Pages

1 March 2023

One year of Russia’s cyberwar in Ukraine: what we have learned

Gintaras Radauskas

Moscow was thought to be a superpower in cyber warfare, but Russia hasn’t been able to hit Ukraine’s networks as hard as it has been doing by kinetic means this past year. Cybernews went looking for an explanation.

One year after Russia launched its invasion of Ukraine on February 24, 2022, some analysts say it’s quite clear Moscow hasn’t accomplished much.

Yes, the invading forces and the incoming missiles have destroyed thousands of military and civilian lives, while Russia continues to occupy much of Ukraine’s eastern Donbas region and the southern coast.

However, as US president Joe Biden noted on a surprise visit to Ukraine’s capital city this week: “Kyiv stands. And Ukraine stands. Democracy stands.” The country is very much functioning and continues to resist the invaders, who some analysts say have lost tens of thousands of troops.

Russia’s efforts, or lack of, in cyberspace have surprised many as well – Moscow’s cyberattacks do occur, but they have not had the intended impact. Ukrainians freely access the internet, where important battles for the hearts and minds of Western decision makers and voters are taking place.

Many analysts interviewed by Cybernews agree, though, that this doesn’t necessarily mean that Russia’s cyber capabilities have been overestimated. It’s precisely Ukraine that’s punching above its weight, with the help of Western allies.

Even so, the war is not over. Russia keeps going and doesn’t actually need powerful cyberattacks to compromise Ukraine’s critical infrastructure, as it sends forth missiles and suicide drones.

Besides, Russia, keen to avoid larger confrontation with the West and NATO countries for now, might have chosen to initiate only low-level attacks – but it can probably mobilize more powerful tools in the future, Irina Tsukerman, a geopolitical analyst and national security lawyer, told Cybernews.

Cloak of deniability needed no more

Have cyberattacks played a decisive part in the conflict? Even though they clearly have not changed the course of the war, some experts are warning that one should not jump to conclusions just because large-scale cyber operations have not been held – both at the beginning of the invasion and later.

First, one could speculate that the Kremlin did not launch devastating attacks at the outset of the war – although there were half-hearted attempts – because the Russians thought they would reach Kyiv in three days and therefore need Ukraine’s infrastructure to maintain the occupation.

Second, as experts at both the Security Awareness Special Interest Group (SASIG), a networking forum based in the United Kingdom, and the World Economic Forum have noted, cyber warfare is not a standalone entity.

According to experts – who spoke at a recent webinar under the Chatham House Rule, meaning their identity and affiliation cannot be disclosed – full-scale and separate cyberwar is not a realistic prospect at all, but rather a tool in a wider war. Moreover, they added, it’s hard even to define such forms of conflict, because the use of cyber means is by design subversive.

“Besides, this has been a traditional war in the sense of many bombings, tanks, close-range combat. There has been less impact from cyber tactics – these techniques are often better for intelligence collection rather than a wide-scale impact on the battlefield,” Grayson Milbourne, security intelligence director at software company OpenText Cybersecurity told Cybernews.

Kevin Kirkwood, deputy chief information security officer at LogRhythm, a US security intelligence company, agrees: “Once a war turns kinetic, the cyber aspects of it may take a back seat. They’re still an important part of a battle plan, but the kinetic aspects of the conflict have a tendency to disrupt the infrastructure that supports cyber action.”

Michael McLaughlin, an attorney in Baker Donelson’s data privacy and cybersecurity practice in Washington who previously served as a senior counterintelligence advisor for US Cyber Command, told Cybernews he noticed a strange thing when the invasion started.

Like most experts, McLaughlin expected Russian cyber actors to ramp up operations coinciding with military action. But the opposite actually happened, and Russian cyber activities never reached the peak of January and February 2022, even though Moscow attempted to correlate cyberattacks with kinetic operations.

“I think, quite frankly, it is because the Russians no longer needed the cloak of deniability that cyber operations provide. The Russians were fully engaged in a hot war across the whole of Ukraine,” said McLaughlin.

“They didn’t need to deploy exquisite cyber weapons when they could fire a missile instead – and that’s what they did. As the war has progressed, we have seen catastrophic kinetic attacks against Ukrainian critical infrastructure that rendered cyber options less necessary. I think we are seeing the limitations of cyber warfare in general once a war goes hot.”

Preparation time and Western help

Jonathan Reiber, vice president of cybersecurity strategy and policy at AttackIQ, a security optimization platform, who previously served as the chief strategy officer for cyber policy in the Office of the US Secretary of Defense during the Obama administration, has another theory.

“An operating assumption that I have is that Putin hasn’t escalated cyberattacks outside of the Russian area of operations significantly, because he knows that it could trigger further involvement and escalation, and doesn't want to make things worse for himself,” Reiber told Cybernews.

Western countries and companies indeed rushed to help Ukraine defend its institutions. Analysts told Cybernews that US Cyber Command’s “hunt forward” teams were deployed to Ukraine ahead of the invasion to smother critical lines of attack.

Google’s Threat Analysis Group recently said in a report that 50,000 Google Workspace licenses and rapid air raid alerts systems for Android phones were donated to the government.

Microsoft has announced several aid packages and is helping Ukraine defend against destructive wiper attacks by threat actors affiliated with Russian military intelligence. Elon Musk’s Starlink satellite internet service kept the country connected and functioning after the Viasat satellite services Ukraine used were hacked.

“Without the support of the West, it is difficult to even imagine the course of the war."Konstiantyn Savchuk.

Ukrainians themselves are quick to point out that their resilience, as fantastic as it is, would not be enough by itself to counter Russian attack waves in the cyber arena.

“Without the support of the West, it is difficult to even imagine the course of the war. For example, having our troops connected via Starlink provides advantages on the battlefield. At the same time, the Russian side has big problems with communication,” Konstiantyn Savchuk, security analyst at MacPaw, a Ukraine-based software company, told Cybernews.

“Starlink also helps in military headquarters, strongholds, and places where radio communication does not work, while using Amazon or Microsoft Azure on favorable terms allows businesses and banking systems to work. Companies such as Cloudflare and CrowdStrike helped stop attacks on government institutions.”

Of course, it helps that Ukraine had already experienced Russian cyberattacks in the past – the country knew it had to significantly strengthen its defenses. For example, NotPetya malware, while it had worldwide impact, was first targeted against the Ukrainians in 2017, and in late 2015, the power grid in two regions of Ukraine was hacked.

“This was years before the war started, and the Ukrainians have had a lot of time to invest in their defenses since then. We haven't seen Russia shut off the lights in Ukraine through cyberspace operations in the past year, perhaps because Ukraine has improved its defensive posture,” Reiber told Cybernews.

The weaponization of Starlink

Ukrainian IT professionals are unsurprisingly grateful to their allies in the West. After almost casually mentioning regular Russian missile strikes, Savchuk, who had to work from a bomb shelter last year, modestly shrugs: “Any help from Western partners is valuable to us in the fight against the aggressor.”

Relying on help from private corporations is quite risky, though, numerous experts told Cybernews. The shock effect of Russia’s invasion helped in 2022, but these companies might change tack once they realize money is being lost – because they are ultimately concerned about their own financial interests.
Starlink terminals in Ukraine. Image by Shutterstock.

This is already happening. Musk’s SpaceX, the company behind the Starlink service, said earlier in February that it had taken steps to prevent Ukraine’s military from using Starlink for controlling drones in the region. Gwynne Shotwell, SpaceX’s president, later said that Starlink was “never ever meant to be weaponized”.

This is the elephant in the room with the potential to become a big problem for Ukraine, Tsukerman said. According to her, while NATO military assistance in the cyber realm has been effective and indispensable for Ukraine, the Big Tech involvement could potentially be as much a hindrance as a help.

Tsukerman thinks Microsoft and other big corporations are not well known for having particularly great cyber defenses. Moreover, they allegedly employ cybersecurity professionals “that are not of the highest caliber and not trustworthy during a state of conflict”.

“Elon Musk, in addition to taking a bizarre ideological position, has been more and more often seen as reflecting Russian propaganda talking points, and he also has financial conflict of interest, especially with respect to China and due to taking money from several other countries which coordinate with Russia on various matters,” said Tsukerman.

“Ideally, it should be possible to incentivize Musk in some way – but without the threat of losing US government subsidies, that will likely not work. Even if it happens, other governments can step forward and offer him support – as they have already done.”

McLaughlin stresses that the world is for the first time seeing “super-empowered individuals and corporations” make strategic, operational, and ethical decisions that have lasting consequences on the battlefield.

“The question is whether the international community is prepared to allow corporations – who represent their own interests rather than those of nation-states – to make these types of decisions unilaterally. While the US lauds Starlink and Microsoft for their support of Ukraine – and rightly so, were Huawei to do the same on the side of Russia, the international community would be in uproar,” McLaughlin told Cybernews.

The Western help to Ukraine is also not a one-way relationship. NATO, the EU, and the US are gaining valuable intelligence and feedback from this effort.

“The amount of intelligence that can be collected from providing this assistance will additionally allow NATO, the EU, and the US to see what an adversary like Russia is capable of and what type of doctrine they may be following, which would help shape better defenses for future conflicts,” Michael Galde, professor of practice for the cyber operations program at the College of Applied Science and Technology at the University of Arizona, told Cybernews.

No secret ace up Russia’s sleeve

To be sure, Russia-related hacking collectives such as Killnet constantly seek ways to hurt Ukraine and its allies in the West.

Success is hard to see and actually measure – one of the major challenges in cyberspace is the lack of established rules of engagement. However, some experts fear Moscow may at any given time move on from these limited and sporadic hits to something more powerful.

“For now, it has to be assumed that Russia has used up many of its best tools. But it would be foolish not to think that there is a reserve,” Sam Curry, chief security officer at Cybereason, a US cybersecurity company, told Cybernews.

“Distributed denial-of-service (DDoS) attacks and website defacement may be the poor man's tools and splashy, but don't be fooled. Just because lower-caliber weapons and grenades are being used doesn't mean higher-caliber weapons, artillery, and nastier weapons aren't being employed with less splash in the depths of networks around the world."

On the other hand, Savchuk of MacPaw said Russia’s cyber capabilities were overestimated – yes, there have been isolated attacks, but they haven’t been devastating: “Ukraine has already experienced several stages of a high-intensity war, but we have not observed successful cyberattacks that would change the course of the war.”

“Russia may increase attacks in response to developments on the battlefield, international funding, and military aid. But I believe that Russia has nothing new to offer,” Savchuk told Cybernews.

Milbourne agrees: “One year into the war, these attacks are more of a nuisance than impactful. Cyber operations are more effective at intelligence collection, which can have a big impact in war. However, so far we’ve not seen this to be a deciding factor. I do think that if Russia had an ace up their sleeve, we’d have seen it by now."

Kirkwood, the cybersecurity professional at LogRhythm, told Cybernews he personally believed the Kremlin started believing in their own mythology and was sure Ukraine would simply collapse. Obviously, this is the opposite of what happened.

“Folks in the areas where the attacks were first launched had been preparing for conflict for a long time and were fighting for their family, homes and country. That is a strong combination of factors that creates the right motivation. No amount of ‘the big bad wolf is coming’ would be enough to overcome that,” Kirkwood said.

“It is doubtful that Russia has a secret cyber bomb up its sleeves. If it had one, it would have already deployed it, and if NotPetya is any example, it would have escaped country boundaries and impacted other nations and businesses across the world. The battle in Ukraine will now be won or lost on the kinetic front, with the cyber efforts playing a supportive role.”

No comments:

Post a Comment