In the previous post, I tried to present what types of cyber operations accompany military operations and how different types of operations are to achieve their goals by different means. Some may have expected much more intense cyber activities in Ukraine, attacks on industrial networks or the massive use of wipers. Although there are no signals pointing to such radical operations, the first days of the conflict already outline the place of cyber operations in the conflict. So let's look at the activities in the context of the categories of CNE, CNA and active agents.
Naturally, when it comes to intelligence activities, there will be the least information. Both because such activities are intended to remain undetected, and because disclosure of information is not always in the interests of defenders, who can counteract the campaign more effectively if the attacker does not change their behavior. However, some insight into the operations is still provided by reports published before the invasion, where analysts described the activity of groups associated with the Russian services against Ukraine. The Unit 42 team described the activity of the infrastructure of the Gamaredon / Primitve Bear group, which the Ukrainian services linked with FSB. From the description of the activity, a classic picture of intelligence activities with phishing documents delivered by email and using the functionality of the Office suite to download external content to deliver implants, in this case to the State Migration Office of Ukraine, emerges. However, it is worth bearing in mind that Unit42 analysts themselves point out that the group has been conducting operations against Ukraine for about a decade. Let us remember that intelligence operations, especially in the context of countries with such a clearly defined dispute as Ukraine and Russia, are continuous. In this way, let us avoid automatically linking activity with the events in Ukraine, even if in this context the link seems very clear. The activity of UNC1151, which was trying to attack, can probably also be included in this category of activities soldiers in Ukraine and perhaps also Poland.
Much more has happened in the area of CNA, i.e. destructive activities. We had examples here DDoS attacks against banks and government institutions, WhisperGate malware which was a wiper masquerading as ransomware, and an associated activity group called HermeticWiper. The British NCSC has also published a report informing about the new malwares used by the Sandworm groupwhich replaced the VPNFilter implant. Finally, the group behind ransomware Conti declared that she would support the government of the Russian Federation and respond to potential cyber operations against Russia. Despite this, so far we have not seen any spectacular effects of this type of action - comparable to NotPetya, Industroyer or in the broader context causing massive failures of IT networks in Ukraine. An event that perfectly correlated with the onset of the invasion and fit into the pattern of CNA supporting the invasion, there is an attack on satellite modems of Viasat subscribers. In the early morning, users were deprived of access to the Internet because the firmware of the devices was damaged. This concerned modems connected to the satellite network at the time, the failure started in Ukraine, and the operator is actually talking about a cyber incident. However, we will probably have to wait for the details and attributions. Regarding DDoS attacks, however, some commentators, like Kim Zetter, they have even begun to question whether actions with such little effect should be called "attacks". However, ignoring the semantic discussions, it should be noted that given the scale of invasions and attacks on civilians, abstinence in the cyber area seems surprising. So what could be the reason?
- The simplest answer is that Russia does not need to use such measures. The equipment and quantitative advantage of the Russian troops over Ukrainian forces is significant and despite how well Ukraine is doing in these circumstances, Russia is pushing forward with the sheer force of its army.
- Cyber operations supporting kinetic operations must coincide with them. The DDoS attacks and wipers used in the first days of the conflict might have been supposed to support the offensive through additional chaos, but due to the defeats at the front, they did not have the expected effects, so increasing their intensity did not matter much in the context of the entire offensive. We should remember that just as an invasion requires the amassing of troops and the preparation of logistics facilities, cyber attacks do not happen overnight. They are preceded by long phases of reconnaissance, analysis of the victim's environment, the possibility of gaining uninterrupted access during an attack, and so on. It is enough just to look at the already quoted one HermeticWiper when operation began, according to Symantec, in December, or Olympic Destroyer, which was also prepared in December, and had effects in February.
- An invasion plan can also be cause of reduced destructive actions. If it was assumed that the invasion would end in the first days with the submission of the Ukrainian government and the establishment of the Moscow regime, attacks on infrastructure would additionally antagonize the civilian population against the occupiers.
- Finally, while NATO emphasizes that it will not become militarily involved in the conflict, intelligence cooperation may also include sharing information on cyber activities. In this way, Ukraine would benefit from the possibilities of harm reduction and faster detection of attacks, and the alliance countries would have access to telemetry related to Russian activities. This may affect Russia's calculation of the profitability of the attacks, the TTP of which would be immediately analyzed by Western services, all the more it may lead to limiting operations.
We observe the most visible effects in the area of information operations, the beginning of which we could already observe some time before the start of military operations. In mid-January, the government sites of Ukraine were attacked, and the attackers posted information on them in three languages, claiming that the attacks were revenge for the historical harm suffered by Poles:
Attacks with use of mobile phishing were also observed shortly before the invasion SMS informing about the failure of ATMs or triggering bomb alarms were sent, and the soldiers received messages to discourage them from fighting. Efforts in the field of information warfare are also constantly ongoing in the field of classical narrative creation regarding the attitude of Poles to the situation in Ukraine. Analysts of activity on social networks noticed trolls trying to change their approach to refugees, build tensions between Poles and Ukrainians and recall historical events related to dark cards of relations between countries:
In this post, I am focusing on Russian operations, but it is impossible not to mention the absolute domination of Ukraine in the field of information warfare and propaganda. Ghost of Kyiv, who at the current rate of shooting down Russian fighters will be flying over Moscow in around a week. An old lady screaming at the soldiers and putting sunflower seeds in their pockets to grow when they are killed. A man with a cigarette, putting an anti-tank mine in the forest. Russian warship, idi na huj. Examples of such viral events are many, and the attitude of Volodymyr Zelensky deserves a separate paragraph, as he regularly shows his steadfast attitude and is a gigantic moral support with the soldiers. Well, a propaganda war with a man who, before taking office, was professionally involved in creating materials that would reach the widest possible audience, could not end well for the attackers.
As we can see, cyber operations are auxilliary to kinetic activities - mainly in areas not directly related to combat. DDoS and wiper attacks did not cause any radical effects (or at least we do not know about them so far). In this situation, one should not expect an increase in the intensity of activities when the kinetic operation is already at such an advanced stage - the effects of the operation would be simply negligible. On the other hand, analysts expect Kiev to be encircled and cut off from support from the west. In such a scenario, an attack on utility service providers or even news websites would be a serious blow to the civilian population and an element of pressure in the negotiations.
Another area of concern is whether the CNAs will be used in response to Western sanctions. Fortunately, the West's response is very firm and united - the ruble is plummeting and sanctions on banks have cut off access to significant amounts of cash, now diminishing as a result of the worsening economic situation and the need to fund an invasion (burning through around $ 20 billion a day). Therefore, cyber operations may be an element of the response to these harsh actions. Western countries are a natural target for cyber attacks due to the high degree of computerization of the industry, which translates into a large attack surface. Let us recall, for example, the Colonial Pipeline incident. Contrary to some opinions, it was not even an industrial attack. As a result of ransomware, Colonial lost access to the invoicing system, which meant that it had to suspend deliveries, unable to settle accounts. Additionally, it was an incident that was a "side effect" of ransomware operators' activities, motivated by financial motives. In the event of an attack aimed solely at causing casualties, the consequences would be incomparably more severe. In such a scenario, unfortunately, we would also have the opportunity to see how escalating the activities in the. The proportionality of the answer and whether it would lead to a spiral of more and more destructive attacks would be a test of a cyber operation site against other forms of military operations.
What is the current situation in Ukraine in terms of cyber operations?
It is hard to assess current pace and type of operation due to limited public visibility. But reports published by Cisco, Mandiant, and CERT-UA indicate that the operations are focused on intelligence support of kinetic operations. The destructive ops had very limited effect, but then it is not possible to tell how much this an indication of limited usefulness or effective defense efforts.