

Keanna Grelicha, CICYBER Team

Week of Monday, March 7, 2022

Demetrios Giannakaris, Senior Editor

Anonymous Emblem[1]

Russia has been using a hybrid warfare strategy against Ukraine consisting of cyber warfare, such as cyberattacks and disinformation campaigns, alongside conventional military action like on-the-ground troops.[2] An unknown State-sponsored cyber group targeted Ukrainian government agencies and Critical Information Infrastructure (CII), like networks and databases, with a data-wiping malware named WhisperGate which removed and overrode data on the targeted operating system (OS).[3] The cyberattacks on Ukrainian government agencies will very likely lead to the theft of sensitive information from Ukrainian servers, likely allowing for continued breaches and data theft if the OS becomes inoperable. Anonymous, an international hacker group, conducted cyberattacks against Russia soon after Ukraine requested the defense of its cyberinfrastructure.[4] The danger of country-versus-country cyber warfare will almost certainly increase, putting the involved countries’ populations at risk of cyberattacks if State-sponsored cyber groups or other countries get directly involved. The increase of cyber warfare will almost certainly impact other countries’ cyberinfrastructure if other State-sponsored cyber groups or threat actors engage.

Russian State-sponsored cyber groups used WhisperGate malware to attack Ukrainian government agencies and banks during the Russian invasion.[5] The cyberattacks on Ukrainian government agencies will very likely lead to the theft of sensitive information from Ukrainian servers and OS, likely leading to continued breaches if they become inoperable. If threat actors continue implementing Distributed Denial of Service (DDoS) attacks, they could very likely use an undetected backdoor access point on Ukrainian servers to collect data and re-enter the systems in future assaults. DDoS attacks target multiple connected devices, allowing the attacking group to flood the system with malware and create traffic within the target’s OS.[6] Threat actors seeking government data will likely use cyberattacks against Ukrainian CII, likely creating more vulnerabilities within Ukraine’s cyberspace. Vulnerabilities, like open entry points or lack of firewall protection due to CII damage, will very likely allow threat actors to infiltrate Ukrainian government infrastructures by accessing servers with limited system protection. Ukrainian servers will very likely become inaccessible due to cyberattacks, likely leaving Ukraine’s cyber capabilities unable to add software firewall protection or perform counter-attacks.

The cyber group Anonymous conducted cyberattacks against the Kremlin in Russia, the Russian State Duma, and the Ministry of Defense of the Russian Federation, leaving their critical information database inaccessible.[7] Anonymous is known for conducting cyberattacks against Western government agencies and infrastructure, and the Islamic State (ISIS).[8] Anonymous’ cyberattacks on Russian cyber infrastructure almost certainly follow the group’s trend of targeting government agencies and infrastructure to undermine a country’s cyber capabilities. If Anonymous continues to claim attacks against the Russian government, other international or individual hacker groups could very likely contribute to the cyber warfare between Russia and Ukraine. If other hacker groups involve themselves in the invasion, non-State actors that support Russia will likely contribute to the cyber warfare and retaliate against the hacker groups. If cyber warfare escalates, it could very likely involve non-State hacker groups from other countries conducting cyberattacks against other entities. This escalation could likely lead to a cyberwar among different hacker groups stemming from the Russian-Ukraine invasion.

Anonymous and other hacker groups’ cyberattacks could escalate the conflict if they continue targeting Russia in retaliation for cyberattacks against Ukraine and Western countries.[9] The ability of hacker groups to attack Russian government infrastructure very likely demonstrates the capabilities of more groups to target Russian agencies and get involved with the invasion. Increased involvement could very likely lead to an increase in State-sponsored cyberattacks against other threat actors and Ukraine, which would very likely lead to further military and cyber confrontations. Continued military and cyber confrontation will very likely result in other threat actors targeting Ukraine to weaken the country’s critical infrastructure. Increased military confrontation will almost certainly impact Ukraine’s population if Russia gains significant control of Ukrainian critical infrastructure such as energy-producing nuclear power plants. Attacking physical infrastructure necessary to the population will very likely lead Ukraine to request aid to respond to Russia militarily and protect local Ukrainian communities. External military aid will almost certainly advance Ukrainian military capabilities, leading to Ukraine likely stalling Russian military confrontations to develop peace talks.

Anonymous used DDoS attacks to flood Russian government entities’ OS with irregular data traffic to shut down the servers.[10] Anonymous developed a website permitting other cyber groups to help with the DDoS attacks by spamming Russian contact information listed on the website’s database.[11] DDoS attacks shutting down Russian OS will very likely create vulnerabilities in Russia’s cyberspace, like impeding Internet and server communications on software programs within the government’s CII, which will very likely allow for other attacks on the disrupted servers. Server communication problems and software vulnerabilities will very likely force Russia to focus its efforts on mitigating the impacts. These issues will very likely provide Ukraine with the timeframe to improve its cyber capabilities of defense tactics like network patches and risk assessments to protect its CII. This will likely allow Ukraine to defend its cyberspace from cyberattacks and retaliate against threat actors with cyberattacks. Anonymous targeting Russian strategic sectors, such as Russian government websites, will very likely leave entry points in the servers accessible for future use to exploit vulnerabilities and conduct cyberattacks as the conflict continues.

After Anonymous claimed credit for the cyberattacks on Russian entities, a malware attack using a new data wiper called HermeticWiper targeted a Ukrainian financial institution.[12] State-on-State cyber warfare is likely to occur as State-sponsored cyber groups target other countries' infrastructure and likely contribute to escalating the Russian-Ukraine conflict. If cyber groups like Anonymous do not claim the cyberattacks, Russia could very likely perceive that other countries who threatened Russian CII in the past and those opposing the invasion are very likely conducting the unclaimed attacks. Russia used a video showing a fake Ukrainian civilian attack against Russia to the international community as a pretext for the invasion.[13] Using disinformation will very likely be replicated by other threat actors or cyber groups to pursue non-state or state targets they deem threats. Involving other countries will very likely negatively impact Russia’s ability to effectively invade Ukraine as opposing countries will very likely assume defensive and retaliatory positions to stop the invasion via cyber warfare. Continuous cyber warfare will very likely set a precedent for future conflicts in conducting hybrid warfare strategies when retaliating against other countries to undermine their cybersecurity.

Iran has expressed interest in strengthening ties with Russia and defending Russia’s stance on security in the region after the EU and US imposed economic sanctions on Russia.[14] The economic sanctions imposed on Russia limit financial measures of investments, trade, and Russian financial institutions, while also freezing assets of Russian government officials and oligarchs.[15] The decrease of financial resources from trade and investments to support the Russian government and economy almost certainly impedes Putin's invasion plans. Threats to Russia’s cyberspace and the sanctions’ impact on the Russian economy will very likely encourage Russia to seek alliances with other countries, like Iran or China, to aid them in supporting their economy. Potential Chinese assistance in monetary funding and fiscal agreements would very likely help Russia sustain the negative financial impact of the sanctions.

The US Department of Homeland Security (DHS) and the US Cybersecurity Infrastructure Security Agency (CISA) advised government agencies and private institutions to “Shield Up,” meaning update their security practices and policies and protect their backups and data due to the continued Russian cyberattacks.[16] The cyberattacks on Ukraine could very likely be replicated in the cyberspaces of countries that supported Ukraine or sanctioned Russia. Without proper cybersecurity measures in practice, organizations will almost certainly be vulnerable to cyberattacks as they will lack the appropriate mechanisms to mitigate the impact. Google’s YouTube platforms[17] and Facebook implemented restrictions that limit and ban posts from Russian State news agencies like RIA Novosti and mark the content from those agencies as unreliable.[18] The banning of pro-Kremlin content will very likely prompt responses targeting these social media platforms in future cyberattacks. The threat of cyberattacks will very likely garner a protective response from the platforms’ founding country as a cyberattack on the platforms will very likely threaten the country’s population if individuals’ personal data is stolen or used for identity theft to collect further intelligence.

The Counterterrorism Group (CTG) recommends that Ukraine implement State-centric cyber policies concerning cyberspace security. The State-centric cyber policies should almost certainly include regularly conducted threat and risk assessments to determine the system vulnerabilities and update protocols and network security. Implementing these policies will almost certainly allow for capacity-building of cyber defensive and offensive capabilities like firewall prevention measures and anti-virus and anti-malware systems to target irregular traffic within an OS. Firewall prevention measures will almost certainly allow for the defensive protection of the OS to secure data traffic flows within the servers of the CII. The anti-virus and anti-malware systems will almost certainly act as offensive measures to target irregular activity and respond in retaliation to an attack on the OS. The policies will almost certainly help improve current cyber capabilities within Ukrainian CII and increase the country’s security in cyberspace to effectively prevent and mitigate Russian cyberattacks.

The CTG’s Counterintelligence and Cyber (CICYBER) Team will continue to monitor the development of cyber warfare amid the Russian invasion of Ukraine. The CICYBER Team will continue to evaluate existing countermeasures to cyber policies and capabilities that Ukrainian institutions could very likely implement to deter and mitigate attacks from Russian entities. The CTG’s Worldwide Analysis of Threats, Crime, and Hazards (W.A.T.C.H) Officers will remain vigilant on reported cyber threats made by state-sponsored groups or independent cyber actors to help monitor the situation. The CICYBER Team's collaboration with CTG’s EUCOM Team will effectively monitor the regional conflict as both teams will provide analysis and recommendations if cyber warfare increases during the conflict.


The Counterterrorism Group (CTG)

[2] What is hybrid war, and is Russia waging it in Ukraine?, The Economist, February 2022,

[3] New data-wiping malware used in destructive attacks on Ukraine, Bleeping Computer, February 2022,

[4] Anonymous: the hacker collective that has declared cyberwar on Russia, The Guardian, February 2022,

[5] New data-wiping malware used in destructive attacks on Ukraine, Bleeping Computer, February 2022,

[6] Distributed Denial of Service (DDoS), Imperva, 2022,

[7] Anonymous: the hacker collective that has declared cyberwar on Russia, The Guardian, February 2022,

[8] Ibid

[9] Anonymous news – live: Hacking attacks and cyber warfare could lead Russia to cut itself off from the internet, The Independent, March 2022,

[10] Anonymous: the hacker collective that has declared cyberwar on Russia, The Guardian, February 2022,

[11] Anonymous leaks database of the Russian Ministry of Defense, Cybernews, February 2022,

[12] Anonymous: the hacker collective that has declared cyberwar on Russia, The Guardian, February 2022,

[13] Russia plans ‘very graphic’ fake video as pretext for Ukraine invasion, US claims, The Guardian, February 2022,

[14] As the world shuns Russia over its invasion of Ukraine, Iran strengthens its ties with Moscow, Atlantic Council, March 2022,

[15] What sanctions are being imposed on Russia over Ukraine invasion?, BBC, April 2022,

[16] Cyber officials urge agencies to armor up for potential Russian attacks, The Hill, February 2022,

[17] Anonymous: the hacker collective that has declared cyberwar on Russia, The Guardian, February 2022,

[18] Russia partially restricts access to Facebook to ‘protect Russian media’, The Guardian, February 2022,


