Since February 2022, I have been keeping track of the role of cyber warfare in the Russia-Ukraine war. I have also been keeping track of the public debate about the role of cyber warfare, what I like to call "the cyberwar war." To do so, I monitor news media mentions of cyber in coverage of the war, social media posts and information shared by cybersecurity experts on social media, and reports from both public and private cyber threat intelligence organizations. This weekly newsletter details what I’ve uncovered about expectations and effects in the ongoing cyber and information/influence components of the war, reasons posited for successes and failures, recently revealed operations, and expectations for the future of cyber and information/influence operations in the current war and beyond.
Expectations & Effects
NATO cyber threat analyst Dan Black asserted this week that Russian cyber operations have reached "a critical mass of pressure," and that volume is key to the Russian strategy. (https://twitter.com/DanWBlack/status/1598079024458526720)
Lorenzo Franceschi-Bicchierai had a nice piece at the MIT Technology Review examining "What’s Next in Cybersecurity." Naturally, the Russia-Ukraine War provided fodder for lessons learned. It quotes Eva Galperin of the EFF saying she’s more convinced now than before that cyberwar is a real thing, that it’s not all just espionage. The article reminds us, however, that while there were expectations of cyberattacks causing physical damage prior to the war, that did not end up happening, at least as far as we know from public reporting. Lesley Carhart from the cybersecurity firm Dragos said that the Ukraine war shows that cyber, while important, is only a part of warfare. Computer engineering professor Stefano Zanero concurred, saying that the Ukraine war shows that the term "cyberwarfare" is misleading and that cyberwar as we’ve understood it to this point "will not really happen." (https://www.technologyreview.com/2022/11/28/1063703/whats-next-in-cybersecurity/)
Though not as critical as Prof. Zanero, the Mandiant analysts who joined a recent episode of the company’s Defender’s Advantage Podcast nonetheless cast serious doubt on the effectiveness of Russian cyber operations in Ukraine. Analyst Tyler McLellan told listeners that Ukrainian defense has "really mitigated a lot of the destruction that people were anticipating out of these attacks" and that "attacks haven’t really spread as wide as people were anticipating early on." The host noted that there was fear at the start of the war about possible destructive Russian cyber attacks spilling over and impacting targets in the West and asked how much of that we have actually seen. In response, McLellan said that APT 29 has mainly done "more of the same" with respect to targeting outside of Ukraine, and that we have not seen a shift in their operations. (https://share.snipd.com/episode/f7dfcede-bb2e-4ee2-ba2f-4d90b34783d5)
Rob Joyce, director of NSA’s cybersecurity directorate, told Politico that Russia has demonstrated restraint and caution in its use of cyberattacks and has "constrained their impacts inside Ukraine." Attacks like the one on Viasat, which impacted other customers in Europe, are the exceptions that (so far at least) prove the rule. (https://www.politico.com/newsletters/weekly-cybersecurity/2022/11/28/nsa-cyber-director-talks-threats-opportunities-00070894)
The Economist ran two pieces last week analyzing the cyberwar in Ukraine. The first examined the "Lessons From Russia’s Cyber-War in Ukraine." They note that while Russia has tried hard and cyber operations have been an important part of the war, cyber "does not seem to have been the killer app, as it were, that some expected." Though they acknowledge that the Ukrainians might just be keeping a tight lid on the true effects of Russian cyber attacks, they add, "Even so, the visible effects of Russia’s campaign have been surprisingly limited." For example, it’s widely assumed that one of the goals of Russian cyber operations was to undermine Ukrainian support for their government. If this is truly the case, The Economist concludes that "it failed." Similarly, though there is evidence that the Russians have attempted to coordinate cyber and kinetic strikes, the director of GCHQ says those operations have been plagued by simple mistakes that have diminished their effectiveness, a point echoed by the Mandiant analysts mentioned above. Russian performance so far leads some, like former head of the UK’s National Cyber Security Centre Ciaran Martin, to conclude that rather than Russia failing to live up to expectations, it is our expectations that have failed. Our expectations, he said, were shaped by events like the Stuxnet attack, which he likens to the "Moon Landing" of cyber attacks. But most cyber attacks are much more mundane and limited in what they can accomplish, especially in wartime. His point echoes one made by Matt Olney of Talos back in September, who said, "I don’t think there’s a failure here on the Russian side in terms of cyber activities. I think there’s just a general disinterest in using it in the ways that we have fantasized it being used in the West." (https://www.economist.com/science-and-technology/2022/11/30/lessons-from-russias-cyber-war-in-ukraine)
The second examined "Why Russia’s Cyber-Attacks Have Fallen Flat." Like Ciaran Martin and Matt Olney, The Economist says that our expectations of what cyber warfare could achieve had been shaped by cyber Pearl Harbor scenarios and exquisite, real-world incidents like Stuxnet and the Russian cyber attacks on the Ukrainian power grid in 2015 and 2016. But, they argue, "when a full-blown cyberwar came to Ukraine, the result was modest." As a result, another dominant expectation has been challenged, and that is the supposed dominance of cyber offense. Instead, Ukraine has "shown that even one of the planet’s best-resourced cyber-powers can be kept at bay with a disciplined and well-organised defence." (https://www.economist.com/leaders/2022/12/01/why-russias-cyber-attacks-have-fallen-flat)
Last, but not least, Microsoft released a new report warning about potential future Russian cyber operations over the coming winter. It also includes some additional insights on what Russian hackers have been up to and with what effects. For example, while we know that Russia has recently launched several barrages of missile strikes against Ukrainian critical infrastructure targets, Microsoft says those strikes have been accompanied by destructive cyber attacks too. The report did not provide an assessment of the cyber attacks’ impacts or what value they added to the kinetic strikes. Earlier in November, however, the Ukrainian Chief of the SSU Cyber Security Department, Illia Vitiuk, acknowledged that strikes on energy facilities were accompanied by cyber attacks, but that "The SSU expected this – hence, none of them were effective." Microsoft repeated its claim from prior reports that these kinetic and cyber attacks were coordinated, adding that just over half of the Ukrainian organizations hit with wiper malware were critical infrastructure organizations. Again, little is offered as to the wider impacts of such attacks except to say that "IRIDIUM’s [a.k.a. Sandworm] success in the Prestige destructive attack was limited." (https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/)
Explaining Success & Failure
Experts like those who spoke to MIT Technology Review continue to point to the strength of the Ukrainian cyber defenders alongside a lack of preparation by their Russian adversaries as the reason why cyber operations have not played a bigger and more visible role in the war. Dragos’ Lesley Carhart said, "in the whole conflict, we saw Russia being underprepared for things and not having a good game plan. So it’s not really surprising that we see that as well in the cyber domain." (https://www.technologyreview.com/2022/11/28/1063703/whats-next-in-cybersecurity/)
Likewise, Mandiant analysts John Wolfram and Gabby Rancone argued that Russia overplayed its hand in cyber just as it did in the physical conflict. The reason we have not seen a more visibly destructive cyberwar is that the Ukrainians have consistently thwarted Russian attempts. Gabby Rancone put it well, saying, "a lot of people have been asking the question, ‘Where is the cyber war?’ and it’s like, ‘Oh, the Ukrainian defenders are stopping the cyber war.’ Like the reason why the outside world isn’t seeing wiper attack after wiper attack, why the GRU has been thwarted so many times, are because of those defenders. So it’s really amazing work coming from them." (https://share.snipd.com/snip/3a990804-f024-41d7-8569-e84fd5bc517e)
Of course, the Ukrainians have not limited their cyber operations to only the defense. A post by Recorded Future, for example, mentioned a recent government-organized National Defense Hackathon that involved 300 invited cybersecurity specialists. At the event, "they worked together on services that could help Ukraine fight Russia on the cyber front — for example, systems for collecting and analyzing large volumes of data to identify Russian soldiers." (https://therecord.media/should-ukraine-rein-in-its-patriotic-hackers/)
Similarly, the Ukrainian Minister of Digital Transformation, Mykhailo Fedorov, tells the Washington Post that Ukraine’s volunteer IT Army has been able to distract Russian cyber defenders because Russian internal cybersecurity is "terrible" and is exacerbated by a brain drain of IT specialists leaving Russia. (https://www.washingtonpost.com/politics/2022/12/02/ukraine-gets-by-cyberspace-with-little-help-its-friends/)
Finally, The Economist weighed in on reasons for success and failure in the Russia-Ukraine cyberwar in both of its pieces. They quote the head of the UK’s GCHQ as saying that Ukraine’s defense has been "arguably…the most effective defensive cyber-activity in history." They reminded us of the NATO intelligence head’s analysis from April, which was that "judging a cyber-campaign by the volume of malware is like rating infantry by the number of bullets fired." Volume of attack, contra Dan Black’s assertion above, is not everything. Like others, experts interviewed by The Economist said that Russian cyber attacks did not fail for lack of capacity but because of hubris, just like the rest of the invasion. After the first week of war, Russia turned to tactical and opportunistic attacks because more sophisticated attacks take more time and resources to prepare. As a result, Russian cyber attacks on critical infrastructure have been error-ridden, imprecise, or exposed prematurely. Daniel Moore, author of the book Offensive Cyber Operations, said, "There were significant operational failings in almost every single attack that they have ever carried out in cyberspace." Finally, The Economist points out that once the shooting starts, "munitions can often do the job more easily and cheaply" than cyber attacks. (https://www.economist.com/science-and-technology/2022/11/30/lessons-from-russias-cyber-war-in-ukraine)
The second of the two pieces last week from The Economist echoed this same point, adding that "elaborate cyber-offensives are often needed the most when raw violence is off the table. If a war is raging anyway, why use exquisite code when a missile will do?" Finally, they note that it could very well be the case that such attacks are just not as important as we had assumed, writing, "The most important cyber-operations are not those aimed at shutting down banks and airports, but those which quietly carry on intelligence-gathering and psychological warfare." (https://www.economist.com/leaders/2022/12/01/why-russias-cyber-attacks-have-fallen-flat)
Role of Western Assistance
If a reason for Russia’s underperformance on the cyber front is Ukrainian defensive effort, then Western assistance has played no small role in aiding that defense. The biggest story of the week in that regard is a post from U.S. Cyber Command (USCYBERCOM) about the assistance it has provided to Ukraine beginning even before the war. USCYBERCOM sent hunt forward teams to Ukraine from December 2021 to March 2022 that helped Ukraine identify and mitigate threats. Those teams were present in Ukraine when destructive Russian cyberattacks began, even before the start of the physical invasion on February 24. Though USCYBERCOM teams are not physically present in Ukraine now, the organization continues providing remote assistance to Ukraine and other European allies. (https://www.cybercom.mil/Media/News/Article/3229136/before-the-invasion-hunt-forward-operations-in-ukraine/)
Cyber News speculated that USCYBERCOM assistance may explain why "Russia failed to take down Ukrainian computer systems at the beginning of the year, despite many analysts’ predictions." (https://cybernews.com/news/us-cyber-command-cyber-defensive-operations-ukraine/)
Ukrainian digital transformation minister Mykhailo Fedorov told the Washington Post that the American media turned out to be an unexpected source of assistance. "We ended up getting a lot of information about cyberattack vectors and other related information from the media. […] And that is how we were able to prevent attacks on our energy infrastructure back in December." (https://www.washingtonpost.com/politics/2022/12/02/ukraine-gets-by-cyberspace-with-little-help-its-friends/)
Ukrainian cybersecurity official Victor Zhora once again singled out the assistance his country has received from private cybersecurity companies, including Microsoft and ESET in particular. (https://www.economist.com/science-and-technology/2022/11/30/lessons-from-russias-cyber-war-in-ukraine)
Writing for Lawfare, however, Stephanie Pell from Brookings notes that there are pitfalls to relying on private companies to report the facts of Russia’s cyber success or failure in Ukraine. Responding to expert criticism of its June 2022 report, she argues that Microsoft, as a key reporter on Russian cyber operations and Ukraine’s defense, must do a better job sharing data and using precise language to convey its findings. (https://www.lawfareblog.com/private-sector-cyber-defense-armed-conflict)
Finally, not all Western companies have been as helpful to the Ukrainians, and some seem to be wavering in their support. Fedorov, the Ukrainian official, told the Washington Post that Facebook has been an obstacle to getting its message out and that "The situation is better now than it used to be, but it is still difficult." There is also continued concern over whether Elon Musk’s Starlink will continue the support it has provided to this point. The company doubled prices for terminals and is also raising subscription prices for consumers in Ukraine and Poland as mobile networks suffer under Russian missile attacks on critical infrastructure.
Cyber Threat Intelligence Updates
ESET reported a new wave of ransomware attacks targeting Ukrainian organizations that they attribute to the Sandworm APT group. First detected on November 21, they named the ransomware RansomBoggs. They did not provide details on which organizations were targeted or what the wider impacts were of the attack. (https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/)
Ukraine was not the only party to the conflict targeted by destructive malware, however. Kaspersky identified a new wiper, called CryWiper, targeting Russian organizations. Again, it was not clear what the wider impacts of the attacks were. (https://www.bleepingcomputer.com/news/security/new-crywiper-malware-wipes-data-in-attack-against-russian-org/)
Known or suspected Russian hacktivists were believed to be responsible for a number of DDOS attacks. Killnet and associated Russian hacktivists claimed credit for DDOS attacks against the Starlink, White House, and Prince of Wales websites, but achieved limited effects. Other involved threat groups included Anonymous Russian, Msidstress, Radis, Mrai, and Halva. Security company Trustwave called the attacks "low skill" and said "it remains to be seen whether the group can graduate to attacks that cause damage, exfiltrate data, or do more." (https://www.darkreading.com/threat-intelligence/killnet-gloats-ddos-attacks-starlink-whitehouse-gov)
Several Vatican websites also came under DDOS attack and remained offline for most of a day. Euronews reported that "The suspected hack came a day after Moscow rebuked Pope Francis’s latest condemnation of Russia’s invasion of Ukraine." Andrii Yurash, the Ukrainian ambassador to the Vatican, tweeted, in part, "Russian terrorists today touch the sites of the Vatican State: many web pages of different structures of the Roman Curia have become inaccessible." (https://www.euronews.com/2022/12/01/vatican-hit-by-suspected-cyber-attack)
And finally, every conflict gets exploited to promote scams, fraud, and spam. The Russia-Ukraine War is no different. Thus, Johannes B. Ullrich, Ph.D., Dean of Research at SANS.edu, warned about Twitter videos of the Ukraine war being used to spread scareware/malware, specifically pushing dodgy VPNs. (https://isc.sans.edu/diary.html?storyid=0)
Information & Influence
On the information and influence front, Stanisław Żaryn, Government Plenipotentiary for Security of the Information Space of the Republic of Poland, wrote for Newsweek that Russia is using disinformation campaigns in an attempt to undermine Western support for Ukraine. The Ukraine war, he says, shows that strategic communication and defense against information operations are no less important than conventional warfare. (https://www.newsweek.com/russias-war-ukraine-extends-information-space-opinion-1763292)
Microsoft President Brad Smith said that Russia is most sophisticated at cyber-influence operations, which he says deserves more attention. "Perhaps the single area where I feel the Russians are the most sophisticated is the combination of not just military operations as we conventionally understand them, but cyber-influence operations," he said. Senator Angus King (I-ME) went even further. C4ISRNet reported, "Cyberwar doesn’t just consist of denial of service attacks to take down critical infrastructure such as electrical grids, King said. It also includes disinformation efforts, which he said may be an even more serious problem." (https://www.c4isrnet.com/cyber/2022/12/05/government-private-sector-cooperation-vital-in-cyberwar-senator-king/)
It is perhaps unsurprising, then, that information and influence figured prominently in Microsoft’s most recent report warning about a coming Russian winter cyber offensive. Microsoft says Russia is using a multi-pronged approach to undermine support for Ukraine. Despite Brad Smith’s bullishness on Russian information operations, the report assesses that efforts "to undermine elected officials and democratic institutions…have had only limited public impact." (https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/)
Finally, while much of the discourse about the Russia-Ukraine cyberwar focuses on what the Russians are or are not doing, the Ukrainians continue with information and influence operations of their own. The BBC reported on a Ukrainian hotline, started in September, that uses messenger apps and phone lines to encourage Russians to surrender. "This is, of course, part of the information war," the BBC said. It is an attempt "to weaken Russian morale. […] For outnumbered Ukraine, it’s also hoped it will soften the belly of their larger invader." (https://www.bbc.co.uk/news/world-europe-63782764.amp)
Next Moves & Lessons Learned
There was quite a lot of commentary this last week about what comes next and what we can learn from what we’ve observed so far. Of course, the biggest entrant in that regard was the Microsoft report. Microsoft predicted more Russian cyber attacks against Western allies and cyber-enabled influence operations meant to undermine support for Ukraine. They also said that there continues to be high risk of Russian cyber attacks against critical infrastructure in Ukraine. (https://blogs.microsoft.com/on-the-issues/2022/12/03/preparing-russian-cyber-offensive-ukraine/)
Mandiant analysts also offered their predictions for what we might see next. Gabby Rancone speculated that a recent Russian cyber attack against Polish logistics companies is the result of their effort in Ukraine "falling apart" and wondered if we will see more such attacks outside of Ukraine against other NATO members. She also predicted that Russia may turn to economic cyber espionage to offset its tech brain drain and mounting effects of sanctions. John Wolfram predicted continued targeting of diplomatic targets by APT 29. Tyler McLellan agreed with Rancone that Russia may target more broadly outside Ukraine with Prestige ransomware. But he has doubts whether such attacks will be particularly effective or will just be used to garner media attention. (https://share.snipd.com/episode/f7dfcede-bb2e-4ee2-ba2f-4d90b34783d5)
In terms of the ongoing impacts of sanctions and the technology brain drain, Russian tech giant Yandex announced plans to potentially leave Russia due to the war in Ukraine and the fact that many employees are already fleeing the country. "Russian state-controlled news agency TASS has characterized the announcement as Yandex departing Russia." For his part, however, CEO Eugene Kaspersky of Russian cybersecurity firm Kaspersky Labs says his company is staying put. "The Russian government has recognised IT as one of the key, strategic industries, and gave us this deal [no corporate income tax]. It’s paradise," he said. (https://www.itweb.co.za/content/VgZeyqJlm4l7djX9)
The MIT Technology Review says that the Ukrainian IT Army shows that hacktivists will continue to play a role in future wars. But we don’t need to wait for the future. Hacktivists continue to play a role in the current war. Killnet and associated Russian hacktivist groups have vowed to continue their attacks on Ukraine’s allies, warning "that the UK healthcare system would be next… Killnet also threatened future attacks against the London Stock Exchange, the British Army, and more."
Finally, The Economist remains concerned that the future may hold something more ominous than mere DDOS against websites. They warn that the Nord Stream sabotage and waves of missile attacks on critical infrastructure show Russian risk tolerance is growing. "There are signs of this in the cyber-domain, too" and Russia’s more serious cyber "capabilities might yet be unleashed." They also provide the caveat that much will remain unknown about the role of cyber in the current war, likely for decades to come. They remind us, "The Allied decryption of Germany’s Enigma cipher machines in the second world war did not come to light until the 1970s. The ultimate impact of cyber-operations in Ukraine may remain obscure for years." (https://www.economist.com/science-and-technology/2022/11/30/lessons-from-russias-cyber-war-in-ukraine)