Observations on Cyberwarfare: Russia vs Ukraine
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – March 3, 2022
This report contains selected cyber-security information from 19th February to 4th March 2022 focused on the cyber aspects of the Russian invasion of Ukraine.
1. Russia has a well-established cyberwarfare plan that has been used on multiple occasions. This time the cyber attacks we have seen were sometimes badly executed, sometimes technically lacking, and produced low to occasionally moderate impact. Ukraine’s institutions have mostly stayed online. What was unexpected was Ukraine’s counter-offensive in cyber warfare and information operations. Even more remarkable is the surge of technical and hacker volunteers, mostly supporting Ukraine.
2. Russian Cyberwarfare Doctrine: Russian academic and military research articles dating back to 1996 indicate methodical, progressive research into how to exploit the Internet in cyber and information operations. As Vladimir Putin sought to reestablish the Soviet Empire, a cyber doctrine was developed. It was used on a limited scale to punish states that did things that ‘offended Russians’. For example, in 2007 Estonia moved a statue of an unnamed Soviet soldier. Estonia’s parliament, several government ministries, banks and many media outlets were then hit with multiple forms of Denial of Service (DoS) attack.
Source: BBC: How a cyber attack transformed Estonia
3. The full power of cyber attacks was unleashed in the Russian seizure of South Ossetia and Abkhazia from Georgia in 2008. Websites of the President, Parliament, major government ministries, international portals and media were attacked. Some were defaced while others were jammed by DoS attacks. Multiple banks had their websites attacked and their functions degraded, often blocked. Media organizations that attempted to cover the invasion objectively had their websites attacked.
Source: Rondeli Foundation: The Cyber Dimension of the 2008 Russia-Georgia War
As pro-Georgian reports were suppressed, Russian media used their outlets as well as social media to project their version of events.
See also: ResearchGate.net: The 2008 Russian Cyber-Campaign Against Georgia
4. Russia’s Cyber Campaign: Russia’s cyber campaign started with ‘spoiling attacks’ prior to the invasion, as reported in our Cyber Intelligence Report 220218.
The tactics were the same: websites defaced and DoS attacks, with the addition of ransomware attacks that encrypted the victims’ networks. The major difference was that in the spoiling attacks the target sets were limited. The spoiling attacks were notable for their lack of success; they did not disable government communications, disrupt banking services significantly, create problems in the economy or alarm Ukrainians.
Source: Our Cyber Intelligence Report 220218: Page 2, Para 10 refers.
In the event of an invasion we forecast:
A. Increased DDoS attacks against a broader set of targets,
B. More aggressive attacks on telecommunications and financial institutions,
C. A more refined information warfare operation.
- Ukraine Hit with Novel ‘FoxBlade’ Trojan Hours Before Invasion
- Minister: Ukraine websites down in another ‘massive’ online attack
- Ukraine crisis: Banks ‘hit by cyber attacks’ as government website home pages ‘inaccessible’
- Ukraine crisis: ‘Wiper’ discovered in latest cyber-attacks
5. When Russia invaded Ukraine on 24th February, cyber attacks did scale up and continued to scale up over the next three days. New attacks included ‘data wiping’ attacks designed to erase all data from hard drives, and ‘FoxBlade’, which tried to enlist Ukrainian computers in a DDoS campaign. Ukrainian officials described the attacks as the largest DoS attacks they had ever seen. The larger DoS attacks continued to have limited success. Banks were back online after a few hours. Government communications never crashed, and websites returned to service within hours.
Source: Security Affairs: Data wiper attacks on Ukraine were planned at least in November and used ransomware as decoy
6. The Russian cyber order of battle appears to be:
A. Military and Intelligence Cyber Operations (Hacker) Units,
B. Information Operation Units (Civilian Government Employees),
C. Cyber Mercenary Groups, essentially criminal hackers for hire. Notable for excellent OPSEC, including leaving no ‘signature’ behind, and top tier cyber
D. Cyber Criminal Gangs: Restricted to top tier or top capability criminals,
E. Volunteer Criminal Gangs: Currently this includes the ‘Conti’ Ransomware
F. ‘Patriotic Hackers’: Russians, including Russian ex-pats and their supporters.
7. Russian cyber attacks on Ukraine are ongoing. There are unconfirmed reports of continued Russian cyber espionage attacks; however, the data wiping and DDoS attacks appear to be ineffective. There have been no reports of significant closures or industry failures due to hacking. Analyst’s Observation: Russian attacks have been substantially less effective than previous efforts. Some of that is due to Ukrainian defences. Another factor the Russians did not anticipate was the number of Ukrainians in their ranks. There is no way to track defections from government organizations; however, a number of criminal gangs have lost key personnel. Some defectors have compromised their former colleagues and gangs.
Source: ThreatPost: Ukraine-Russia Cyber Warzone Splits Cyber Underground
- Russia appears to deploy digital defenses after DDoS attacks
8. Russia has been forced to deploy its own digital defences as Ukrainian cyber troops and allies have commenced counter attacks. Defensive cyber operations have been discussed in Russian academic papers, and Russia openly discussed implementing its own version of China’s ‘Great Firewall’. Analyst’s Observation: This has the ‘feel’ of an improvised defence as opposed to the well planned and structured operations discussed by Russian academia.
- How Ukraine’s Internet Can Fend Off Russian Attacks
- EU to mobilize cyber team to help Ukraine fight Russian cyberattacks
9. Ukraine on Defence: According to the Wired magazine article How Ukraine’s Internet Can Fend Off Russian Attacks: “Ukraine’s internet has developed in a decentralized fashion due to market dynamics … When you have a variety of traffic exchange points, you have a variety of internet service providers across the country, a variety of mobile phone operators; it just leads to a more reliable system overall … In Ukraine’s crowded ISP market, all providers have adapted to be fleet-footed and address even the smallest technical snag swiftly and effectively.” In addition, having been attacked by Russia’s cyber forces over a number of years, Ukraine’s Internet providers learned how to cope with attacks and restore services. The result has been an Internet that Russia has not been able to force off-line or dominate.
10. In addition, Ukraine has both sought and received support in establishing cyber defences. On February 21st Politico reported that the EU’s Cyber Rapid Response Team was dispatched to “provide assistance to countries under cyberattack”.
Source: Politico: EU to mobilize cyber team to help Ukraine fight Russian cyberattacks
11. Ukrainian Information Operations: Ukraine is mounting a dynamic information operation on multiple fronts. It is not clear if this is a ‘managed’ effort or if it is organic. The leadership of their President has been well captured by western media: “I need ammunition, not a ride”.
Source: Meaww.com: Top Volodymyr Zelenskyy quotes: How Ukrainian president inspired the world with his bravery
Just as captivating is media coverage of Ukrainian civilians feeding captured Russian soldiers and letting their prisoners phone home. In the cyber realm the information operations are equally compelling.
- ‘Do not send your sons and husbands to certain death’ – Hacked Russian sites display a warning
12. Inside Russia there is a major effort to control the message: ‘The security operation is going well’ … ‘we are happily received’ … etc. This has been countered by the hack of Fontanka, a news outlet based in St Petersburg, the state-owned news agency Tass and the daily newspaper Kommersant, whose headlines were replaced with: “Dear citizens. We urge you to stop this madness, do not send your sons and husbands to certain death. Putin makes us lie and puts us in danger. We were isolated from the whole world, they stopped buying oil and gas. In a few years, we will live like in North Korea. What is it for us? To put Putin in the textbooks? This is not our war, let’s stop it! This message will be deleted, and some of us will be fired or even jailed. But we can’t take it anymore. Indifferent journalists of Russia.”
13. Ukraine Cyber Offence: Ukraine has a ‘Signals and Cybernetic Security Troops Command’; however, it is not clear what its cyber capability was. What is clear is that, in addition to Ukrainian hackers, many hackers from other countries as well as some formed groups such as Anonymous have assembled to support Ukraine and attack Russia. Coordination of cyber attacks is taking place via the ‘Telegram’ application. Communications include recruiting, assignments, target lists, and attack reports.
- Army of Cyber Hackers Rise Up to Back Ukraine
- Ukrainian cyber resistance group targets Russian power grid, railways
- Hackers Breach Russian Space Research Institute Website
- Anonymous hacked the Russian Defense Ministry and is targeting Russian companies
- HACK ATTACK: Kremlin websites down & Russian TV channels ‘hacked to broadcast Ukrainian songs’ after Anonymous declares war on Putin
14. Analyst’s Observation: I expected the Russian Ministry of Defence to be better prepared, and much better defended. The scope of successful Anonymous cyber attacks is impressive. To date most of Anonymous’ attacks could be categorized as information operations; however, given time, targeted Russian companies are highly likely to be hacked, further disrupting the Russian economy. There are indications that more capable hackers are supporting Anonymous’ efforts.
15. Russian cyber attacks have had at best moderate impact for limited time periods. Most Russian cyber attacks have had low impact. Information operations on Ukrainians and the outside world have failed, rallying opposition. I have the sense that these Russian cyber operations have not received the management of other cyber campaigns. If the invasion of Ukraine is not resolved in the short term, I expect Russia will look to their cyber toolbox, restore leadership and focus. Campaigns will be launched to reassert Russian superiority by making examples of highly visible targets.
16. The creation of an ‘ad hoc’ cyber force supporting Ukraine is a dangerous wildcard. It is a semi-controlled force in a conflict that has the potential to go nuclear.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact firstname.lastname@example.org