Why Russia Hasn’t Launched Major Cyber Attacks Since the Invasion of Ukraine

In the relatively short and rapidly evolving history of cyber conflict, perhaps nothing has been established with greater certainty and more widely accepted than the idea that Russia has significant cyber capabilities and isn’t afraid to use them—especially on Ukraine. In 2015, Russian government hackers breached the Ukrainian power grid, leading to widespread outages. In 2017, Russia deployed the notorious NotPetya malware via Ukrainian accounting software and the virus quickly spread across the globe costing businesses billions of dollars in damage and disruption. In the months that followed the NotPetya attacks, many people speculated that Ukraine served as a sort of “testing ground” for Russia’s cyberwar capabilities and that those capabilities were only growing in their sophistication and reach.

As tensions escalated between Russia and Ukraine, many people were expecting the conflict to have significant cyber components—the United States Department of Homeland Security even issued a warning to businesses to be on high alert for Russian cyberattacks, as did the U.K.’s National Cyber Security Centre. What is surprising is that—so far, at least—the devastating Russian cyberattacks everyone has been expecting have yet to materialize. There’s no guarantee, of course, that a large-scale cyberattack on Ukraine’s electrical grid or global banks or anything else isn’t just around the corner. Russia has proven time and again that it has few compunctions about targeting critical infrastructure and causing considerable collateral damage through acts of cyber aggression.

But as the invasion continues with few signs of any sophisticated cyber conflict, it seems less and less likely that Russia has significant cyber capabilities in reserve, ready to deploy if needed. Instead, it begins to look like Russia’s much vaunted cyber capabilities have been neglected in recent years, in favor of developing less expensive, less effective cyber weapons that cause less widespread damage and are considerably easier to contain and defend against. For instance, many of the cyberattacks directed at Ukraine in the past month have been relatively basic distributed denial-of-service attacks, in which hackers bombard Ukrainian government websites and servers with so much online traffic that those servers cannot respond to legitimate users and are forced offline for some period of time. Denial-of-service attacks can be effective for short-term disruptions but they’re hardly a new or impressive cyber capability—in fact, they’re what Russia used to target Estonia more than a decade ago in 2007. Moreover, launching these types of attacks requires no sophisticated technical capabilities or discovery of new vulnerabilities, and they typically have fairly contained impacts on the specific, targeted computers. Similarly, recent reports that Belarusian hackers are trying to phish European officials using compromised accounts belonging to Ukrainian armed services members suggests that not only are these efforts relying on fairly basic tactics like phishing emails, they are not even being carried out by Russian military hackers directly.

Read More: The World Is Watching Russia Invade Ukraine. But Russian Media Is Telling a Different Story

Somewhat more worryingly, Russia has also used wiper malware to delete data held by Ukrainian government agencies and Microsoft has also reportedly detected wiper programs attributed to Russia in recent weeks and shared that information with the U.S. government as well as other countries concerned about Russian cyberattacks. NotPetya was a form of wiper malware and its ability to delete data caused massive damage, so the discovery of new Russian wipers is certainly cause for concern. But unlike NotPetya, the wiper programs that have been the focus of the latest wave of alerts—including the FoxBlade program identified by Microsoft—have shown little ability to spread quickly via common, difficult-to-patch vulnerabilities like the EternalBlue vulnerability in Microsoft Windows that NotPetya exploited back in 2017.

It’s likely that the combined efforts of Microsoft, the U.S., and many other countries and companies to ramp up cyber defenses both in and outside of Ukraine has undoubtedly helped curb the damage caused by these efforts. But if Russia really had on hand a stockpile of previously undetected vulnerabilities and sophisticated malware designed to exploit them, these lines of defense simply would not be enough to prevent some significant damage and disruption. Updating critical infrastructure networks and systems is slow, expensive, complicated work and it’s impossible that every potential target has been hardened to the point where it is no longer vulnerable to Russian cyberattacks—unless those cyberattacks were never all that impressive to begin with.

Moreover, many of the early theories for why Russia might have voluntarily abstained from more serious cyberattacks look increasingly implausible as the conflict continues for an extended period. For instance, one explanation for why Russia left Ukrainian electricity distribution and communication networks intact was that Putin wanted the rest of the world to see Russia’s swift, decisive victory in Ukraine via a steady stream of images and videos that might have been hampered by such an attack. But as it becomes increasingly clear that no swift, decisive victory is forthcoming, it makes less sense that Russia would continue to leave that infrastructure untouched unless they were truly unable to take it out. This interpretation seems further supported by the Russian decision to strike a TV tower in Kyiv, rather than trying to disrupt media and communications systems more effectively and less violently via cyber capabilities.

Read More: Ukraine’s Secret Weapon Against Russia: Turkish Drones

Given Russia’s past willingness to deploy cyberattacks with far-reaching, devastating consequences, it would be a mistake to count out their cyber capabilities just because they have so far proven unimpressive. And it’s all but impossible to prove the absence of cyber weapons in a nation’s arsenal. But the longer the conflict goes on without any signs of sophisticated cyber sabotage, the more plausible it becomes that the once formidable Russian hackers are no longer playing a central role in the country’s military operations—whether because they no longer have the resources they once did to purchase and develop tools for computer intrusion and exploitation, or because the government can no longer attract and retain technical talent, or simply because Russia has decided that cyberattacks, for all the damage they can do, are not an effective means of achieving its larger goals in Ukraine.

Of course, even if Russia has no particularly sophisticated cyber weapons to fall back on right now, that doesn’t mean they won’t go on to develop some new ones in the future. But the current lack of any significant cyber conflict is an important reminder of how little we actually know about any country’s cyber capabilities. Many of our beliefs about which countries have the most impressive hacking tools and Russia’s cyber dominance are based on incidents several years in the past—and an awful lot can change in just a few years.