- A cyberattack Russia launched before it attacked Ukraine "had an outsized impact," a top US intelligence official said.
- The attack hit a large number of satellite communication stations, affecting hundreds of thousands of people outside Ukraine.
- US and Russian officials are both wary of the escalation that could follow a large-scale cyberattack.
Russia is known for its potent cyber-warfare capabilities. So it is no surprise that Moscow launched cyberattacks against Ukrainian targets in the lead up to its invasion in late February.
Russian hackers went after a variety of Ukrainian targets in the private and public sectors, but one cyber weapon aimed at a specific military target spilled over and affected tens of thousands of devices outside Ukraine.
AcidRain run amok
A few hours before the Russian invasion began on February 24, Russian hackers launched a cyberweapon against Viasat, an American satellite communications company that has been providing communication services to the Ukrainian military.
Named "AcidRain," the cyberweapon was a kind of malware known as a "wiper" that targeted Viasat modems and routers and erased all their data before permanently disabling them.
The cyberattack targeted commercial satellite communications networks in an attempt to disrupt the Ukrainian military's command and control and sow chaos among Ukrainian units on the battlefield as Russian forces crossed the border.
The attack is one of the first examples of cyber used as part of a combined-arms operation, much like a military might use aircraft to soften a fortified target before tanks and infantry attack it.
However, the Russian hackers appear to have let AcidRain run amok, either not able or not caring to limit the attack to Ukrainian devices.
Avril Haines, the US director of national intelligence, told lawmakers this month that the Russian cyberattack "had an outsized impact" and affected a large number of ground satellite communication stations, also known as Very Small Aperture Terminals, or VSATs.
As a result, hundreds of thousands of people outside Ukraine were affected in several ways, including losing internet services and power.
Such an outcome is more likely than not when it comes to cyber weapons. To focus a piece of malware on a specific target, hackers need to design it specifically to do so, and that requires extra work.
For example, the famous Stuxnet virus that targeted the Iranian nuclear program in the late 2000s was designed to remain dormant should it encounter a computer device that didn't meet the criteria set by its designers, widely believed to be the US and Israel.
Thus far, most Russian hackers have followed the usual playbook and mainly launched three kinds of cyberattack: wipers to delete data from devices, website defacement to discredit and ridicule targets, and distributed denial-of-service attacks to bring networks and websites down by overwhelming them with traffic.
Cyber and intelligence
Despite its potent cyberwarfare capabilities and a well-documented willingness to use them, even against Western targets, Russia hasn't launched the great cyber Armageddon many expected — even as the US and its allies have increased their support for Ukraine by providing billions of dollars in military and humanitarian aid.
Russia has launched cyberattacks during the conflict, but nowhere near to the level that was anticipated before the invasion.
"We have a variety of different sort of theories for why that might be the case, including the fact that we think that they may have determined that the collateral impact of such attacks would be challenging for them in the context of Ukraine," Haines said.
According to Haines, Moscow has a "long-standing concern" about likely escalation should it directly target the US in cyberspace, but that doesn't mean US intelligence agencies aren't worried about a Russian cyberattack against the US in the future.
Haines offered another explanation for why Russia hasn't launched large-scale cyberattacks against the US and NATO: Moscow might want to maintain collection opportunities in Ukraine and elsewhere.
Cyberwarfare and intelligence collection often cross paths. Officials tasked with those respective duties, in Russia and elsewhere, are highly likely to share targets — though they have their own, often conflicting objectives for those targets.
"It's kind of competing in some sense because of the 'intel gain, intel loss' mantra," a former US intelligence officer with a background in signals intelligence told Insider.
"Every time there is a node destroyed, that's one less node the IC [intelligence community] can tap into and squeeze for intelligence," the former intelligence officer said, speaking on the condition of anonymity to avoid compromising ongoing work with the government.
For example, US Cyber Command might want to take out a Russian military communications node to impose costs should Russian launch a destructive cyberattack against a NATO target, but the NSA might have tapped that same node to suck up valuable intelligence about Russian military movements.
In such scenarios, policymakers have to decide which task is more urgent and how their strategic objectives are served in the near- and long-term.
"That node could have been a valuable intelligence source, but then again, you might be taking down a primary network but you help discover or identify secondary networks and alternative communications nodes," the former US intelligence official said. "Then you start building plans to understand and learn more about those networks as well, get some insight, understand their vulnerabilities and learn when and why they are used."
Stavros Atlamazoglou is a defense journalist specializing in special operations, a Hellenic Army veteran (national service with the 575th Marine Battalion and Army HQ), and a Johns Hopkins University graduate.