
Russia's dreaded cyberwarriors seem to be struggling in Ukraine

Russia's military attack on Ukraine met a decisive reversal outside Kyiv and is now struggling to gain ground in the country's southeast. Its cyberwar on Ukrainian assets isn't faring any better. Did the world overestimate Moscow's hacker legions the way it did its army?

Russia's hackers, like its military, may not be quite as fearsome as the world thought

Russian President Vladimir Putin looks on during the Victory Day military parade in Moscow on May 9, 2022. Russia's celebration was marred by the news that its online TV schedule page had been hacked, another sign that Russia's cyberwar in Ukraine hasn't been going all that well. (Mikhail Metzel/Sputnik/Kremlin Pool Photo/The Associated Press)

One day after Russian tanks broke through Ukrainian border posts on February 24, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a rare "Shields Up" alert, warning that "every organization large and small must be prepared to respond to disruptive cyber activity."

The expectation was that Russia would attack not only Ukraine but also Ukraine's western allies.

For some reason, that hasn't really happened in a big way.

"We haven't seen anything that we can directly attribute to Russia turning its sights to Canada," Sami Khoury, head of the Canadian Centre for Cyber Security, told CBC News. "There's been probably spillover effects in some cases, but we haven't seen anything that is directly targeted at the Canadian infrastructure or Canadian ecosystem."

Instead, Russia has found itself being hacked, in one instance with embarrassing results that surely must have marred President Vladimir Putin's Victory Day extravaganza.

As RuTube, Russia's version of YouTube, was taken down by hackers, YouTube itself remained online in Russia and continued sharing videos demonstrating Ukraine's dominance of the information space in this war.

Hacktivist groups such as Network Battalion 65 have stolen reams of emails and data from Russian government and corporate sites. In March, for the first time ever, more Russian email credentials were leaked online than those of any other nation.

The Kalush Orchestra from Ukraine appear on stage after winning the 2022 Eurovision Song Contest in Turin, Italy, May 15, 2022. (Yara Nardi/Reuters)

Russian hackers even failed to disrupt voting in the Eurovision Song Contest. (Ukraine won.)

Just as Russia's armoured divisions entered this conflict with a fearsome reputation that turned out to be wildly overblown, the reach of Moscow's cyber legions may have been overestimated. And just as Russia's war has diminished the reputation of Russian arms, it might also lead to a reassessment of nations' relative strengths in the virtual world.

Fearing the worst

Ukraine had every reason to expect the worst. Online attacks have been happening there since war began in 2014.

A Russian "persistent threat group" known as Sandworm was behind a December 2015 attack on the Ukrainian electrical grid that caused widespread power outages.

A year later, in December 2016, the Ukrainian financial system was targeted by the Black Energy malware attack, which also caused power cuts in Kyiv.

Then in June 2017, the same group struck again with a powerful new malware called Petya, causing chaos at government ministries, forcing banks to close, jamming telecom networks and again disrupting Ukraine's electrical grid. Airports and railways were affected and Chernobyl's radiation monitoring system went offline.

Ukrainian and western officials blamed the attacks on Russia's GRU (main intelligence directorate) and SVR (foreign intelligence service).

Last year, Ukraine's SBU security service reported it had "neutralized" an average of four cyberattacks per day.

So it was widely assumed that an army of bots would act as vanguard for any real invasion by attempting to cut power and communications, clog transportation links and generally sow confusion.

Russia did try something modest along those lines.

A laptop screen displays a warning message in Ukrainian, Russian and Polish that appeared on the official website of the Ukrainian Foreign Ministry after a massive cyberattack on January 14, 2022. (Valentyn Ogirenko/Illustration/Reuters)

In mid-January, a cyberattack hit about 70 Ukrainian government websites hours after talks between Russia and NATO failed to produce the concessions the Kremlin was hoping for.

"All information about you has become public, be afraid and expect the worst," said a pop-up screen message. "This is for your past, present and future." It repeated familiar Kremlin tropes about Nazis and persecution of Russian-speakers.

In addition to hitting government and military sites, the distributed denial of service (DDoS) attacks also targeted two banks, shutting down ATMs and credit card transactions.

Hack and attack

Russia launched another cyberattack on Ukraine on the day of the invasion with a piece of malware called Hermetic Wiper that targeted hard drives.

Last week, the Canadian government accused the Russian military of having "directly targeted the Viasat KA-SAT satellite Internet service in Ukraine" in February. The U.K. government says the attack also hit collateral targets such as central European wind farms.

But the trains continued to run and the Ukrainian government continued to function. The attack was much less damaging than the 2007 attack on Estonia, or the attacks that preceded the 2008 invasion of Georgia.

Ukrainian servicemen get ready to fight Russian forces in Ukraine's Luhansk region on Feb. 24, 2022. Russia launched a cyberattack to accompany its invasion. (Anatolii Stepanov/AFP/Getty Images)

Ali Dehghantanha, Canada Research Chair in Cybersecurity and Threat Intelligence at the University of Guelph, said Russia may have underused its offensive cyber capabilities because it was confident of a swift military victory.

But Ukraine is also better defended after years of successive attacks, he added.

"Because of their previous story with Russia," said Dehghantanha, "going back to the time of the conflict in Crimea, Ukraine with the support of Western allies did a very good job in protecting its physical infrastructure this time."

Western involvement

Those western partners include Canada's digital counter-espionage agency, the Communications Security Establishment.

"While we can't speak about specific operations, we can confirm that CSE has been tracking cyber threat activity associated with the current crisis," the CSE's Ryan Foreman told CBC News.

"CSE has been sharing valuable cyber threat intelligence with key partners in Ukraine and continues to work with the Canadian Armed Forces in support of Ukraine."

CSE also has to worry about Canada's own assets, of course.

A message demanding money appears on the monitor of a payment terminal at a branch of Ukraine's state-owned bank Oschadbank in Kyiv after Ukrainian institutions were hit by a wave of cyber attacks on June 27, 2017. (Valentyn Ogirenko/Reuters)

For years, major cyberattacks on North American assets have been landing with some regularity. CISA has compiled a long list of American online assets it sees as coveted targets for Russia's disruption and theft operations, including "COVID-19 research, governments, election organizations, health care and pharmaceutical, defence, energy, video gaming, nuclear, commercial facilities, water, aviation, and critical manufacturing."

"Russia has significant cyber capabilities and a demonstrated history of using them irresponsibly. This includes SolarWinds cyber compromise, COVID-19 vaccine development, Georgia's democratic process and NotPetya malware," Foreman told CBC.

Shotgun tactics

Dehghantanha said state-sponsored hackers are now shifting away from building the most sophisticated malware to employing more of a scattergun approach, one that involves installing simpler backdoors into a wide range of less well-defended infrastructure targets.

"Before 2020, we saw a lot of effort on building the best malware or the best wiper or the best exploits," he said. "The issue is, if your opponent discovers that malware, they know a lot about you, about your capabilities, all your investments.

"So if you come with the most advanced malware, it may take you two or three years of research and development. But from the moment it's deployed and you start causing the impact, it takes them only a couple of weeks to address it."

Hacktivists on the battlefield

Dehghantanha said Russian actors have had some success in the emerging field of "social cybersecurity," where hackers behave more like hacktivists.

"The cost of building fake content that looks very convincing to the wider public is quite low these days," he said. "And I am seeing a quick shift in the activities of the hacking groups in that direction. Instead of trying to impact the capital infrastructure or the IT infrastructure, we can impact the human beings and achieve the same result."

An example of such a "fake hacktivist" attack would be a disinformation campaign designed to sow panic in a particular village or district.

"They try to impact on that micro level," Dehghantanha said.

Ukraine also has warned that it may not have felt the full effects of Russian hacking yet.

The country's top cyber official Victor Zhora said recently that Russia stole Ukrainian government data to give its forces a list of targets for arrest or murder in the occupied zones. He said he fears that data is already being used.

Underbelly remains soft

Canada remains vulnerable, said Dehghantanha, "especially the soft bellies of critical infrastructure like water treatment systems, the agricultural sector, any single supply chain and, of course, pipelines."

More and more, hostile actors have been seeding malware in advance with a view to attacks months or years in the future. Dehghantanha said Canada should tighten its requirements for private companies that manage critical infrastructure.

The Pickering nuclear plant east of Toronto on August 18, 2003. Power infrastructure is considered a key target for cyberattacks by hostile actors. (Kevin Frayer/The Canadian Press)

"We need to change our policy from blacklisting to whitelisting, which means instead of telling you that you cannot install A, B and C, and anything else is allowed, we need to say you can only work with A, B and C and nothing else is allowed," he said.

"There is no way, no resources for the nation to monitor everything. So it is better that we just limit ourselves to specific suppliers, to a specific product that we know."

Balance can shift quickly

Foreman said the CSE is in constant contact "with Canadian critical infrastructure partners via protected channels," beyond what is seen in its public advisories.

"Now is the time to take defensive action and be proactive," he added.

That means isolating critical systems from the internet, creating and testing backups and testing manual controls to ensure critical systems still function when networks fail, he said.

Dehghantanha said he's reluctant to downplay the threat posed by Russia merely because it has underwhelmed in Ukraine.

"The cyber war is not like a balance where you can say that I have bigger guns or more airplanes, so I am superior. It is not the case at all here," he said.

"You could have just ten fantastic cyber attackers that could build an exploit and get access to that critical infrastructure, and they make a significant change."