8 October 2022

Cyber and Information Warfare in Ukraine: What Do We Know Seven Months In?

Christopher Bronk, Gabriel Collins, Dan Wallach

Introduction

The Ukraine war is in its seventh month.[1] At the outset of hostilities, many figured that Moscow’s bold gamble to storm Ukraine by force and seize the country’s capital would succeed as similar operations did in Hungary (1956), Czechoslovakia (1968), and Afghanistan (1979). Before the invasion commenced, it was hard to predict how effectively Ukraine’s military would fight. That will to fight answers a great information question of warfare. Once the shooting started, we learned that Ukraine’s military was indeed motivated and fought well. With a form of stalemate now in place, we believe it is wise to consider less tangible forms of action that have occurred and how they may shape future fighting. There have been some real surprises in this war, not least in our areas of expertise—cyber and information operations. An accounting of both is provided here, as well as how information and cyber action may influence the outcome of this war, whether it ends in a negotiated settlement, capitulation, or collapse.

Our thinking about the unexpected turns of the Ukraine war has yielded observations that cover communications, logistics, operational art, and a variety of other topics. Many, if not most, of these involve information and computation. From propaganda to air defense, this war is one in which the proliferation of computation and information technologies has produced a battlefield environment far different from earlier conventional engagements of the post-Cold War period. There are many issues we wish to cover, although some more briefly than others, because we are unaware of the classified operations undertaken by the belligerents and their supporters. We receive hints—say of information sharing by the U.S. (Harris and Lamothe 2022) or supportive cyber action by the Chinese (Milmo 2022)—in the public record, but these anecdotes suggest that there will be some interesting reads months or years down the road as more information is revealed.

The Cybers

Among the items that surprised us at the commencement of hostilities was the absence of a crippling cyberattack on the Ukrainian telecommunications infrastructure. In the earliest hours of fighting, the world watched as armored columns streamed by Ukrainian border checkpoint cameras that passed their images over the internet unimpeded. Ukraine stayed online as Russia invaded. Both Russian and American military doctrine now include the use of cyber effects alongside traditional “kinetic” warfare. We know the Russians certainly tried to cause cyber effects, including Russian attacks on ViaSat’s modems (O'Neill 2022), which were mitigated by new connectivity via SpaceX’s StarLink orbital information network. Subsequent Russian attacks on StarLink were unsuccessful (Kan 2022). Russia attempted to close off Ukraine from cyberspace, and failed to do so.

The failure of Russian cyber operations in the early portion of the war clearly played in Ukraine’s favor, with Ukraine maintaining both internal communications and the means to get their message out to the world, whether through traditional news channels or through YouTube, TikTok, and other online forms of media. Also, while we would not know until later, the U.S. had established secure communications from Ukraine to the U.S. military’s European Command (Harris et al. 2022).

A related surprise was the absence of a massive set of cyberattacks aimed at Ukraine’s critical infrastructure. In 2015 and again in 2016, Russia conducted against Ukraine some of the cleverest hacks of electricity infrastructure seen anywhere thus far (Assante 2016). A year later, Russia launched Petya/NotPetya, a massively destructive set of false ransomware attacks against Ukrainian government and commercial targets. Petya had a far-reaching impact on firms beyond Ukraine as well, not least the well-documented destructive attack against international cargo carrier Maersk (Greenberg 2018). We have not seen the same sort of enormously destructive cyberattack launched against Ukraine this year, although it is possible that such attacks may have been launched and were either unsuccessful or were rapidly repaired.

Before the war, there was an assumption that cyber action would be at the center of any Russian kinetic campaign (Hofmann 2022). This was the case when Russia attacked Georgia in 2008. But now we proffer a new hypothesis: that Russia went for broke with cyber action in its earlier campaigns in Ukraine (2012) and in Syria (2015). Lessons learned (by Ukraine and others) have been applied in Ukraine in 2022, blunting the impact of the cyberattacks now. For example, IBM’s Security X-Force group has documented “at least six” Russian campaigns targeting Ukraine and has published a list of security indicators to help prevent them. And, of course, there have been many other documented cyberattacks, both before and after the invasion began (Harding 2022). This suggests that cyber’s role in Russian military planning is a form of “icing on the cake.” It is nice to have, but it is not a prerequisite for launching a kinetic attack.

In addition, there is ample evidence that the global IT industry in general, and Ukraine’s IT community in particular, were more prepared for destructive Russian cyberattacks now than a few years ago. Nonetheless, Microsoft asserts with a great degree of confidence that during this war Russia has launched “destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world” (Smith 2022). Although some experts feel Microsoft’s claims are overblown (Smalley 2022), the pattern of cyberattacks against Ukraine being discovered and mitigated seems clear. The Defense Department’s U.S. Cyber Command made contributions by releasing cyber indicators of compromise valuable to the Ukrainians and available by Pastebin to everyone else (“Ukraine Network IOCs” 2022).

We are less convinced of effective Russian or Ukrainian battlefield cyber action. If it is happening, it is not making the news. We are curious about where the Fancy Bear/APT 28 Russian cyber group, “believed by U.S. intelligence officials to work primarily on behalf of the GRU,” is applying its efforts and if it can do so effectively (Volz 2016).

Communication Breakdown

We expected the Russians to do much to confuse and confound the Ukrainians with cyber action, with strategic and battlefield communications at the top of their target list. We did not anticipate a manifold breakdown in Russian communications among units moving into Ukraine and attempting to coordinate complex operational maneuvers in multiple thrusts across hundreds of kilometers of frontage (Cranny-Evans and Withington 2022). We saw ample evidence of Russia not having secure communications at the tactical and operational level. Russian encrypted communications were an abysmal failure (Myre 2022). This was clear when a staff officer in the field had to report the death of his commander, Maj. Gen. Vitaly Gerasimov, to their headquarters in Tula, Russia. His request for a secure line was rebuffed, as his commander stated that the encrypted telephones did not work. The message was intercepted and then shared with the world (Borger 2022).

Faced with unsecure and nonfunctioning battlefield communications, Russian commanders shifted to what worked—chiefly cellular telephones (Schogol 2022), often operating on the Ukrainian phone network (Horton and Harris 2022). This allowed Ukraine access to these calls, some of which they have published, and of course, to geolocate those phones. In at least one instance, the tactic was used to target and kill a Russian general (Schmitt 2022). Conversely, we might have expected Russia to hack the Ukrainian cellular networks, giving them the same advantages—particularly when we have known for years that among other Russian electronic warfare capabilities (Kadam 2022), Russian unmanned aerial vehicles (UAVs) are capable of acting as fake cellular base stations (Peck 2017). It is possible that U.S. cyber assistance has helped blunt or defeat Russian cyberattacks in this arena (Srivastava, Murgia, and Murphy 2022). It is also possible that Ukrainian troops have been more disciplined in their phone use; for example, Ukrainian troops are instructed to walk 400 to 500 m away from their position before using a phone (Devine 2022).

Other experts have considered that Russia might have an advantage in keeping the Ukrainian cellular network operational, both for its own communications and to hack Ukrainian targets (Sabin and Cerulus 2022). Certainly, maintaining a posture of quiet surveillance over Ukrainian communications could be advantageous to Russia’s military. Cellular communications are still an important piece of tactical intelligence, not least for their importance to reconnaissance and attack by drone.

It is also possible that the shift in Russia’s strategy, from trying to control the entire country to a more limited operation in Ukraine’s East, has made it easier for Russia to deploy its electronic warfare systems (Clark 2022). These will make life harder, as anything from Ukrainian air defense radar to communications may be degraded in their effectiveness.

Drone Hell

In his study of military innovation, author Max Boot offered reminders that new weapons could remake the conduct of war. Of import in the Ukraine war, perhaps more than any other, is unmanned aircraft. A lesson from the most recent Armenia-Azerbaijan conflict is that the side that masters the employment of drones (a.k.a. unmanned aerial vehicles) may hold a critical advantage over the side that does not (Dixon 2020). Before fighting broke out, drones were identified as an important equalizer for Ukraine (Bronk and Collins 2021). This has definitely been the case. Two forms of drone, the cheap quadcopter and the heavier medium-endurance UAV, have transformed the information picture that is battlefield situational awareness. Each deserves some attention.

Cheap quadcopters have made an incredible impact in tactical reconnaissance in the region surrounding the forward line of troops. For example, the widely available DJI Phantom 4 Pro (“Phantom 4 Pro V2.0,” n.d.) offers tremendous observation capability with a 20 megapixel camera that records 4K video or live streams 1080p video, while operating at a distance of 10 kilometers, with an endurance of 30 minutes. Fully equipped, the Phantom 4 Pro costs about $2,000, or one-fortieth the cost of a Javelin fire-and-forget anti-tank missile. Given the prominent role of artillery in the war, these cheap drones have radically improved battlefield situational awareness, targeting, and damage assessment. We have also seen videos from drones, either locally improvised in Ukraine by hobbyists or produced by the Ukrainian military’s Aerorozvidka reconnaissance organization (“Aerorozvidka,” n.d.), being used to drop grenades on tanks and other armored targets (Hambling 2022), something that also carries propaganda value.

Also involved in strikes against Russian forces and infrastructure targets are Turkish-supplied Bayraktar TB2 UAVs. While the TB2 looks a bit clunky next to U.S. military UAVs, Ukraine has used them to great effect, both for surveillance and as a platform for launching missiles. The shift from manned aircraft to unmanned UAVs in reconnaissance and close air support has already proven effective in Iraq and Afghanistan, but analysts were concerned about whether they would be as effective in areas with more sophisticated air search radars and electronic warfare. The answer appears to be that they are indeed effective, or at least expose another Russian failure: their inability to control the radio spectrum in Ukraine and jam such drones, although that may be changing (Bryen 2022).

Intelligence and the Information War

Russia’s intelligence operations’ presumably massive penetration of Ukrainian political and economic structures failed at the most basic level to yield accurate intelligence about Kyiv's willingness to stand and fight. Had the Russians received or accepted better information and been able to premise their assumptions on something closer to reality, they might have structured an entirely different attack plan and been more successful in preparing troops and selecting attack vectors.

In the West, intelligence regarding the war has been abundant, accurate, and publicly disseminated. For example, the U.K.’s Ministry of Defense has been publishing daily summaries on its Facebook page. Furthermore, in the days prior to Russia entering Ukraine, American and British public statements accurately predicted Russian actions in advance of their taking place (Sabbagh 2022). Demonstrably, Russia was unable to protect the confidentiality of its planning and deliberation process, with U.S. intelligence operations having thoroughly penetrated Russia’s political leadership, spying apparatus, and military (Harris et al. 2022). Russian denials at the time proved false, damaging Russian credibility with respect to other statements that they have made since, while bolstering the legitimacy of NATO information releases.

While the U.S. and its allies have not disclosed their sources or methods, which is to be expected, the scope and breadth of their disclosures were certainly a surprise. “It doesn’t have to be solid intelligence,” one U.S. official said. “It’s more important to get out ahead of [the Russians], Putin specifically, before they do something” (Dilanian et al. 2022). This rapid dissemination represents a significant change in how intelligence is processed, leading to a variety of benefits—including allegedly causing Russia to delay its own invasion timetable, which allowed NATO allies more time to coordinate their response.

Relatively little has been written about cyber intelligence operations against Russia by Ukraine and its allies, although there have been suggestions that NATO forces have contributed targeting data for high-value targets such as munitions depots and command centers. Employment of HIMARS, an artillery rocket launcher, and its long-range (>70 km) guided rocket GMLRS (“M142 HIMARS,” n.d.) has yielded spectacular results in destroying ammunition depots and command targets (Hunder, Balmforth, and Heritage 2022). Such targeting information could have been learned through cyber means, by hacking and tracking cellular telephones or even by hacking into Russian military command networks; through more traditional signals intelligence operations (e.g., triangulating the locations of radars and radios); via satellite reconnaissance; and/or from observers and drones on the forward line of troops.

It is also entirely possible that cyber operations have degraded Russian military capabilities. In another context, for example, Israel allegedly hacked a Syrian radar system (Gasparre 2008) prior to bombing the Al Kubar nuclear facility in 2007 (Farrell 2018). We note that the Russia S-300 radars used by Syria in 2007 are still fielded by Russia in Ukraine today, so it is conceivable that some Ukrainian military operations have tried something similar. The Russians may also be attempting to glean cyber intelligence. They have done so before. One curious episode, unearthed in 2016, concerned a Ukrainian homegrown cell phone app for artillery targeting, which the Russian military was able to compromise, giving it real-time geolocations of Ukrainian artillery units (Martin 2016). This is exactly the kind of cyber intelligence activity that we would have expected to happen in the current war. If it is happening, it is not making the news.

What we do know about is the relevance of open source intelligence (OSINT). At least at the beginning of the war, any Ukrainian with a camera who filmed an attack on a Russian armored vehicle seemed to post it on the internet. Those images, in aggregate, plus videos posted by the Ukrainian and Russian militaries, often from UAVs, add up to a surprisingly comprehensive view of the war. They are also increasingly studied by large, distributed amateur and scholarly communities. King’s College Ph.D. student and former U.S. Marine officer Rob Lee (Lee 2022), among others, strung together a collage of online media to create a compelling analytic narrative of the war. Non-governmental groups like Bellingcat have collected data and developed guides and tools for others to use (e.g., for Telegram and TikTok [Bellingcat 2022]). No doubt machine learning techniques and increasingly sophisticated geo-indexed imagery sources can paint vivid pictures of the battlefield at a distance (Tearline 2022). There is even an OSINT component to understanding the cyber war, evinced by raw reporting from security researchers and government/civil society and aggregated in this CSIS report (Harding 2022).

Propaganda, Misinformation, and Disinformation

If there was an area in which we previously believed Russia to be incredibly strong, it was influence operations conducted through cyberspace (Cordey 2019). Russia’s combination of computer hacking and targeted propaganda in both the U.K. Brexit referendum and U.S. national elections in 2016 indicated its intelligence services' tremendous skill and sophistication in undermining NATO democratic institutions. We have come to expect online active measures that confound NATO democracies (Rid 2020). However, Ukraine has dominated the information war for public support.

In information operations, Ukraine has been able to effectively turn everything from leaked, unsecure Russian communications to video of anti-armor ambushes (Sabbagh 2022) into a narrative of triumph over a hapless opponent. Ukraine has waged a media war that effectively portrays the country as a victim (which it is) and that shows Russia has paid a terrible price for the invasion (which it has). With the retreat of Russian forces from the outskirts of Kyiv came additional propaganda points.

Russian propaganda, internally targeted, has perhaps inspired support at home, although Russia has also aggressively cracked down on and jailed its internal activists (Dixon 2022). Whether or not it has been successful, Russia has invested significant effort at hobbling its domestic news media and limiting access to the broader internet (McMahon and Lieberman 2022). For the Ukrainian territories occupied by Russian forces, Russia has rerouted internet traffic through its own ISPs and thus through its own censorship regime (Satariano and Balbierz 2022). It is at best unclear whether this has had a meaningful, pro-Russian impact on public opinion in these regions.

Outside of its own borders, Russia has been ineffective at countering Ukraine’s narrative. For example, early in the war, Russia would regularly accuse Ukraine of being filled with “Nazis” and even ramped up this false narrative in May (Srulevitch 2022, Cloud et al. 2022). They appear to have abandoned this propaganda plank. Worse, Russia’s propaganda has been a vector for targeting Russian forces, a cardinal sin of information operations. Ukraine likely employed Russian news reporting of maritime logistical operations in the port of Berdyansk in preparing its standoff missile attacks against Black Sea Fleet amphibious ships there (BBC 2022). Video from Russian-controlled Berdyansk of the sinking of one ship and the strikes against two others leaked online (Sutton 2022). Footage also emerged online of the severely damaged Black Sea Fleet flagship, Moskva, before she sank. A Russian “own goal” or two due to failed propaganda operations is hardly something we might have expected.

What’s Coming Next?

Wisdom is shown again and again in Yogi Berra’s aphorism, “It’s difficult to make predictions, especially about the future.” We will not try to predict the future of kinetic warfare in Ukraine, which depends on a variety of unknowns, including what weapons Ukraine is able to adopt and how effective it will be at blunting Russia’s attacks. Likewise, we cannot predict whether NATO sanctions against Russia and its oligarchs will yield sufficient domestic political pressure for Russia to either convince Putin to withdraw or to convince others to overthrow him. What we can predict is that both sides will increasingly look to cyber tactics, both in support of kinetic warfare, as well as in support of propaganda and information operations.

For kinetic warfare, we are already seeing a variety of NATO armaments being delivered to Ukraine, many of which include precise GPS targeting capabilities. This suggests Russia might counter with GPS jamming/spoofing. It also suggests that broader packages of the latest electronic warfare equipment might be necessary for Ukraine to continue to fight (see, e.g., LaPorta 2018). We might also imagine that Russian cyber operators, or their Ukrainian counterparts, may achieve a breakthrough in their opponent’s command-and-control systems, potentially giving real-time intelligence to their soldiers in the field attempting to find hidden enemies, to escape ambushes, and to degrade the command systems’ effectiveness.

We can also predict that propaganda operations will grow more sophisticated on both sides. Today’s propaganda is largely the release of news and videos to broad audiences. Even though TikTok’s short videos might be a novel delivery mechanism, the idea of using videos for propaganda purposes is nothing new. What we expect to happen next will be microtargeted propaganda. Much as Russian operatives used Facebook’s advertisement targeting features to identify and manipulate U.S. voters in the lead-up to the 2016 election (Mayer 2018), we can and should expect similar microtargeting to occur elsewhere. This could include Russia attempting to manipulate the 2022 U.S. midterm elections. It is also likely that Russian propaganda or cyber-hacking efforts will target other countries that have emerged as important allies to Ukraine. For example, Albania, which has offered public support to Ukraine and has taken in a modest number of Ukrainian refugees, experienced a cyber attack, forcing it to take down a number of government services (Euronews Albania 2022). As of this writing, the country only attributes the attack to actors “outside Albania.”

Closer to the battlefield, attempts to manipulate the morale of soldiers are as old as warfare itself. We know that Russia has sent messages to Ukrainian phones (soldiers and their families) and volunteers are sending pro-Ukrainian messages to random Russian phone numbers and posting them to Russian restaurant review sites (Cecil 2022, Collins 2018, Zitser 2022, Gronholt 2022). With broader data collection, we could imagine individual soldiers receiving tailored text messages: “Here’s a photo of you at this location today. We’ll kill you there tomorrow if you don’t lay down your arms and leave.” On top of that, Ukraine could combine its war crimes documentation efforts (The New York Times 2022) with its tailored messages: “We know you were ordered to do X. That would make you personally liable as a war criminal, so you really shouldn’t.” Such messages could even be created as group texts with the soldiers’ families, perhaps inferred from text message interception, in an attempt to leverage family ties to break soldiers’ morale. Of course, as word spreads at home, this would dissuade other civilians from enlisting for voluntary military service. It is also completely reasonable to imagine Ukraine sending informative text messages to recently arriving Russian soldiers, e.g., “Welcome to Luhansk. Here’s a link to your instruction on the Geneva Convention and war crimes.”

One curious aspect of cyber effects in warfare is that they do not appear to raise the same risks of escalation, with the notable exception of a cyberattack on nuclear command and control (Acton 2020). NATO’s caution against Russian escalation has clearly limited the flow of weapons to Ukraine. For example, the U.S. has supplied Ukraine with HIMARS artillery rocket systems, but not with the longer-range variants, fearing deterrence issues. This contrasts with cyber operations, which the U.S. can conduct itself without giving any technology directly to Ukraine or putting any American operators in harm’s way, and which apparently does not offer the same risks of military escalation (Libicki 2012). While the exact nature of U.S. cyber operations in Ukraine has not been publicly disclosed, it is reasonable to assume that U.S. and other allied cyber operations have been working closely to support Ukraine, and we have every reason to believe that this will only continue.

Other Recent Academic Discussions of Cybersecurity in the Ukrainian War

Eichensehr (2022) notes the limited role taken by cyber operations in the Ukrainian War and considers the ramifications for this on international law.

Kostyuk and Gartzke (2022) present a statistical analysis of 11 years of recent military campaigns and find that “cyber operations are rarely used as either complements to or substitutes for conventional military operations.” They also survey how other military theorists have discussed the role of cyber activities in and around traditional warfare.

Rovner (2022) makes many of the same observations we do, including the seeming importance of cyber attacks as part of a military campaign and the corresponding absence of Russian effectiveness. Cyber attacks should be particularly effective as a means of sabotage, damaging or degrading both cyber and physical assets, without the risks normally associated with human saboteurs, who might be captured or killed. From what we see, their primary use in Ukraine is for espionage (e.g., exfiltrating secrets/signals intelligence).

Wilde (2022) examines how NATO and Russian military theorists have viewed the role of cyber attacks as part of larger military campaigns, discussing a number of cyber failures in prior campaigns. His conclusion is worth quoting:

The issue is less that Western observers might have overestimated Russia’s cyber potential in its war on Ukraine, more that they almost certainly underestimate the complexities and frictions which separate intent from execution, intensity from effect. Particularly in the still murky arena of information warfare, the chasm between theory and practice remains wide. Moreover, in an era of apparently robust intelligence insights into the Kremlin’s designs, it may prove far easier to slip into erroneous assumptions based thereon, the foremost being that intention necessarily equals capability.

Clark (2022) summarizes Russia’s portfolio of electronic warfare systems, including jammers, attack tools, counterattack tools, and surveillance equipment, and explains how ineffective they have been for most of the war, becoming relevant only once the battle lines became relatively static in Eastern Ukraine. Clark suggests that this advantage could be fleeting if Ukraine, with NATO assistance, could gain aerial superiority.

Geers (2022) catalogs a number of Russian cyberattacks against Ukraine, both before and during the invasion. Geers also discusses activities of independent “hacker” groups, and how both Russia and Ukraine evolved their attacks and defenses after the invasion began.

Conclusion

In this essay, we have considered all of the ways that computer systems have played a role in the Ukraine war. We expected the Russians to mount sophisticated cyberattacks, both in terms of espionage and sabotage, against the Ukrainians, and this did not happen—or at least it did not happen in any fashion that would have been decisive to the war. If anything, Ukraine has outperformed Russia, both in its cyber defense and its counterattacks (perhaps with significant aid from its NATO supporters).

We could easily reach a conclusion that Russia’s cyber corps failed, or that cyber-effects are an unimportant part of Russia’s overall military strategy. A perhaps more nuanced view would be to note that every other aspect of Russia’s military has also failed, including its command and control, logistics, air forces, and navy. It is difficult to point to anything going particularly well for Russia in this war, and that suggests Russian deficiencies at the highest echelons of its military and civilian leadership.

Perhaps the question we should be asking, after what we have seen in Ukraine, is not why Russia has done so poorly with its cyber forces there. Instead, we should ask why it appears that Russia has been so successful in other arenas. It appears that a vigilant and prepared defender can stand up to the information and cyber punishment that may be dealt out by the Kremlin.