[SahAssar]

It really hasn't to the scale that you imply. Why hasn't ukraine and russia both used this to completely shut down each others infrastructure? Why isn't russia just hacking all the ukrainian COTS drones? Why hasn't anyone hacked a nuclear power plant?

[indolering]

There is power in restricting access and air gapping helps a lot. A drone (for example) can fall back to basic cryptography to limit access.

Air gapping is a baseline requirement in most safety critical systems. Nuclear power plants in particular have lots of redundant layers of safety. AFAIK Russia hasn't physically tried to cause a meltdown, presumably due to the political blow back (although they have attacked Chernobyl's sarcophagus). I assume this limits their digital espionage attacks too.

We do get glimpses of the use of such malware, like when Saudi Arabia hacked Jeff Bezos' phone. But we don't hear about most of it because there is a benefit to keeping a hack secret, so as to keep access.

Finally, it's usually cheaper to social engineer someone into loading a PowerPoint presentation and doing a local privilege escalation. They burn those for things as petty as getting embarrassing political information.

[irundebian]

I doubt that most critical systems are air gapped. Even if there are, most part of Russians economy is not, but is still using IT based on COTS systems. Why wouldn't the Ukraine DoS or compromise the whole non air-gapped IT infrastructure of Russia to hit the economy if they could have easy access to RCE just because they are a government?

[indolering]

I mean, they do all the time. The value is generally in keeping access, however, and operational security and access control is helpful. You can knock a system out but then you just get kicked out and have to start over.

[irundebian]

Do you have evidence for that?