Six months on: Looking back at the role of cyberattacks in the Ukraine War

When Russia invaded Ukraine on February 24th 2022, none of us knew what role cyberattacks might play in a full-scale invasion. Russia had been conducting cyberattacks against Ukraine since it had occupied Crimea back in 2014 and it seemed inevitable that these tools would play a role, especially after the attacks on Ukraine’s power grid and unleashing the NotPetya worm on the world.

One of the challenges when trying to assess the efficacy or impact of computer attacks is to try to see how they fit into the “big picture.” When you’re in the middle of the conflict, the fog of war often obfuscates and distorts our view of any given action’s effectiveness. So now, more than 6 months into this war, let’s take a look back with our 20/20 hindsight and try to determine the role of cyberweapons up to this point.

According to the Ukrainian State Service of Special Communications and Information Protection (SSSCIP), Ukraine was attacked 1,123 times since the war’s inception. 36.9% of the targets were government or defense related; 23.7% of the attacks involved malicious code and 27.2% were information gathering.

The cyber component of the war began nearly 24 hours before the land invasion. In my daily diary on the conflict I noted that DDoS attacks and wiper attacks began on February 23rd around 1600 local time. Immediately thereafter things began to get very confusing, as a multitude of attacks and techniques were deployed in parallel.

Let’s break these down into a few categories and then analyze their intensity, effectiveness and goals. I see them falling into four broad categories: destruction, disinformation, hacktivism, and espionage.

Destructive

Considering how the war has had to evolve as it diverged from Russia’s original plan, some of these techniques have been used differently in distinct phases of the war so far. The first and most obvious was the destructive malware phase.

Beginning in January 2022, according to SSSCIP, Russian and pro-Russian attackers began unleashing wiper and boot-sector-altering malware, designed to erase the contents of a system or make it inoperable. They primarily targeted Ukrainian service providers, critical infrastructure, and government agencies.

These attacks continued throughout the first six weeks of the conflict and then tapered off. Most of this activity was focused between February 22nd and February 24th, leading up to and through the invasion. This preparatory harassment certainly had impacts, but ultimately does not appear to have had any positive impact on the success of Russia’s land invasion.

A few days before these attacks, the Ukrainian government moved many of their official online functions to cloud infrastructure managed and controlled by non-combatant third parties, thereby avoiding disruption and allowing Ukraine to maintain services and communicate with the world. This is reminiscent of Georgia moving essential government websites to third countries during Russia’s DDoS attacks on them in 2008.

Another destructive attack was on the Viasat satellite communications modems, in use throughout central and eastern Europe, just as the invasion began. According to Raphael Satter of Reuters, a senior Ukrainian cybersecurity official stated that it resulted in “a really huge loss in communications in the very beginning of the war.” This attack also imposed collateral damage on NATO members, disrupting the operation of more than 5,800 wind turbines in Germany.

This is likely the most impactful of all the attacks conducted during the war thus far. Considering most experts have speculated that Russia had planned for a 72-hour war, disrupting military communications could have had a significant early impact. Fortunately, Ukrainian commanders were able to regroup and establish alternative communications to minimize the disruption; over the long term, the evidence is that Russia has struggled far more with chain-of-command communications than Ukraine.

Perhaps in part due to the assistance of tech companies such as Microsoft and ESET, as well as US intelligence agencies, Ukraine’s success in stopping destructive attacks has been impressive.

One of the most sophisticated malware threats targeting critical infrastructure was detected and neutralized when it was discovered on the network of a Ukrainian energy provider. Known as Industroyer2, the malware was a combination of traditional wipers targeting Windows, Linux, and Solaris and ICS-specific malware targeting the operational technology (OT) used to control and monitor the power grid.

Microsoft has pointed out in a recent report that many Russian cyberattacks appear to have been coordinated with conventional attacks in Dnipro, Kyiv, and at the Vinnytsia airport. But there is still no evidence that the cyber component contributed to any obvious progress in the Russian offensive.

By my estimate, destructive cyber operations have had close to no impact on the outcome of any battles in the war so far. They have made a lot of folks have a very bad day, have provided extra work for cybersecurity providers – many of whom are donating their time and knowledge – and have made a lot of headlines, but what they haven’t done is tangibly influence the direction of this war.

Disinformation/Information warfare

Russia is no stranger to using disinformation as a weapon to achieve political outcomes. Their original mission appears to have envisioned a quick victory by storming in and installing a puppet government. With this plan, disinformation would be key in two spheres of influence initially, and as things dragged on, in three.

The most obvious target is the Ukrainian people, to convince them that Russia was a liberator and to eventually accept a Kremlin-friendly leader as their own. While the Russians seem to have tried numerous influence operations over SMS and traditional social media networks, there didn’t seem to be much appetite for it in an increasingly patriotic Ukraine.

Russia has had much more success at home, its second most important target. It has largely banned foreign and independent media, blocked access to social media, and criminalized calling the invasion a war.

It can be hard to judge the impact of these actions on the general population, although surveys suggest the propaganda is working – or at least the only opinion that can be publicly expressed is support for the “special military operation.”

The third target for disinformation as the war has dragged on is the rest of the world. Trying to influence non-aligned states like India, Egypt, and Indonesia may help keep them from voting against Russia in United Nations votes, as well as potentially sway them to support Russia.

Stories planted about US bioweapon labs, denazification, and alleged genocide by the Ukrainian army are all designed to cast doubt on Western media’s portrayals of the conflict. Much of this activity appears to originate from pre-existing disinformation-generating personae, rather than compromised accounts or any type of malware.

US intelligence agencies seemed to play a critical role in debunking many of these claims leading up to the war, often preempting Russian plans to disseminate disinformation. This has transitioned into citizen debunkers like Bellingcat utilizing open-source intelligence to verify claims made on social media.

Disinformation is clearly having an impact, but similar to destructive attacks, in no way is it directly affecting the outcome of the war. Civilians are not welcoming Russian troops as liberators and Ukrainian forces are not laying down their arms and surrendering. The US and Europe are still supporting Ukraine and the Russian people seem to be wary, but not revolting. Most notably, in recent days Ukrainian forces have retaken territory under Russian control and have even been welcomed as liberators by some civilians near Kharkiv.

Hacktivism

Would the well-known, very skilled hackers throughout Russia and Ukraine take up cyberarms and unleash damaging waves of attacks supporting each of their sides? It certainly looked like that might be the case at the outset.

Some well-known cybercrime groups such as Conti and Lockbit immediately declared they were for one side or the other, but most of them declared they didn’t care and would continue with business as usual. But we observed a marked decline in ransomware attacks for about six weeks after the initial invasion. Normal volumes of attacks resumed around the beginning of May, suggesting that the criminals had supply chain disruptions just like the rest of us.

One of the most notorious groups, Conti, issued threatening statements against the West on their leak site, which led to leaks from a Ukrainian researcher about their identities and practices, ultimately leading to their dissolution.

On the other hand, hacktivists on both sides kicked into high gear in the early days of the war. Web defacements, DDoS attacks and other trivial hacks were targeting just about anything that was vulnerable and clearly identifiable as Russian or Ukrainian. It didn’t last long and didn’t seem to have any lasting impact. Research shows they got bored and moved on to the next distraction.

That isn’t to say there are no hijinks going on, more that they aren’t having a material impact on the war. In recent days, for example, someone allegedly hacked Yandex Taxi and ordered all the cabs to central Moscow, creating a traffic jam.

Espionage

The last category is the most difficult to quantify. It can be exceedingly difficult to assess the impact of something that is, by design, covert. The primary method of estimating how extensive espionage has been in this war is to look at the times it has been discovered and attempt to extrapolate how often attempts may have been successful, considering how often they were not.

Unlike destructive attacks, espionage attacks are secretive and difficult to attribute, which makes them more useful against all adversarial targets, not just Ukraine. Like disinformation, there is far more activity in this space targeting Ukraine’s supporters than there is with other types of attacks, which might risk drawing the US and NATO allies into the ground war.

Claims of attacks on non-Ukrainian entities must be carefully considered. It is nothing new that Russia targets the United States, European Union and NATO member states with malware, phishing attacks, and data theft. In some cases there is convincing evidence that attacks are motivated specifically by the war in Ukraine.

In March 2022, Google’s Threat Analysis Group (TAG) published a report noting Russian and Belarusian phishing attacks targeting US-based non-governmental organizations (NGOs) and think tanks, the military of a Balkan country, and a Ukrainian defense contractor. Proofpoint also published research showing EU officials working on assisting refugees were targeted in phishing campaigns originating from a Ukrainian email account allegedly previously compromised by Russian intelligence.

Of course, Russia isn’t immune to information collection and compromise. As James Andrew Lewis of the Center for Strategic and International Studies pointed out, Russian communications technology was sparsely deployed and dysfunctional during the early part of the invasion.

This led him to conclude: “Second, relying on an opponent’s communications system creates numerous possibilities for exploitation. Many speculate that one reason for the high casualty rate among Russian senior officers was that their vulnerable communications allowed their location to be pinpointed.”

Russian attacks on Ukrainian targets have not let up and have gone so far as to use the latest vulnerabilities as they are publicly announced. In July 2022, for example, Russia-based threat actors were among those widely using a new vulnerability in Microsoft Office dubbed “Follina”. It appears one of the targets for malicious documents in this campaign was media organizations, an important tool during a war.

Conclusion

The war in Ukraine will be taught and talked about for a long time and is teaching us a lot about the role cybersecurity and cyberattacks can play in wartime. Russia was underprepared and could have used cyberattacks in a far more impactful way.

The early stages of the war appeared to focus on destabilization, destruction, and disruption. That seems to have lessened in importance as the resolve of the Ukrainian people has drawn the war into a prolonged state, necessitating a shift in focus to espionage and disinformation.

It remains to be seen how things will evolve with Russia controlling so much of the energy supply in Europe as we head into winter. Will disinformation kick into higher gear to put pressure on European leaders to soften sanctions? Will criminal groups focus on attacking European energy providers, as we have already witnessed at small scale?

The war is not over and the role of cyberattacks may evolve in new and unforeseen ways. What is unlikely is that it will play a decisive role. In this conflict at least, it is another tool to be used in conjunction with other weapons and tools of war – and as with any other aspect of war, a strong defense is often the best offense.