Since February 2022, I have been keeping track of the role of cyber warfare in the Russia-Ukraine war. I have also been keeping track of the public debate about the role of cyber warfare, what I like to call "the cyberwar war." To do so, I monitor mentions of cyber in news media coverage of the war, posts and information shared by cybersecurity experts on social media, and reports from both public and private cyber threat intelligence organizations. This is the first of what I hope will be a weekly newsletter detailing what I’ve uncovered about expectations and effects in the ongoing cyber and information/influence components of the war, reasons posited for successes and failures, recently revealed operations, and expectations for the future of cyber and information/influence operations in the current war and beyond.
Expectations & Effects
Ukraine’s deputy cyber chief, Victor Zhora, told Security Boulevard that Ukrainians expected Russian cyberattacks on government and private critical infrastructure, that there has indeed been an increase in attacks, but that the Russian efforts have not been successful so far.
Though there have been cyberattacks against critical infrastructure, The Cyber Wire points out that "In general, kinetic strikes against Ukraine’s energy infrastructure, data centers, and telecommunications have been far more consequential throughout Russia’s war than have cyberattacks."
MeriTalk summarized comments made by Mieke Eoyang, DoD’s Deputy Assistant Secretary of Defense for Cyber Policy, at the November 16 Aspen Cyber Summit in New York City. Eoyang told the audience, "We were expecting much more significant impacts than what we saw, and I think it’s safe to say that Russian cyber forces – as well as their traditional military forces – underperformed expectations." The failure to achieve expected effects via cyberattack has caused Russia to rely instead on kinetic attacks against infrastructure targets.
Cyber News ran a long interview with two Ukrainian academics, Mykola Volkivskyi, International Relations Expert, Founder of the Foundation for the Development of Ukraine in Poland, and Artem Oliinyk, Political Scientist and Researcher at the Academy of Political Science of Ukraine at Coventry University. They assessed the extent and effectiveness of Russian cyber operations. While both acknowledge the extensive and ongoing effort that Russia has put into its cyber offensive, both say that, surprisingly, these operations have largely failed to this point.
Recently retired chief of the Estonian Foreign Intelligence Service, Mikk Marran, told Foreign Policy that Russian cyberattacks in Ukraine have not lived up to expectations. "I think that cyber is not an equal part of the war compared to the traditional way of fighting. Many Western countries, including Estonia, were kind of disappointed because we were expecting a bit more from Russia. Of course we have had different low-level attacks. We saw some of the cyber ability against Ukraine in the first days of the war; it was intense then. [But] nothing really extraordinary. Both Ukraine and the West were quite well prepared for cyberattacks."
Sir Jeremy Fleming, Director of the UK’s GCHQ, told the Evening Standard that Ukraine has prevailed thus far on the cyber front. The Evening Standard writes, "In the battle of information and disinformation Ukraine is winning, according to Sir Jeremy. Russia so far has failed to co-ordinate the virtual war — the cyber war — with the kinetic war of the battles on the ground."
Experts told The Next Web that the Russian hack of Viasat at the start of the war "sparked fears that a catastrophic cyber war had begun. Ukrainian officials, however, recently said the attack had little impact." Kenneth Geers, an ambassador at the NATO Co-operative Cyber Defence Centre of Excellence, said that the attack actually backfired, helping to cement Western support for Ukraine. "Western Europe, NATO, and the EU were sent into alarm mode by the collateral damage," he said. "That may have been a big mistake." And while some Western cyber threat intelligence firms and sympathetic journalists have claimed that Russia has shifted to a new, faster and more destructive form of cyber warfare, Ukraine’s Victor Zhora describes this shift differently: "We continue observing rather chaotic actions, the absence of a particular strategy, and opportunistic operations."
Writing for the Spanish Institute of Strategic Studies, Anda Gavrila, a Political Scientist from the University of Granada, argued that "The big surprise of the Russian invasion has been the apparent absence of a major cyber war. Russia was supposed to first launch an all-out cyberattack that would cripple Ukraine and set the stage for the physical assault that followed. But this did not happen." Nonetheless, this does not mean there has been no cyber warfare, nor that cyber warfare has been unimportant, Gavrila says. The Russia-Ukraine war raises important questions about "under what circumstances cyberwarfare might or might not occur in future conflicts," as well as, "faced with the challenge of the new hacktivists, to determine to what extent states remain the only actors that control cyberspace."
A pair of researchers from RAND argued in The National Interest that Russia’s use of "active measures," including cyberattacks, has uniformly failed in Ukraine. They write, "Russia was outplayed on the social media front, largely failed in its espionage efforts, and was relatively unsuccessful at using cyberattacks."
Explaining Success & Failure
Zhora told Security Boulevard that the reason for Ukrainian success is ‘due to what he characterized as the lack of an attack strategy from their adversary. “We see a rather opportunistic behavior,” he said. “The absence of a strategy gives us the opportunity to just fix vulnerabilities, counteract [attacks] and provide incident response and defend our digital borders,” he continued.’
The Ukrainian academics interviewed by Cyber News argued that Russia was not prepared for a cyber fight against a properly trained and professional opponent. "Provided there is another professional counter-group, the Russians will lose. In other words, it can be concluded that Russia is ready only for certain operations where it will remove any form of responsibility for the consequences. At the same time, its readiness to fight against competitive cyber armies is too low, and defensive tactics are very poorly practiced. It can be said that if the need arose, for example, the American, British, or German cyber forces would be able to perform their tasks in Russian space without much difficulty."
For those truly committed to the narrative that cyber warfare has been far more extensive and effective than the dominant sentiment would suggest, one could always argue that perhaps Ukraine is just fooling everyone by hiding the extent of cyber damage they have received at the hands of Russian hackers. The Next Web hints that some have, indeed, been raising that possibility, writing, "Analysts have also suggested that Ukraine isn’t revealing the full extent of the threat, as doing so could give Russia tactical insights."
A new study published by the Royal United Services Institute argues that while Russia enjoyed initial success in its use of electronic warfare (EW) to jam Ukrainian communications and disrupt air defense systems, these same capabilities quickly began to cause "electronic fratricide." As the Russian advance bogged down, the electronic warfare capabilities began to disrupt Russian communications to such a degree that EW efforts had to be severely curtailed. Business Insider summarizes the findings, writing, "Moscow’s electronic offensive fizzled for the same reasons that the ground offensive bogged down. Poor planning, lack of coordination, and a general indifference by Russian commanders toward getting the details right doomed what many thought would be an easy advance on Kyiv." If traditional, kinetic and EW operations suffered these flaws, it is possible Russia’s cyber operations also suffered similarly.
Role of Western Assistance
Victor Zhora also highlighted the role of cooperation with international partners in Ukraine’s success fending off Russian cyberattacks.
The recently retired Estonian foreign intelligence chief attributes Ukrainian and Western success in fending off Russian cyberattacks to cooperation among nations and with private industry. "Both Ukraine and the West were quite well prepared for cyberattacks. Ukraine has been supported in fending off these attacks by large Western [information technology] companies and governmental bodies. Also, Estonian cyber defense authorities were and are prepared for more sophisticated attacks. So the West has been quite well prepared for these attacks."
Olga Stefanishyna, Ukraine’s deputy prime minister for European and Euro-Atlantic integration, said that "Starlink has been the signal of life for Ukraine," adding, "Our government has been able to be operational because I had Starlink over my head."
Several other pieces this week detailed the efforts by Western IT companies, as well as locals on the ground, to defend Ukraine from the onslaught of Russian cyberattacks.
Though Western companies and governments have been providing a lot of assistance–a fact which Ukrainian officials readily acknowledge–it is important to reiterate a warning offered by Matt Tait, the former GCHQ cybersecurity expert and Lawfare contributor. In a Lawfare podcast interview the week before last, he cautioned against giving Western companies too much credit for the hard work being done by Ukrainians who are putting their lives at risk each day to keep their networks and infrastructures up and running in the face of increasingly brutal Russian missile strikes. In response to a question from Benjamin Wittes about widespread, "self-congratulatory" rhetoric about the role of the U.S. tech industry, Tait responded, "it’s a very ugly thing that, you know, Ukrainians in Ukraine are suffering enormous costs and sort of involved in sort of the manual fixing of, you know, everything and the installation of everything. There’s very few Westerners there. I know that there’s certainly some, but very few that are, you know, actively, you know, going into the danger zone… [It] is very ugly when US firms and, you know, people overseas sort of try and overtly take credit for, you know, what’s often the bravery and diligence of Ukrainians doing difficult work."
Cyber Threat Intelligence Updates
Russian hacker group Killnet claimed credit for a series of DDoS attacks against targets in the U.K., many of which do not appear to have actually been hit. The Cyber Wire described these attacks as "nuisance attempts" and said the group’s claims of success are "baseless."
A hacktivist group calling itself Anonymous Russia claimed credit for a DDoS attack against the European Parliament following a vote to recognize Russia as a state sponsor of terrorism. The attack seems not to have had much effect. Bleeping Computer reports, "Earlier this month, the FBI said that DDoS attacks coordinated by pro-Russian hacktivists have a minor impact on their targets because they’re attacking public-facing infrastructure like websites instead of the actual services, leading to limited disruption."
Dragos reported that Russian hackers have been conducting "exploratory research" into Dutch natural gas terminals. The Dutch company EclecticIQ concurred, saying that it too has seen increased Russian cyber activity directed at Dutch and EU infrastructure. Cybersecurity firm Fox-IT added that, "Particularly in the supply chain for the supply and distribution of LNG. The parties interested in this sector are probably state-sponsored malicious groups, for example, the groups led by the Russian FSB and GRU." Yahoo News added that, "The FBI has revealed that Xenotime and Kamacite have ties to the Russian secret service."
The cybersecurity firm ESET revealed that the Russian military-linked hacking APT group known as Sandworm has been targeting Ukrainian organizations with a new ransomware they have named RansomBoggs. The actual targets and wider impacts of the attacks were not discussed, however.
Information & Influence
Russia appears to have opened a new front in its information and influence operations, this one domestic. In recent weeks, we’ve seen the emergence of Russian milbloggers working with the Kremlin’s tacit approval to drum up domestic support for the war effort.
Recently retired chief of the Estonian Foreign Intelligence Service, Mikk Marran, told Foreign Policy that Russian information and influence operations have not been a success and that the Russian invasion of Ukraine has undermined whatever prior successes they may have had in the information space.
Strategist and recently retired Australian Army Major General, Mick Ryan, wrote for ABC.net.au about the potential effects for Ukraine of Elon Musk’s takeover of Twitter and the potential demise of the platform. He notes the platform’s many helpful uses for Ukraine, from reconnaissance to public messaging. However, he concludes that, "the sun will still rise even if Twitter fails. […] The war in Ukraine will continue regardless of Twitter’s fate. If Twitter dies, we may have access to less information about the conflict. But one less social media feed — regardless of the size of its user base — will not have a significant impact on the current trajectory of the war."
Not everyone is as optimistic as Gen. Ryan. Olga Stefanishyna, Ukraine’s deputy prime minister for European and Euro-Atlantic integration, expressed concern over the rise in manipulative content on Twitter and the future of Ukraine’s ability to rely on Starlink satellites provided by SpaceX. “Given this huge range of instability in the position of SpaceX CEO, from willingness and then to unwillingness to continue financial support [of Starlink], we’re doing, sort of, a contingency planning for ourselves,” she said.
The U.S. Department of Defense is watching the situation in Ukraine closely and working to learn and incorporate lessons into its new information operations strategy. In particular, Richard Tilley, DOD’s director of irregular warfare and competition, said that the military can learn important lessons from the marketing industry. "We don’t have a good track record of trying to identify this will to resist in these proxy and surrogate and allied populations. […] This cognitive domain of understanding will someone fight or will they not is qualitative analysis. But I think the private sector is pretty good at it. […] Look at marketing. That is qualitative analysis. What makes people drink Coke, what makes people drink Pepsi? And how do you market to those individuals? I think the private sector has used the information domain through marketing to the Nth degree because that’s how you make money. That’s how you’re profitable. And I think we as a department and in the national security enterprise, need to be able to pull some of those lessons."
The Ukrainian academics interviewed by Cyber News warned not to count Russia out, despite its failures on the cyber front thus far. Both emphasized that Russian efforts are ongoing and not likely to subside even with the end of physical hostilities. Volkivskyi offered a note of optimism, however: "the danger of paralyzing our networks remains. However, due to coordinated work, it is safe to say that the risks of a possible mass shutdown are low."
While most seem to be learning the lesson that traditional, kinetic conflict still dwarfs cyber operations, some still warn of the potential strategic effects of cyberattacks in future conflicts. Retired U.S. General Ben Hodges told Reuters that cyberattacks on key German ports could seriously hamper NATO efforts to reinforce itself or its allies in future conflicts.
Though the retired Estonian intelligence official said that "cyber is not an equal part of the war compared to the traditional way of fighting," he nonetheless warned that we should not yet count Russia out in terms of cyber warfare. "Of course, we shouldn’t be too happy. There is always the possibility that the bigger weapons and attack vectors have not been used yet. The problem with cyber weapons is once you use them, you lose them, so probably the Russian services are also calculating when might be the best time to use them."