Axios Codebook

February 24, 2023
TGIF, everyone. Welcome back to Codebook.
- 🇺🇦 Today marks one year since Russia began its war on Ukraine, and as such, today's edition is dedicated to the conflict's cyber implications.
- 💬 Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,481 words, a 5.5-minute read.
1 big thing: Russian cyber's yearlong laser focus

Illustration: Annelise Capossela/Axios
The last year of Russian cyber aggression has not produced the all-out cyber war many feared, calling into question how cyber tools will realistically be used in future wars.
The big picture: A year into the invasion, Russia's most aggressive cyberattacks have stayed inside Ukraine — rarely taking a highly anticipated turn toward Western allies.
- When the war began, government officials and security experts warned of possible electric grid takedowns and another unintentional global malware attack similar to the 2017 NotPetya incident that affected businesses in more than 60 countries.
Instead, Russia's cyber aggression has been a "mixed bag," Ciaran Martin, managing director at Paladin Capital Group, told Axios.
- Russian government-backed hackers targeted people in Ukraine more than they targeted people in any other country last year, according to a Google report released last week.
- Russia launched disinformation campaigns, conducted espionage, and targeted organizations with lower-level phishing emails and malware wipers throughout the year, experts told Axios.
- But "for all its murderous thuggery in Ukraine, Russia has not, to my knowledge, taken overly aggressive steps against the West," said Martin, who is also the former CEO of the U.K.'s National Cyber Security Centre.
Why it matters: The war in Ukraine is the first physical war that's involved a top-tier cyber adversary, setting a template for what cyber's role in future wars could look like.
- The war has shown that most military cyber operations aren't similar to firing a shell from an artillery piece, said Daniel Thanos, head of Arctic Wolf Labs.
- More sophisticated attacks take years to plan, and lower-level techniques work better as psychological warfare against the people of Ukraine, John Hultquist, head of threat intelligence at Google-owned firm Mandiant, told Axios.
Between the lines: Experts have several theories for why Russia hasn't pursued the global attack most people predicted.
- Russia knows that launching destructive attacks against Western countries would invite more sanctions and military strikes from the West that it lacks the resources to fend off, Martin said.
- Russian military and intelligence officials have hyperfocused on their operations inside Ukraine, leaving little time to plan attacks on the West, Emily Harding, deputy director and senior fellow at the Center for Strategic and International Studies, told Axios.
- Russian officials could be struggling to break through Western cyber defenses and plan bigger attacks, making them eager to pursue smaller attacks that require fewer resources, Hultquist said.
Yes, but: Russia has still targeted the West through low-level distributed denial-of-service website disruptions and cyber espionage, Hultquist said.
- Russian hacktivist group Killnet has become notorious for overloading Western organizations' websites with bot traffic.
- In terms of cyber espionage, "there's just more now than there's ever been," Hultquist said.
The intrigue: Ukraine has put up a strong fight against Russian aggression, experts said.
- Ukraine's sophisticated cyber defense — bolstered by support from Western governments and large technology companies — may have prevented Russia from diverting resources away from targeting the country.
- For instance, in April, the Ukrainian government said it had thwarted a Russian attempt to damage its electric grid.
Threat level: Russian forces turning their attention to Western organizations is still a real possibility.
- Russian officials could decide to launch more destructive cyberattacks against NATO organizations if they get frustrated with the continued support from the military alliance, said Harding, a former top Senate Intelligence Committee aide.
The bottom line: U.S. and European organizations still need to remain vigilant against Russian threats — even if Russian cyberattacks, so far, haven't had much impact outside of Ukraine.
2. How Russian cybercrime has changed
Illustration: Maura Losch/Axios
Russia's cybercrime underground is starting to recover from the disruptions caused during the ongoing war, which could spell bad news for U.S. companies, experts told Axios.
The big picture: Before the war started, some still hoped Russian President Vladimir Putin might crack down on the deluge of ransomware gangs in his country.
- President Joe Biden and Putin had held semiregular phone calls to discuss the ransomware problem, among other issues.
- A month before invading Ukraine, Putin arrested several alleged members of the REvil ransomware gang, which targeted U.S. critical infrastructure in 2021.
Why it matters: The war has killed off any incentive Putin may have had to stop cybercrime operations from targeting Western organizations.
- Instead, given the lax relationship between Russian state-sponsored hacking groups and cybercrime gangs in the country, Putin has more reason to spur them on.
Flashback: When the war started, factions formed within cybercrime forums between those who supported Russia's war and those who stood with Ukraine.
- A prime example of this was when a Ukrainian member of the Conti ransomware gang leaked its internal files after the group pledged allegiance to Russia.
- Many Russian hackers fled to neighboring countries to avoid the military draft, according to a report from Recorded Future released this morning.
What's happening: Initial slowdowns in the Russian cybercrime underground have proven to be only blips, experts told Axios.
- "There's still plenty of them that have got their operations back running and are conducting crime again," Mandiant's Hultquist said.
- Hultquist said several Russian state-sponsored hackers have also been purchasing initial access to an organization from cybercriminal groups.
Between the lines: Even Russian cybercriminals who have fled their country to avoid the draft are seemingly starting to deploy ransomware attacks, Thanos said.
- Thanos' organization, Arctic Wolf, has seen an uptick in so-called anonymous attacks, where a solo actor attacks an organization, never claims public responsibility for the attack, and demands a small payout to decrypt the files.
The intrigue: By enabling cybercrime gangs, the Russian government can claim it wasn't responsible for any of the groups' attacks while reaping the benefits of seeing Western organizations hindered.
3. Russia shies away from Facebook disinfo
Illustration: Sarah Grillo/Axios
Russian disinformation campaigns have become less successful on a platform once near and dear to the Kremlin: Facebook.
Driving the news: Meta said in a quarterly threat report released Thursday that Russian state media outlets had "significantly reduced their activity on our platforms" during the first year of the war, instead turning to alternatives like Telegram.
- Meta attributed this to new measures the company implemented at the beginning of the war limiting the reach of Russian state-sponsored media.
- Russian influence campaigns also lacked their typical sophistication. Instead, they followed what Meta called a "smash-and-grab" playbook and created as many accounts as possible to avoid detection.
Between the lines: "This activity bears a closer resemblance to what you might see from a spammer's playbook rather than the more stealthy and sophisticated Russian influence operations we've disrupted in the past," Nathaniel Gleicher, Meta's head of security policy, said during a call with reporters this week.
Catch up quick: Historically, the Russian government had relied heavily on Meta's platforms, Facebook and Instagram, to spread disinformation about current events.
Details: In the report, Meta said it took down two disinformation networks focused on the war in Ukraine over the last year. Both primarily targeted users inside Ukraine.
- The two campaigns — dubbed "Cyber Front Z" and "Doppelganger" — had more accounts, groups and pages tied to them than any other campaigns Meta had disrupted since 2017.
The intrigue: Gleicher expects Russian entities to keep adjusting their disinformation techniques to try to evade Meta's crackdown.
- "We would expect them to keep trying to adjust their tactics to try to find an approach and to shift away from our platforms as they get caught more," he said.
4. Catch up quick
@ D.C.
The Pentagon and Microsoft are investigating a flaw that left at least a terabyte of military emails exposed. (Bloomberg)
The European Commission has banned staff from having TikTok on work devices. (The Guardian)
@ Industry
Venture capital investors poured $18.5 billion into cybersecurity companies last year, down nearly 40% from the $30.3 billion in investments in 2021. (The Record)
🧬 Google claims it has made a breakthrough in developing quantum computer error correction, one of the biggest barriers to this technology. (Financial Times)
Tesla will issue a software update to cars in the European Union so its external security cameras are disabled by default after regulator pushback. (Wall Street Journal)
@ Hackers and hacks
The Los Angeles Unified School District admitted that current and former students' psychological assessments were leaked on the dark web following last fall's ransomware attack. (The 74)
A ransomware attack temporarily shut down production at some of produce giant Dole's facilities earlier this month. (CNN)
Royal Mail says it has restored its international shipping services more than a month after a ransomware attack impacted its production. (TechCrunch)
5. 1 fun thing
Illustration: Aïda Amer/Axios
🐻 For anyone else out there who plans to see "Cocaine Bear" this week, this Q&A with a literal person who studies bear behavior is a MUST.
- I will never get over this sentence: "Cocaine is also expensive. I don't think people who like cocaine are just casually handing it out to bears."
- If you have no idea what I'm talking about, please watch the trailer here. Happy Friday!
See y'all on Tuesday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
Decode key cybersecurity news and insights. With Sam Sabin.


