WASHINGTON — In the final days of 2015, lights went out over part of Ukraine as Russian hackers remotely took over a power company’s control center, shutting down one power plant after another, while the company’s operators stared helplessly at their screens.
The following year, the same thing happened, this time around Kiev, the capital.
Now, the United States and Britain have quietly sent cyberwarfare experts to Ukraine in hopes of better preparing the country for what they believe could be the next move by Russia’s president, Vladimir V. Putin, as he threatens the former Soviet republic: not an invasion with the 175,000 troops Russia is gathering at the border, but cyberattacks that disable the electricity grid, the banking system and other critical components of the Ukrainian economy and government.
Russia’s goal, according to US intelligence assessments, would be to make the Ukrainian president, Volodymyr Zelensky, look inept and defenseless — and perhaps provide an excuse for an invasion.
In a sense, Russia’s cyber campaign against Ukraine has never stopped, US officials say, though it continued at a low level until recently. But in interviews, US officials and experts say the activity has stepped up in the past month, even as public attention is focused on the troop buildup.
“It’s a widespread campaign targeting numerous Ukrainian government agencies, including internal affairs — the national police — and their electric utilities,” said Dmitri Alperovitch, a leading researcher of Russian cyberactivity and the chairman of Silverado Policy Accelerator, a new Washington research group.
Alperovitch, who immigrated to the United States from Russia as a child, said the Russian leader sees the cyber attacks as “battlefield preparation”.
US officials say a military invasion is far from certain. “The current assessment of the US government is that it has not made a decision,” Jake Sullivan, President Biden’s national security adviser, told the Council on Foreign Relations. Sullivan didn’t talk about Russia’s cyberactivity, but it has attracted a lot of attention from the White House, the CIA, the National Security Agency and the United States Cyber Command, whose “cyber mission forces” are deployed to identify vulnerabilities around the world.
Russia’s cyberactivity was discussed by about a dozen officials, who asked for anonymity because the information was derived from classified intelligence and sensitive discussions about how to mitigate the Russian threat. Those talks centered on whether Mr Putin thinks a paralysis of Ukraine’s infrastructure could be his best hope of achieving his primary goal of overthrowing the Ukrainian government and replacing it with a puppet leader.
According to a senior intelligence official, the calculation would be that such an attack would not require him to occupy the country, or to face the same amount of sanctions that would almost certainly follow a physical invasion.
Mr Putin has already worked to build support at home and in Africa and South and Central America. Russian-led information campaigns have aimed to denigrate the Ukrainian government and accuse its leader of causing a humanitarian crisis in the east of the country, where Ukrainian government forces have been battling Russian-led separatists for years, US and allied officials said.
US officials declined to describe the cyber teams deployed in Ukraine. In a statement, the Biden administration said only that “we have long supported Ukraine’s efforts to strengthen cyber defenses and increase its cyber resilience”.
A British government spokeswoman said the aid provided by Britain and its allies was of a defensive nature.
While neither government would provide details, officials said the United States is considering a larger deployment, including resources from US Cyber Command. But it’s unclear how much good a bigger team could do besides showing support.
“There’s too much to patch,” said a US official.
The Ukrainian grid was built in the days of the Soviet Union, connected to that of Russia. It has been upgraded with Russian parts. The software is known to both attackers and operators. And while Ukraine has repeatedly vowed to fix its system, Mr Putin’s hackers, or at least teams loyal to him, have shown time and again that they know how to bring parts of the country to a halt.
In an interview, Sean Plankey, a former Energy Department cyber expert and now an executive at DataRobot, said Russian hackers understand every link in the design — and most likely have insiders who can help them.
As the Ukrainians have learned, a cyber attack on critical infrastructure is particularly difficult to deter. In the cyber world, there is no broad consensus on what constitutes an act of war, nor agreement on how deeply Mr Putin could harm Ukraine without provoking a Western response. In the past, his attacks on Ukraine have provoked almost no response.
The 2015 attack, which began in late December, was particularly instructive. It was targeted at a major operator of the Ukrainian grid. Videos captured during the attack show a skeleton crew of operators — the attackers knew the holidays would be a particularly vulnerable time — struggling to understand what was happening as remote hackers took over their screens. Substations were shut down. Neighborhood by neighborhood, the lights went out.
“It was overwhelming for us,” said Andy Ozment, who led the cyber emergency response for the Department of Homeland Security at the time and helped investigate the attacks. “The exact scenario we were concerned about wasn’t paranoia. It happened before our very eyes.” The hackers had one last flourish: the last thing they turned off was emergency power in the utility’s operations center, leaving Ukrainian workers cursing in their seats in the dark.
With the holidays approaching again, US officials say they are on high alert. But if Mr Putin launches a cyber-attack, either as a stand-alone action or as a precursor to a physical attack, it will most likely come after Orthodox Christmas, at the end of the first week in January, according to intelligence officials.
US and allied officials have discussed several sanctions that could potentially deter Russia. But any measures that could cut deep enough for Russia to care would also hurt Europe, which relies heavily on Russia for winter energy supplies.
Senator Angus King of Maine, a member of the Senate Intelligence Committee, said in an interview that if an invasion occurs, the first sign will be in cyberspace.
“I don’t think there’s the slightest doubt that if there is an invasion or any kind of incursion into Ukraine, it will start with cyber,” said Mr. King, an independent who caucuses with the Democrats.
Mr. King has long argued that the United States and its allies need to think more deeply about deterring cyberattacks. The United States, Mr King said, should issue a declaratory policy on what the consequences of such attacks will be.
“So the question is,” said Mr. King, “what are our tools to deter that?”
Representative Mike Gallagher, Republican from Wisconsin, who along with Mr. King heads the Cyberspace Solarium Commission, said the United States should try to prevent a cyberattack on Ukraine by making it clear that it would provoke a strong response.
“We should prepare our own cyber response,” said Mr. Gallagher. “We have very powerful weapons in the cyber realm that we can use against Putin if he chooses to move forward. It seems we seem divided, but there are many options we have to prevent this from turning into a full-blown crisis.”
A cyber operation retains allure for Moscow over a full military operation, because Russia can operate under a thin veil of denial. And Mr Putin has shown over the past decade that the smallest disguise is good enough.
In previous cyber attacks on Ukraine, Russian agents made the raids look like the work of criminal groups.
“In retrospect, you can be pretty sure what we saw was state activity, using the false flag of criminal activity,” said Jim Richberg, the former national cyber intelligence manager and now a vice president at Fortinet, a security firm. “They wanted it to have a broad impact on critical infrastructure in Ukraine and make it look like it was a criminal thing gone wrong.”
For Mr Putin, a cyber attack that he can officially deny, but which no one doubts is his handiwork, is the best of both worlds.
“For someone like Putin, part of it is on display, to get a message across,” said Mr Richberg. “They may be good, but being good doesn’t mean they want to be invisible.”