By Dustin Volz in Washington and Robert McMillan in San Francisco
Ukrainian and Western intelligence officials feared Moscow's elite corps of state-sponsored hackers would launch crippling cyberattacks to complement its invasion of Ukraine. Instead, the cyberwar has been something closer to Internet trench warfare: a grinding conflict of relentless, if sometimes unsophisticated, attacks that have taken casualties but had limited impact on the course of the fight.
Some attacks have been bothersome, slowing some Ukrainians' internet service or knocking it out altogether, defacing websites, and destroying files on a small number of computers. Others have accomplished little more than keeping Ukraine's cyber-defenders busy. More recently, as Russia's strategic aims appear to be shifting to eastern Ukraine, new and more alarming attacks on Ukraine's energy sector have been discovered, suggesting the next phase of the war could include a more active cyber conflict.
What Ukraine hasn't seen is the kind of successful, massive, strategic-level attack on civilian infrastructure that was feared, given the aggression and technical ability that Moscow's elite hackers have displayed in the past.
Still, the cyber fight has been "relentless," according to Tom Burt, Microsoft Corp.'s vice president of customer security and trust. Microsoft has seen "at least one order of magnitude increase in the frequency and severity of the attacks since before the invasion," Mr. Burt said.
"This is full-on, full-scale cyberwar," he said.
Moscow has routinely denied allegations of cyberattacks against other countries and said recently its government websites were facing unprecedented cyber disruptions.
While cybersecurity analysts and intelligence officials are working to understand why the scale of the Russian cyber-offenses has been so much more limited than feared, several theories have emerged.
Russian strategists assumed the conventional campaign would wrap up in a matter of days and didn't appear to deploy their toughest cyber weapons, U.S. officials said. Ukraine's cyber defenses have improved in recent years, under constant attack from Russian hackers. Some of Russia's intelligence agencies may be engaged in waging propaganda and disinformation campaigns instead of launching offensive strikes, analysts say. And, as in the conventional fight, Russia may have overestimated its own capabilities and underestimated Kyiv's.
"We're seeing B- or C-team players out of Russia," said Matthew Olney, a director with Cisco Systems Inc.'s Talos cybersecurity division. "It's fairly easy to track these folks -- they are not overly creative."
For Victor Zhora, the state cyberprotection agency's deputy chief, the current cyberwar in Ukraine began on Jan. 14 -- weeks before the first Russian tanks rolled over the border. On that day, hackers took government websites offline and tried to install their destructive "wiper" software designed to render computer systems inoperable.
Since then, Ukraine's government and critical business networks have faced a constant drumbeat of smaller-scale but still tactically significant attacks.
In early February, Cisco technicians watched as an intruder tried to install a remote-access program on a Ukrainian government agency's network. They blocked it, kicking off a weekslong game of digital whack-a-mole with the adversaries who tried again and again to install it.
On Feb. 24, the first day of the conventional war, an attack on satellite internet provider Viasat's KA-SAT network rendered thousands of modems in Ukraine unusable, impairing communications among Ukraine's armed forces, Mr. Zhora said. A spokeswoman for Mr. Zhora's agency said that while disrupting military communications was "most likely" the goal of the attack, there was "no information that it worsened communications within Ukraine's military."
At the end of March, Ukrtelecom, the country's largest landline provider, and a service provider to military systems, was mostly knocked offline due to a cyberattack. The attack didn't affect military operations, according to the state cyberprotection agency. Just days after that, the Ukrainian government's national call center was knocked offline in another cyberattack for about three days, according to Mr. Zhora.
During the conflict, tests of internet services in Ukraine have shown a 16% reduction in connectivity, compared with the weeks before the war started, according to researchers at the Georgia Institute of Technology's Internet Outage Detection and Analysis project, which measures internet outages.
In addition, Ukraine has suffered hacks of government and corporate networks, phishing attacks, cyberattacks on citywide camera systems, near-daily attempts to install wiper software, and even tactical cyberattacks launched in conjunction with military strikes, according to representatives of Ukraine's State Service of Special Communications and Information Protection, and U.S. companies that are helping to defend these systems.
On Tuesday, ESET, a Slovak-based cybersecurity firm, and Ukraine's cybersecurity emergency response team reported that a new strain of malware had been wielded in an attack on high-voltage electrical substations in Ukraine that was scheduled to damage systems earlier this month. The malware was similar to what was used in a previous grid attack in 2016 and was believed to be the handiwork of a notorious hacking unit within Russia's GRU military intelligence agency known as Sandworm, researchers said. Officials didn't name the targeted utility but said it was privately run and that about two million people lived in the region that could have lost power. Though it was unsuccessful in knocking power offline, experts expressed alarm.
"Sandworm is an apex predator, capable of serious operations, but they aren't infallible," said John Hultquist, vice president of intelligence analysis of the U.S.-based cybersecurity firm Mandiant, on the newly detected attack. "It's increasingly clear that one of the reasons attacks in Ukraine have been moderated is because defenders there are very aggressive and very good at confronting Russian actors."
Ukraine has suffered some of the worst cyberattacks on record, and considering Moscow's established prowess in offensive cyberattacks, intelligence officials feared a shock-and-awe campaign of strikes on the electrical grid, government offices, or the national communications networks.
In December 2015, a cyberattack attributed to Sandworm knocked out power in parts of Kyiv for hundreds of thousands of people in the dead of winter. A similar cyberattack a year later plunged swaths of Kyiv into the dark again and was widely seen as a Russian test of powerful malware custom-made to disrupt electric grids.
Perhaps most notably, Russia has been blamed by the West for the devastating NotPetya computer worm that began in Ukraine in 2017 by surreptitiously corrupting the update mechanism for a tax software widely used in the country. That worm rapidly unfurled across the globe, destroying computer systems and costing billions in damages, in what some analysts have said was the costliest cyberattack on record.
Yet since the Ukrainian war began, the worst hasn't come to pass. The Russians haven't taken down the Ukrainian power grid and they haven't caused a global cyber catastrophe like NotPetya.
Defensive assistance from the U.S. has helped, officials have said. The U.S. sent so-called hunt forward teams to Eastern Europe to detect critical cyber vulnerabilities before the Russians could exploit them. The Justice Department announced last week that it had taken a botnet -- a network of infected computers used to carry out malicious cyber activity -- linked to the GRU offline before it was able to become operational.
Messrs. Zhora and Olney said they believe that Russia's top government-sponsored hackers may be otherwise occupied, defending Russia from attacks on its own networks by activists or other hackers or conducting espionage.
All that may be about to change, analysts said.
"This is a result of the military failure of Putin's soldiers who have failed at Kyiv's gate," Mr. Zhora said through a translator Tuesday at a briefing on the newly unearthed attempt to down the power grid. "He has regrouped his army to reconquer the east of Ukraine, and very likely such activity by his lieutenants in the cyber sphere was to buttress and invigorate his soldiers."