WASHINGTON — For weeks after the outbreak of the war in Ukraine, American officials wondered about the weapon that seemed to be missing: Russia’s mighty cyberarsenal, which most experts expected would be used in the opening hours of an invasion to bring down Ukraine’s power grid, fry its cellphone system and cut off President Volodymyr Zelensky from the world.
None of that happened. But in a new study released Wednesday by Microsoft, it is now clear that Russia used its A-team of hackers to conduct hundreds of far more subtle attacks, many timed to coincide with incoming missile or ground attacks. And it turned out that, just as in the ground war, the Russians were less skillful, and the Ukrainians were better defenders, than most experts expected.
“They brought destructive efforts, they brought espionage efforts, they brought all their best actors to focus on this,” said Tom Burt, who oversees Microsoft’s investigations into the biggest and most complex cyberattacks that are visible through its global networks. But he also noted that while “they had some success,” the Russians were met with a robust defense from the Ukrainians that blocked some of the online attacks.
The report adds considerable subtlety to an understanding of the early days of the war, when the shelling and troop movements were obvious, but the cyberoperations were less visible — and more difficult to blame, at least right away, on Russia’s major intelligence agencies.
But it is now becoming clear that Russia used hacking campaigns to support its ground campaign in Ukraine, pairing malware with missiles in several attacks, including on TV stations and government agencies, according to Microsoft’s research. The report demonstrates Russia’s persistent use of cyberweapons, upending early analysis that suggested they had not played a prominent role in the conflict.
“It’s been a relentless cyberwar that has paralleled, and in some cases directly supported, the kinetic war,” Mr. Burt said. Hackers affiliated with Russia were carrying out cyberattacks “on a daily, 24/7 basis since hours before the physical invasion began,” he added.
Microsoft could not determine whether Russia’s hackers and its troops had merely been given similar targets to pursue or had actively coordinated their efforts. But Russian cyberattacks often struck within days — and sometimes within hours — of on-the-ground activity.
From the weeks leading up to the invasion through March, at least six Russian nation-state hacking groups launched more than 237 operations against Ukrainian businesses and government agencies, Microsoft said in its report. The attacks were often intended to destroy computer systems, but some also aimed to gather intelligence or spread misinformation.
Although Russia routinely relied on malware, espionage and disinformation to further its agenda in Ukraine, it appeared that Moscow was trying to limit its hacking campaigns to stay within Ukraine’s borders, Microsoft said, perhaps in an attempt to avoid drawing NATO countries into the conflict.
The attacks were sophisticated, with Russian hackers often making small modifications to the malware they used in an effort to evade detection.
“It’s definitely the A-team,” Mr. Burt said. “It’s basically all of the key nation-state actors.”
Still, Ukrainian defenders were able to thwart some of the attacks, having become accustomed to fending off Russian hackers after years of online intrusions in Ukraine. At a news conference on Wednesday, Ukrainian officials said they believed Russia had brought all of its cybercapabilities to bear on the country. Still, Ukraine managed to fend off many of the attacks, they added.
Microsoft detailed several attacks that appeared to show parallel cyberactivity and ground activity.
On March 1, Russian cyberattacks hit media companies in Kyiv, including a major broadcasting network, using malware aimed at destroying computer systems and stealing information, Microsoft said. The same day, missiles destroyed a TV tower in Kyiv, knocking some stations off the air.
The incident demonstrated Russia’s interest in controlling the flow of information in Ukraine during the invasion, Microsoft said.
A group affiliated with the GRU, a Russian military intelligence agency, hacked into a government agency’s network in Vinnytsia, a city southwest of Kyiv, on March 4. The group, which was previously linked to the theft of emails related to Hillary Clinton’s 2016 presidential campaign, carried out phishing attacks against military officials and regional government employees that were intended to steal passwords to their online accounts.
Russia-Ukraine War: Key Developments
The hacking attempts represented a pivot for the group, which typically focuses its efforts on national offices rather than regional governments, Microsoft said.
Two days after the phishing attempts, Russian missiles struck an airport in Vinnytsia, damaging air traffic control towers and an aircraft. The airport was not near any areas of ground fighting at the time, but it did have some Ukrainian military presence.
Russian hackers and troops appeared to move in concert yet again on March 11, when a government agency in Dnipro was targeted with destructive malware, according to Microsoft, while government buildings in Dnipro were hit by strikes.
Parallels also emerged between Russian disinformation campaigns that spread false rumors about Ukraine developing biological weapons and the targeting of nuclear facilities in Ukraine. In early March, Russian troops captured the Zaporizhzhia nuclear facility, Europe’s biggest nuclear power plant. During the same period of time, Russian hackers worked to steal data from nuclear power organizations and research institutions in Ukraine that could be used to further disinformation narratives, Microsoft said.
One of the groups, which is affiliated with Russia’s Federal Security Service and has a history of targeting companies in the energy, aviation and defense sectors, was able to steal data from a Ukrainian nuclear safety organization between December and mid-March, Microsoft said.
By the end of March, Russian hackers were beginning to pivot their focus to eastern Ukraine, as the Russian military began to reorganize troops there. Little is known about hacking campaigns backed by Russia that occurred during April, as investigations into many of those episodes continue.
“Ukrainians themselves have been better defenders than was anticipated, and I think that’s true on both sides of this hybrid war,” Mr. Burt said. “They’ve been doing a good job, both defending against the cyberattacks and recovering from them when they are successful.”