Russian cyber and information warfare in practice

Lessons observed from the war on Ukraine

Russia’s full-scale invasion of Ukraine in February 2022 confounded many expectations about Russian military capabilities and Ukrainian resilience – including in the cyber and information aspects of the war. This paper examines Russia’s deployment of cyber and information operations against Ukraine, assesses the effectiveness of Ukrainian responses, and outlines potential lessons for other states.

Many factors contributed to the failure of Russian cyber and information operations to achieve their intended effects. Ukraine had a long time to familiarize itself with its opponent’s methods in the eight years since Russia’s seizure of Crimea and parts of eastern Ukraine. Russia also badly misjudged Ukrainian resilience, failing to anticipate its adversary’s resourcefulness and whole-of-society approach to mobilizing formal and informal resistance. Crucially, too, Ukraine received – and continues to receive – substantial support from tech firms in the West.

Other states looking to learn from the Ukrainian experience should consider, among many factors, the need to be pre-emptive in detecting and monitoring threats, and to ensure that national defence strategies take full account of the interdependencies between different types of Russian operations. There is also a need to review closely the legal implications of wartime activities conducted by civilians and private sector companies, as such activities may blur the distinction between combatants and non-combatants.

02 Ukrainian resilience and resistance in 2022

Just as with conventional military operations, Ukraine’s unexpected resilience to information warfare campaigns and cyberattack confounded Russian expectations and assumptions in the early phases of the full-scale war. But many assumptions by foreign observers were also misplaced.

Opening salvoes

Just as with assessments of Russian conventional warfare against Ukraine, there is a broad consensus in analysis of the early stages of Russia’s cyber campaign against its neighbour in 2022 that the forces waging it were fundamentally unprepared for the nature of the conflict that developed.

In some analysis, this has been attributed to Russia’s cyber forces being as uninformed as the ground troops on overall plans to launch the invasion, and being given no time to prepare for the new nature of the conflict. This, however, is not borne out by other observations, which suggest that those involved in cyber and information activities – like the rest of the Russian military and intelligence services – were prepared for a swift ‘special military operation’ but were startled by it turning into a full-scale war in which the enemy fought back.

Activities before and during the initial stages of the assault suggest that Russia’s cyber and information forces were better prepared than its armour and infantry. A spike in destructive cyber assaults against Ukraine occurred in January and February 2022, and has been characterized in one analysis as a process of ‘softening up by software’. Attacks that sought to suppress communications by Ukraine’s government and military indicate that long-term, coordinated preparation was involved. One example was the attack on the Viasat KA-SAT network immediately before 24 February, which was followed up by conventional and electronic warfare (EW) attacks also designed to blind Ukrainian forces. The clearest evidence of Russia’s information preparations for the move into Ukraine came in the execution of plans to round up previously identified individuals as soon as Russian forces gained control of a particular city or town. In keeping with consistent practice during Soviet times, arrests, interrogations and murders of public servants, politicians, local activists, journalists, police officers, war veterans and other groups were an immediate priority. Russian forces were fully equipped with lists of names, telephone numbers and addresses of those to look for.

But it is likely that failure to anticipate Ukrainian resistance severely impaired other cyber and information operations intended to support Russia’s conventional war effort. In the early stages of the new invasion, further destructive attacks on communications and other infrastructure were constrained by an assumption that Ukraine would fall without a fight, and that infrastructure would be taken over by Russian authorities. Once that assumption was discovered to be distant from reality, Russia’s forces across the board found themselves fighting an unanticipated war. This may have contributed to a further transition in the ensuing months, when there was a change in tempo to what have been described as ‘fast and dirty’ cyber methods, as Russian cyber forces transitioned to tactics that required less forward planning and were more straightforward to implement; these included distributed denial of service (DDoS) attacks and the deployment of a new generation of less sophisticated and modular ‘wiper’ malware.

Analysis from December 2022 concluded: ‘Russia’s experience suggests that cyber fires can be usefully concentrated in a surprise attack or other major salvo, but they risk fading in relevance during larger, longer wars.’ This seems to contradict another key aspect of Russia’s employment of information and cyber effects, namely that ‘the demands of preparation for a combined-arms campaign do not lend themselves well to Moscow’s more nebulous notions of information warfare as an ongoing, unending struggle’. However, both of these assessments can be valid at once due to the specific view held by Russia and other nations of information warfare as a holistic activity, in which cyber campaigning is simply a manifestation of information manipulation. One practical result for Russia’s armed forces is the continuing need to integrate cyber effects with conventional warfare at an operational and tactical level, as well as treating them as strategic tools. This was one of the intents behind the establishment of Russia’s ‘Information Operations Troops’; and it has led to a distinctive structure for this element of Russia’s armed forces, grouped under the GRU military intelligence service. Importantly, Russia sees cyber operations in wartime not as a direct replacement for missiles and bombs for destructive effect (as interpreted in some popular Western descriptions), but as applicable to far more uses.

One result of the war developing in an unexpected direction appears to have been unanticipated demands on Russia’s cyber forces which they may have been poorly prepared to meet, due to a lack of forward planning appropriate to a protracted conflict.28 This may have led to early squandering of advantages held by Russia. Google’s Threat Analysis Group notes that the destructive impact of attacks on Ukrainian networks around the time of the full-scale invasion was not as significant as that of earlier Russian cyber campaigns against Ukraine, and that the attacks wasted access gained months in advance. The expectation of a short war led to a ‘lack of operational preparation that could have sustained some persistent accesses while burning others during destructive activity’, Google concluded.

Preconditions for Ukrainian resilience

One simple fact working against Russia was that its war on Ukraine did not in fact start on 24 February 2022. Expectations of cyber and cyber-enabled effects that would leverage an adversary’s surprise and unpreparedness were misplaced. Although Russia might have been expected to take a different operational approach in full-scale conflict compared to the limited warfare waged in 2014–22, the preceding eight years of hostilities nevertheless gave Ukraine ample time to study Russia’s capabilities and intentions and develop resilience. Ukraine’s cyber defences, like its armed forces, had developed beyond recognition from their threadbare and compromised state in 201430 – although this development too was widely underestimated outside Ukraine itself.

An additional enabler for Ukraine was support from abroad, both nationally and by private industry. In the lead-up to the invasion, Google observed the pattern of attacks against Ukrainian media and civil society websites and decided to extend its Project Shield protection against DDoS attacks – first to the Ukrainska Pravda news website, and then to a further 2,300 sites judged to be important to keep functioning. This meant that when major attacks were mounted against these sites, they were in a form that would have been overwhelming for an individual site but were trivial for a network and capabilities on the scale of Google’s. This, too, reputedly caused surprise on the Russian side. According to one account: ‘Folks in the Kremlin pressed the button with glee. Then nothing happened – so they pressed it again.’ The nature and impact of the foreign support provided to Ukraine will be examined in detail later in this paper.

Social media platforms operating by peacetime norms can be deeply unhelpful to a country fighting a war of national survival.

Other technology companies, however, were less cooperative. As Ukraine has found with Facebook suppressing commentary on Russian actions, and not responding to investigative enquiries into hostile information operations in a timely manner, social media platforms operating by peacetime norms can be deeply unhelpful to a country fighting a war of national survival. Ukraine’s efforts at maintaining the integrity of its own information space were also hampered by the fact that the regional headquarters of many technology companies were in Russia, not Ukraine. The Google office making decisions on content carried by Google’s YouTube platform for Ukraine was in St Petersburg, and Ukrainian information professionals noted repeated instances of undue promotion of pro-Russian content on the platform. They have noted that Apple, too, ran its Ukrainian operations from Russia, meaning that hardware was distributed through Moscow and consequently implying that the FSB – Russia’s Federal Security Service – potentially had access to smartphones before these reached the Ukrainian market, thus potentially compromising their security. Similarly, companies like HP and Cisco also covered Ukraine from Moscow, meaning that technical data for the country was routed through Russia and thus vulnerable to access by the Russian intelligence services. Consequently, it was impossible to build network infrastructure that would be inherently secure.

As noted above, Ukrainian OPSEC measures have been highly effective. One result of this is a dearth of reporting on successful information operations by Russia – or on other forms of setback or failure by Ukraine. Reporting of this kind, when not easily dismissed as Russian hyperbole, can be difficult to confirm, so there are only isolated descriptions from authoritative sources suggesting that cyber or cyber-enabled operations may have had a substantial impact on Ukrainian battlefield capability. For instance, in the earliest phases of the conflict, Bayraktar TB-2 unmanned aerial vehicles (UAVs) were a significant asset for Ukraine (albeit widely hyped in information campaigns); but they later virtually disappeared from the battlefield. This could be explained by developments in Russia’s air defence posture from the early and chaotic days of the invasion, but Google attributes this to a successful act of cyber espionage by Russia’s FrozenBarents/Sandworm cyber operations group on the drones’ Turkish manufacturer, which enabled Russian forces to discover means to disable them. (A more prosaic possible explanation is that during this period Bayraktars were also supplied to the Russia-friendly government of Mali, which could well have passed on observations on best practice for neutralizing them.) Meanwhile, multiple sources note that other campaigns have targeted sensitive information like Ukrainian military communications and troop movements – but these sources have not provided the kind of detail that would allow an assessment of how such targeting was carried out, what the effect was, and whether this provides transferable lessons for other conflicts.

The fact that cellular telecommunications networks need to stay up and are used by both Ukrainian and Russian troops, at times for operational as well as personal purposes, has been exploited by both sides. The apparent asymmetric success enjoyed by Ukraine in this field once again derives not only from defensive countermeasures but also from a significant difference in operational security. Russia’s poor OPSEC has led both to extensive communications intercepts and to effective exploitation of the information in them, whereas in relative terms genuine Russian intercepts of Ukrainian conversations seem to have been almost non-existent. But in addition, here too Russia is using familiar techniques delivered by systems that have been well known for years, such as the Leer-3 UAV-borne EW system for harvesting data from and disseminating content to an adversary’s connected devices. These are, again, methods with which Ukraine’s forces had grown familiar over an extended period prior to the full-scale invasion in February 2022, and so these techniques had limited potential to deliver decisive new impact.

Ukraine’s successful efforts at crowdsourcing resistance – making best use of the volunteer services of a population highly motivated to fight a war of national survival – have been reported on extensively. These have included effective tasking of the entire civilian population for intelligence collection and reporting (the legal implications of which are also discussed further below). Resilience measures have also involved the specific and careful preparation of decision-makers in government and industry as well as other stakeholders. Focused efforts at building networks, ensuring communications and gaming out crisis cooperation through table-top exercises in the months before Russia’s escalation helped prepare key leaders for the reality of conflict.

The overall effect of these combined measures has been to keep the Ukrainian state largely functioning online, despite Russia’s best efforts to prevent it from doing so. Success in this regard can be measured against other countries in the region and beyond: Ukraine daily withstands numerous attacks on a scale that has proven capable of taking entire governments offline in countries that have invested less in their resilience.

Source: Chatam House