet know about. They tend to be hard to find and expensive, and they aren’t deployed lightly because they can only be used once.)
Healy said Russia opted to go with a safer, less expensive cyber play because that’s all they needed.
“It may not necessarily be militarily effective,” he said. “But if they want it to suppress Ukrainian communications, keep them down, keep the defenders scrambling, then a denial-of-service attack is a very easy way to do that without burning capabilities.”
So that could explain why Russia lobbed small attacks into Ukrainian cyberspace. In the days leading up to the invasion hundreds of computers in Ukraine were hit with wiper malware, which was disguised as a ransomware attack. While officials scrambled to unlock their systems, the payload was wiping their hard drives clean.
The relative restraint on Russia’s part is unexpected because Moscow hasn’t been shy about using digital weapons to attack its neighbors in the past, and Ukraine has been in those crosshairs before. In 2015, hackers used the so-called BlackEnergy malware to destroy part of the electrical grid in Eastern Ukraine. Two years later, it was the NotPetya attack, which crippled Ukrainian utility companies, banks, airports and government agencies.
Most analysts see those two attacks as harbingers of things to come – as test cases for attacks that Russia would launch later.
Cyber ‘knows no geographic boundaries’
What worries Sen. Mark Warner (D-Va.), the chairman of the Senate Intelligence Committee, is that a cyberattack launched against Ukraine will end up sweeping up others in its path.
“If Russia unleashes its full cyber power against Ukraine, once you put malware into the wild in a sense that it knows no geographic boundaries,” he told CBS News over the weekend. “So if the Russians decide they're going to try to turn off the power all across Ukraine, very likely that may turn off the power in Eastern Poland and Eastern Romania. That could affect our troops. If suddenly hospitals are shut down.”
He added: “If NATO troops, American troops, somehow get into a car accident because the stop lights don't work” then NATO might have to step in.
The prospect of NATO intervening might explain why Russia is keeping its cyber powder dry.
“They'll probably avoid for as long as possible cyber actions against Western targets because they don’t want to escalate the conflict,” said Jim Lewis, a cyber security expert with the Center for Strategic and International Studies, a think tank in Washington, DC. “The only thing that might change is the Russians have been mumbling threats to take revenge for sanctions. And so they might look for some cyber component to that. They have the capability. We shouldn't have any doubt about that.”
Lewis said the decision to hold off on deploying cyber forces is a strategic one.
“They haven’t done anything because it's not in their interest right now, military or political,” he said. “What does it get them? Putin's goal is to take over Ukraine, apparently. Not what we were expecting, and a cyberattack on the U.S. doesn't get any closer to achieving that.”
Three cyber scenarios
There are three likely cyber scenarios according to Lewis and three U.S. cyber officials who spoke to The Record on the condition of anonymity. The first is that Russian intelligence services — like the FSB and GRU — will mobilize their cyber forces and attack critical infrastructure, such as power grids in Europe and the U.S. Doing that would move Russia closer to a direct conflict with the U.S. and NATO, which it appears to be loath to do.
A less aggressive path would be instructing Russian intelligence agencies to act as disruptors, not destroyers. So they might lock up some of the same sectors in the U.S. and Europe that the sanctions are targeting in Russia – most notably energy and finance.
Or three — and this, Jim Lewis said, seems the most likely — Russia would reprise something like the Colonial Pipeline attack last May. In that case, Colonial became a victim of a ransomware attack that shuttered its oil pipeline operations for nearly a week. The hackers had slipped into some of the company’s billing systems and were then able to affect the company’s ability to deliver oil products.
There was a whiff of Russian attribution, but it was hard to tell exactly who was behind it. President Biden said at the time that there was no evidence of Russian government involvement in the attack, but there were signs it originated in Russia.
“I think the Russians really enjoyed Colonial Pipeline,” Lewis said. “It wasn't the Kremlin, but seeing panicky Americans line up to stockpile toilet paper probably got a good laugh in Moscow. And so the question for them is: Do they unleash the criminal gangs and let ransomware pick back up?”
Criminal gangs would give Russia plausible deniability so it could get even for sanctions against the country and not get caught, according to Beth Sanner, the former Deputy Director for National Intelligence, who spoke with CNN. Sanner said Putin eventually won’t have any choice but to turn to cyberattacks.
“These sanctions are significant enough that, um, he's going to start seeing some real pain and what else does he have to do short of pushing a button?” she said.
Sean Powers and Will Jarvis contributed reporting to this story.
Dina Temple-Raston is the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future News. She previously served on NPR’s Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were You Thinking.”