A combination of photos created on Jan. 11, 2022, shows Russian President Vladimir Putin (left) and Ukrainian President Volodymyr Zelensky (right) at separate press conferences.
(VALERY SHARIFULIN, BERTRAND GUAY/AFP via Getty Images)
Cyberattacks will remain a critical component of Russia’s hybrid campaign in Ukraine as an early lever to escalate tensions between the two countries, keeping cyber risks elevated in Ukraine for the foreseeable future. Between Jan. 13 and 14, an unknown group of hackers defaced around 70 Ukrainian government websites with a message in Ukrainian, Russian and Polish that read "All information about you has become public, be afraid and expect the worst." The extent of Russia’s involvement in the mass defacement is still unclear, but the campaign began almost immediately after talks between Russia and Western officials over Ukraine ended in failure on Jan. 12.

  • On Jan. 16, Ukraine’s Ministry of Digital Transformation said that the evidence points to Russia being behind the cyberattack. On Jan. 15, a senior official from Ukraine’s national security and defense council told Reuters they suspected UNC1151, a hacking group linked to Belarusian intelligence, was behind the attack, although the official said the tactics were similar to those the Russian threat actor Nobelium has used in the past. The official also said that the defacements with the warning message were a cover for other attacks, which he did not elaborate on. 
  • On Jan. 15, the Microsoft Threat Intelligence Center (MSTIC) said it had observed a malware campaign targeting multiple organizations in Ukraine that began on Jan. 13, which appears to be the "other attacks" the Ukrainian official referenced earlier in the day. MSTIC said it had not found notable associations between the cluster of activity, which it was temporarily tracking as DEV-0586, and other known threat actors. According to MSTIC, the malware (which it dubbed WhisperGate) initially appears to be a piece of ransomware, but is “intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.” MSTIC warned that although it had identified the malware on “dozens” of systems, the number of infected systems could still grow as more infections are discovered and the campaign continues. 

While the extent of possible Russian (or Belarusian) involvement is still unknown, the attack against Ukrainian government websites is consistent with previous Russian cyberattacks aimed at sowing discontent and boosting Russian propaganda in Ukraine. Russian threat actors have launched defacement and DDoS campaigns against both Ukraine and Georgia during past periods of heightened tensions with each of those countries. The unease and chaos created by such attacks further the Kremlin’s propaganda goals by demonstrating Russia’s influence and undermining the legitimate governments in Georgia and Ukraine. Such cyberattacks can also impose a cost on the targeted organizations and government entities while showcasing their relative inability to prevent such hacks. 

  • In March 2014 — just days before Crimea’s annexation referendum was held — a DDoS attack coming from an unspecified group in Russia disrupted some Ukrainian internet services.
  • In 2019, Sandworm — an elite Russian hacking group believed to be connected to Russia's GRU military intelligence — defaced nearly 15,000 Georgian websites and forced nearly 2,000 Georgian websites offline amid an uptick in tensions between Georgia and the Russian-backed breakaway territory of South Ossetia. 

Amid the breakdown of negotiations with the United States and Europe, there is an increasing probability of Russia using asymmetric tactics like cyberattacks to pressure the West into limiting NATO activities in Ukraine. Russia remains unlikely to outright invade Ukraine this year. Instead, the Kremlin is more likely to raise the stakes by escalating the Donbas conflict just short of an overt military incursion. Destructive cyberattacks, such as the use of data wipers or attacks on critical infrastructure, will likely be a key component of that strategy, as cyberattacks give Moscow a layer of plausible deniability and, compared with a military invasion, are less likely to trigger strong retaliatory responses from Western governments. Cyberattacks also enable Russia to publicly remind Kyiv and the West of the kind of constant disruption Ukraine can expect should it continue to welcome NATO support and violate the Minsk agreements.

In the event of a broader cyber campaign intended to disrupt Ukraine’s economy, Russia-backed hackers would likely first deploy malware against high-profile Ukrainian companies and government targets, though foreign companies operating in the country would probably be affected as well. In a more significant escalation, Russia may also conduct cyberattacks against other critical parts of Ukrainian infrastructure (e.g. ports, railways, the power grid, internet services and financial institutions). By disrupting services that foreign organizations in the country rely on, such attacks on critical infrastructure would only reinforce fears that Russia may eventually decide to invade militarily, especially if Ukraine’s defense industry or telecommunications sector is targeted. Ukraine would likely try to retaliate with its own cyberattacks on Russian systems, but the West is unlikely to respond in kind for fear of triggering a broader escalation with Moscow. 

  • Similar to the recent WhisperGate malware attacks against Ukrainian organizations, the 2017 NotPetya cyberattacks primarily targeting Ukraine (which have been attributed to Russia’s Sandworm hacking group) also deployed data wipers masquerading as ransomware. 
  • Russia’s Sandworm also directly targeted the Ukrainian power grid in 2015, knocking out power for several hours for about 230,000 customers. 
RANE