Ukraine-Russia conflict in 2022

Russia has been using cyber capabilities for over 15 years to attack its perceived enemies. They have a strategy called “offensive cyber,” where they mix cyber operations with information campaigns and big military actions. The goal is to control Russia’s information space, spread misleading information, and disrupt the infrastructure of their opponents. In 2013, General Valery Gerasimov talked about the blurred lines between war and peace, saying that non-military methods can be more effective in reaching goals.

Russia believes in combining cyber operations with information campaigns and big military actions. One example is the 2007 attacks on Estonia, where they used things like DDoS attacks to disrupt government, banking, and media websites. These attacks were more like online riots than military actions and temporarily stopped Estonia’s normal functioning.

Since then, Russia has continued these operations using DDoS attacks, hacking, data leaks, and spreading misleading information. They target various things, from interfering with international investigations to influencing elections in different countries. The cyber campaigns against Ukraine from 2014 to 2022 were aimed at disturbing the Ukrainian government without using armed force, showing that Russia can disrupt a country without traditional military methods. An example is the “BlackEnergy” malware used to sabotage Ukraine’s power companies.

In summary, Russia has been actively using cyber operations to wage information warfare and influence other nations. They show a readiness and ability to disrupt important systems and political stability without using traditional military methods.

RUSSIA’S STRATEGIC USE OF MALWARE IN GLOBAL CONFLICTS

In June 2017, Russia caused widespread disruption in Ukraine by using popular Ukrainian tax software to spread malware known as “NotPetya.” This affected computers in banks, newspapers, power companies, national railways, postal service, health ministry, and even a nuclear facility. The malware made affected computers unusable while authorities cleaned and rebuilt the related information technology. Approximately 10% of Ukraine’s computers were impacted, affecting around 300 Ukrainian companies.

The “NotPetya” attack spread globally, damaging systems in 60 other countries, including the United States and NATO member states. In 2018, Russia attempted but failed to deploy destructive malware in a plant supplying chlorine for water purification in Ukraine.

In earlier conflicts, such as the 2008 war with Georgia and the annexation of Crimea in 2014, Russia also used cyber attacks alongside military operations. These attacks included Distributed Denial of Service (DDoS) attacks, web defacement, and spreading misleading information.

Russia’s use of cyber attacks in the 2022 conflict with Ukraine involved reconnaissance operations and pre-positioning cyber capabilities on Ukrainian energy and communication networks since March 2021. However, the attacks during the invasion mainly replicated those used against Georgia in 2008 and Ukraine in 2014. The Russians targeted Ukrainian government websites and private organizations with web defacement and DDoS attacks. Malware called “WhisperGate” was also activated, affecting Ukrainian and Baltic governmental and financial networks, but the overall impact was limited.

The widespread attacks may have been mitigated by detecting and addressing the malware through Ukrainian government and Western cybersecurity companies’ efforts.

HOW RUSSIA USES CYBER TACTICS IN THE UKRAINE WAR

After the invasion, cyber warfare swiftly manifested through website defacements and denial-of-service attacks, sparking a widespread online battle involving Russians, Ukrainians, and their sympathizers. This digital conflict featured electronic sabotage, the dissemination of fake news, and propaganda efforts aimed at influencing public opinion. Remarkably, Russia refrained from significant attempts to disable Ukraine’s critical infrastructure, potentially learning from previous incidents like NotPetya. The cyber operations were largely low-level disruptions.

As the conflict unfolded, additional electronic dimensions emerged. Russia targeted the Viasat satellite network, causing substantial internet service disruptions in Ukraine and parts of Central Europe. This cyber assault, likely orchestrated by the Russian military intelligence agency GRU, resulted in severe communication losses for Ukraine in the early stages of the war. This attack stands out as a pivotal and successful Russian cyber operation during the ongoing conflict.

The strategic importance of cyber operations to Russia is evident, particularly in targeting specific Ukrainian government, military, and police communications relying on Viasat. Russia’s electronic priorities may extend to gathering personal data on Ukrainian citizens, possibly to identify individuals likely to assist or resist during the occupation.

UNDERSTANDING RUSSIA’S CYBER ACTIONS IN UKRAINE WAR

As the war progressed, the Russians intensified their use of cyber operations to target critical Ukrainian national infrastructure. These efforts included infiltrating one of Ukraine’s largest energy facilities in February, with plans for a destructive impact on April 8 using the same techniques employed by Russia in 2015 and 2016. However, Ukrainian cybersecurity thwarted these attempts. Russian cyber actions in late March against a major Ukrainian internet and phone service provider caused communication disruptions for several hours, but many attacks were repelled.

Microsoft tracked over 237 Russian cyber operations against Ukraine since before the invasion, with nearly 40 separate destructive attacks permanently damaging files across numerous Ukrainian organizations. Although Microsoft assessed that Ukraine did not experience widespread, country-wide disruptions as anticipated, the Russians integrated cyber activity into their broader military operations. Notable instances included wide-ranging Russian cyber attacks on media institutions based in Kyiv, synchronized with a missile strike on Kyiv’s TV tower, and a Russian breach of Ukrainian nuclear energy company networks coinciding with the military occupation of the Zaporizhzhia nuclear power station. However, these incidents appear sporadic, and evidence suggests that, despite Russian military doctrine emphasizing the integration of cyber operations into comprehensive military campaigns, such attempts are rare and, when executed, inefficient.

In June 2022, top European cyber officials assessed that Russia had demonstrated a lack of readiness for coordinated cyber warfare, describing its cyber activity against Ukraine as extensive but poorly planned and organized. Jeremy Fleming, the head of the UK Government Communications Headquarters (GCHQ), also concluded that the impact of Russian cyber operations was “less than expected.” Nonetheless, reports from Microsoft, along with other companies like Cisco, Google, Slovak company ESET, and Ukrainian authorities, indicate a significant and sophisticated cyber dimension to the war between Russia and Ukraine.

FACING RUSSIAN ATTACKS DURING WAR

In preparation for a swift and successful war with Ukraine, Russia initially viewed cyber operations as equivalent to those conducted in 2008 and 2014. In a scenario anticipating a “short war,” Russians seemed focused on maintaining Ukraine’s vital national infrastructure for potential use, explaining their emphasis on gathering personal details through espionage. However, during the early stages of the war, it appears that Russia was still trying to ensure a strategic advantage on relevant Ukrainian networks for broader disruptive activities if needed. Russian cyber tactics indicate a lack of initial electronic capabilities to surgically disable Ukrainian weapon systems, relying on traditional military means. Following the failed attack on Kyiv, Russia shifted focus to support separatists in Eastern Ukraine, employing cyber tactics against vital Ukrainian infrastructure more extensively than before. Despite tactical successes, Russia failed to achieve a significant electronic impact for various reasons. Enhanced Ukrainian cyber security, supported by U.S. and U.K. intelligence and agencies, played a crucial role. Investments from the U.S. in Ukrainian cyber capabilities and cooperation with key companies, including Microsoft, Google, and Cisco, contributed to countering Russian cyber threats.

WHY RUSSIA STRUGGLED AND UKRAINE PREVAILED

The main reason for Russia’s cyber failure is Ukraine’s expertise in cybersecurity. While Russia gained experience in attacking Ukrainian networks since 2014, Ukrainians learned a lot about Russian cyber operations. Ukraine likely shared insights with the US and the UK about Russian tactics. Russian private networks faced significant pressure from coordinated attacks by volunteers, such as the Network Battalion 65, Elves, Cyber Partisans, and Anonymous. These groups engaged in theft and leaks of sensitive Russian data, including emails, passwords, and financial information.

Russian governmental organizations, like Roskomnadzor and Rosneft, experienced data breaches and leaks, revealing collaboration with Russian intelligence agencies. DDoS attacks targeted the Kremlin, Russia Today, TASS news agency, and RUTUBE video hosting. The cyber efforts aimed to undermine Russian public support for the war, including hacking Russian TV channels to broadcast pro-Ukraine content. Ransomware attacks also emerged, with a group linked to Russia unintentionally aiding Ukrainian cyber forces in countering Russian operations. By March 2022, Russia became the most targeted state in cyberspace, exposing its cybersecurity vulnerabilities. The extensive global cybersecurity support during the Ukraine-Russia conflict raised concerns about potential cyber escalations and incorrect attributions. Despite the risks, the heightened cyber awareness indicates a growing trend in future cyber conflicts among nations, emphasizing the need for countries to reassess their cyber strategies. The Ukrainian government likely conducted a range of cyber operations against Russian targets, leveraging Russia’s cybersecurity weaknesses, with potential impact.

The U.S. and the U.K. have played a vital role in supporting Ukraine’s cybersecurity

The U.S. and the U.K. have played a vital role in supporting Ukraine’s cybersecurity efforts before and during the war with Russia. Collaborating closely with Ukrainian authorities, they have shared intelligence and aided in securing Ukrainian networks. While it’s unclear if there was cooperation on offensive cyber operations, Russia claims that the U.S. engaged in such activities, referencing an interview with General Paul Nakasone, the U.S. Cyber Command leader. The dispute revolves around the interpretation of “cyber attack” and how nations perceive the use of cyber operations in conflicts. The broader debate includes the various impacts of cyber operations, not only militarily but also in manipulating information and affecting public perception. The uncertainty surrounding the application of international law to cyber operations raises questions about the involvement of the U.S. in the conflict, especially if its cyber support leads to casualties or destruction. However, many types of cyber operations fall outside this qualification, including cognitive and psychological operations designed to disrupt and mislead.

In the middle of the Russia-Ukraine conflict, there’s a debate about whether the U.S. and U.K. conducted cyber operations against Russia. The statements from General Nakasone and the U.S. White House suggest that cyber actions disrupted various Russian activities during the conflict. Russia claims the U.S. engaged in cyber attacks, but the details and legal aspects are unclear. This conflict highlights how cyber operations go beyond hacking, influencing information and public opinion. The U.S. and U.K. likely operated in a legal “gray area” to showcase their cyber capabilities as a deterrent. Despite legal uncertainties, responsible use of cyber power is crucial. Cyber warfare now focuses on online battles for influence, with Russia accused of spreading misinformation. Various actors, from cyber guardians to media organizations, played a role using social media and innovative approaches. Support like Elon Musk’s Starlink and guidance from international broadcasters helped Ukraine. President Zelensky effectively used online platforms, and as of August 2022, Russia seemed to be losing the information war.

The Russia-Ukraine conflict introduces a new and serious dimension: the risk of cyber threats extending beyond intentional targets. Initially worried about unintentional damage to their networks, Western governments became concerned about direct Russian attacks on their networks. Government reports indicate extensive Russian state-sponsored cyber intelligence operations against foreign networks. The Microsoft report in June 2022 revealed cyber attacks on governments, think tanks, companies, and relief groups in 42 countries, with a focus on NATO members, the U.S., and Poland. State-backed Russian groups like Killnet conducted DDoS attacks and disinformation operations against Western targets. The most significant worry was the potential use of destructive malware against vital national infrastructure, capable of causing significant damage. Evidence of such capabilities emerged, with the FBI disrupting Russian cyber activities. New malware, called “Pipedream,” was discovered, capable of disrupting critical infrastructure and industrial operations. As of June 2022, top U.S. cybersecurity officials acknowledged Russia’s capabilities and planned use, posing questions about potential future attacks. Detecting and neutralizing Russian cyber capabilities before activation remains challenging. The enhanced protection of Ukrainian networks could thwart most Russian operations. Western initiatives like the U.S. government’s “Shields Up” and similar warnings from the U.K. emphasize the importance of bolstering cybersecurity defenses to prevent cyber operations during wartime. Robust cybersecurity, combined with strategic planning for flexibility, minimizes the impact of potential cyber threats. For incidents that have already occurred, questions arise about whether they constitute coercive interference, the use of force, or armed attacks, guiding the affected state’s response.

The 2022 cyber dimension of the Russia-Ukraine war marks the first cyber conflict between two states with well-matched cyber capabilities. Despite initial expectations, Russian cyber operations proved less effective, leading to intense cyber battles. The majority focused on cognitive impact operations, including information campaigns. Russia targeted Ukraine’s vital national infrastructure, prompting a back-and-forth struggle. Ukraine, with strong intelligence and cybersecurity measures, successfully defended against most attacks, quickly recovering from breaches. Russia attempted to limit the extension of such operations to neutral networks, avoiding escalation. However, the war exposed weaknesses in Russia’s cyber capabilities compared to the U.S., such as poor coordination with military operations and cybersecurity vulnerabilities. The conflict showcased modern cyber warfare but didn’t involve high-quality offensive cyber capabilities from either side. The risk lies in the potential escalation beyond cyberspace to a wider confrontation between Russia and NATO, emphasizing the need for international warnings and better understanding of cyber warfare in both wartime and peacetime. The urgency to address legal aspects of cyber conflict has increased, especially in determining the application of international law to cyberspace. The severity of cyber threats underscores the importance of clear warnings and collective responses to protect against escalating tensions.