The role of Cyber Ops in a shooting war

Everybody in the cyber security field, whether on the blue team or the red team, has asked themselves at least once how a cyber war would actually play out, either between two nation-states with similar capabilities or between groups of hackers waging a coordinated campaign against a nation-state.

We got a partial answer with the Russian invasion of Ukraine that started on 24 February 2022. In this article, we look at the cyber operations conducted while a shooting war is being fought in Ukraine.

Historically, Russia has been tied to multiple cyber-attacks against both Ukrainian and Western targets. Though well documented and linked to several Russian groups, these attacks have never been officially acknowledged by the Russian authorities.

We briefly analyze the role cyber operations play in actual military operations, the impact that massive cyber-attacks have on the population of the targeted country, and the effects of cyber-attacks on critical and economic infrastructure.

The Power Grid Attack – Sandworm Team

The conflict in Ukraine is the first major conflict involving large-scale cyber operations. The so-far disastrous Russian invasion, in which cyber operations have provided little benefit, raises questions about the utility of offensive cyber operations and about the planning and coordination they require. Better-than-expected Ukrainian defenses seem to be the main reason why Russian cyber efforts have had limited effect. Russia has used past cyberattacks against Ukraine to destroy or damage infrastructure and data; examples are the attacks on the Ukrainian power grid on 23 December 2015 and 17 December 2016.

On 23 December 2015, a cyberattack compromised the systems of three regional energy distribution companies, including one in the Ivano-Frankivsk region of Western Ukraine, and cut power to roughly a quarter of a million customers for several hours. The attack marked the first known cyberattack to cause a power outage. It was allegedly carried out by the Russian APT group Sandworm Team. Nearly one year after the first power grid attack, a cyberattack hit a transmission substation near Kyiv and left part of the Ukrainian capital and its surrounding area without electricity for about an hour. Researchers describe the malware used in this attack (known as Industroyer or CrashOverride) as only the second known case of malicious code purpose-built to disrupt physical systems, after Stuxnet. The malware can automate mass power outages and includes swappable, plug-in components that speak the industrial control protocols used by substations, which would allow it to be adapted to different electric utilities and launched simultaneously across multiple targets. Again, suspicion for this attack falls on the Sandworm Team.

Other attacks prior to 24 February

Prior to the invasion that started on 24 February, Russia launched a broad cyber campaign against Ukraine. The intent appears to have been to create disorder and overwhelm Ukrainian defenses. Russian hackers tried to disrupt services and install destructive malware on Ukrainian networks. The primary targets were Ukrainian government websites, energy and telecom service providers, financial institutions, and media outlets, but the cyberattacks encompassed most critical sectors. This was a wide-ranging campaign using the full arsenal of Russian cyber capabilities to disrupt Ukraine, but it was unsuccessful.


Attacks included phishing campaigns, DDoS attacks, exploitation of known software vulnerabilities, and deployment of destructive malware such as the HermeticWiper wiper and ransomware-style encryptors. Russia's most significant cyber success so far was the disruption of Viasat's KA-SAT satellite broadband network, in which a wiper rendered subscriber modems unusable. This caused significant damage that spread well beyond Ukraine, including to customers elsewhere in Europe, but ultimately did not provide a military advantage to Russia. The attack may have been intended as part of a larger, coordinated cyberattack that proved unsuccessful, or the Russians may not have expected the rapid restoration of service that was achieved with outside assistance.

What’s the objective of cyber-attacks in modern conflicts?

Most of these attacks have been attributed by Ukrainian and Western sources to Russian government entities, mainly the GRU, Russia's military intelligence service, which has a history of using disruptive cyberattacks. In a few cases, proxy groups such as the ransomware group Conti were also involved. All of these hacking efforts seem to have been poorly coordinated with Russian military actions in Ukraine.

In modern conflicts, involving modern armies, cyberattacks are best used in combination with electronic warfare (EW), disinformation campaigns, antisatellite attacks and precision-guided munitions.

The objective should be to degrade the informational advantage and intangible assets of the opponent, such as data, communications, intelligence assets, and weapons systems, to produce operational advantage. The most damaging actions would combine precision-guided munitions and cyberattacks to disable or destroy critical targets. Cyber warfare can also be used for political effect by disrupting finance, energy, transportation, and government services to overwhelm defenders' decision-making and create social turmoil. Russia has been unable to achieve any of these objectives at a meaningful scale.

While cyber operations are invaluable for espionage, they are far from decisive in armed conflict. A pure cyberattack is inadequate to compel any but the most fragile opponent to accept defeat. No death has been directly attributed to a cyberattack, and there are very few instances of tangible physical damage. "Logical" damage from attacks on software and data is frequent, but these attacks do not usually create a strategic advantage, which can be defined as forcing an opponent to make changes or concessions it would not otherwise have made. In Ukraine they have not been used at scale and in a sustained manner, but rather in an uncoordinated and sporadic fashion. Sustained and systematic efforts are required to damage an opponent's ability to resist.

Cyber operations in conflict are very useful for conducting espionage, gaining advance knowledge of an opponent's planning and capabilities, and deceiving the opponent. There was reportedly a surge of Russian attempts to penetrate NATO networks at the onset of the conflict, a precautionary move given Russia's fear of a possible NATO intervention on behalf of Ukraine.

One weakness of Russian cyber operations has been the lack of coordination between cyber and conventional forces. At a tactical level, cyberattacks can provide benefits when combined with other weapons, including conventional delivery systems, precision-guided munitions, UAVs, and electronic warfare. This combination has the goal of crippling command networks and advanced weapon systems and contributing to the attrition of opposing forces.

The most effective cyber tactic is to use hacking and disinformation to create confusion and inflame existing discontent, distracting the government by creating domestic social and political turmoil, but the Russians have failed to use this tactic effectively in Ukraine.

Hacktivism

The cyber war declared by the Anonymous collective shortly after the illegal Russian invasion of Ukraine has received a lot of publicity and hype in the Western media, but the actual effect these attacks have had on the overall course of the war so far is negligible. The declared goal of the hackers who have joined this unofficial cyber war against Russia is to force Vladimir Putin to stop the war of aggression against Ukraine. This obviously has not come to pass. Another objective was to stir the Russian population into action, in the hope that massive protests and social unrest would force the hand of the Russian leadership and stop the war. This objective has also not been achieved.

The hackers managed to penetrate the networks of Russian state media and broadcast footage of the destruction wrought by the Russian military in Ukraine, temporarily taking control of the news channels Russia 24 and Channel One. This did not have the desired effect: most Russians believed the official propaganda, which states that the bombing of civilian buildings and the killing of unarmed civilians are false-flag operations staged by the Ukrainian security services to frame the Russian military. Russia's ban on popular social media sites such as Facebook, Twitter and Instagram makes the information war even more difficult.

While celebrated in the media, the various cyber actions against Russian websites by private actors had no effect on Russian military operations, its military capabilities, or the Russian government’s strategic calculations. Russia did not change course or alter plans as a result of these hacktivist efforts, nor was the Russian capability to engage in offensive operations degraded by these attacks. Russian public opinion, largely supportive of the war, seems unaffected by hacktivism.

At the start of the conflict, thousands of volunteers engaged in cyber action against Russian targets and in defense of Ukrainian networks. The most difficult issue with an army of thousands of civilian volunteers is coordination, and the mechanisms and infrastructure for coordination require advance preparation. The Estonian Defence League's Cyber Unit is an example of how such groups can be organized to be effective. The lesson for other countries is that volunteers can provide valuable assistance in defense if their efforts are coordinated and a framework for coordination and partnership with government agencies is developed before a conflict begins. Ukrainian civilian efforts to provide intelligence on Russian forces, while dependent on networks, are not exactly "cyber" efforts, but they provide real benefit to defenders.

Most of the attacks carried out by various hacking groups against Russian targets were DDoS attacks, but there were also successful intrusions into various databases with exfiltration of information. One such leak published the mobile phone numbers of high-ranking Russian government and military officials.

These attacks have significant symbolic value, suggesting that Russian cyber defenses are not as experienced or as well prepared as previously thought. There is, however, a serious risk that one of these attacks might hit a target the Russian government considers vital, such as its satellite network, or might damage a hospital's IT infrastructure and lead to loss of life. Vladimir Putin could use such an attack as a pretext to escalate the conflict by blaming Western security agencies for the hack, even if it was carried out by civilian hackers.

Conclusion

To sum up, cyber operations can play a vital role in traditional military operations if they are integrated into the overall operational plan and there is enough planning and coordination to ensure that they achieve their goals. Cyber attacks are well suited to information gathering and to disrupting communications and logistics, but their destructive capabilities are still limited. When a power plant is hit by a missile strike, the smoking rubble can be observed; it is more difficult to tell whether a cyber attack was successful or how lasting its effect will be. The effect of cyber attacks can be amplified when they disrupt command mechanisms, weapons software, and information. The most important lesson for cyber warfare from Ukraine is that preparation and planning are needed, and that cyber operations have to be integrated with other methods of attack to achieve maximum effect.

An offensive cyber campaign needs thorough planning, reconnaissance of potential targets, and a detailed attack plan with precise objectives and purpose-built "weapons". Any potential campaign also has to account for collateral damage to civilians, such as degraded access to online services and social media, and for the fact that the international community is increasingly intolerant of collateral damage and of deliberate attacks on civilian targets.

Cyber operations failed to advance Russia's goals in Ukraine: the occupation of the country and the replacement of its elected government. The Ukrainian defenders and their international partners reacted quickly and effectively to deflect Russian efforts to disrupt networks.
