WASHINGTON — A new examination of how Russia used its cybercapabilities in the first months of the war in Ukraine contains a number of surprises: Moscow conducted more cyberattacks than was realized at the time to bolster its invasion, but more than two-thirds of them failed, echoing its poor performance on the physical battlefield.
However, the study, published by Microsoft on Wednesday, suggested that the government of President Vladimir V. Putin was succeeding more than many expected with its disinformation campaign to establish a narrative of the war favorable to Russia, including making the case that the United States was secretly producing biological weapons inside Ukraine.
The report is the latest effort by many groups, including American intelligence agencies, to understand the interaction of a brutal physical war with a parallel — and often coordinated — struggle in cyberspace. It indicated that Ukraine was well prepared to fend off cyberattacks, after having endured them for many years. That was at least in part because of a well-established system of warnings from private-sector companies, including Microsoft and Google, and preparations that included moving much of Ukraine’s most important systems to the cloud, onto servers outside Ukraine.
The account of Russia’s cyberattacks and disinformation campaigns showed that only 29 percent of the attacks breached the targeted networks — in Ukraine, the United States, Poland and the Baltic nations. But it points to a more successful effort underway to dominate the information war, in which Russia has blamed Washington and Kyiv for starting the conflict that is now raging in Ukraine’s east and south.
The war is the first full-scale battle in which traditional and cyberweapons have been used side by side, and the race is on to explore the never-before-seen dynamic between the two. So far, very little of that dynamic has developed as expected.
Initially, analysts and government officials were struck by the absence of crippling Russian attacks on Ukraine’s power grid and communications systems. In April, President Biden’s national cyberdirector, Chris Inglis, said “the question of the moment” was why Russia had not made “a very significant play of cyber, at least against NATO and the United States.” He speculated that the Russians thought they were headed to quick victory in February but “were distracted” when the war effort ran into obstacles.
The Microsoft report said that Russia had attempted a major cyberattack on Feb. 23, the day before the physical invasion. That attack, using malware called FoxBlade, was an attempt to use “wiper” software that wiped out data on government networks. At roughly the same time, Russia attacked the Viasat satellite communications network, hoping to cripple the Ukrainian military.
“We were, I think, among the first to witness the first shots that were fired on the 23rd of February,” said Brad Smith, the president of Microsoft.
“It has been a formidable, intensive, even ferocious set of attacks, attacks that started with one form of wiper software, attacks that are really being coordinated from different parts of the Russian government,” he added on Wednesday at a forum at the Ronald Reagan Presidential Foundation and Institute in Washington.
But many of the attacks were thwarted, or there was enough redundancy built into the Ukrainian networks that the efforts did little damage. The result, Mr. Smith said, is that the attacks have been underreported.
In many instances, Russia coordinated its use of cyberweapons with conventional attacks, including taking down the computer network of a nuclear power plant before moving in its troops to take it over, Mr. Smith said. Microsoft officials declined to identify which plant Mr. Smith was referring to.
While much of Russia’s cyberactivity has focused on Ukraine, Microsoft has detected 128 network intrusions in 42 countries. Of the 29 percent of Russian attacks that have successfully penetrated a network, Microsoft concluded, only a quarter of those resulted in data being stolen.
Outside Ukraine, Russia has concentrated its attacks on the United States, Poland and two aspiring members of NATO, Sweden and Finland. Other alliance members were also targeted, especially as they began to supply Ukraine with more arms. Those breaches, though, have been limited to surveillance — indicating that Moscow is trying to avoid bringing NATO nations directly into the fight through cyberattacks, much as it is refraining from physical attacks on those countries.
But Microsoft, other technology companies and government officials have said that Russia has paired those infiltration attempts with a broad effort to deliver propaganda around the world.
Microsoft tracked the growth in consumption of Russian propaganda in the United States in the first weeks of the year. It peaked at 82 percent right before the Feb. 24 invasion of Ukraine, with 60 million to 80 million monthly page views. That figure, Microsoft said, rivaled page views on the biggest traditional media sites in the United States.
One example Mr. Smith cited was that of Russian propaganda inside Russia pushing its citizens to get vaccinated, while its English-language messaging spread anti-vaccine content.
Microsoft also tracked the rise in Russian propaganda in Canada in the weeks before a trucker convoy protesting vaccine mandates tried to shut down Ottawa, and that in New Zealand before protests there against public health measures meant to fight the pandemic.
“It’s not a case of consumption following the news; it’s not even a case of an amplification effort following the news,” Mr. Smith said. “But I think it’s fair to say it’s a case not only of this amplification preceding the news, but quite possibly trying to make and influence the creation of the news of the day itself.”
Senator Angus King, independent of Maine and a member of the Senate Intelligence Committee, noted that while private companies can track Russian efforts to spread disinformation inside the United States, American intelligence agencies are limited by laws that prevent them from peering inside American networks.
“There is a gap, and I think the Russians are aware of that, and it enabled them to exploit an opening in our system,” said Mr. King, who also spoke at the Reagan Institute.
A provision in this year’s defense policy bill being considered by Congress would require the National Security Agency and its military cousin, United States Cyber Command, to report to Congress every two years about election security, including efforts by Russia and other foreign powers to influence Americans.
“Ultimately, the best defense is for our own people to be better consumers of information,” Mr. King said. “We’ve got to do a better job of educating people to be better consumers of information. I call it digital literacy. And we’ve got to teach kids in the fourth and fifth grade how to distinguish a fake website from a real website.”
