HELSINKI–At the start of Russia’s invasion of Ukraine, the odds of Russian malware traversing government computers in Kyiv seemed even higher than the chances of Russian tanks rolling down that city’s streets. 

But much as Russia’s armed forces failed to take Ukraine’s capital, its digital attacks have yet to leave much of a dent.

“Russia’s attacks have failed surprisingly much, both in the online world and in the real world,” WithSecure Chief Research Officer Mikko Hyppönen said in a talk Wednesday at the Sphere conference(Opens in a new window) here hosted by that firm, an enterprise-focused spin-off of the longtime security company F-Secure. 

The one successful cyberattack he pointed to, a disruption of Ukrainian border-control computers by wiper malware(Opens in a new window) that led to 24- to 36-hour lines for fleeing Ukrainian refugees, happened at the start of the unprovoked invasion. 

“This, my friend, is what cyberattacks look like in war,” Hyppönen said. And it makes sense from a strategic perspective to engage in them, as he noted at the start of the talk: “Cyber weapons are effective, affordable, and deniable.”

(In a presentation to media earlier Wednesday, Hyppönen said Russia’s adoption of deniable attacks now includes at least two cases of running fake front companies that advertise work-from-home penetration-testing jobs at high salaries that lure Western “pen testers” into doing the regime’s dirty work.)

But a drastic increase in the rate of attacks has yet to inflict close to a corresponding level of damage. For example, Russian hackers tried to shut down a power plant with malware in April, but Ukraine’s government thwarted the attack. 

Hyppönen credited Kyiv’s successful defenses to the experience it’s built up since the start of hostilities on the ground in 2014(Opens in a new window), followed by such cyberattacks as the Dec. 23, 2015 malware sabotage of a power plant(Opens in a new window) that left 230,000 people in the dark. 

“Ukraine hasn’t been playing make-believe for eight years,” he said. 

He also credited US tech firms, naming Microsoft and Google parent Alphabet in particular, for going beyond normal customer support to defend their customers in Ukraine.

“In the middle of all this, Ukraine continues to function,” Hyppönen observed. “I’m getting better connections to Kyiv than to Stockholm.”

Meanwhile, Russian President Vladimir Putin escalating from digital attacks to those carried out with guns and bombs, in the process uniting the West in revulsion at his actions, has effectively ended his most successful online offensive: the use of influence operations to confuse and divide Western governments and societies. 

Said Hyppönen: “He had the winning cards in his hand, and he threw them to the trash on the 24th of February.”

Disclosure(Opens in a new window): WithSecure covered airfare and hotel costs for Sphere attendees, myself included