The Russia Ukraine war in the cyber domain

The Russia Ukraine war in the cyber domain has turned out very differently than expected. Before the invasion of Ukraine by Russia, this state was already noted for the hyperactivity and lack of stealth in its cyber activities. NotPetya, SolarWinds, Colonial Pipeline, were just some examples that allowed us to observe the offensive capabilities that Russia had in cyberspace. Although this situation has been considerably altered by the Russian-Ukrainian conflict, since Russia has seen war as a way of testing its abilities in the cyber domain on a large scale, it is also true that, far from what they could have thought a lot of experts, the “cyber-armageddon” has not occurred.

In fact, one of the big questions that has been formulated since the invasion began – and to which we will try to answer in the following lines – is: “where is the cyber war?”. Jason Healey, a senior fellow at the Cyber ​​Statecraft Initiative at the Atlantic Council, predicted before the Russo-Ukrainian war that if Russia were to invade Ukraine “the initial salvo was likely to be a display of offensive cyber capabilities”; RAND’s William Courtney and Peer A. Wilson warned of “massive use” of cyber weapons to create a commotion that would “fear the Ukrainians and break their will to fight”; and some other experts went further and did not rule out that Russia only attacked Ukraine in the cyber domain considering that the Russians could achieve the same effect without having to cross the border.

Simplifying, we can say that there are three schools of thought on the strategic role and value of cyber operations in an armed conflict within a multidomain framework:

• In the first place, there is a current of thought that considers that cybernetic operations will replace kinetic actions in military conflicts in the medium and long term, believing the possibility of carrying out far-reaching strategic attacks capable of paralyzing the enemy’s action to be probable.

• Secondly, there is another current of thought, perhaps more attached to the reality imposed by current technology, that sees cybernetic operations as complements to force. In other words, it considers the use of the cybernetic domain as a means favorable to the interruption of command and control and communications systems, prone to deploying measures to sabotage equipment and infrastructure, and especially useful for disseminating disinformation and implementing psychological warfare measures against the morale of enemy troops (and society).

• Finally, there is a third perspective of thought that suggests that the cybernetic spectrum is only –and especially– relevant in the stages prior to open armed conflict, that is, during the development of strategies in the “grey zone” of conflicts. In other words, from this point of view, cybernetic operations are seen as instruments of power capable of influencing and weakening the actions of the adversary before the conflict begins, giving them the benefit of the doubt as to whether or not they would be capable of allowing the achievement of of strategic objectives without entering into the classic situation of war. In short, this third school of thought suggests that the effects that we can extract from the deployment in the fifth domain are gradual and cumulative (Maschmeyer & Kostyuk, 02/2022).

The possibility of a global cyber war, the doom that lack of connectivity would entail in a hyper-connected world, and the risk of a “cyber Pearl Harbor” tend to evoke fears from the past. In practice, however, cyber warfare at this level appears to have been a failure (at least in the Russo-Ukrainian war), as cyber operations in the conflict have tended to be an irrelevant variable on the battlefield, compared to kinetic activities.

Therefore, it would be easy to think that when the possibility of using artillery is available and when missiles and bombs come into play, kinetic space completely displaces cyber space, since, in an open conflict scenario, the aggressor State will always to prefer the use of heavy weapons over cyber weapons.

Given the, Russian cyber operations have failed to produce significant strategic value to date, the logical thing would be to think that the cybernetic domain does not offer instruments as effective and powerful as the kinetic one, otherwise why did the Kremlin choose to mobilize its troops to the front with the economic, political and military cost that this entails?

However, the truth is that, if we think of the cybernetic domain as an independent, exogenous space and not related to the rest of the domains, we would be betting on a biased and poor vision of reality, since, once the actions in the gray zone and entering a situation of open armed conflict, the cybernetic spectrum comes to be considered as one more scenario in which to act, entering a multidomain war scenario, in which the deployment of cyberattacks and the implementation of disinformation attacks behave as actions to support the kinetic facet of the conflict (Veprintsev et al, 2015).

In other words, action in war from our point of view must be understood as the implementation of offensive and defensive activities in all domains, since, ultimately, all of them interact with each other, merging into a unified whole. .

Proof of the existence of considerable Russian cyber activity can be found in the fact that, in recent months, the technical reports of the Microsoft company number more than thirty successful intrusions of Russian activities against Ukraine and Western states. that support kyiv, with attacks on states such as Denmark, Norway, Finland, Sweden or the United States increasing (VoaNews, 06/2022).

In order to see if the empirical record of the Ukrainian conflict does indeed suggest that cyber operations can in practice have significant strategic value in the conflict (either as a complement to force or as stand-alone tools), we will now study the main milestones that have occurred so far in the invasion of Ukraine by Russia, trying to elucidate to what extent Ukraine is being a gigantic testing laboratory for Russian cyber claims.

Diary of the Russia Ukraine war in the cyber domain

In January 2022, in a climate of growing geopolitical tension and in a scenario of political negotiations at the highest level aimed at defusing the tension of a rising conflict, the Ukrainian government cyber infrastructures suffered constant destructive attacks through the use of cleaning malware (windshield wipers).

At the same time, Western experts were trying to determine whether these attacks were still part of Russia’s strategy of deterrence in cyberspace, or whether, on the contrary, they could be part of a larger-scale comprehensive offensive.

On February 23, a day before the Kremlin’s so-called “special military operation” began, and just 10 hours before artillery began to be deployed on the Ukrainian border, a large-scale windshield wiper attack took place, affecting to a large number of Ukrainian government agencies and private companies: the one known as WhisperGate (Foundling, 02/2022).

Just two days after this first attack, on February 25, the Ukrainian authorities reported a windshield wiper attack targeting border control stations with the aim of slowing down the process of fleeing Ukrainian refugees crossing the border. border to Romania.

On March 28, a major Ukrainian network connectivity provider confessed that it had been attacked, resulting in service interruptions across the country.

There is also evidence of another windshield wiper attack directed at electrical substations on April 8, whose objective was to deprive approximately two million people of electricity supply – this one was frustrated by the Ukrainian authorities (Raffray, 06/2022 ).

The truth is that, in the first days of the invasion, it was already shown that the Russian army and the cyberattacks carried out by the so-called patriotic hackers not only had the same objectives (mainly the Ukrainian media), but also continued the same pattern and seemed to work in coordination. Thus, at the same time that the Russian army was bombing radio towers and seizing communication companies, they were being attacked in cyberspace.

Russian hackers also launched a series of denial-of-service (DDoS) attacks on the various virtual infrastructures that supported institutional services of the Ukrainian government, while trying to disrupt Ukrainian communications by attacking the Ukrainian network with AcidRain (a malware wiper). Viasat’s KA satellites.

In addition, the efforts of the Russian offensive to destroy Ukrainian railway lines have recently been observed, through artillery attacks at the same time as cyberattacks have been registered on the companies responsible for the Ukrainian railway service (McLaughlin, 06/2022).

Since January, a total of six different wiper-type malware have been identified in use in Ukraine (WhisperGate / WhisperKill, HermeticWiper, IsaacWiper, AcidRain, CaddyWiper, DoubleZero). However, although it has been proven that all of them were aimed at damaging government entities and financial, energy and telecommunications companies, the truth is that, until now, it has not been possible to estimate the impact that these attacks have had on the defense Ukrainian, as it has rarely been publicly reported by the Ukrainian government (Raffray, 06/2022).

The different cyber attacks that have been seen in Ukraine can be classified into four types depending on the objective pursued: destructive, disruption, data leakage and disinformation.

• Destruction attacks (mainly windshield wipers) have been aimed at permanently deleting data and damaging systems with the aim of rendering them unrecoverable.

• Disruption cyberattacks, as their name suggests, try to cause a temporary interruption of services. In the Russian-Ukrainian conflict, DDoS attacks targeting Ukrainian telecommunications and Internet services and those aimed at disabling Ukrainian government websites have played a major role.

• Data leak attacks are those aimed at obtaining private data as a result of cyberespionage activity, and unlike other attacks, to a large extent, cyberattacks of this type that have come to public attention have been carried out by hacktivist groups against Russian public and private organizations. But the phishing, fraud and malspam campaigns deployed by Russia with the aim of capitalizing on the vulnerabilities of the Ukrainian civilian population are also noteworthy. Likewise, given its possible relevance, it is also worth noting the leak made by the Russian hacktivist group RaHDIT on June 14, which would have leaked more than a thousand identities.

• Finally, disinformation attacks focus on the spread of false information and propaganda through the network with the aim of manipulating the information space and affecting the morale of the troops. In this regard, in the conflict we have been able to see from SMS spam campaigns that spread false information, to cyber-attacks against television services to alter news tickers and broadcast fake videos; and even social engineering and email attacks aimed at gaining control of the social media accounts of relevant Ukrainian figures with the aim of publishing false information – in this regard, Ukrainian officials have undoubtedly been an important “ target” for the constant barrage of disinformation tactics. The best example of this type of tactics could be seen on March 16, when Ukrainian television channel 24 reported that President Zelensky was urging the Ukrainians to stop fighting and lay down their weapons. Obviously, this teletype had been falsified through a cyberattack on the television network that had resulted in control of it and the deployment of a disinformation campaign that simulated messages broadcast by President Volodímir Zelesky (Raffray, 06/2022) .

It is true that these types of actions are difficult to quantify, since it is not possible to measure in a conflict situation such as the current one to what extent false information influences the morale of the troops. However, a report by the Microsoft company estimates that successful Russian cyber influence operations aimed at “undermining Western unity and deflecting criticism of war crimes committed by the Russian military” increased by 216% in Ukraine and by a 82% in the United States (VoaNews, 06/2022).

From these few examples, we can draw three conclusions: firstly, that Russian cyberattacks on Ukraine have been a constant during practically the entire conflict; second, that the main concern regarding Russia’s performance in the cyber domain is not so much the possibility of a particular large-scale incident (a cyber Pearl Harbor), but rather the existence of a convergence between cyber attacks and the kinetics; and third, that cyberattacks are not only limited to the cyber terrain, but also penetrate the human psyche through the use of disinformation tactics.

The Russia Ukraine war in the cyber domain and the Ukrainian cyber defense

As we have seen so far, the intensity of the conflict in the cyber domain is frantic and Ukrainian cybersecurity officials have to face a constant barrage of attacks.

Ukraine has largely succeeded in impeding Russian activity in cyberspace, and its cyber defense is proving to be generally more resilient than first appeared. The success of this defense is mainly due to three fundamental facts: firstly, to the skill that experience has brought to the Ukrainian defenders, secondly, to the restraint that Russia seems to be showing in the use of cyber weapons, and in thirdly, to the obvious role that kinetic actions reach in a territorial military invasion .

Ukraine learned the lessons it was able to draw when it was hit hard by the NotPetya malware in 2017, and since then government institutions have launched a powerful campaign to raise awareness of the importance of computer backups and the need to have them available to rebuild quickly attacked services (Fowler, 06/2022).
In fact, on March 16, the Ukrainian government, aware that in a war situation physical servers could be destroyed, not only repealed the law that prevented Ukrainian agencies from storing their vital files in the cloud, but also In addition, it signed agreements with the main US technology companies so that they could support them in the data transition and migration process (McLaughlin, 06/2022).

It is verifiable, in view of the data provided, that there have been many cyber attacks against Ukraine by Russia since the start of Vladimir Putin’s Special Military Operation, and yet, to date, NotPetya and WhisperGate remain practically the only ones recorded cyberattacks that we can consider to have significant strategic value in and of themselves. So, it is interesting to ask ourselves, why is Russia – which has already demonstrated the capacity to inflict attacks of this entity – not using them in the context of the Russo-Ukrainian war?

From our point of view, this question has two possible answers that are not mutually exclusive, on the one hand, because, since the beginning of the war, Moscow has sought to geographically limit the scope of its cyberattacks on Ukraine, while the Kremlin is cautious about possible response that could be expected from Ukraine’s allies in the event that a Russian-made malware seriously harms the interests of third states by spreading beyond Ukraine’s borders.

While this already happened with NotPetya in 2017, it is obvious that the geopolitical context is not the same as it was then, and a response from states suffering this “collateral damage” would be much more likely today than in 2017. OR In other words, a greater internationalization of the conflict and an increase in the actors involved in it would not be ruled out in the event that Russia accidentally damaged infrastructures outside of Ukraine.

Proof of this is found in the fact that WhisperGate , despite sharing certain similarities with NotPetya, differed from it by having a more limited propagation mechanism that prevented the possibility of accelerated and massive propagation (Expósito, 02/2022) .

The second answer would be found in the escalation of the military conflict itself, since in a situation of territorial invasion, it is expected that kinetic actions acquire greater relevance against the cyber domain.

In this sense, we also believe it is important to highlight, in the face of the argument that defends the uselessness of cyber operations in the Russian-Ukrainian war, the fact that up to now, the war in Ukraine has become the scene of the largest conventional war since the Iraqi-Iranian war of the 1980s.

In this regard, once the political and military barriers to the use of traditional military power have been overcome, actions at the cybernetic level become more of a support to the rest of the activities (integrating into the set of tools aimed at the implementation of war) more that in an end in itself.

In other words, the use of cyber attacks seems to be an extension of war itself, a tool designed to disrupt the enemy’s command and control efforts in order to gain advantages on the battlefield. Sabotaging critical infrastructure to impede communications and undermine public trust through disinformation appears to be the primary use of these tools in Russia’s invasion of Ukraine.

The strategic role of cyber operations

From our point of view, observing the Russia Ukraine war in the cyber domain, two of the three currents of thought that we advanced at the beginning of the article can be validated.

On the one hand, it is evident that cybernetic operations have not been able to replace the use of conventional force, consolidating the cybernetic domain as one more scenario in which to act in a multidomain conflict (in other words, the first of currents of thought does not seem to be validated at the moment, ruling out the possibility that a cyber attack is capable of completely replacing conventional arsenals).

The interruption of command and control systems and communications, the sabotage of enemy support infrastructures and the deployment of disinformation and propaganda tactics to affect the morale of troops and citizens seem to be the main milestones of use of cyber weapons in an armed conflict with the characteristics of the Russian-Ukrainian.

On the other hand, the cyberattacks directed at Ukraine’s allies as independent and less intense alternatives to the use of conventional military force reinforce the third line of thought, as they can be considered as attack vectors in the gray zone of conflicts, whose objective would be to influence and weaken the favorable position of the Ukrainian allies.

In general, we can conclude this article stating that the cyber domain is being used in the Russian-Ukrainian war in a combination of two aspects: in the military field as support to the force and in a broader spectrum as an influence campaign in the gray area.

Bibliography

• EFE Agency. (06/2022). Russian ‘hackers’ publish a list of a thousand Ukrainian intelligence agents. Journal of Seville. Available at: https://www.diariodesevilla.es/mundo/Hackers-rusos-publican-listado-inteligencia-ucraniana_0_1699331468.html

• Associated Press. (06/2022). Microsoft: Russian Cyber Spying Targets 42 Ukraine Allies. VoaNews. Disponible en: https://www.voanews.com/a/microsoft-russian-cyber-spying-targets-42-ukraine-allies/6628417.html

• Hacke. (06/2022). Russian hacktivists take down Norwegian government sites in DDoS attacks. Enhacke.com. Available at: https://www.enhacke.com/2022/06/hacktivistas-rusos-derriban-sitios-del-gobierno-de-noruega-en-ataques-ddos/

• Foundling, J. (02/2022). WhisperGate: A surgical cyber attack against Ukraine. Armies Magazine. Available at: https://www.revistaejercitos.com/2022/02/23/whispergate/

• Fowler, B. (06/2022). Ukraine Successfully Defends Its Cyberspace While Russia Leans Heavily on Guns, Bombs. CNET. Disponible en: https://www.cnet.com/tech/services-and-software/ukraine-successfully-defends-its-cyberspace-as-russia-relies-on-conventional-weapons/

• The vanguard. (07/2022). A cyber attack crashes an institutional database in Latvia. The vanguard. Available at: https://www.lavanguardia.com/vida/20220726/8432966/ciberataque-blocka-base-datos-institucional-letonia.html

• Lennart Maschmeyer, L. & Kostyuk, N. (02/2022). There Is No Cyber ‘Shock and Awe’: Plausible Threats in the Ukrainian Conflict. Waron the Rocks. Disponible en: https://warontherocks.com/2022/02/there-is-no-cyber-shock-and-awe-plausible-threats-in-the-ukrainian-conflict/

• Martellucci, E. (07/2022). Hackers grant 5 days to the Revenue Agency. Cryptonomist. Available at: https://cryptonomist.ch/2022/07/26/attacco-hacker-agenzia-entrate/

• McLaughlin, J. (06/2022). A digital conflict between Russia and Ukraine rages on behind the scenes of war. NPR. Disponible en: https://www.npr.org/2022/06/03/1102484975/a-digital-conflict-between-russia-and-ukraine-rages-on-behind-the-scenes-of-war?t=1660033064691

• Raffray, E. (06/2022).Ukraine: 100 days of war in cyberspace. Cyber Peace Institute. Disponible en: https://cyberpeaceinstitute.org/news/ukraine-100-days-of-war-in-cyberspace/

• Veprintsev, V., Manoylo, A., Petrenko, A., & Frolov, D. (2015). Operations of information and psychological warfare, Hotline – Telecom

• Vicens, Aj. (07/2022). Cyber criminals attack Ukrainian radio network, broadcast fake message about Zelensky’s health. CybersCoop. Disponible en: https://www.cyberscoop.com/hackers-infiltrate-ukrainian-radio-network-broadcast-fake-message-about-zelenskys-health/