Ukraine's cyber front: Analyzing Russia's relentless digital assault

April 21, 2026 · 6 min read · 6 sources

The shadow war behind the headlines

Daily threads on platforms like Reddit document the grim reality of Russia's ground invasion of Ukraine, but behind the kinetic conflict rages a parallel, less visible war. This is the cyber front, a battleground where Russia has been active for years, using Ukraine as a testing ground for some of the most destructive digital weapons ever created. Long before the full-scale invasion in February 2022, Russian state-sponsored actors were systematically targeting Ukraine's critical infrastructure, demonstrating a clear strategy of hybrid warfare where digital disruption is synchronized with military objectives.

The first major warning shots were fired in 2015 and 2016, when the Sandworm group, linked to Russia's GRU military intelligence, successfully attacked Ukraine's power grid. Using malware like BlackEnergy and the highly specialized Industroyer, they were able to remotely trip circuit breakers, plunging hundreds of thousands of civilians into darkness during winter. These were not mere disruptions; they were precedents, proving that cyberattacks could have direct, physical consequences on a civilian population.

A diverse arsenal of digital weapons

Russia's cyber operations against Ukraine are characterized by their diversity and sophistication. The primary goal often appears to be pure destruction, achieved through a class of malware known as “wipers.” Unlike ransomware, which encrypts data and demands payment for its release, wiper malware is designed simply to erase data and render computer systems permanently unusable. Its only purpose is to cause chaos and paralysis.

In the weeks and hours leading up to the February 2022 invasion, Ukrainian networks were hit by a wave of these destructive tools. First came WhisperGate, a multi-stage wiper that masqueraded as ransomware, followed by HermeticWiper, which was deployed just hours before tanks crossed the border. HermeticWiper targeted the Master Boot Record (MBR) of infected systems, the crucial part of a hard drive that allows a computer to start up, effectively bricking the machines.
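Because HermeticWiper's signature was overwriting the first sector of the disk, one practical defensive check is to record a hash of the known-good MBR and periodically compare the live first sector against it, flagging a missing 0x55AA boot signature or an emptied partition table. The following Python is an added example written for this article, not code from the article's sources or from any named vendor; it parses the classic 512-byte MBR layout (partition table at offset 446, boot signature at bytes 510-511) and runs the check against a constructed sample sector rather than a real device. The `read_mbr` helper is an assumption about how a deployment would obtain the sector; the sample partition values are made up.

```python
import hashlib
import struct

MBR_SIZE = 512                 # a classic MBR occupies the first sector of the disk
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries start here
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four partition entries: status, type, start LBA, sector count."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # B=status, 3x=CHS start, B=type, 3x=CHS end, I=LBA start, I=sector count (little-endian)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def record_baseline(mbr: bytes) -> str:
    """SHA-256 of a known-good MBR; keep it off-host, since a wiper destroys local copies too."""
    return hashlib.sha256(mbr).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Compare a freshly read first sector against the recorded baseline and report what changed."""
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    digest = hashlib.sha256(mbr).hexdigest()
    if digest != baseline_sha256:
        findings.append("MBR hash differs from baseline")
    try:
        if all(p["type"] == 0 for p in parse_partition_table(mbr)):
            findings.append("partition table is empty")
    except ValueError as exc:
        findings.append(str(exc))
    return {"sha256": digest, "intact": not findings, "findings": findings}


def read_mbr(path: str) -> bytes:
    """Assumed deployment helper: read the first 512 bytes of a block device or disk image."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code, one bootable NTFS (type 0x07) partition, valid signature."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xeb\x3c\x90"  # constructed placeholder, not real boot code
    struct.pack_into("<B3xB3xII", mbr, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = record_baseline(good)
    print("known-good:", check_mbr(good, baseline))
    # Simulate the effect of a wiper zeroing the first sector, then re-check against the baseline.
    print("after wipe:", check_mbr(bytes(MBR_SIZE), baseline))
```

Run the check from a scheduled job that reads the sector with `read_mbr` and ships the result to a monitoring system; the baseline hash must live somewhere the host cannot alter, otherwise a wiper that reaches the disk also reaches the reference value. A GPT disk still carries a protective MBR in sector 0, so the signature check applies there too, though its partition table will show a single type 0xEE entry.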

Perhaps the most strategically significant cyberattack of the initial invasion was the strike against the Viasat KA-SAT satellite network. Just as Russian forces advanced, an attack using a targeted wiper called AcidRain disabled tens of thousands of satellite modems across Ukraine and Europe. This severed a vital communications line for the Ukrainian military and government at a critical moment. The collateral damage was significant, knocking out internet access for thousands of civilians and even affecting the remote monitoring of wind turbines in Germany. The attack was a textbook example of integrating cyber operations to support a conventional military campaign.

The threat actors behind these campaigns are well-known to intelligence agencies:

  • Sandworm (APT28): A unit of the GRU, this group is Russia’s most aggressive cyber warfare unit, responsible for the power grid attacks, the devastating NotPetya wiper of 2017, and numerous wipers used since 2022, including Industroyer2 and CaddyWiper.
  • Gamaredon (Primitive Bear): Linked to Russia’s FSB, this actor focuses on persistent espionage, data exfiltration, and maintaining long-term access to Ukrainian government and military networks.
  • APT29 (Cozy Bear): Associated with Russia's SVR foreign intelligence service, this group typically engages in stealthy, long-term espionage campaigns to gather intelligence.

Impact assessment: From Kyiv to the global supply chain

The targets of Russia’s cyberattacks span the entirety of Ukrainian society. Government ministries, banks, energy companies, telecommunication providers, and media outlets have all been subjected to disruptive Distributed Denial-of-Service (DDoS) attacks, espionage, and destructive wiper malware. The intent is to degrade Ukraine's ability to govern, communicate, and resist.

However, the impact has not been confined to Ukraine's borders. The 2017 NotPetya attack serves as a stark reminder of the potential for global spillover. Initially deployed against Ukrainian organizations via a compromised accounting software update, NotPetya’s worm-like capabilities allowed it to spread uncontrollably across the globe. It crippled multinational corporations like Maersk, Merck, and FedEx, causing an estimated $10 billion in damages worldwide. This incident demonstrated that a targeted cyber weapon can become an indiscriminate global catastrophe.

Despite the intensity of the digital onslaught, many analysts have noted Ukraine's remarkable cyber resilience. Bolstered by years of experience as a primary target and unprecedented support from Western governments and private tech companies, Ukraine's defenders have often been able to quickly restore services and thwart major strategic disruptions. This defensive success has been a critical, if underreported, part of the nation's overall resistance.

How to protect yourself

While most organizations and individuals are not direct targets of Russian state-sponsored attacks, the tactics, techniques, and procedures (TTPs) used in this conflict are a blueprint for cyberattacks everywhere. The global spread of NotPetya and the use of common vulnerabilities mean that collateral damage is a persistent risk. Adopting a strong defensive posture is essential.

For Organizations:

  • Patch Aggressively: Many of the most effective attacks, including NotPetya, exploited known vulnerabilities for which patches were available. Timely patch management is a foundational defense.
  • Enforce Multi-Factor Authentication (MFA): MFA makes it significantly harder for attackers to use stolen credentials to gain initial access to your network.
  • Segment Your Network: Isolate critical systems, especially Operational Technology (OT) and Industrial Control Systems (ICS), from your main corporate IT network. This can prevent an intrusion in one area from spreading to cripple core operations.
  • Maintain Immutable Backups: Keep multiple copies of critical data, with at least one offline and one immutable (unable to be altered or deleted). This is your last line of defense against both wipers and ransomware.
  • Plan and Drill: Develop an incident response plan and regularly test it through tabletop exercises so your team knows exactly what to do when an attack occurs.
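An immutable backup is only as good as the evidence that it still matches what was written, so the recovery drill should include verifying the copy against a manifest taken at backup time and stored in the immutable location alongside it. The Python below is an added example for this article, not code from any of its sources: it builds a manifest of SHA-256 digests for a backup tree, then diffs the tree against that manifest to report files that went missing, were altered, or appeared unexpectedly. The sample files and the simulated damage are constructed in a temporary directory so it runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Diff the backup tree on disk against the manifest recorded when the backup was taken."""
    current = build_manifest(root)
    missing = sorted(name for name in manifest if name not in current)
    altered = sorted(name for name in manifest if name in current and current[name] != manifest[name])
    unexpected = sorted(name for name in current if name not in manifest)
    return {"ok": not (missing or altered), "missing": missing,
            "altered": altered, "unexpected": unexpected}


def simulate_wiper_on_backup() -> dict:
    """Constructed scenario: manifest a small backup, verify it, damage the copy, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "ledger.csv").write_text("id,amount\n1,100\n")   # constructed sample data
        (root / "config.yaml").write_text("retention_days: 30\n")
        (root / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(root)
        manifest_json = json.dumps(manifest, sort_keys=True)   # this is what goes to the immutable store
        before = verify_backup(root, json.loads(manifest_json))

        # Damage resembling a wiper: one file overwritten with zeros, one deleted, one dropped in.
        (root / "config.yaml").write_bytes(b"\x00" * 64)
        (root / "db" / "ledger.csv").unlink()
        (root / "dropped.bin").write_bytes(b"\xff" * 8)
        after = verify_backup(root, json.loads(manifest_json))

        return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(simulate_wiper_on_backup(), indent=2))
```

Unexpected files do not fail the check on their own, since an extra file does not stop a restore, but they are reported because a backup location that is genuinely immutable should never acquire new content after the manifest was written. Run the verification from a host other than the one that produced the backup, so that a compromise of the source does not also compromise the verdict.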

For Individuals:

  • Practice Phishing Awareness: Be skeptical of unsolicited emails and messages, especially those creating a sense of urgency. Verify requests through a separate communication channel before clicking links or downloading attachments.
  • Use Strong, Unique Passwords: Combine a password manager with strong, unique passwords for every account. Enable MFA wherever it is offered.
  • Secure Your Connection: Disinformation is a key part of hybrid warfare. On public Wi-Fi, route your traffic through strong encryption from a reputable service, such as a VPN, to protect your data from eavesdroppers.

The war in Ukraine has solidified the role of cyber operations as an integral component of modern state conflict. It has provided a harrowing real-world demonstration of the threats to critical infrastructure and the potential for global contagion. The lessons learned from Ukraine's defense are not merely academic; they are an urgent call for organizations and nations everywhere to bolster their digital defenses against a determined and destructive adversary.


// FAQ

What is wiper malware and how is it different from ransomware?

Wiper malware is a type of malicious software designed to permanently erase or destroy data on a computer or network. Unlike ransomware, which encrypts data and demands a ransom payment for its recovery, the sole purpose of a wiper is destruction, with no option for data retrieval.

What was the Viasat satellite attack?

On February 24, 2022, the day of the full-scale invasion, Russian actors launched a cyberattack against the KA-SAT satellite network operated by Viasat. The attack used a wiper called AcidRain to disable tens of thousands of satellite modems, disrupting Ukrainian military communications and causing internet outages for civilians across Europe.

How has Ukraine defended itself against these cyberattacks?

Ukraine's cyber defense has been remarkably resilient due to several factors: years of experience from previous attacks, a hardened defensive posture, rapid incident response, and extensive support from international partners. This support includes intelligence sharing, threat analysis, and direct technical assistance from governments and major tech companies.

Could these types of cyberattacks affect other countries?

Yes, absolutely. The 2017 NotPetya attack is the prime example. It was targeted at Ukraine but spread globally, causing over $10 billion in damages to multinational corporations. This demonstrates that cyber weapons can be indiscriminate and that attacks on one nation's critical infrastructure can have cascading effects on the global supply chain and economy.

