In the early hours of 24 February 2022, Russian forces initiated offensive, kinetic action against multiple targets across Ukraine. While shocking given the naked brutality of these strikes, this invasion represented the culmination of a months-long build-up, and arguably the final phase of a conflict that started in 2014. As I write this, Russian forces are attempting to encircle and cut off Ukraine’s capital, Kyiv, from the rest of the country, potentially as part of a “decapitation” maneuver targeting the country’s democratically elected government.
There are many tragic elements of this conflict, from its impact on the people and civilians of Ukraine to the unnecessary nature of its origins. In thinking about this event, we as outside observers should not lose sight of the suffering of Ukrainians and how events are impacting them, right now, while we sit comfortably analyzing events from afar.
With the above in mind and in our hearts, the Russia-Ukraine conflict has, since 2014, featured a number of (academically) interesting cyber components:
- The 2014 “CyberBerkut” events linked to Ukrainian elections.
- The 2015 incident targeting several Ukrainian electric distribution sites.
- The 2016 Industroyer/CrashOverride event targeting Ukrainian electric transmission.
- The 2017 NotPetya destructive incident, starting in and likely designed to be focused on Ukrainian institutions, although impacting multiple organizations globally.
The above represent only the “highlight” events and mask a number of widespread, persistent campaigns linked to Russian entities from phishing campaigns to periodic disruptive events such as distributed denial of service (DDoS) incidents. With this background, analysts and commentators anticipated a noticeable, if not significant, cyber component accompanying Russia’s increasing pressure on and subsequent invasion of Ukraine from late 2021 to February 2022.
And yet, aside from continuation of some campaigns (such as the ever-present and admirably persistent Gamaredon), such effects failed to materialize in any substantial fashion. Instead of “cyber fires” taking down communication networks, electric utilities, or air defense systems, the only (known, noticeable) events include the following:
- The January 2022 false ransomware plus wiper (WhisperGate) incident, roughly concurrent with a DDoS and defacement event focused on Ukrainian government and financial institutions.
- Further DDoS events from 15-16 February focusing again on Ukrainian government and financial organizations.
- Another wiper event just prior to invasion, targeting various unspecified entities in Ukraine, as well as potentially Lithuanian and Latvian entities, roughly concurrent with another round of DDoS activity.
While these events are certainly concerning, callous, and disruptive, they appear to fall quite short of past cyber incidents in Ukraine in terms of both extent and impact. Instead of the cyberwar scenarios hyped by commentators and speculative fiction writers, events appeared more “Computer Network Annoyance” than “Computer Network Attack” on discovery and initial analysis. Yet, with the benefit of hindsight (now that the physical invasion of Ukraine is sadly underway), we can better contextualize these events and identify some possibilities that were potentially desired but for one reason or another unrealized.
As stated above, the events in the run-up to Russia’s invasion of Ukraine represent rather limited impact scenarios in isolation. However, if the timing of these events were shifted, matters become more interesting. Instead of taking place absent other, immediate concerns, widespread disruption of government communication mechanisms (e.g., websites) and denial of access to financial resources and systems during an invasion scenario would be quite impactful. This represents the sort of “boosted” cyber incident or “kicked while down” scenario previously discussed on this website, where cyber effects are timed to take advantage of or amplify other crisis scenarios.
In the event of an invasion, among many other items, one can expect the following critical needs for both a government and the wider society:
- The need to maintain accurate communications with the populace, both to reassure people and to demonstrate the continued efficacy and viability of the government.
- The need for citizens to rapidly increase non-electronic financial resources as part of evacuation, internal migration, or external flight – essentially, the need for hard currency.
With these in mind, the DDoS and wiper actions become more sinister if timed right. Eliminating accessibility to government websites and impacting availability of major financial institutions essentially hits very specific pain points in an emergency scenario. Arguably, the financial impact (limiting or impairing the ability of noncombatants to access funds or withdraw hard currency prior to escaping a conflict zone) represents an especially callous, if not outright brutal, action given its effects.
Obviously, this direct correlation of cyber with physical events (thankfully) did not take place – but was it meant to originally? While definitive answers to this question will need to await either Putin, Naryshkin, Gerasimov, et al standing trial in The Hague (highly unlikely) or some enterprising researcher gaining access to archives long after these ghouls and their heirs have passed on, some informed (and informative) speculation is possible given what we know of events.
First, US intelligence entities (and, to a limited extent, other Western services) have repeatedly gone public with very specific details of Russian operations for months prior to Russia’s attack. While met with derision by some commentators when such actions did not take place, such a view simply demonstrates the ignorance of those speaking. When making a disclosure such as specifics on generating a pretext for invasion or detailed invasion plans, such a statement is not made in a vacuum – the subject of such disclosures is paying attention as well. Based on such disclosures, that subject (in this case, Russia’s national command authority (NCA)) can modify plans so that what was once a true statement or accurate assessment becomes stale and no longer correct. This is arguably an intelligence “win” in shaping adversary behavior, but does tend to make public statements appear “off” to the ignorant or uninformed.
The above is relevant because of the nature of cyber effects execution and planning. Cyber “fires” are not “bolt from the blue” events but require planning, prepositioning, and capability development for success. For example, as described in Symantec’s writeup of HermeticWiper, prepositioning for the February 2022 destructive incident started as early as November 2021. For the rounds of DDoS events, command authorities would need to either build or acquire the botnet resources in advance and identify targets, all actions taking time to prepare. Thus, one possibility is that the NCA desired and potentially planned for these cyber events to coincide with the actual invasion, but disclosure of invasion plans or pretexts in advance resulted in operational changes, with cyber “supporting effects” becoming “out of sync” with the broader campaign.
Second, we should not discount the possibility of “operator error” on the part of Russian authorities in executing these events, or timing them wrong. For example, in the 2016 power event, the entities responsible appear to have “rushed” events to coincide with desired timing (roughly one year after the 2015 event), leading to poorly developed, malfunctioning malware. Instead of a desired massive disruption leading to potential physical destruction scenarios, the Industroyer/CrashOverride event resulted in a limited outage, in both magnitude and duration. With this background in mind, lack of communication, or even outright interagency hostility between various intelligence and military services, may have led to cyber effects becoming disjointed from other planning, leading to suboptimal results and misplaced timing. This appears especially relevant for the February events, which took place days before the actual invasion, when concurrent timing would have been far more disruptive and impactful.
To this point, it appears that cyber effects may have been planned to amplify the impacts of invasion, increase confusion, degrade communications, and inflict greater suffering on the Ukrainian people, but for various possible reasons this failed to materialize. It is thus tempting to say that cyber failed to meaningfully or materially contribute to Russia’s offensive operations in Ukraine – but this statement assumes such operations are complete. Instead, dogged and fierce resistance by Ukrainian defenders transitions what appeared to be a desired quick assault against Ukraine’s main population centers and seat of government into a more deliberate and drawn-out affair. This scenario is obviously the worst case for the people of Ukraine as they endure continued fighting (especially in population centers), but it also indicates opportunity for further cyber operations.
Rather than focus on headline-grabbing “destructive” operations such as cyber-physical scenarios, any future cyber operations are likely to be more aligned with information operations than material destruction. In this sense, we should anticipate cyber operations to complement efforts to degrade or shape communications and messaging from Ukrainian authorities, targeting links to both the Ukrainian people as well as to outside audiences. That such effects have not (noticeably) taken place yet may indicate a failure of planning on the part of Russia, or an optimistic assessment of the speed of the invasion (and anticipated Ukrainian collapse). As events drag on, though, the desirability of controlling (or in some cases eliminating) communication mechanisms, to degrade command-and-control structures as well as to shape messaging around the conflict, increases substantially.
While scary FICINT scenarios will likely fail to materialize, “cyber” is not done yet in this conflict, although its role may be more traditional and less spectacular than certain academics and vendors would like to see. Influence campaigns, more “classic” information operations actions, and similar will likely emerge to control narratives and shape coverage of the conflict in the days and months to come. Although somewhat boring on a pure technical level, such actions have proven both effective and useful in other conflict scenarios, and we should anticipate their use in the current crisis.
Furthermore, should the conflict spread beyond Ukraine, additional scenarios will emerge where long-running campaigns to infiltrate critical infrastructure and other networks, such as Russian-linked Berserk Bear activity, may go from latent development to active disruption. This would bring the commentator “dream” of “cyber war” closer to fruition, as dormant capabilities and built-up access points are weaponized in an extended conflict. Hopefully we avoid this scenario, but this appears to be the most likely situation for headline-grabbing cyber effects to materialize – and even then, it would do so in conjunction with other, more traditional political and military capabilities in order to achieve the greatest measure of efficacy.
Given the above discussion, we must view cyber not as some magic weapon or capability in isolation, but as one component of overall adversary operations that requires coordination with other elements to achieve maximum efficacy. While Russian cyber operations in Ukraine appear to be of very limited impact so far, more capable timing or better planning and coordination could have easily boosted these “annoying” events into far more disruptive and damaging incidents. With luck, we will not witness Russia or any other entity learning this lesson and applying it to civilian populations any time soon – but we must be wary of when entities become more effective in deploying such capabilities, and plan appropriately.