The cyberwar in Ukraine

Daniel Llewellyn
Mar 13, 2022 · 7 min read

The much-discussed “fog of war” applies doubly to cyberspace. By its nature, it is often opaque, difficult to attribute and prone to being both exaggerated and understated. With this in mind, this article is intended to summarise what has been reported so far; it is likely to only scratch the surface of the cyber war in Ukraine, and may contain inadvertent inaccuracies.

As we head into the third week of the war in Ukraine, a parallel war has been taking place in cyberspace. It has been simultaneously predictable and unexpected: reprisal attacks from Russia against Western countries in response to sanctions have been muted, whilst the worldwide response from hacktivists has matched the support for Ukraine demonstrated in protests and marches around the world.

The Russian offensive

For years, the asymmetric Russia-Ukraine war has raged online. Perhaps the most significant attack, highly likely to have come from Russian attackers, was conducted on Ukrainian electricity companies.

Russia has long been judged to have sophisticated offensive cyber capability, and hosts a complex array of hacking groups operating out of its intelligence services and military. Two well-known groups are APT29, believed to be behind the SolarWinds attack and the breach of data from the US Democratic National Committee, and APT28, infamous as the group allegedly responsible for attempted interference with the US 2016 election campaign.

Experts in the cybersecurity industry had predicted that the invasion of Ukraine would involve a ‘hybrid’ war, combining traditional military power (bombs and bullets) with an escalation of the war taking place online. The first days of the war seemed to confirm this, with Symantec reporting within hours of the ground invasion that ‘wiper’ malware was being deployed on targets inside Ukraine, seemingly in the finance, defence, aviation and IT sectors.

The attack was destructive in nature, wiping users’ machines and corrupting the boot partition so that the PC could not be used thereafter. The type of malware and its choice of targets may suggest the goal was to disrupt Ukraine’s ability to mount a defence against the Russian invasion, or perhaps the targeting of financial institutions was aimed at causing more general chaos. Whatever the motivation, the malware appears to have been in place as early as November 2021, many months in advance of the ground invasion.

Not yet catastrophic

The initial volleys against Ukrainian systems were not followed up with any particularly devastating attack by Russia’s cyber forces, either on Ukraine or on the Western nations supporting it. Given Russia’s history of conducting cyber warfare, this is somewhat surprising.

A number of theories as to why the Russian invasion has not been followed up with a devastating attack on Ukrainian utility suppliers have been put forward. One theory points towards a concern about escalation and provoking a NATO response against Russia; another is that the industry is much better prepared for cyber attacks than in previous years. One idea in particular is that the cyber war has suffered from the same lack of preparation as the ground invasion. Talk of a short war, with Russian soldiers only being given supplies for three days, may indicate that Russia did not lay the groundwork for a sophisticated cyber offensive, which would certainly explain the seeming silence in cyberspace.

“Russia wasn’t ready — high-impact attacks take time, skill, luck; it’s much harder than often portrayed to achieve this type of impact.” — Ciaran Martin, former head of Britain’s National Cyber Security Centre

Much like the escalation in air and missile attacks in the ground war, this lull may be short-lived whilst state and criminal groups regroup and focus their attention on bringing the war to the online world. Unfortunately, the worst may yet be to come.

Anonymous and hacktivist groups

At the time of writing, there has been no credible attribution of cyber attacks conducted on Russia by Western nations. Despite this, a different type of army has declared war on Russia. Anonymous, which grew out of the message board ‘4chan’ in 2003, is a decentralised, international hacker group that has conducted attacks on a number of governments across the world since its inception. A tweet on the 24th of February from the official Anonymous Twitter account declared war on Russia.

Since then, a number of attacks, in particular disruptive DDoS (distributed denial of service) attacks on Russian state websites, have been claimed by the group. Attacks on the Kremlin and Russian Ministry of Defence websites took those sites offline, whilst other sites like Russia Today are claimed to have been hacked and pro-Ukrainian content posted. The group has also claimed responsibility for leaking information from Belarusian weapons manufacturers and for attempting to disrupt Russian internet service providers.

These types of attacks are disruptive and uncoordinated in their nature, and, as with similar attacks against other governments and organisations over the years, are primarily aimed at causing disruption to the government in any way possible. Leaks of information and defacement of websites seen by the Russian public work in parallel with another type of asymmetric warfare being fought, the information war (more below). However, the decentralised nature of attackers like Anonymous and other hacktivists (people who gain unauthorised access to computer files or networks in order to further social or political ends) may have serious consequences in the rapidly evolving landscape of cyberspace. Ordinary Russian citizens may suffer as a result of data leaks, and the wider call for people across the world to become involved in cyber attacks, for example by installing DDoS software on their machines, may be installing ‘backdoors’ on those machines that can be exploited later on.

A DarkOwl analyst is quoted as saying the hackers are leaking “sensitive corporate information… You’ve got shipping addresses and account numbers… This can be used in more strategic espionage activity.” (Ref: https://dotesports.com/general/news/report-hacktivists-take-action-online-for-ukraine-cybersecurity-experts-cautious)

Even the Ukrainian government-coordinated ‘IT Army of Ukraine’, organised through the secure messaging app Telegram, has encouraged attacks on civilian as well as military infrastructure. Suggested targets on the channel include the Belarusian railway, Russian banks and the Russian equivalent of GPS, “GLONASS”. These kinds of indiscriminate attacks have alarmed security analysts, who warn that the consequences of such widespread targeting are difficult to predict, and many worry that the efforts may be counterproductive.

The information war

Much ink has been spilled already on the information war. US and British intelligence leaked Russian invasion plans for weeks before the first shots were fired in the latest invasion, with the intention of preventing Russia from using false flag attacks as an excuse for war, and the battle for hearts and minds online has continued with a constant barrage of photos and videos posted on social media. For many years, the information war has been waged by news networks like Russia Today spreading the Kremlin’s narrative, along with armies of Russian troll bots on social networks like Twitter (https://en.wikipedia.org/wiki/Russian_web_brigades).

Early indications are that the Russians have lost control of this aspect of the war. Faced with an unprecedented global condemnation of the invasion and an inability to prevent the robust Ukrainian resistance from taking hold, the Russian state has resorted to blocking Facebook and Twitter in order to limit Russians’ access to alternative sources of information about the invasion.

Ironically, as bombs rain down, the Ukrainian internet, partly as a result of ubiquitous satellite connectivity, has remained online, allowing Ukrainians to share their stories and continue to win international support. By contrast, Russian forces have resorted to unencrypted communications, and the growing restrictions on internet companies are reducing Russian access to the internet.

An evolving situation

There are many more aspects of the ongoing war that we have not discussed, from the Russian use of cryptocurrency to bypass sanctions and the Ukrainian use of the same cryptocurrency to receive international donations, through to the focus on European and American cyber defence should the cyber war gain momentum and spread. The situation online is as chaotic, unclear and fast-paced as the one on the ground and will continue to evolve alongside the conventional war. As long as bombs and bullets fly in Ukraine, we can expect to see leaks, espionage and denial of service, both for and against the Russian government, continue. In fact, it is highly likely that the cyber war will outlast the physical one.
