Russia's invasion of Ukraine began yesterday morning. The cyber-dimension of the operation has been visible since at least mid-January, when the WhisperGate wiper was deployed against Ukrainian government and private organisations, and has escalated substantially through the past week. HermeticWiper appeared on the 23rd of February — the day before the invasion — on Ukrainian government, financial, and contractor systems (ESET on HermeticWiper, February 24; Microsoft on FoxBlade and the broader campaign, February 28). IsaacWiper followed shortly after, with further destructive-malware variants emerging through the week. The pattern matches the Ukrainian-grid attacks of December 2015 and 2016 in operational shape, but at substantially larger scale and with more sophisticated implementation.
The destructive-malware deployment is the cyber-dimension that is most operationally significant. The wipers are not ransomware — there is no ransom demand, no decryption-key offer, and no apparent operator interest in commercial exit. The deployment is destructive-as-end-state, designed to render affected systems unbootable and unrecoverable. The targeting is concentrated on Ukrainian government, military, and critical-infrastructure operators with the apparent objective of operational disruption during the invasion's early phases. The aggregate effect on Ukrainian operational capability is, on the limited public information of the past 36 hours, substantial but not catastrophic — Ukrainian organisations have been preparing for cyber-conflict for years and the defensive posture has been more robust than would be the case for a typical commercial environment.
The international spillover concern. The 2017 NotPetya operation against Ukraine produced substantial international spillover (Maersk, FedEx-TNT, Merck, and the wider international supply chain) because the destructive-malware was indiscriminate in its propagation. The 2022 Russian operations have, on early evidence, been more carefully scoped to Ukrainian organisations specifically — targeted rather than worm-grade propagation, careful selection of victim organisations, and apparent operator effort to avoid the kind of accidental spillover that NotPetya produced. The international spillover risk is, however, non-zero, and the customer-portfolio briefing this week has incorporated the spillover-readiness conversation explicitly.
For the customer-portfolio response. The customer-organisation operational posture has been on heightened alert since late January, with the CISA Shields Up guidance and the NCSC equivalent providing the structural framework. The specific actions: review of vendor-and-partner relationships with material Russian or Ukrainian operations to identify exposure to cyber-spillover. Verification of incident-response readiness with specific scenarios incorporating destructive-malware response. Backup-and-recovery posture verification with offline backup integrity checks. Detection-content updates for the documented HermeticWiper, IsaacWiper, and FoxBlade indicators-of-compromise. Network-segmentation review with specific attention to lateral-movement controls. The customer-organisation programme work is, in aggregate, in better shape than at any previous geopolitical-tension period, but the operational pressure is sustained and the team workload is high.
The wider strategic point about cyber-as-a-dimension-of-war. The Russian operations of 2022 represent the largest-scale state cyber operations during an armed conflict that the security community has documented. The lessons being absorbed in real time include: the cyber-dimension does not replace kinetic operations but supplements and shapes them; destructive-malware capability against state-actor adversaries is operationally relevant in the war's early phases but tapers in significance as the conflict develops; defensive preparation matters substantially and produces measurable operational benefit (the Ukrainian defensive posture is materially more capable than it would have been without sustained pre-war preparation); and international cooperation between defensive teams (the Western government-and-private-sector cooperation with Ukrainian defenders has been substantively visible) is producing operational uplift that is shaping the cyber-conflict's trajectory.
The customer-portfolio operational tempo will be sustained through the early weeks of the conflict and beyond. The longer-term strategic implications — for the threat landscape, for the customer-organisation programme work, for the international cyber-policy environment — will develop over months and years. I will write more as the picture firms up. The blog will be more focused on the geopolitical-cyber dimension through 2022 than I would, in other circumstances, have planned.