Intelligence brief: Russian invasion of Ukraine and its cybersecurity impact

Andrew Fogelis
March 1, 2022 by
Andrew Fogelis

Disclaimer: The current ongoing situation is developing rapidly, and information presented might quickly become out of date. For the most up-to-date information, continue to monitor alerts sent out from the Cybersecurity and Infrastructure Security Agency (CISA) and information from trusted media sources.

On February 24, 2022, Russian President Vladimir Putin announced a “Military Operation in Ukraine” proceeded by the movement of Russian troops into Ukrainian territory.

Background on the invasion

In April 2021, Russia sent approximately 100,000 troops to Ukraine’s border. At the time, this troop movement was believed to pertain to military exercises. Ukraine President Volodymyr Zelenskyy, concerned about the potential for escalation, proceeded to request that NATO leadership outline a timeline for Ukraine’s membership. Ukraine’s admittance into NATO has long been opposed by Russian President Vladimir Putin. Late into the month, Russia began a phased reduction of its military presence along the border, however, tens of thousands of troops remained.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

Starting in November 2021, satellite imagery revealed a significant buildup of troops along the border of Ukraine. In Early December 2021, U.S. intelligence found evidence the Kremlin was planning a multi-front offensive to take place in early 2022. During this time, it is believed Russia increased its cyber operation efforts both in Ukraine and abroad to launch both a disinformation/propaganda campaign and an offensive campaign to infiltrate infrastructure critical to Ukraine.

In early January 2022, the Biden administration began to announce that Russia was planning to launch a “False Flag” operation to justify an invasion into Ukraine. The U.S. and Russia continued to engage in diplomatic talks, with the main source of contention being NATO’s expansion in Europe. The State Department, towards the end of the month, ordered the families of embassy staff to leave Ukraine, and NATO placed forces on standby. The U.S. ordered 8,500 troops located within the U.S. to be ready to deploy.

Russian troop presence continued to build throughout February, encompassing a significant portion of Ukraine’s border. As diplomatic efforts increased, the U.S. began the movement and deployment of additional troops, to assure NATO allies they would be protected. In the regions of Donetsk and Luhansk, fighting escalated between the Russian-backed separatist and the Ukrainian forces, with Vladimir Putin making the unsubstantiated claim that “what is happening in Donbas today is, in fact, genocide.” On February 21, Putin formally recognized the independence of Donetsk and Luhansk, and ordered Russian military troops to deploy there under the guise of a “peacekeeping” mission.

Global response to the invasion

Russia’s invasion of Ukraine has been met with sanctions and airspace restrictions designed to cripple the Russian economy, make it difficult to produce critical infrastructure, and target the finances of those closest to and including Vladimir Putin himself. The United States' block on technology will severely limit Russia’s ability to advance its military and aerospace sectors. While these packages aim to weaken the Russian economy and place pressure on those closest to Putin, there will be ripple effects felt across the globe. Supply chain shortages and increased energy costs are expected, but the full effects could take years to play out. 

These sanctions could also elicit a response from the Kremlin. While there has been escalatory rhetoric from Vladimir Putin on Russian nuclear readiness, the U.S. has continued to signal that Russia was “under no threat” and has continued to seek de-escalation. 

Increase in Russian cyber activity

At the time of writing, there are no credible cyber threats to the U.S. homeland. This is, however, subject to change. It should be noted that due to the destabilizing actions by Russia in Ukraine, along with the sanctions imposed, the potential exists for Russia to engage in destabilizing actions outside the region. Organizations, regardless of size, should take a heightened posture when it comes to cybersecurity. Organizations in sectors such as banking, energy and transportation (aviation) are likely to be targeted in the event of a cyber attack launched by Russia.

It has been uncovered that a web service linked to GRU hackers and acting as a command-and-control center, hosted cloned copies of various Ukrainian government websites. According to Bellingcat, “a cloned version of the Ukrainian President’s website included a clickable ‘Support the President’ campaign that, once clicked, downloads a package of malware to the user’s computer.” It is unclear the intent of the malware payload, and whether it was operational or just a placeholder. Due to the target audience, it is believed that this could have been intended to co-opt all computers infected into a distributed DDoS attack or to be used to steal credentials for social media as part of a larger disinformation campaign to discourage military resistance.

It should also be of note that Russia has continued to engage in sophisticated disinformation campaigns abroad, using social media and Russian state-sponsored media sources to further Russian interest. When reading information online, it is critical to investigate the source and to take an active approach to stop the spread of disinformation. Russia has also been known to utilize spearphishing, brute force and vulnerability exploits to gain initial access.

CISA Shields Up guidance

CISA has created a page providing guidance for organizations and their members to ensure a proactive approach to cybersecurity. 

Organizations should:

  • Ensure all software is up to date to shore up potential known vulnerabilities.
  • Take steps to lower their reporting threshold to senior management and the U.S. government.
  • Prepare to defend against critical threats with this CISA checklist.
  • Remain vigilant towards common Russian TTPs.

Employees should:

  • Review their personal and work logins to ensure that passwords are difficult to predict, the same password isn’t reused on multiple websites, and that multi-factor authentication is enabled when possible. 
  • Exercise caution when clicking links, downloading files and sharing content.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.


Andrew Fogelis
Andrew Fogelis

Andrew Fogelis is a publication specialist at Infosec with a background in political science. At Iowa State University, he took a strong interest in deterrence theory and examined international states’ security policies using empirical data to determine likely outcomes of conflicts in both traditional and non-traditional (cyber) threat environments. He also examined foreign policies of selected powers in terms of their relative structural positions in the international system, their comprehensive national power bases, their decision-makers' personalities, and their current and future domestic and foreign policy priorities. Utilizing coursework in aerospace engineering and physics, he was able to evaluate emerging technologies and their impact on future defense strategy and intelligence issues. While enrolled at Iowa State University, Andrew was a member of the USSTRATCOM Deterrence and Assurance Academic Alliance.