Russia’s Spring Offensive in Ukraine Could Include Cyberattacks, Microsoft Says

WASHINGTON — A hacking group with ties to the Russian government appears to be preparing new cyberattacks on Ukraine’s infrastructure and government offices, Microsoft said in a report on Wednesday, suggesting that Russia’s long-anticipated spring offensive could include action in cyberspace, as well as on the ground.

The report also said that Russia appears to be stepping up influence operations outside Ukraine, in a push to weaken European and American support for continuing military aid, intelligence sharing and other assistance to the Ukrainian government. The effort would come as a faction in the Republican Party — and some in the Democratic Party — argues that supporting Ukraine is not a core interest for the United States.

For now Russia’s main influence campaign is concentrated in Europe, but it will shift to the United States “as the year gets closer to a presidential election debate going into fall,” said Clint Watts, the head of Microsoft’s Digital Threat Analysis Center.

Since before the war began a year ago, Russia’s efforts to use its considerable cybercapabilities against Ukraine, and its failure to cripple the government in ways American officials had expected, have been a subject of intense study, and some mystery.

Evidence amassed in recent months shows that Russia often tried to coordinate cyberattacks with physical attacks on the Ukrainian power grid and other targets. But the Ukrainians were often a step ahead of Moscow, and had backup systems in place or rigged new ones, including moving much of the country’s digital operations to the cloud.

Microsoft’s report carries significant weight because the company’s warnings of pending cyberattacks in the run-up to the war were largely accurate. But it also suggests that Russia’s digital warriors, many of whom are linked to the country’s intelligence services, are trying anew in the second year of the war.

In recent months, senior U.S. officials have begun discussing their efforts in late 2021 to help bolster Ukrainian cyberdefenses and a rush to move the operation of government agencies to the cloud in the weeks after the invasion began. That minimized the damage Russia was able to inflict — and allowed President Volodymyr Zelensky of Ukraine to broadcast messages on the internet each day to rally citizens in the fight.

Microsoft said it believed that a group with ties to Russia that it had tracked was conducting actions that could “be in preparation for a renewed offensive,” including reconnaissance, access operations and  data-erasing “wiper” malware, much as hackers did in the opening days of last year’s invasion.

“There is an uptick of trying to gain entry to government targets, trying to gain entry to the critical infrastructure targets to then try and use destructive or modified ransomware attacks,” Mr. Watts said.

Ukrainian officials say they are seeing more than 10 cyberattacks per day, with Russian hackers focused on the energy sector, logistic facilities, military targets and government databases.

“We monitor risks and threats in real time 24/7,” Ilia Vitiuk, the head of the cybersecurity department at the Security Service of Ukraine, known as the S.B.U., said in a statement. “We know by name most of the hackers from the Russian special services working against us.”

But even as Russian cyberoperations appear poised to intensify, Ukrainian defenses, at least for now, remain strong, according to U.S. and Ukrainian officials.

The United States and its allies have at times guided Ukraine’s own cyberforces on how to counterattack against groups seeking to cripple its systems. U.S. officials, though, have provided few details, just as they have declined to talk about the information they give Ukraine to help target its missile and artillery systems.

Mr. Watts said Microsoft’s research showed that Ukrainians had also become more resilient against Russian propaganda and that interest in Russian news sites among Ukrainians fell drastically as the war went on.

Russia has instead turned the focus of its influence operations to Ukrainian refugees in Poland and other countries. Moscow has also targeted NATO audiences, trying to erode support for the war.

“The decisive point for their influence operations now is Western Europe,” Mr. Watts said. “They are trying to use active measures to undermine support for Ukraine in Western Europe.”

For now, Germany remains the most decisive battlefield for Russian influence operations, with Moscow hoping to make it more difficult for Berlin to keep sending additional military aid to Ukraine.

Russian propagandists, according to Microsoft and U.S. officials, have been pushing narratives blaming allied support for Ukraine for driving up inflation and energy prices.

While the effectiveness of influence campaigns is hard to judge, by some measures those efforts have been more successful than cyberattacks.

Russia tried to conduct many cyberattacks on the Ukrainian energy grid last year. But Ukrainian defenders neutralized hundreds of attacks on the energy facilities, and only 30 became critical incidents causing disruption, Mr. Vitiuk said.

Russia’s sustained campaign of missile and drone attacks on the electric infrastructure has also proved far more effective than cyberattacks, plunging much of the country into cold and darkness for days at a time.

Even where cyberattacks on the electric grid succeeded, Mr. Watts said, “Ukraine was very capable of coming back very quickly.”