Computer Network Operations During the Russian Invasion of Ukraine
This blog was originally published by VGS on May 12, 2022.
Written by Kenneth Geers, PhD, Information Security Analyst at VGS.
Information is life. Therefore, when nations go to war, information operations – including data theft, denial, and manipulation – are one of the keys to victory. Even in peacetime, governments run thousands of computer network operations (CNO) every day. Some are designed to support democracy and human rights, while others surveil, target, and terrify innocent civilians.
This week, at Black Hat Asia in Singapore, I will examine the CNO we have seen during the 2022 Russian invasion of Ukraine. Some of my relevant personal experience includes teaching a cybersecurity class at Taras Shevchenko National University of Kyiv (2014-2017), and publishing a book for NATO, *Cyber War in Perspective: Russian Aggression against Ukraine (2015)*.
On Feb 24, 2022, the Kremlin tried to seize Kyiv in a “special military operation” intended to force regime change in Ukraine. Computer hacking in support of this invasion, to collect strategic intelligence, had begun over a year in advance, and included at least six Russian “Advanced Persistent Threat” actors and at least eight malware families.
In January and February of 2022, as Russian forces encircled Ukraine, there were simultaneous operations in cyberspace, designed to intimidate Kyiv. Over 70 Ukrainian government websites were defaced, and their content was replaced with threatening messages written in Ukrainian, Russian and Polish.
For over a week, and just prior to the actual invasion (Feb 15-24), CNO shifted to distributed denial-of-service (DDoS) attacks. These were the largest that the Ukrainian government had ever seen, and their targets included government and intelligence agencies, as well as banks. Often, cyberattack attribution is a slow process, but on Feb 18, the White House announced that “technical information” had already linked these DDoS operations to Russia’s Main Intelligence Directorate (GRU).
As military forces began to cross the Russian border with Ukraine, the CNO shifted again, this time to destructive “wiper” code. In January, security researchers reported on WhisperGate, which encrypts files, corrupts a computer’s Master Boot Record, and displays a fake ransom note. On Feb 23, HermeticWiper appeared, in a highly tailored deployment that included a signed digital certificate. On Feb 24, IsaacWiper targeted the Ukrainian government.
The Internet now reaches into outer space – and so does computer hacking. On Feb 24, a likely malicious firmware update in Viasat ground infrastructure (a US firm) rendered user satellite modems “unusable” (they had to be replaced). The attack took place one hour prior to Russian troops crossing Ukraine’s border, and resulted in an “immediate and significant” loss of communications, as Ukraine’s military relies on Viasat for its command-and-control (C2). As with NotPetya in 2017, this hack caused collateral damage across Europe. The US Government attributed this attack to Russia.
Psychological operations (PSYOP) in this war have been prolific. Bots were repurposed from anti-vax to anti-Ukraine spam campaigns. SMS threats were sent to soldiers (“flee or be killed”) and citizens (“ATMs are not working”). Ukrainian leadership Facebook accounts were hacked and used to encourage Ukrainian troops to surrender. Facebook detected and disrupted state actors from Russia and Belarus, who were conducting influence operations.
In war, the defender typically enjoys certain advantages, including a superior knowledge of battlefield terrain and communication networks. During this invasion, Russian forces are reported to have suffered a breakdown in military comms, which led to a reliance on Ukrainian SIM cards, and a subsequent vulnerability to interception, jamming, and geolocation.
During the opening phase of the war, one group of hackers may have played a strategic role in helping the Ukrainian government to survive. Working with Belarusian dissidents, they compromised Belarusian railway signal control cabinets (which still ran Windows XP) in order to sabotage Russian military deployments. Train traffic was reportedly “paralyzed” for days, which was believed to have contributed to the vulnerable 40-mile convoy north of Kyiv.
On Feb 26, the Ukrainian government issued a worldwide call for “cyber volunteers”. Its designated Telegram channel, “IT ARMY of Ukraine”, now has nearly 300k subscribers. Tasks include DDoS, propaganda, doxing, defacements, intelligence gathering, and dialogue with Russian citizens. Management challenges include vetting, command-and-control, adversary infiltration, mistakes, and potential retaliation.
The hacktivist collective Anonymous claims to have defaced or knocked offline numerous Russian government and media sites, doxed the Russian MoD, and hacked Russian television to display war footage from Ukraine. One unit, Squad 303, sent tens of millions of text messages to Russian phone numbers in an effort to provide Russian citizens with better information about the war. Hackers defaced a Russian space research website and leaked files they claimed to be from Roscosmos.
The website Distributed Denial of Secrets posted over 6 million Russian and Belarusian documents, allegedly from Russian government, military, intelligence, economic, and media domains. For example, there were 360k files from Roskomnadzor, the agency responsible for monitoring, controlling, and censoring Russian mass media. Due to the ongoing war, a disclaimer reminds researchers that some of the documents could be fabricated, altered, or might even contain malware.
Cyberspace is a global domain. Chinese state hackers were accused of conducting cyber espionage against Ukraine, Russia, Belarus, and Poland, launched from compromised network infrastructure in the West. The US announced that it had secretly removed Russian malware that had been installed around the world, in a preemptive operation against future Russian cyberattacks. DHS/CISA created a “Shields Up” site to offer cyber intelligence, updates, and best practices for network defense during the crisis.
Private sector InfoSec experts have opined not just on CNO, but also on broader questions in national security and international relations. One expert recommended that the West send a message of deterrence to the Kremlin by temporarily knocking Russia offline. Others countered that this would be a terrible idea. CNO often lead to ambiguous results and unexpected consequences. In fact, both the US and Russia have warned that impeding either nation’s nuclear command-and-control (NC3) could lead to catastrophic results.
There are numerous examples of CNO on both sides in this war. In particular, there was at least one major attack on each side: the Russian compromise of Viasat, and the Belarusian railway hack. Neither of these attacks was decisive in the war. However, they strongly suggest that, in the Internet era, armies do not go to war without leveraging hacker tools and tactics.
Before the war, the West feared both Russian kinetic and cyber warfare capabilities. At this time, both seem to have been overhyped. Russia is struggling on the battlefield and in cyberspace. However, that may merely reflect the shortcomings of autocracy vis-à-vis democracy, or disastrous decision-making dynamics in the Kremlin. RUNET is now a digital Iron Curtain, a self-inflicted denial-of-service, and Russian scientists are fleeing their country in numbers not seen since 1917.
Ukraine has outperformed Russia on the traditional battlefield and in cyberspace. Over time, superior flexibility, adaptability, and bandwidth may constitute decisive advantages in CNO, as they better reflect the dynamic and fast-evolving nature of IT, computer networking, and hacking. Kyiv also has far more allies than Moscow, not only among the nations of NATO and the EU, but also among IT and IT Sec firms.
At this point in the war, Internet connectivity has proven to be surprisingly resilient. In Ukraine, almost everyone is still connected to each other – as well as to the outside world. This has allowed Volodymyr Zelensky to run diplomatic circles around Vladimir Putin, and leads us to a final point: so far in this war, simple information operations have far outshined complex computer hacking.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.