Russia operates in the grey zone against Ukraine.
Microsoft said last Saturday that it hadn't been able to draw connections between Friday's cyberattacks against Ukraine and any of the threat actors it tracks. It is, however, confident that the attack involved the use of a wiper, malware whose intent was the destruction of data, not their temporary denial (as in a conventional ransomware attack) or their theft. The operation is being called "WhisperGate." Microsoft has given the threat actor the temporary tracking identifier DEV-0586.
The Wall Street Journal sees last week's cyberattacks against Ukrainian targets as pointing to a broader risk of more general cyberwar. WhisperGate was, like NotPetya a few years ago, a pseudo-ransomware attack that delivered a wiper behind defacements and spurious ransom demands. It was, however, less sophisticated than its predecessor, and in particular it lacked the self-propagating worm features that made NotPetya a general danger.
Security firm Mandiant has outlined the form it expects Russian cyber operations to assume. 'Russia and its allies will conduct cyber espionage, information operations, and disruptive cyber attacks during this crisis. Though cyber espionage is already a regular facet of global activity, as the situation deteriorates, we are likely to see more aggressive information operations and disruptive cyber attacks within and outside of Ukraine."