Cyberwarfare in Russia-Ukraine Military Conflict: Lessons to be Learnt

Cyberattacks are indeed a critical component of a conflict, but their success depends on multiple variables, such as early access to the adversary's systems, effective concealment, the right timing, shock and surprise, and the preparedness of the opponent. There are, therefore, differing opinions on the effectiveness of cyber ops in a combat situation. Some hold the view that they have little if any significant impact on the outcome of a conflict. Others feel that cyberwarfare could play a far more decisive role in a conflict, especially if the hacking victim has put less effort into its cyber defence than Ukraine has.

by Prasad Nallapati

Russia's military invasion of Ukraine began as localized skirmishes but soon acquired the proportions of a mini world war, with the Western powers coming to the aid of Kyiv against Moscow, which has indirect support from many of its allies, mainly China and Iran. Its impact is felt all over the world, disrupting supply chains and causing shortages and high prices of essentials such as food and energy.

The role of 'cyber power and information warfare' in the Russia-Ukraine war is of great interest to countries around the world, since it was widely believed that the stronger cyber power would easily knock out its rival without even resorting to major military deployments. This notion now lies shattered. It has particular significance for China, which is closely following the war to learn lessons as it remains fixated on the reunification of Taiwan.

Russia, in the past decade, had acquired the aura of an 'invincible' cyber power. Its exploit of hacking the systems of Hillary Clinton's Presidential campaign, which cost her the 2016 US election, is still held in awe. The American cyber defence contractor Edward Snowden, who spilled the secrets of US cyberwarfare, is now a Russian citizen. Moscow's cyberattacks on Estonia in 2007 and on Ukraine's power grid in 2015 brought them to a halt for almost a month. Cyber operations downed critical services as Russia moved in to occupy Crimea in 2014.

Russian cyberattacks as it prepared for the military invasion of Ukraine

Russia, therefore, was expected to pulverize Ukraine through cyber operations even before its forces marched in on February 24. It launched destructive malware on January 14, wiping out computers of key agencies and temporarily taking down their websites, including the Foreign Ministry site, where it left the message "Be afraid and expect the worst."

Further attacks followed in earnest. The satellite network of the US-based telecom provider Viasat Inc, which has a large subscriber base in Ukraine and Europe, was shut down as the invasion began. Tens of thousands of customer modems in Ukraine and Europe were knocked offline, affecting even wind turbines in some countries. The Ukrainian military is among its clients. Soon the Ukrainian mobile operator Kyivstar, which serves almost 26 million people, faced a barrage of Russian cyberattacks. UkrTelecom, internet provider to Ukraine's military forces, faced persistent cyber assault. Russia had in fact reworked its tool kit, modifying the 'Industroyer 2' malware, to repeat a 2015-type power grid attack. A steady stream of attacks thus continued.

Moscow-linked hacker groups pre-positioned for the conflict as early as March 2021, almost a year before the invasion, trying to gain access to the systems of several organizations in Ukraine. A Microsoft report stated that nearly 40 discrete attacks permanently destroyed files in hundreds of systems across dozens of organizations in the first month of the invasion. The Turla group created several apps, such as the Cyber Azov app, impersonating Ukraine's far-right military unit, the 'Azov Regiment'; the app is malicious and carries a Trojan, intended to compromise Ukrainian and Western organizations. IBM reported that another group, Trickbot, launched at least six separate campaigns between February and June against targets inside Ukraine.

The core leadership of Trickbot is also believed to be part of another Russian ransomware collective, Conti, which openly declared support for Russia but had to retreat after other members of the group, who are either Ukrainians or sympathetic to Ukraine, leaked 60,000 internal Conti messages showing its connections to the Russian intelligence agency, the FSB. Another pro-Russian hacker group, Killnet, brought down several government websites in Italy, including that of the Foreign Ministry, and overwhelmed Lithuania's public services with DDoS attacks. Italy had been friendly to Russia but changed its stance after the invasion and supported arms supplies to Ukraine. Lithuania blocked Russian goods under EU sanctions from transiting to the Russian enclave of Kaliningrad.

Deception and misinformation are the core of 'information warfare', and Russia is quite adept at it. It framed the military assault as a peacekeeping operation to protect Russian speakers in eastern Ukraine from a supposedly 'neo-Nazi' regime. Pictures released showed roadside bombs killing children there. A hacker group known as Secondary Infektion compromised the Ukraine 24 TV website to stream a fake message of surrender from President Zelenskyy. Russian hackers also executed wiper variants such as CaddyWiper and Junkmail on Ukrainian networks a few hours before Zelenskyy delivered his speech to the US Congress, according to the cybersecurity company Mandiant. Another group, Ghostwriter, apparently aligned with Belarusian state interests, was responsible for an array of misinformation campaigns, phishing attempts and assaults against Ukrainian targets. APT 28, also known as Fancy Bear, posted content on Telegram channels aimed at weakening Ukrainians' confidence in their government.

Ukraine, backed by the US and NATO, was well prepared to counter Russian cyber ops

Ukraine has shown extraordinary resilience, recovering quickly from Russian assaults and repulsing further attacks while launching its own onslaught on networks in the Russian heartland. It has been helped in the task by the US and NATO allies and by loosely organized hacker groups, well coordinated and guided by Ukraine's national agencies.

The January 14 attack proved to be a huge miscalculation on the part of Moscow, as it prematurely exposed Russia's covert access to Ukrainian networks. It gave Kyiv and its Western allies enough time to recover and patch vulnerabilities, denying Russia any advantage when its forces marched into Ukraine a month later. Ukraine's experience of dealing with Russia's past cyberattacks on power grids and on Crimean critical services came in handy in neutralizing hundreds of such assaults in the current conflict. Kyivstar, UkrTelecom and Viasat Inc were all well assisted in identifying and repelling Russian attacks.

Support from Ukraine's Western allies has been unprecedented. In anticipation of the Russian invasion, technical experts from the US, the UK and Estonia arrived in Ukraine last December to strengthen its cyber defences. US Cyber Command, the Pentagon's offensive cyber wing, was at the forefront. Other US agencies, such as the FBI, USAID, the Department of Energy (DOE) and the Cybersecurity and Infrastructure Security Agency (CISA), have played a coordinated role in assisting their Ukrainian counterparts, sharing technical details of Russian malware in a timely manner and guiding them in mitigating it. Global technology giants, including Microsoft, Alphabet and Facebook, have also pitched in to support Ukraine by identifying threats, patching vulnerabilities and sharing information.

Volunteer hackers received a first-of-its-kind boost from the government of Ukraine, which endorsed their efforts and directed them to targets through the 'IT Army' channel on Telegram. Roughly 400,000 cyber experts and students have joined Ukraine's 'IT Army' to defend Ukraine and launch digital ops of their own against Russia. They circulated easy-to-use exploits to laypeople, who became a force multiplier, overwhelming Russian operators. Members of the hacktivist group Anonymous hit Russia's central bank and state media, as well as companies.

Outmatched in military might, Ukraine has excelled in the information war. While the Kremlin's information operations and propaganda focused on deception, censorship and false narratives such as 'denazification', Zelenskyy, a seasoned TV star himself, has overseen an extraordinary communications campaign that has proven crucial in marshalling global support for Ukraine's fight against Russia. By playing up Russian brutality and military stumbles, deftly using social media, and appealing to foreign leaders' emotions while challenging their policies, Zelenskyy has steered an information offensive that has yielded greater Western arms donations and wider backing for unprecedented economic sanctions against Russia.

This was made possible by the staff of Starlink, a satellite-based internet service provider. It proved key to keeping online services open, allowing continued communications and enabling information that contradicted Russia's messaging to get out to the world. Its success in fact prompted a Chinese researcher to suggest tracking Starlink satellites and disabling them.

Ukraine's ingenuity in making its citizens a vital part of its information warfare has proven highly effective. Their sharing of footage of the realities of the war immensely damaged Russian narratives. In response to the fake Russian TV stream of Zelenskyy's purported surrender, citizens circulated genuine video of him calling on Russian soldiers to lay down their arms. Volunteer hackers outmaneuvered Russian internet censors to reach the Russian people with messages about Russian brutality and the deaths of Russia's own soldiers. Anti-war messages showed up on smart TVs and on platforms run by the Russian IT giant Yandex on Victory Day, when Russians commemorate the Soviet Union's role in defeating Nazi Germany.

Important Lessons

The first casualty of the cyberwarfare is the Russian 'halo of invincibility'. As anticipated, Russia went big with cyberattacks on satellite links, telecom operators and power grids that could have cut the country off from the outside world. None of it happened. What Moscow thought would be a cakewalk turned out to be an encompassment. Russia faced a formidable cyber force, not just Ukraine's but also the entire US government cyber machinery and well-coordinated loose groups of volunteer hackers. When cyber capabilities are evenly matched and the victim is well prepared, cyber ops have limited utility in a major war scenario.

Russia squandered its advantages by following a cyber philosophy of 'big bang' disruptions, perhaps to show off its prowess and browbeat its adversaries. Its high-profile exploits against the 2016 US Presidential election campaign and European parliamentary polls, and its attacks on power grid systems and telecom networks, have had only limited, short-term impact. The victims recovered fast and hardened their systems against a repetition of such assaults. In contrast, other major cyber powers such as the US, China and Israel have operated much more quietly, using their exploits for espionage, deception, subversion and psychological warfare.

Cyberwarfare is a painstaking effort: it takes months, if not years, to gain covert access to an adversary's networks and to maintain it unnoticed. Any premature exposure of that access can render the whole effort futile, and the cyber tools used may become unusable. Russia showed its hand well ahead of its military invasion through its disruptive activity in January this year, giving Ukraine and its allies ample time to shut the intruders out and make their tools redundant for use anywhere.

As in a conventional war, this case has again proven that resolute leadership can seize any opportunity and turn it to advantage, even on the brink of defeat. Had Russia succeeded in blocking Zelenskyy from rallying his people and the rest of the globe online, it might have swayed the course of the conflict. Ukraine has won the information war, thanks to the Starlink operators who worked tirelessly to keep online services open. The presence of international media in the country also helped expose Russian brutality. It is the media, messaging and persuasion that have seen Ukraine sail safely out of an impossible situation.

It was an extraordinary feat for Zelenskyy's administration to coordinate and guide hundreds of thousands of professional hackers, both nationalists and criminals, and laypeople without any previous skills, under the 'IT Army', who not only checkmated Moscow's cyber advances but also maneuvered around Russian censorship to carry a message to the Russian people to oppose the 'unjust war' imposed by Moscow. Global technology giants, Microsoft, Alphabet, Mandiant, Facebook and a host of others, played a significant role in cyber defence, working overtime to identify threats to Ukraine, patch vulnerabilities and share information.

Conclusion

Cyberattacks are indeed a critical component of a conflict, but their success depends on multiple variables, such as early access to the adversary's systems, effective concealment, the right timing, shock and surprise, and the preparedness of the opponent. There are, therefore, differing opinions on the effectiveness of cyber ops in a combat situation. Some hold the view that they have little if any significant impact on the outcome of a conflict, other than being useful in espionage, subversion and propaganda efforts. Others feel that cyberwarfare could play a far more decisive role in a conflict, especially if the hacking victim has put less effort into its cyber defence than Ukraine has.

(The writer, a former Additional Secretary to Government of India, heads the Deccan Council for Strategic Initiatives, a think-tank based in Hyderabad)