The cyber war in Ukraine

Aapo Cederberg
CEO
Cyberwatch
Finland

aapo@cyberwatchfinland.fi

Ukraine is currently waging the world’s first cyber war. However, cyberwarfare is not an isolated entity; its events and goals follow the course of the physical war. At the moment, it seems that Ukraine has achieved a defensive victory in cyberspace, but it is difficult to draw final conclusions while the war is still ongoing. Assessing the efficacy of cyberwarfare is challenging because the parties share only information that benefits their own interests. Information related to cyber defense is sensitive, and thwarted attacks are generally not reported openly, so as not to reveal defensive capabilities. The same applies to offensive operations: for example, successful intrusions into the enemy’s networks are deliberately concealed.

Successful cyber defense of Ukraine

When the Russian war of aggression began, many experts expected Russia’s supposedly superior cyber capabilities to produce significant results and extensive disruptions to Ukrainian networks. However, as the weeks turned into months, there were no signs of major successful cyberattacks. The success of the cyber defense can be observed, but the underlying reasons are harder to establish. How many attacks, and of what scale, Ukraine has actually managed to repel will become clear only after the end of the war, or not at all. One can, with caution, identify the factors that have contributed significantly to the success achieved so far.

One of the most important factors in this success has been international allies. Even before the war, Ukraine received substantial support for its cyber defense from Western countries, and this assistance increased further after the invasion began. In addition to the assistance provided by major states such as the USA and the UK, many international companies have contributed to the success of the defense. The threat information shared by Microsoft and the satellite connections maintained by Starlink are good examples. Moreover, for several years before the February invasion, Ukraine had been the target of a significant volume of Russian cyberattacks, so its know-how and experience in countering attacks were already at a high level.

Another factor that played a pivotal role was Ukraine’s ability to physically move its critical servers beyond Russia’s reach and to make effective use of various cloud services to back up data. Early missile strikes on data centres were partly ineffective, as the most critical servers had already been moved to neighbouring countries or out of missile range. In addition, many nationally important online services now operate entirely in a cloud environment.

Throughout the war, various experts have speculated that Russia has not yet used its most powerful cyber weapons but has saved them for a situation where their impact would be maximized. The most powerful cyberweapons are often disposable, single-use in nature, so their utilisation is naturally carefully considered. Throughout the summer and autumn, it has been speculated that sooner or later Russia will have to commit all its remaining resources. When no significant increase in the level of cyberattacks is observed, it can be concluded that the most powerful weapons either were in fact used earlier in the war or never existed at all. However, no one other than Russia knows how much capacity it holds in reserve.

It should be noted that there is a stark difference between winning individual battles and winning the war. Cyber defense differs from offensive operations in that it must be continuous. The aggressor can often decide the time and place of the battles. Even if there is a ceasefire in conventional warfare, cyberattacks can sustain the conflict. The defender must constantly prepare for new types of attacks, while the attacker can plan and prepare its actions in relative peace. Ukraine must therefore maintain and develop its own capabilities even further. It is also critical that Ukraine can justify to its allies its need for continued support in cyberspace despite its apparent upper hand.

Ukraine’s counterattack in cyberspace

Counterattacks are an essential part of defense in cyberwarfare. Most of Ukraine’s cyber capabilities are presumably tied to defense and to maintaining its own operational capability. There have been hardly any signs in open sources of offensive cyber operations carried out by the Ukrainian armed forces, but this does not mean that they do not happen. Even with the majority of resources tied up in defense, it is possible that the Ukrainian armed forces also carry out their own cyberattacks against Russian military targets. It is likely that these operations will not be publicly discussed.

Cyberattacks for the benefit of Ukraine have been carried out not only by the armed forces but also by a wide range of volunteers from all over the world. As it is relatively difficult for outsiders to participate in the defense, the volunteer enthusiasm generated by international media attention was channelled into cyberattacks against Russia. The cyber war has involved not only existing hacker collectives (the most famous of these being Anonymous) but also individual volunteer citizens from various Western countries. To coordinate the activities of volunteers of varying skill levels, Ukraine set up the IT Army of Ukraine, which coordinates attacks and distributes tools and instructions for carrying them out. The IT Army and external hacker collectives have been responsible for numerous cyberattacks against Russia, by now numbering in the thousands.

In the early stages, the attacks were largely denial-of-service attacks on Russian services (banks, online stores) or brief takeovers or harassment of communication channels (TV channels). Their purpose was to make the war palpable and visible to Russian citizens. As the war has continued, the operations have been developed and expanded. The effectiveness of denial-of-service attacks has been improved by timing them precisely to the moments when the targeted service is most needed. Examples of these inventive denial-of-service attacks include widespread outages of Russian tax services just before tax returns were due, and the disabling in October of online stores selling military equipment, at the moment when thousands of newly mobilised conscripts were trying to acquire gear before deployment.

The IT Army of Ukraine is developing its activities and creating new and more effective types of attack. This became concrete at the beginning of November, when it announced that it had carried out several successful data breaches of Russian civilian and military targets. Data breaches differ from denial-of-service attacks in that they require more advanced expertise and knowledge of the target systems. The constantly evolving operations reflect both the growing competence of the participants and their continued motivation as the war goes on.

Russia’s accelerating but blunt cyberweapon

The sophistication of Russian cyber operations expected by Western threat assessments before the war was higher than what its operations in Ukraine have shown. This does not mean that all Russian cyberattacks were poorly executed or unsuccessful. According to Microsoft, some of the cyber weapons used have been highly advanced and have produced results. Nevertheless, the successes of the Ukrainian defense and the rapid recovery from the blows have kept the effects moderate.

In February 2022 and before, Russia sought to cripple Ukraine’s readiness with wiper malware that destroys data and information systems. As in the Russian ground offensive, momentary and regional impacts were achieved, but the goal of an attack that cripples society was not met. During the summer, as the front lines stabilized, cyber intelligence took a larger role alongside destructive attacks. In the autumn, Russia supported its missile attacks on Ukraine’s critical and energy infrastructure with cyberattacks, although their effects have not been significant. Victor Zhora, deputy head of Ukraine’s cyber defense agency (the State Service of Special Communications and Information Protection), said that during the offensive phase the attacks were more sophisticated and continuous, but that they have since become aimless and opportunistic.

Long-term cyberwarfare can be thought of as favouring the defender. When it comes to the most effective weapons, the aggressor’s reserves are quickly depleted, and the development of new ones does not happen overnight but requires intelligence and creativity. A well-functioning and up-to-date cyber defense, on the other hand, holds its value over time. Already at the end of the summer it was estimated that Russia’s cyberweapons were becoming dull, mostly slightly modified versions of previously used malware. Russia spent the footholds it had established in Ukrainian networks before the war during its opening phase, and has not been able to re-establish access as effectively since.

From the outside, the effectiveness of cyber weapons can only be assessed in the cases that have been reported or have caused visible effects. When considering Russian cyberattacks, source criticism should be applied in both directions. Russia’s own, normally exaggerated, propaganda has been surprisingly restrained regarding cyberattacks. It is likewise not in the interests of Ukraine, or of Microsoft as a strong supporter, to detail the losses or the attacks that have bypassed the national cyber defense.

While Russian hacker groups have carried out visible cyber sabotage and attacks in Ukraine, Russia has used fewer external actors in its cyber operations than estimated. According to the information security company Trustwave, the cyber operations have mainly been carried out by Russian intelligence services or by various security authorities, chiefly under the auspices of the GRU.

Mandiant estimated in November that the war has significantly changed the GRU’s cyber operations. The cycle from intrusion into a system to the actual destructive effect has accelerated, driven by the desire for faster effects in cyber warfare. This directness shows in simpler malware, which is no longer designed to stay hidden and spread, but only to achieve the desired effect on a particular system. In the long run, this emphasis on speed will dull the impact of cyber operations and affect Russia’s ability to develop new cyber weapons.

The escalation of cyberwarfare

The cyber war between Ukraine and Russia has had many ramifications. However, it has so far been more local and limited than anticipated. Before the beginning of October, destructive cyberattacks outside Ukraine’s borders had not been seen, or at least could not be clearly attributed to Russia.

In its report, Microsoft assessed that the Prestige ransomware campaign, which hit transportation and logistics organisations in Poland and Ukraine in October, was the first destructive cyberattack of the Ukrainian cyberwar outside the country’s borders. According to Microsoft, the attack was carried out by IRIDIUM, a Russian actor it links to the GRU-affiliated Sandworm group. What makes an attack destructive is its impact on the target’s systems: the loss of data that disrupts or halts operations. In cyberspace, the spillover effects of the war in Ukraine had previously been seen in the form of denial-of-service attacks carried out by Russian hacker groups such as Killnet in countries such as Norway, Lithuania, and the United States. However, their impact has been mainly in the information dimension, i.e., visibility and fearmongering.

Russia has tried, unsuccessfully, to reduce aid to Ukraine, both by using energy supply as a weapon and through economic intimidation and pressure. Interfering with humanitarian and military assistance outside Ukraine may be the next step, and for this the cyber dimension is probably more likely to be used than kinetic means. The logistics critical to assisting Ukraine, in Poland and Eastern Europe, are therefore a potential arena to which the cyberwar could spread.

Identifying cyberwarfare operations is complicated by the difficulty of separating them from cybercrime. Since the actors and forms of attack in Russia are the same, the real purpose can be hidden behind the cover of crime. Thus, the fog of war hampers the creation of a cyber situational picture. The fog conceals both criminal and state threat actors, who can operate while attention is elsewhere. This is true not only for Ukraine and Russia but also globally: the threat of cyber espionage and operations by established threat actors such as China, Iran, North Korea, or terrorist organisations must be prepared for as before. However, the final analyses and lessons-learned assessments will not be available until after the end of the war, when actors can report their findings more openly.

References:

Ukraine: Russian cyber attacks aimless and opportunistic (techtarget.com)

New “Prestige” ransomware impacts organizations in Ukraine and Poland (Microsoft Security Blog)

Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless (WIRED)

Microsoft Digital Defense Report 2022, Executive Summary

Evaluating International Support to Ukrainian Cyber Defense (Carnegie Endowment), https://carnegieendowment.org/2022/11/03/evaluating-international-support-to-ukrainian-cyber-defense-pub-88322

Expert article 3311

Baltic Rim Economies 5/2022