Cyberwarfare: Russia vs Ukraine
David Swan Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release – April 1, 2022
Cyber Intelligence Report
Cyberwarfare: Russia vs Ukraine
This report contains selected cyber-security information from 19 March to 1st April 2022.
1. Russia’s cyber forces have recovered from their initial issues. They are targeting Ukrainian government communications, websites and organizations while conducting probes against western targets. Ukrainian cyber forces continue to defend against Russian attacks while providing intelligence support to their army units. Ukrainians continue to work social media, denying Russian disinformation, and providing videos of the war. Both sides are focused on the ground battle for Ukraine.
2. The White House is one of several governments warning of Russian cyber reconnaissance as probes for future attacks.
Most Likely Scenario: Russian cyber forces will launch global cyber attacks as ‘consequences’ for nations that opposed Russia’s invasion of Ukraine.
Worst Case Scenario: President Putin decides to select one country to focus Russia’s cyber attacks on. Canada would be an obvious choice of a country to target. Assessed as POSSIBLE but NOT PROBABLE.
Best Case Scenario: Russia decides NOT to use its cyber forces, allies and associates against western countries. Assessed as UNLIKELY.
3. Observations: There are reports that indicate Russia’s initial cyber attacks had some significant impacts. A satellite ground station and supporting services operated by an American company were forced off-line.1 This included a major data feed to Ukrainian air defence, as well as the control systems for some German wind farms and various German and Polish organizations.2 The ars technical report says that services to businesses have not been fully restored a month after the attack on February 24th.
4. Russian cyberattacks on Ukrainian Internet Service Providers (ISP) are ongoing. On 29th March the BBC reported that the major Internet supplier to the Ukrainian government, Ukrtelecom, had been reduced to 13% of pre-war connectivity.3 Reports do not agree on the impact of the attacks, however, even the most optimistic reports suggest that services are only gradually being restored to civilian businesses and organizations.4 A few Ukrainian ISPs have reported attacks resulting in minor service interruptions. The Russian attackers are again displaying high skill levels.
5. Ukrainian government officials have confirmed that at least four types of malware are in use by Russian cyber forces. “The attackers focus on critical infrastructure, both state-owned and private, and mainly with a connection to land-to-air invasion. Especially weighing are attacks on the logistic circuits and supply of the food and humanitarian support for the cities, where civilians are shelled and bombed,” Victor Zhora, deputy chief of Ukraine’s information protection service, explained.5
6. President Putin continues to warn there will be ‘severe consequences’ for countries that oppose Russia.6 Multiple governments including the White House are warning that there are indications of cyber reconnaissance by Russia.7 The UK, France and Canada have all issued similar warnings. The inference is that scans, probes and other forms of cyber reconnaissance are indicators of a cyber attack.
7. Summary: Russia has reorganized and ‘deployed’ its cyber troops. Russian doctrine is to disable government and supporting infrastructure. This translates to attacks on: ISPs providing services to Ukraine, Ukrainian government websites and communications, supporting media, and organizations perceived (by Russia) to be providing in-country support (to Ukraine). Supporting the direct war effort is the massive Russian ‘Information Operation’. Although many Russian social media accounts have been disabled8, Russia has shifted its social media distribution to third party countries including China and several South American countries It has resumed its production of alternative narratives, disinformation and Information Operations.
8. Analysis: Russia’s primary focus will continue to be on the battle in Ukraine. Expect Russia’s cyber warriors to be doctrinal, continuing attacks on similar targets. The warning from the White House and western Intelligence organizations suggests that cyber attacks will shift from Ukraine to western countries. When the shift will come is unknown. There is agreement from governments and cyber security companies that the cyber attack will be unlike anything we have previously seen.9
Ukraine’s Cyber Operations
9. Observations: Ukraine is refusing to release any information on its cyber operations except to say it is NOT attacking Russian targets. Mainstream media has shown video of civilians, filming Russian tanks and vehicles from their windows. We know those videos are being uploaded as they show up on YouTube and various forms of social media. Western media such as Channel 4 News (UK) and German Network, DW have shown civilian drone operators working with teams of Ukrainian soldiers. The teams close Russian positions, launching drones in order to precisely locate those positions for Ukrainian artillery and/or airstrikes. Edited into the same video features were shots of destroyed Russian vehicles in the middle of what had been a grove of trees. Closely spaced impact craters surrounded the Russian positions, indications of accurate artillery fire, thanks to good targeting information.
10. Comment: The process described above is called ‘targeting’. Targeting is the process of identifying: who, what, where and when the enemy is, in order to attack them. It is manpower intensive and requires a great deal of coordination. Given Ukraine’s lack of: reconnaissance units, satellites, aircraft, and limited drones, it is evident that a massive effort is going into intelligence collection, unit identification and geolocation, in order to ‘target’ and effect the destruction of many Russian Army units.
11. Ukrainian security services are also running cyber operations to identify and dismantle Russian social media campaigns. On March 28th the Security Service of Ukraine (SBU) announced it had destroyed five “enemy” bot farms engaged in activities to frighten Ukrainian citizens. “The bot farms had an overall capacity of at least 100,000 accounts spreading misinformation and fake news surrounding Russia’s invasion of Ukraine … the bot farms “tried to inspire panic among Ukrainian citizens and destabilize the socio-political situation in various regions.”10
12. If Ukraine has anyone managing their social media campaign, they are undetectable. The Canadian Broadcast Corporation (CBC) showed ‘artists’ filming, editing and broadcasting, video and commentary. No control or co-ordination was visible. European media have shown similar videos of civilians working social media on their own. European News media verify social media content before they use it, increasing its reach and impact.
13. The hacker group ‘Anonymous’ is becoming a significant cyber force in this conflict. As early as February 26th Anonymous ‘declared war’ on Russia11 and sent recruiting calls to participate in the groups hacking efforts. Although Anonymous can make outrageous claims – but have an insignificant impact, this time is different. Almost all Anonymous claims have been independently confirmed.
A. Russian government departments were hacked and their files were released.
B. Russian state media was interrupted with anti-Putin messaging.12
C. Western Companies operating in Russia were threatened13 and then hacked if
they did not cease operations.14
D. Russian critical Infrastructure has been hacked including:
i. Russian Central Bank15
ii. Pipeline company Transneft16
iii. Investment company Thozis Corporation.
iv. 92 corporate databases.
Anonymous has noted the lack of response or in some cases denial of the hacks despite GigaBytes of stolen material. In response, Anonymous is preparing to attack Russia’s physical infrastructure.17 The group has not defined what that means.
14. Other unidentified hackers have joined the Ukrainian cause, but are operating independently. For example, code was inserted in a popular developers package that “when an IP address geolocated to either Russia or Belarus, the new version wiped files from the machine and replaced them with a heart emoji.”18 A number of attacks on Russian businesses are unclaimed and Anonymous says they did not conduct those attacks. This tells us there are other hackers, operating independently against Russia.
15. Summary: Ukraine’s cyber operations are professional and accomplishing their objectives. Third party radio intercepts indicate that Russian soldiers don’t like being targeted. Craters and wreckage on the ground suggest that the targeting teams are doing a quality job. Defensively, most of Ukraine’s Internet and cellular towers remain in operation. Government broadcasts over social media continue unabated. Russian social media networks are being identified and dismantled. Ukrainian government cyber forces are proving highly effective.
16. ‘Anonymous’ and independent hackers supporting Ukraine are problematic. They are operating without constraints. What physical infrastructure will Anonymous attack? What damage are they looking to cause? What happens if a third party hacker causes a pipeline breach, a pipeline fire with loss of life?
17. Final Thoughts: The war is making the global cyber environment more complex and dangerous. In the background, China appears to have increased its attacks on NATO countries by 116%.19 Iran has been mounting its own cyber campaigns including attacks on Israel. The Indian government is under attack by Pakistani hackers. Criminal hackers have returned to work, spreading malware and mayhem. Other countries are busy growing their own cyber capabilities. Our Prime Minister continues to attract attention to Canada, despite our poor cyber readiness. Interesting times.
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact firstname.lastname@example.org