Tom Burt, a vice president at Microsoft who manages the digital crimes unit.
Caption

Tom Burt, a vice president at Microsoft who manages the digital crimes unit. / Meron Menghistab for NPR

SEATTLE — On the sidelines of a conference in Estonia on Wednesday, a senior U.S. intelligence official told British outlet Sky News that the U.S. is running offensive cyber operations in support of Ukraine.

"My job is to provide a series of options to the secretary of defense and the president, and so that's what I do," said Gen. Paul Nakasone, the head of the National Security Agency, who also serves as the chief of the Pentagon's digital branch, the U.S Cyber Command.

While he did not give any further detail, it was the first time the spy chief alluded to the U.S. government's efforts to launch counterattacks against Russia in cyberspace, in addition to helping defend Ukrainian agencies.

The so-called "cyberwar" in Ukraine hasn't always been front and center of news coverage, but it's one of the things that might most directly impact the West. It's still a real possibility that U.S. companies or critical infrastructure could become collateral damage if Russian hackers decide to retaliate, according to cybersecurity officials.

Even as the U.S. government is a key ally to Ukrainian defenders, the private sector might have a more complete picture of what's going on at any given time, because of their access to the digital systems in Russian hackers' crosshairs. The relationship between the U.S. private sector and Ukraine has only deepened as the war drags on into its third month.

During an interview with NPR in Seattle last week, Microsoft head of customer security and trust Tom Burt detailed what his team has been seeing throughout the war, beginning a couple months prior to the official start of the physical invasion.

Microsoft Corporation logo is seen on a top of a building in Kyiv, Ukraine, on Jan. 31, 2022.
Caption

Microsoft Corporation logo is seen on a top of a building in Kyiv, Ukraine, on Jan. 31, 2022. / NurPhoto via Getty Images

The buildup

In January, according to Burt, Microsoft witnessed several "destructive attacks against a number of Ukrainian government agencies." This was the first time Microsoft and others observed what's become a major feature of Russia's digital strategy during the war — using wiper malware designed to destroy data within Ukrainian agencies. Burt said his team was trying to determine if the attacks might be a part of a broader offensive, or if it was yet another example of Russia testing out digital attack techniques in Ukraine, something the Kremlin has been doing for years.

"That's the experimental zone for Russian cyberattacks," he said.

Before publicly revealing what Microsoft had seen and attributing those attacks to Russia, Burt said he reached out to U.S. and Ukrainian government partners, to make sure Microsoft didn't "disrupt what might be very delicate conversations that were happening at the time." However, Burt said, both governments gave the green light — just one example of how public officials have been more open about disclosing sensitive information during the war in an effort to expose Russian aggression.

It became obvious to Burt that an invasion was imminent on February 23, a day before Putin announced the "special military operation," he said.

"So it's commonly believed that the invasion of Ukraine started on February 24th. But from our viewpoint, it really started on February 23rd, about 10 hours before the missiles were launched and the tanks rolled across the border," said Burt. "There was a huge wiper attack across 300 different systems in government agencies and private sector companies in Ukraine."

According to Burt, at the beginning of the invasion, Microsoft only really had a pinhole view into what was happening in Ukraine. While some Ukrainian companies and agencies were using Microsoft products, where the company is routinely looking for threats, very few were using the cloud, where Microsoft has the most insights. Before the war, there was actually a law that prevented Ukranian agencies from using the cloud. That position was reversed on March 16, when the Ministry of Digital Transformation announced that state authorities are now allowed to store data using cloud services. According to Burt, Microsoft has been helping these agencies make the transition, and has become more able to detect threats as a result.

There are still limitations, but the cloud had other benefits, says Burt.

"We've been working with Ukrainian government agencies to completely move them to the cloud ... at least as a backup means of operating in case they get compromised on premises," he explained.

Debris and rubble after Russia strikes targeted the TV tower in Kyiv, capital city of Ukraine, on Thursday, March 3, 2022. It comes after Russia said it would strike communications infrastructure in the capital to stop information attacks.
Caption

Debris and rubble after Russia strikes targeted the TV tower in Kyiv, capital city of Ukraine, on Thursday, March 3, 2022. It comes after Russia said it would strike communications infrastructure in the capital to stop information attacks. / EYEPRESS via Reuters Connect

The cyber and the physical

Throughout the war, Burt says his team has noticed a pattern — Russian hackers will often have similar objectives to the Russian military on the ground. While he couldn't definitively say the two groups were actively coordinating, it was clear to Microsoft analysts that they were working from the same playbook.

In the first days of the invasion, both the Russian military and hackers were targeting Ukrainian media and communications.

"They bombed radio towers. They physically invaded and seized media companies. And at the same time, they were engaged in cyber attacks on media companies," he said.

Russian hackers also launched a series of denial-of-service attacks on official government websites and financial institutions, stirring panic about the public's ability to access official information as well as their own bank accounts. Meanwhile, behind the scenes, Russians were targeting European satellite company Viasat as well as several other satellites across Europe, disrupting Ukrainian military communications temporarily.

Ultimately, those early, fairly unsophisticated public attacks were mostly unsuccessful in achieving long-term effects. Websites were quickly brought back online, and no one was prevented from withdrawing money for long. Ukrainian military officials were able to rely on alternative methods of communication. Even so, the attacks contributed to a sense of panic and unease in the early days of the invasion.

Ultimately, Burt said, he believes Microsoft was able to alert Ukrainian media companies, for example, in the early phases of those attacks and help them install countermeasures.

"Russia has not been successful in shutting down media communications to Ukrainian citizens," he concluded.

Burt said that Microsoft has detected several examples of Russian hackers stealing information about Ukrainian cities in espionage-style attacks before launching physical attacks, likely in an effort to find information valuable to troops on the ground.

There have also been combined cyberattacks and physical assaults on energy and IT infrastructure, from nuclear power plants to tech companies, Burt said.

More recently, Burt told NPR, Microsoft has seen Russia targeting Ukrainian railways with both cyberattacks and missiles. In this phase of the invasion, there's an effort to disrupt Ukraine's ability to resupply and move vital goods around the country.

Additionally, Microsoft noted that Russia is even weaponizing the trauma caused by their own military operations. Microsoft detected at least one operation in which a Russian actor pretended to be a victim from Mariupol, a sieged Ukrainian city, to try to spread disinformation about how Ukrainian officials had abandoned the city in an effort to pressure citizens to surrender.

"And so we see, again, of course, sponsoring both the cyberattack and the kinetic attack in in support of what is clearly a hybrid war where the Russians are using all those resources in combination," Burt said.

Microsoft has detected several examples of Russian hackers stealing information about Ukrainian cities in espionage-style attacks before launching physical attacks.
Caption

Microsoft has detected several examples of Russian hackers stealing information about Ukrainian cities in espionage-style attacks before launching physical attacks. / Meron Menghistab for NPR

Working with Ukrainians on the front lines

On the ground in Ukraine, Ukrainian cybersecurity officials face a constant barrage. On Tuesday, Ukrainian mobile communications operations in the south in Kherson reported communication outages, which they linked to Russia.

"It is not the first attempt to make it impossible for Ukrainian citizens in the temporarily occupied areas to get in touch with their loved ones, call an ambulance or rescuers, access the true information on the developments in the war and the situation in the country," representatives from the Ukrainian State Service of Special Communication and Information Protection said in a statement.

It's a constant struggle. While Ukrainian officials were able to get communications back online by routing internet traffic through a Russian internet provider, according to Net Blocks, an organization that tracks internet disruptions, that opens those communications up to even further surveillance and disruption by Russia.

Burt recalled one instance where his team was trying to alert one Ukrainian company to a possible cyberattack, when they received a message back that the company couldn't respond because the building was surrounded by Russian tanks.

"If you are Ukrainian, this has been a relentless, unending cyber war that has been launched in correspondence with the physical war in what is clearly the world's first major hybrid war," said Burt.

Copyright 2022 NPR. To see more, visit https://www.npr.org.