Threat Intelligence / OSINT / NETSEC / NATSEC

A brief look at cyber operations in the context of hostilities

Recent events clearly show the intentions of the Kremlin, which decided to invade Ukraine, potentially threatening the entire territory of the state. In the context of military operations, there is often talk of the role of cyber operations as supporting or even replacing kinetic operations. Especially the latter use stimulates the imagination: the media and commentators point to the possibility of achieving military goals using cyber means, breaking into military networks, turning off electricity or cutting off access to the Internet. In my opinion, this view is greatly exaggerated. The events in Ukraine or the concentration of the Chinese navy in the South China Sea show that physical control of territory simply cannot be replaced by even the most sophisticated cyber operations. Cyber operations, in turn, can cause economic losses, chaos in communication or disruptions in the supply of data services without exposing the attacker to military losses. With that in mind, let's look at the types of operations we have already seen from Russia and what goals they have achieved. Speaking of Russian operations, I will choose those that have been attributed to entities related to the Russian government by government agencies or by private threat intelligence teams which, in my opinion, have sufficient knowledge and access to data to identify the perpetrators with high probability.


Let's start with the most common use of cyber operations: military, economic or political intelligence. So what bothers me here? Well, after the intelligence activity of, for example, APT28 is made public, there are very frequent voices about "cyber war", "hybrid war", "operations below the threshold of war" and so on. It is difficult for me to understand this approach to the subject, as in my opinion these are typical intelligence operations, not different in their goals from SVR officers recruiting sources or otherwise secretly obtaining information. We do not say, however, that every intelligence operation is part of a war or military action, because espionage, by its very nature, is different from an armed attack. Returning to the substance and starting with the linked FireEye / Mandiant report from 2014, we see a clear focus on international organizations, the armed forces and political targets:

Similarly, in 2018, Mandiant announced the APT29 campaign, which targeted entities related to defense, the public sector, law enforcement and research centers. In both cases, the attackers used phishing to deliver implants to victims in order to gain remote access to systems, and thus access to mailboxes, stored documents and other communication.

Just as the above examples concern political and economic intelligence, we can also find examples of military intelligence operations directly supporting military operations. In 2016, CrowdStrike described an operation of the Fancy Bear group aimed at distributing the X-Agent implant together with an application used by Ukrainian artillerymen. Adding the malicious component to the application did not affect its functionality. The aim was therefore not to obstruct the work of artillerymen, but to collect information about the location or activities of the troops, supplementing intelligence obtained, for example, through air reconnaissance.

The second category of operations is much closer to military operations and involves the use of cyber operations to disrupt systems and/or destroy data. The most spectacular and widely publicized example of such activity was the use of NotPetya malware to attack Ukrainian enterprises. NotPetya was distributed by compromising the update mechanism of a program used by accountants to settle taxes in Ukraine. The malware simulated a ransomware infection, suggesting that the data could be recovered after paying the ransom, but in fact it had no data decryption mechanism, so the data was irretrievably lost. According to White House estimates, NotPetya caused $10 billion in losses. Similarly, although on an incomparably smaller scale, in 2018 the infrastructure supporting the Olympic Games was attacked with the Olympic Destroyer malware.

Among the operations with a destructive purpose, we can also distinguish attacks on industrial infrastructure. Again, the Russian services provide examples. In 2015, the Sandworm group attacked the control systems of the Ukrainian power grid, depriving more than 200,000 consumers of electricity for about 6 hours. In 2017, the Trisis / Triton malware attacked oil plants in Saudi Arabia. This incident is noteworthy because, according to analysts, the operation's purpose was to disrupt industrial safety systems, and thus lead to physical damage and potentially even casualties among the facility's employees.

Finally, the third type of operations that we can distinguish is what we would call "active measures", that is, activities aimed at promoting a specific narrative, disinformation, propaganda and stirring up social unrest. From the Polish backyard, we can cite here the operation of the Ghostwriter / UNC1151 group (attributed by Mandiant, however, to the services of Belarus), which stole and published e-mails from the mailboxes of government officials. The GRU used a very similar modus operandi during the 2016 US presidential election, when e-mails were stolen from Hillary Clinton's mail server and selectively published via WikiLeaks.

In the context of these three types of operations, it seems to me that the discussion too often overlooks the division in American doctrine of CNO (Computer Network Operations) into CNE (Computer Network Exploitation) and CNA (Computer Network Attack). CNE covers activities to access and obtain information for intelligence purposes. CNA, on the other hand, covers activities related to the disruption of systems, data destruction and blocking of access. This is where activities range from DDoS attacks that prevent access to websites to the use of Trisis to cause physical damage. And it is precisely this distinction that seems to be ignored in the discussions, which leads to inflating the role of ordinary intelligence or disinformation operations to the level of attacks understood as destructive actions. In the context of Poland, the adopted vocabulary does not help here, since the term "attack" is used for practically every activity in the cyber domain, regardless of its purpose. The case is different in English: "cyberattack" denotes destructive operations, while gaining access to systems, for example for intelligence purposes, is an "intrusion".

So, returning to the current situation, what could we classify as a cyber attack and how does it fit in the context of an invasion? ESET and Symantec announced the detection of a wiper installed on hundreds of machines in Ukraine:

and DDoS attacks hinder access to government services. The scale of these two events is different: the temporary loss of access to a website is far less burdensome than a massive infection with malware that neutralizes systems, as NotPetya did. The aim of both operations, however, is partially similar: to arouse fear among the population, to show how far the reach of Russian forces extends and, of course, to fuel confusion that makes defense difficult in the event of a conflict. So let us note that while the operation disclosed by ESET is not as advanced as the spy campaigns described above*, and DDoS attacks or similar system disruptions are not technically complicated in my view, they are the actual CNAs. Therefore, if we want to use the term "attack" precisely and, above all, not dilute it by applying it to activities that would probably go unnoticed otherwise, we should take into account the purpose of the activity and the effects it has on the target machines. Drawing on the expert opinions contained in the Tallinn Manual, it must be emphasized that espionage as such is permitted under international law and cyber operations are not an exception to this rule. An exception may be operations that were aimed at espionage but were carried out in a way that resulted in damage to systems.

Unfortunately, as we have just seen, all these operations were by no means a substitute for the actual invasion. Cyber operations by Russia will certainly continue, both CNE collecting information for the armed forces and CNA weakening Ukrainian defense and the morale of the population. While cyber attacks on critical infrastructure could be extremely dangerous and cause losses among the civilian population, it is their precise nature (Stuxnet remains the example here) that makes them the most humane type of hostilities. The escalation of activity and how much the actions will affect civilians remain open questions and a still unexplored situation. Taking into account incidents such as the attack on the Colonial Pipeline (which was ultimately a criminal activity) and the scale of losses after NotPetya, it should unfortunately be assumed that the losses caused by state groups pursuing destructive activities will be incomparably greater. Among the information that came up today there was also a report (though denied) that President Biden was presented with a scenario for conducting destructive cyber operations against Russia. Of the visions of cyberwar appearing in the media, an exchange of cyber attacks replacing kinetic strikes and escalating through the mutual moves of both sides seems to be the closest to reality. It should also be remembered that such "cyber escalation" differs from classic military confrontation in that offensive units will most often not be the target of a return strike; the most likely actions are operations against large organizations that can paralyze sectors of the economy or service delivery. The exchange of blows will therefore take place "next to" the units that carry it out.

* My private and early assessment, based on the disclosed sample characteristics and the information provided by ESET.
