Relentless Russian Cyberattacks on Ukraine Raise Important Policy Questions

Published: 23/11/2024   Category: security




Microsoft cybersecurity executive John Hewie explained cyberwar developments and what they mean for Western democratic policy going forward.



SecTor 2022, Toronto: The first shots in the Russia-Ukraine cyberwar were fired virtually on Feb. 23, when destructive attacks were launched against Ukrainian organizations the day before Russian military troops moved into Ukraine. Microsoft was figuratively there, observing the developments, and its researchers were immediately concerned.
The tech giant happened to have pre-positioned sensors within various public and private networks in-country, installed in conjunction with Ukrainian incident-recovery teams in the wake of previous cyberattacks. They were still functioning, and picked up a wide swathe of concerning, snowballing activity as the Russian army amassed on the border.
"We saw attacks against at least 200 different government systems starting to run in different areas that we detected in Ukraine," said John Hewie, national security officer at Microsoft Canada, taking the stage at SecTor 2022 this week in Toronto, in a session titled "Defending Ukraine: Early Lessons from the Cyber War."
He added, "We also had already established a line of communication with senior Ukrainian officials across government and also organizations in Ukraine — and we were able to share threat intelligence back and forth."
What emerged from all that intel initially was that the wave of cyberattacks was targeting government agencies, before moving on to the financial sector, then the IT sector, before specifically zeroing in on data centers and IT companies that support government agencies in the country. But that was just the beginning.
As the war went on, the cyber-picture worsened, because critical infrastructure and systems used to support the war effort ended up in the crosshairs.
Soon after the onset of the physical invasion, Microsoft found that it was also able to correlate cyberattacks in the critical infrastructure sector with kinetic events. For example, as the Russian campaign moved around the Donbas region in March, researchers observed coordinated wiper attacks against transportation logistics systems used for military movement and the delivery of humanitarian aid.
And targeting nuclear facilities in Ukraine with cyber activity to soften a target prior to military incursions is something that Microsoft researchers have seen consistently throughout the war.
"There was this expectation that we were going to have a big NotPetya-like event that was going to spill into the rest of the world, but that didn't happen," Hewie noted. Instead, the attacks have been very tailored and targeted at organizations in a way that constrained their scope and scale — for example, using privileged accounts and using Group Policy to deploy the malware.
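The deployment pattern Hewie describes (a compromised privileged account editing a GPO so that domain-joined hosts pull down and run the payload themselves) leaves two footprints a defender can watch for: the GPO object in Active Directory gaining a client-side extension (Security event 5136 on a groupPolicyContainer, changing gPCMachineExtensionNames or gPCUserExtensionNames), and endpoints spawning processes from gpscript.exe, the host for GPO startup and logon scripts (Security event 4688 with that parent). The following detection logic is an added example, not code from the page or from Microsoft; the event IDs, attribute names and field names follow the real Windows Security event schemas, but the flattened dictionary layout, the allowlists, and the sample events are constructed for illustration.

```python
"""Flag Windows Security events consistent with malware pushed via Group Policy:
(1) a GPO's client-side-extension list changed by an account that is not an
approved GPO editor, and (2) a process launched by gpscript.exe that is not
on the approved list of startup/logon script children.

Event IDs 5136 / 4688 and the gPC*ExtensionNames attributes are real; the
dict layout, allowlists and sample events below are constructed assumptions.
"""

# Hypothetical allowlists: who may edit GPOs, and which command lines are
# legitimately started by GPO scripts in this (constructed) environment.
APPROVED_GPO_EDITORS = {"CORP\\gpo-admin"}
APPROVED_GPSCRIPT_CHILDREN = {
    r"C:\Windows\System32\cmd.exe /c \\corp.example\netlogon\map-drives.cmd",
}

# Adding Scripts, Scheduled Tasks, Files or similar CSEs to a GPO rewrites
# one of these attributes on the groupPolicyContainer object.
GPO_CSE_ATTRIBUTES = {"gPCMachineExtensionNames", "gPCUserExtensionNames"}


def check_gpo_modification(event):
    """Event 5136 (directory service object modified) on a GPO container
    whose CSE list changed, made by someone outside the editor allowlist."""
    if event.get("EventID") != 5136:
        return None
    if event.get("ObjectClass") != "groupPolicyContainer":
        return None
    if event.get("AttributeLDAPDisplayName") not in GPO_CSE_ATTRIBUTES:
        return None
    actor = event.get("SubjectUserName")
    if actor in APPROVED_GPO_EDITORS:
        return None
    return {
        "rule": "gpo-cse-modified-by-unapproved-account",
        "actor": actor,
        "gpo": event.get("ObjectDN"),
        "attribute": event.get("AttributeLDAPDisplayName"),
    }


def check_gpscript_child(event):
    """Event 4688 (process created) whose parent is gpscript.exe: this is the
    moment a GPO-delivered script actually executes something on the host."""
    if event.get("EventID") != 4688:
        return None
    parent = event.get("ParentProcessName", "")
    if not parent.lower().endswith("\\gpscript.exe"):
        return None
    cmdline = event.get("CommandLine", "")
    if cmdline in APPROVED_GPSCRIPT_CHILDREN:
        return None
    return {
        "rule": "unapproved-process-from-gpo-script",
        "host": event.get("Computer"),
        "command_line": cmdline,
    }


def detect(events):
    """Run every check over every event and return the list of alerts."""
    alerts = []
    for ev in events:
        for check in (check_gpo_modification, check_gpscript_child):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry).
GPO_DN = "CN={A1B2C3D4-0000-4000-8000-000000000001},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    # Legitimate GPO edit by the approved account: no alert.
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "SubjectUserName": "CORP\\gpo-admin"},
    # A service account (assumed compromised) adds a CSE to the same GPO: alert.
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames",
     "SubjectUserName": "CORP\\svc-backup"},
    # Same account renames the GPO only: not a CSE change, no alert.
    {"EventID": 5136, "ObjectClass": "groupPolicyContainer", "ObjectDN": GPO_DN,
     "AttributeLDAPDisplayName": "displayName",
     "SubjectUserName": "CORP\\svc-backup"},
    # Known-good drive-mapping script run by gpscript.exe: no alert.
    {"EventID": 4688, "Computer": "ws-042.corp.example",
     "ParentProcessName": r"C:\Windows\System32\gpscript.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c \\corp.example\netlogon\map-drives.cmd"},
    # Unknown binary started by gpscript.exe on the same host: alert.
    {"EventID": 4688, "Computer": "ws-042.corp.example",
     "ParentProcessName": r"C:\Windows\System32\gpscript.exe",
     "CommandLine": r"C:\Windows\Temp\svchost_update.exe"},
    # Ordinary user-launched process: no alert.
    {"EventID": 4688, "Computer": "ws-042.corp.example",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both signals need auditing to be switched on first: 5136 requires the "Audit Directory Service Changes" subcategory plus a SACL on the Policies container, and 4688 needs process-creation auditing with command-line logging enabled. The allowlist approach is deliberately narrow; in a real estate the approved-editor set would be fed from the GPO delegation model, and a sudden CSE change on a GPO linked at the domain root would deserve a higher severity than one on a test OU.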
"We're still learning, and we're trying to share some information around the scope and scale of the operations that have been involved there and how they're leveraging digital in some meaningful and troubling ways," he said.
Microsoft has consistently reported on what it's seen in the Russia-Ukraine conflict, largely because its researchers felt that the attacks going on there were being vastly underreported, Hewie said.
He added that several of the players targeting Ukraine are known Russia-sponsored advanced persistent threats (APTs) that have proven to be extremely dangerous, from both an espionage perspective and in terms of the physical disruption of assets, which he calls a set of "scary capabilities."
"Strontium, for instance, was responsible for the DNC attacks back in 2016; they're well known to us in terms of phishing, account takeover — and we've done disruption activities to their infrastructure," he explained. "Then there's Iridium, aka Sandworm, which is the entity that is attributed to some of the earlier [Black Energy] attacks against the power grid in Ukraine, and they're also responsible for NotPetya. This is a very sophisticated actor actually specializing in targeting industrial control systems."
Among others, he also called out Nobelium, the APT responsible for the SolarWinds-borne supply chain attack. "They have been engaged in quite a bit of espionage against not just Ukraine, but against Western democracies supporting Ukraine throughout the course of this year," Hewie said.
Researchers don't have a hypothesis for why the attacks have remained so narrow, but Hewie did note that the policy ramifications of the situation should be seen as very, very broad. Most importantly, it's clear that there is an imperative to establish norms for cyber-engagement going forward.
This should take shape in three distinct areas, starting with a digital Geneva Convention, he said: "The world is developed around norms for chemical weapons and landmines, and we should be applying that to appropriate behavior in cyberspace by nation-state actors."
The second piece of that effort lies in harmonizing cybercrime laws, or advocating that countries develop cybercrime laws in the first place. That way, there are fewer safe harbors for these criminal organizations to operate with impunity, he explained.
Thirdly, and more broadly speaking, defending democracy and the voting process for democratic countries has important ramifications for cyber, because it allows defenders to have access to appropriate tools, resources, and information for disrupting threats.
"You've seen Microsoft doing active cyber-operations, with the backing of creative civil litigation, with partnership with law enforcement and many in the security community — things like Trickbot or Emotet and other types of disruption activities," according to Hewie, all made possible because democratic governments don't keep information under wraps. "That's the broader picture."
Another takeaway is on the defense side; cloud migration should begin to be seen as a critical piece of defending critical infrastructure during kinetic warfare. Hewie pointed out that the Ukrainian defense is complicated by the fact that most of the infrastructure there is run on-premises, not in the cloud.
"And so as much as they're probably one of the best countries in terms of defending against Russian attacks over a number of years, they are still mostly doing the stuff on-premises, so it's like hand-to-hand combat," Hewie said. "It's quite challenging."
