Microsoft’s report reveals how Russia is waging cyber war against Ukraine (and the whole Western world)

Microsoft has published a new intelligence report, Defending Ukraine: Early Lessons from the Cyber War, which describes the threat landscape in the ongoing cyber war against Ukraine and the whole Western world. AIN.Capital has selected the most interesting findings, which explain why it is important to help Ukraine defend itself in order to save democracy and liberty all around the world.

Brief overview

  • The Russian invasion relies in part on a cyber strategy that includes at least three distinct and sometimes coordinated efforts—destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world.
  • On several occasions the Russian military has coupled its cyberattacks with conventional weapons aimed at the same targets in Ukraine.
  • Microsoft detected Russian network intrusion efforts on 128 organizations in 42 countries outside Ukraine. Most of the efforts of Russian cyber troops were concentrated on the strongest allies of Ukraine: the United States, Poland, Baltic countries, Scandinavia, and Turkey.
  • Since the start of the war, the Russian targeting has been successful 29 percent of the time.
  • The report also unveils details about sophisticated and widespread Russian foreign influence operations being used, among other things, to undermine Western unity and bolster Russia’s war efforts.
  • Many Russian cyber influence operations currently go for months without proper detection, analysis, or public reporting.

Cyber War in Ukraine

While most reports state that the war in Ukraine started on February 24 of this year, in fact the first cyberattacks were fired the day before. The first weapon to be fired was the wiper software that we call “Foxblade.” Microsoft’s Threat Intelligence Center (MSTIC) has detected its launch against 19 government and critical infrastructure entities across Ukraine. It was developed and launched by the same group associated with Russian military intelligence that developed and launched the NotPetya attack against Ukraine in 2017.

Since the war began, MSTIC has detected multiple attempts to use eight distinct malware programs—some wipers and some other forms of destructive malware—against 48 different Ukrainian agencies and enterprises.

On several occasions the Russian military has coupled its cyberattacks with conventional weapons aimed at the same targets. Like the combination of naval and ground forces long used in an amphibious invasion, the war in Ukraine has witnessed Russian use of cyberattacks to disable computer networks at a target before seeking to overrun it with ground troops or aerial or missile attacks.

Russia attacks the whole World

As a coalition of countries has come together to defend Ukraine, Russian intelligence agencies have stepped up their network penetration and espionage activities targeting governments outside Ukraine. Not surprisingly, this increase appears to be most focused on obtaining information from inside the governments that are playing critical roles in the West’s response to the war.

Since the war began, MSTIC has detected Russian network intrusion efforts on 128 targets in 42 countries outside Ukraine.

While these targets are spread around the globe, 63 percent of this observed activity has involved NATO members.

  • Russian cyber espionage efforts have focused on targets in the United States more than any other country, with American targets representing 12 percent of the global total outside Ukraine.
  • At the top of this list is Poland, where the delivery of a majority of military and humanitarian aid is coordinated, with 8 percent of intrusions.
  • The Baltic countries of Latvia and Lithuania represent a combined 14 percent of total intrusions outside Ukraine. (In contrast, in Estonia, the third Baltic border country, which has adopted cloud services, we’ve detected no Russian cyber intrusions since the onset of the Ukraine war.)
  • Russian cyber activities have also actively targeted Denmark, Norway, Finland, and Sweden. These collectively represent nearly 16 percent of all the observed Russian attacks globally.

Since the start of the war in Ukraine, MSTIC’s detections have found that Russian actors have been successful 29 percent of the time. In a quarter of these successful intrusions, MSTIC identified incidents that led to the successful exfiltration of an organization’s data.

Russian Cyber Influence Operations

Russian agencies are deploying cyber influence operations that are designed to support Russia’s war aims. These involve sophisticated and coordinated efforts to use digital technologies and the internet to create and spread false narratives to advance multiple goals.

The Soviet Union long invested in and even excelled in sowing doubt, chaos, or confusion in other countries. One of numerous examples involved work in the early 1980s to blame the United States for the spread of AIDS. In July of 1983, an anonymous letter appeared in The Patriot, an obscure Indian newspaper. The letter stated that the United States was moving its lab operations to Pakistan, thus putting the Indian people at greater risk.

To support the war in Ukraine, the Russian government is deploying a new generation of technology and tactics to support cyber influence operations. And, unfortunately, especially when pursued with patience and persistence, these cyber influence operations are almost perfectly positioned to take advantage of the longstanding openness of democratic societies and the public polarization that is characteristic of current times.

The Russian government is currently deploying expanding cyber influence operations to support its war efforts in Ukraine. These appear to be focused on four distinct audiences.

  • They target the domestic Russian population with the goal of sustaining support for the war by portraying Ukraine’s military as responsible for the conflict.
  • They target the Ukrainian population with the goal of undermining confidence in the country’s willingness and ability to withstand Russian attacks.
  • They target American and European audiences to diminish Western unity and deflect criticism of Russian military war crimes.
  • And they target nonaligned countries to support Russian efforts at the United Nations and in other venues, combining longstanding narratives demonizing democracy and Western intentions with emerging efforts to blame the West for potential food shortages.

Agencies across the Russian government are targeting each audience in textbook fashion through cyber influence operations. 

The tactics developed by the KGB over several decades are nowadays combined with new digital technologies and the internet to give foreign influence operations a broader geographic reach, higher volume, more precise targeting, and greater speed and agility. 

For instance, this approach was applied beginning in late 2021 to support the Russian false narrative around purported bioweapons and biolabs in Ukraine. This narrative was first uploaded to YouTube on November 29, 2021, as part of a regular English-language show by a Moscow-based American expatriate who claimed that US-funded biolabs in Ukraine were connected to bioweapons. The story went largely unnoticed for months.

On February 24, 2022, just as Russian tanks crossed the border, this narrative was sent into battle. A data analytics team at Microsoft has identified 10 Russian-controlled or influenced news sites that simultaneously published reports on February 24 pointing back to “last year’s report” and seeking to give it credence. Russian-sponsored teams then worked to amplify the narrative on social media and internet sites more broadly.

The two graphs below show that consumption of narratives from Russian-controlled and -sponsored sites across the internet rose sharply in both Ukraine and the United States in the initial weeks after the war began. The surge in Ukraine represents an increase of 216 percent, while the spread of Russian propaganda in the United States increased by 82 percent.

Using internet data and these techniques, it’s also possible to identify the social media, search, and other sites that are being used to encourage and channel traffic to these stories. And it’s possible to identify, as shown below, the specific reports and narratives that attain the highest consumption levels in specific geographies and time periods.

Conclusions

The lessons from Ukraine call for a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations. As the war in Ukraine illustrates, while there are differences among these threats, the Russian government does not pursue them as separate efforts and we should not put them in separate analytical silos. In addition, defensive strategies must consider the coordination of these cyber operations with kinetic military operations, as witnessed in Ukraine.

  • The first defensive tenet should recognize that Russian cyber threats are being advanced by a common set of actors inside and outside the Russian government and rely on similar digital tactics. As a result, advances in digital technology, AI, and data will be needed to counter them.
  • Reflecting this, a second tenet should recognize that unlike the traditional threats of the past, cyber responses must rely on greater public and private collaboration.
  • A third tenet should embrace the need for close and common multilateral collaboration among governments to protect open and democratic societies.
  • And a fourth and final defensive tenet should uphold free expression and avoid censorship in democratic societies, even as new steps are needed to address the full range of cyber threats that include cyber influence operations.

The war in Ukraine provides not only lessons but a call to action for effective measures that will be vital to the protection of democracy’s future.

Check out the full version of the report, Defending Ukraine: Early Lessons from the Cyber War.
