Pages

10 June 2022

Russia’s Use of Cyberattacks: Lessons from the Second Ukraine War

Mitchell Orenstein

Russia, probably more than any other leading power, launches cyberattacks against other countries as a matter of routine. Sometimes, Russian cyberattacks accompany military action, as in the current war in Ukraine. At other times, Moscow uses cyberattacks to disrupt or weaken societies, for instance during the 2016 US Presidential election. Russia also uses its formidable cyber arsenal to threaten governments in response to a specific event, for instance when Finland welcomed Ukrainian President Volodymyr Zelensky to speak at its parliament in April.

What do Russian actions during the Second Ukraine War (which started in February 2022) reveal about Moscow’s approach to cyberattacks? Do officials in the Kremlin think about cyber activities differently in wartime versus peacetime? What might these differences say about Russia’s vaunted cyber arsenal going forward?

Russian cyberattacks during wartime are more frequent than during peacetime and more targeted toward critical infrastructure. However, Russian cyberattacks are otherwise similar to cyber attacks launched at other times, varying primarily in their intensity. In smaller quantities, cyberattacks may act as warnings (shots across the bow); in medium amounts, as part of a sub-military hybrid war strategy; or on a large scale, as attempts to disable critical infrastructure during armed combat. Since the techniques are remarkably similar, Russia’s intentions may be discerned less by the nature of the cyberattacks themselves and more by their frequency and their context, whether accompanied by diplomacy, disinformation, or military action. The number one target of these attacks is the United States, followed by Ukraine. As a result, should study how and why Russia uses cyberattacks in wartime versus in a hybrid war strategy of disruption—and whether one necessarily leads to another in Russian doctrine.

Russian Cyberattacks in Wartime

Russia’s extensive cyberattacks on Ukraine provide a window into how it deploys cyberattacks in armed conflict and in its hybrid war against the West, when it seeks to avoid provoking an armed response. On April 27, 2022, Microsoft’s Digital Security Unit issued a report that enumerated and analyzed all known Russian cyberattacks on Ukraine in the first months of the war. The report concluded that the Russian military intelligence service (commonly known as the GRU), foreign intelligence service (or SVR), and federal security service (or FSB) “have conducted destructive attacks, espionage operations, or both, while Russian military forces attack the country by land, air, and sea.” The objective, the company added, was “to disrupt or degrade Ukrainian government and military functions and undermine the public’s trust in those same institutions.”

Cyberattacks accelerated dramatically with the outbreak of war. In December 2021, Microsoft observed 15 Russian cyberattacks against Ukraine. This number rose to 125 in March 2022 (see Table 1 of the report). The company assesses that Russia began preparing for Ukraine cyberattacks in March 2021, at the same time that Russia began to deploy troops along its border with Ukraine. Preparatory cyberattacks appear to have aimed at collecting military and foreign policy intelligence and gaining access to critical infrastructure, such as energy and IT service providers. By contrast, Microsoft concludes that “destructive attacks signal imminent invasion.” It noted that Russia unleashed the destructive WhisperGate wiper (that deletes hard drives and renders computers unbootable) on a limited number of Ukrainian “government and IT sector systems” when diplomatic talks between Russia, Ukraine, NATO, and EU nations failed on January 13, 2022. Russia followed with denial of service attacks on Ukrainian government websites.

On the eve of war on February 23, 2022, Russia’s GRU threat group, Iridium, unleashed another destructive wiper, FoxBlade, on hundreds of Ukrainian military and government networks simultaneously. Microsoft also observed connections between specific military actions and cyberattacks. For instance, cyberattacks were geographically concentrated around Kyiv and in Donbas, and targeted Ukraine’s nuclear power company around the same time that Russia occupied Ukraine’s largest nuclear power plant in Zaporizhia. During wartime, Microsoft concluded, cyberattacks are more frequent, more destructive, and coordinated with military action.

Russian Cyberattacks as a Substitute for War

Of course, Russia also deploys cyberattacks in the absence of planned military action. Examples include Moscow’s cyberattacks against Estonian banks, government ministries, and parliament in 2007 and on the 2016 US presidential election. In these instances, the attacks seriously disrupted the politics of both countries. Russia did not rely on cyberattacks alone, but accompanied them with other disruptive methods, such as civil actions, protests, and disinformation campaigns. Nevertheless, in these instances, Russia did not seek to provoke a shooting war.

Russia sometimes uses cyberattacks not to disable critical infrastructure to pave the way for military conquest, but as part of a comprehensive strategy of disruption to degrade enemy capabilities without provoking retaliation. In such cases, Russia has deployed cyberattacks less frequently, but persistently over time, and these include destructive attacks. The Second Ukraine War may cause the West and its allies to take these “hybrid” or “political” war attacks more seriously, since they so obviously parallel Russian actions in wartime.

Russia’s 2007 cyberattack on Estonia, for instance, sought to prevent the relocation of a Soviet-era monument commemorating the Red Army’s “liberation” of Estonia. For many Estonians, the monument represented the Soviet Union’s decades-long subjugation of the country during the Cold War. For Russia, on the other hand, it was a symbol of Soviet sacrifice in defeating the Nazis in World War II.

When diplomacy failed, cyberattacks began. A few weeks after Estonia decided to relocate the Soviet-era statue from the center of Tallinn to a military cemetery, unidentified hackers launched a series of distributed denial-of-service attacks. These attacks against the Estonian government and information systems, coinciding with escalating protests by Russian-speaking Estonians, lasted 22 days. The denial of service perpetrators went as far as to spread tutorial pages—in Russian—on when and how to launch cyberattacks. The situation reached its height when Estonia’s ambassador to Russia was attacked during a press conference in Moscow. The combination of a disinformation campaign, staged protests, and cyberattacks created anxiety and disillusionment among the Russian-speaking Estonian population.

Similarly, Russian cyberattacks contributed to an atmosphere of distrust, polarization, and social fragmentation in the 2016 US presidential election. A group of 12 Russian military officers gained unauthorized access into the computers of the Democratic National Committee, Democratic Congressional Campaign, the Hillary Clinton campaign, and two Republican candidates, and then disseminated the information online. This cyberattack not only damaged the victims’ chances of winning the election, but contributed to Americans’ already-declining faith in democratic institutions. During the election, a Pew Research Survey found that only 20 percent of the American population expressed trust in democracy, a staggering figure for a country seen as the leader of the free world.

In Estonia in 2007 and in the United States in 2016, Russian government actors used cyberattacks not to prepare an imminent violent attack, but rather to weaken an unfriendly nation by infiltrating its politics and undermining trust in democratic institutions. Russia, in these instances, combines cyberattacks with disinformation campaigns and civil actions, rather than military ones.

Russian Cyberattacks as a Threat Signal

Russia also deploys cyberattacks as a poignant warning or threat, often to put more force behind diplomatic actions.

For instance, on April 8, 2022, while Ukrainian President Zelensky gave an invited address to the Finnish Parliament, the Finnish foreign and defense ministries were hit by a distributed denial of service attack. Finnish government systems were back up in an hour, but given the circumstances, this cyberattack appears to have been designed to signal Russia’s displeasure with Finland’s plans to join NATO and its support of Ukraine. This attack was presaged by Russian diplomatic statements warning Finland of “retaliatory steps” to joining NATO. To date, it remains the only significant cyberattack against Finland or Sweden as they planned their applications to join the alliance. This attack bears similarities to other instances where Russia used cyberattacks to emphasize diplomatic warnings.

Following the 2015 doping scandal that resulted in the Russian Olympic team being banned from the Olympics through 2022, Russian military intelligence launched a significant cyberattack against the Swedish Sports Confederation while Sweden was issuing a bid to host the 2026 Winter Olympics. These cyberattacks were part of a “systematic campaign” targeting FIFA, the World Anti-Doping Agency, and the United States Anti-Doping Agency in furtherance of diplomatic goals rather than military or societal disruption.

Three Distinct Uses of Cyberattacks

Russia uses cyberattacks in three different ways. First, it deploys cyberattacks to prepare and facilitate military conflict by attacking critical infrastructure such as government websites, IT servers, banks, media outlets, and power plants. As the Second Ukraine War shows, Russia seeks to disrupt and disable critical infrastructure to advance its military goals.

Russia also deploys cyberattacks as part of a hybrid war strategy that substitutes for war. These attacks may be persistent over longer periods of time. However, Russia deploys cyberattacks in smaller quantities and often combined with other hybrid or political war techniques, such as disinformation campaigns and civil actions in targeted countries. In these instances, Russia does not appear to intend imminent military action, but may seek to degrade defensive capabilities.

Cyberattacks may also be deployed as a more isolated threat signal and complement to diplomatic warnings, when a country takes actions that Russia interprets as unfriendly. For these purposes, cyberattacks are more frequently combined with traditional diplomacy.

In conclusion, Russia uses cyberattacks as a method of disrupting societies and organizations. While in wartime, Russia deploys cyberattacks with greater frequency, and the attacks are often more destructive, the central difference appears to be the accompanying actions. Wartime cyberattacks accompany military action. In political or hybrid war situations, cyberattacks accompany disinformation and civil actions and seek to substitute for military action by achieving some goals without the risks. At other times, cyberattacks accompany diplomatic warnings against other countries and international organizations.

Russia’s invasion of Ukraine in 2022 created an opportunity to shed more light on Russia’s use of cyberattacks in wartime. It also allows analysts to better understand Russia’s cyberattack strategy more broadly. Keeping an eye on the connection between cyberattacks and their context could provide, in future, clues about Russia’s intentions. It also may help defense experts counter the threat in the first place. Given that Russia intentionally uses cyberattacks to disrupt nations without provoking armed response, the United States needs to find ways to respond to these attacks not only during a shooting war (as it has during the Ukraine conflict), but also to the less frequent, but persistent attacks that form part of Russia’s ongoing hybrid war against the West.

No comments:

Post a Comment