The Russia-Ukraine Cyberwar’s Unpredictable Future

On one side is Russia, a hacking superpower that began its digital assault on Ukraine months before its tanks rolled across the border, but whose efforts have so far been surprisingly limited. On the other side, Ukraine is a relative weakling in cyberspace that has become the first country to fight back against an invader by publicly calling up an international army of vigilante hackers. The country also has hundreds of thousands of tech workers inside and outside the country who are participating in hacks and cyberattacks on targets in Russia, according to Viktor Zhora, deputy chief of Ukraine’s government agency responsible for cybersecurity.

Professionals who monitor cyber threats, both for governments and corporations, are concerned that the worst is yet to come, in the form of both direct attacks by Russia and collateral damage from attacks by both countries. Those specialists are on high alert because Russia, in particular, has a history of unleashing cyber weapons that wreak havoc far beyond the computers and networks that were their original targets.

The Kremlin has repeatedly denied carrying out malicious cyber operations.

“All of this is unprecedented,” says Jean Schaffer, a chief technology officer at cybersecurity company Corelight who spent more than 30 years working for the U.S. Defense Department, most recently as chief information security officer at the Defense Intelligence Agency. “It is not something we have war-planned and mapped out and said: ‘Hey, this is what we think is going to happen.’ ”

Russia’s first volley

For a glimpse of what has specialists worried, consider a piece of malware dubbed HermeticWizard.

Hackers traced to Russia began at least as early as January targeting Ukraine with “wiper” malware, designed to destroy computers by wiping their contents completely, says Ray Canzanese, director of threat research at cybersecurity company Netskope. New versions of such malware have been discovered since then, each more sophisticated and potentially destructive than the last.

HermeticWizard, which researchers detected in the past week, is the most dangerous yet, a piece of software designed to spread another, HermeticWipe, to any other potentially vulnerable computers in a network, Mr. Canzanese says. Previous Russian wipers—there have been at least three targeting systems in Ukraine since January—weren’t paired with this additional software designed to spread them autonomously. Malware with such “worm” characteristics was behind the devastating NotPetya attack in 2017, the most economically damaging cyberattack in history. Attributed to the Russian state, NotPetya did billions of dollars’ worth of damage to companies like Maersk, FedEx and even Rosneft, the Russian oil company, even though its intended target was Ukraine. “Everyone in cybersecurity is saying they are bracing for the next NotPetya,” he says.

The wiper malware Russia already deployed has targeted computers within Ukraine’s government, and its banks, to erode the country’s capacity to communicate and function, adds Mr. Canzanese. This same malware also struck computers that are part of Ukraine’s border-control systems, according to one security researcher in the region, hampering the processing of refugees leaving the country.

So far, the impact of these wipers has been minimal, compared with past cyberattacks by Russia, according to statements by Mark Warner, Democratic chairman of the Senate Intelligence Committee. Attacks have affected just a handful of Ukrainian government contractors and financial organizations, and seem intended primarily to demoralize defenders in Ukraine.

Another kind of cyber offensive, a “denial of service” attack in which websites and other services are flooded with spam traffic that renders them inaccessible, was launched against Ukraine in February in advance of Russia’s physical invasion. At the time, the White House took the unusual step of quickly declassifying intelligence that pinned the attack on Russia. Mykhailo Fedorov, Ukraine’s minister of digital transformation, has said that these attacks have made government and banking websites difficult to access.

Cyber fortress Ukraine

All that activity notwithstanding, cybersecurity experts are broadly surprised that Russia’s cyberattacks haven’t up to this point been more effective or devastating.

When Russia attacked Georgia in 2008, and again when it attacked Ukraine in 2014, it launched sophisticated cyberattacks that hijacked and rerouted internet traffic. In the case of Russia’s annexation of Crimea, the attacks allowed Russia to take over communications networks.

That hasn’t happened this time in Ukraine, at least as of Friday. “Many of us thought the Russians had pre-positioned themselves inside the networks of a lot of infrastructure to disrupt it long in advance,” says Chester Wisniewski, a principal research scientist at cybersecurity firm Sophos. “But we haven’t really seen that, and it’s been so odd.”

There are many theories about why Russia hasn’t shut down critical infrastructure in this war. It could be that Russia didn’t want to damage systems its leaders thought it would be able to quickly take over in a blitzkrieg. It could also be that Russia tried but that Ukraine learned lessons in the past eight years that allowed it to fortify its systems against damaging intrusion. In any case, the lack of clarity reflects how difficult it is to predict what could come next.

‘Hacktivists’

The situation on Ukraine’s side is also volatile. Thousands of Ukrainians are taking part in cyberattacks on Russia, targeting government services, media, transportation, and payments systems, said Mr. Zhora, the Ukrainian cybersecurity official, in the Friday briefing.

A nation-state calling for vigilantes to attack its enemies during an active conflict can lead to unintended consequences, including impacts for innocent targets, says Mr. Wisniewski.

Vigilante attacks can cause confusion for professionals and states attempting to protect critical assets, because it can be unclear where an attack is coming from, how seriously to take it, and whether damage to systems is intentional or not. Even attacks by ostensible allies can interfere with intelligence gathering and cyberattacks by allied nation-states, adds Mr. Wisniewski.

Gangs of cybercriminals, which historically have been tolerated inside Russia in a way they are not allowed to operate in the U.S. and allied nations, have also pledged retaliatory attacks against Ukraine and its allies. But when one such group, the ransomware collective Conti, said it would attack Russia antagonists, it soon had to contend with the leak online of a huge trove of its internal communications and hacking tools.

And so a cyberwar between groups that aren’t officially connected to the combatants continues to volley back and forth. One result of these cycles of reciprocal attacks is that they can affect systems far beyond those they are intended to target.

For example, hackers might cripple systems, such as communications infrastructure, that they believe are an asset to their foes but that could also be essential to the operation of networks essential to their allies—and thereby hobble their own side’s ability to operate.

“If an affected organization is connected to hundreds of other organizations, how do you make sure your attack doesn’t cause harm to all the connected systems?” says Andrew Rubin, CEO of cybersecurity firm Illumio.

A cyber ‘nuclear option’

The longer the conflict in Ukraine drags on, and the more Western firms pull out of Russia, the more opportunity and incentive Russia has to use its most potent cyber weapons against companies and nations, says Rob Gurzeev, who was one of the chief technology officers at Israel’s Unit 8200—roughly the equivalent of the U.S. National Security Agency.

“When I see a company like Shell exiting Russia, then Russia has a huge incentive to damage Shell so that if other companies also leave Russia, they see that random bad things can happen to them,” he says.

An attack on oil-and-gas companies could have far-reaching impacts in the U.S. and elsewhere.

For example, in May 2021, a group of Eastern European hackers attacked Colonial Pipeline, leading to the shutdown of the main conduit for gasoline and diesel to the U.S. East Coast.

“You worry that they might be holding something like their nuclear-bomb equivalent of a cyberattack, and we just haven’t seen it released yet,” says Ms. Schaffer. Such a weapon has been deployed in the past, albeit in a more narrowly targeted way, when a joint U.S.-Israeli team used a tool called Stuxnet to shut down a key part of Iran’s nuclear-bomb development apparatus in 2010.

Even if Russia doesn’t retaliate directly against the growing roster of companies and countries leaving the country, providing material support to Ukraine, and attempting to hobble Russia’s economy through sanctions, a sophisticated cyber weapon unleashed on Ukraine might go viral, Hence the concern about HermeticWizard.

The forever cyberwar

The apparent disorganization and poor management of many aspects of Russia’s invasion of Ukraine, including its cyberattacks, is a hopeful sign that the country isn’t as fearsome a foe as its previous successes, both military and cyber, would suggest, says Ms. Schaffer.

But complacency in light of Russia’s currently tepid cyber assault on Ukraine and the world would be a mistake, she adds.

Even if even more powerful cyber weapons aren’t ready yet, an isolated and cornered Russia with few other options for retaliating against foes beyond Ukraine has every incentive to continue developing cyber weapons and directly hacking its foes, both corporate and nation-state, says Mr. Gurzeev. “That’s what I would do if I led the cybersecurity unit of Russia,” he adds.

The war in Ukraine has twinned cyberweaponry with tanks and other traditional tools of war in a way we haven’t seen before. The digital attacks started first, and they could well continue even after the shooting stops.

For more WSJ Technology analysis, reviews, advice and headlines, sign up for our weekly newsletter.

Write to Christopher Mims at christopher.mims@wsj.com