Some perspectives on the use of cyber-attacks in the first weeks of Russia’s invasion of Ukraine

By Mikkel Storm Jensen, msje@fak.dk, 3/15/2022

Two weeks into the largest inter-state armed conflict in Europe since World War II, it is perhaps useful to pause and make some tentative observations regarding the coercive use of cyber means. The following analysis – if this piece can aspire to such a presumptuous description – is based on first impressions from what can be gleaned from reputable media’s reporting, not thorough scientific research or what in military terms would be called proper intelligence. For the same reasons, the piece is not provided with sources, and terms such as “cyber-attack” and “cyber-domain” will be used intuitively without reference to any specific doctrine.

I will initially clarify what offensive cyber means are and then summarize how state actors have deployed them in the war so far. I will then touch upon how non-state actors on both sides have joined the fray in the cyber domain, and how this has played into the combatants fight to dominate the war narrative in the international public arena. Finally, I will make some tentative observations on what implications for cyber means’ roles in interstate warfare may be emerging from the war so far.

The cyber means discussed in this peace are those capable of conducting offensive activities – cyber-attacks – through the internet to destroy, degrade, interrupt or in any other way manipulate data, the nodes through which the data moves, computers or any hardware connected to them. Thus, defensive cyber activities and cyber-attacks for the purpose of e.g. espionage are not included and neither are information operations conducted through social media.

The expected war that wasn’t: Russia’s offensive use of cyber

For years prior to the invasion, Russia has shown both the will and the capability to conduct cyber-attacks on Ukrainian infrastructure. Infamously, and used as examples ad nauseam, with the Black Energy-attack Russia executed a shutdown of parts of Ukraine’s electricity distribution for some hours during the Christmas of 2015, and two years later it hit Ukraine’s economic critical infrastructure with the NotPetya-attackthat spread across the globe. These attacks, conducted below the threshold of armed conflict, have been interpreted as part of a Russian “hybrid warfare” campaign with the purpose of undermining the Ukrainian populations trust in the government’s ability to protect and preserve the nation.

During the Russian preparations and logistical build-up period immediately prior to the invasion, attacks on banks and government sites have increased somewhat, but they remained strategically very far from the above-mentioned attacks of 2015 and 2017. Contrary to the expectations of many analysts, since the invasion began and the threshold of armed conflict was crossed, the amount and severity of Russian cyber-attacks have reportedly not increased. While reporting in the field is likely lacking precision and difficult to verify, Ukraine’s critical infrastructure, including most means of communication, appear to be online and working sufficiently for the society to continue functioning.

The apparent lack of Russian attacks leaves a major question to be explored by researchers: If Russia did not appear to be bothered by international norms with regards to cyber-attacks on Ukraine before breaking the immense taboo of invading the country, why has Russia not conducted substantial cyber-attacks after the invasion? In theory, cyber-attacks on infrastructure such as electrical power, telecommunication and railroads could undermine Ukrainian morale and support the land forces’ offensive e.g. by slowing down supplies and limiting communication. Obviously, there are two immediate hypotheses: Russia either can’t or won’t conduct such attacks. Neither can be tested without further insight into Russia’s military leadership and Ukraine’s defensive measures and any further thoughts would be mere speculation. Future developments will be indicative of whether won’t or can’t is the most likely reason for the lack of attacks. If destructive and disruptive cyber-attacks pick up at the same rate as the Russian use of artillery and unguided bombs to overcome the Ukrainian defensive operations, it could be an indicator of initial restraint. If the Ukrainian railroads and power plants keep running while the Russians commence attacks on e.g. Kyiv with massively destructive bombardments as in Grozny, Chechnya in 1999, then possibly the Russian offensive cyber capabilities are unable to support the ground forces at the operational level. It is still too early to draw any conclusions, but the second week’s increasing and more indiscriminate Russian use of heavy firepower against Ukrainian cities does not appear to be accompanied by a similar increase in severe cyber-attacks. Again, the reasons for this must so far be the topic of speculation, but it would arguably be inefficient for the Russians to “burn” offensive cyber capabilities on targets they are willing to destroy physically with conventional bombs and grenades.

Regarding Ukraine, little or nothing has been reported on her use, if any, of offensive cyber. However, the available reporting prior to the invasion suggests that Ukraine, at least until invaded, was only at the receiving end of cyber-attacks in the Russian-Ukrainian conflict. Regarding NATO, the alliance is very carefully avoiding intervention in the conflict, and, again hopefully, will not be called upon to do so. Hence, this is not an occasion for NATO to integrate offensive cyber effects through the Cyber Operations Centre.

Many individual members, including Denmark, offered Ukraine assistance with defensive cyber operations several weeks before the Russian attack. From a strategic perspective, such support is good use of military force: Strengthening Ukraine’s cyber defence can provide substantial defence of Ukraine from direct attacks. Moreover, as this kind of support is not of a nature that can reasonably be perceived as threatening by Russia and provoke escalation of the conflict, this strategy looks well fit to avoid a conflict spill-over – again recalling the Russian NotPetya-attack in 2017 that had severe consequences outside Ukraine.

Non-state actors and activists join the fray

While the reported Russian state initiated cyber-attacks have been less than expected, several non-state actors have entered the conflict. On the Russian side, some cyber-criminals, a very competent ransomware gang attributed with significant attacks in the past, have declared their support for the Russian “liberation” of Ukraine and threaten Western states. One such Russian criminal group stated that "If anybody will decide to organize a cyberattack or any war activities against Russia, we are going to use all our possible resources to strike back at the critical infrastructures of an enemy,". However, some of the members of this criminal software development team are Ukrainians. They have allegedly provided authorities information on Russian parts of the gang in response to the invasion.

On the other side of the frontlines, the illusive international hacker-activist association “Anonymous” has declared their support for Ukraine. Other civilian activists have reportedly conducted individual attacks, e.g. disclosed information gathered from Russian government sources. Some have begun arranging homepages where less computer savvy people sympathetic to Ukraine can allegedly mouse click a button and put their computer to work to overwhelm a number of Russian internet sites. In parallel efforts, the Ukrainian government has called non-state actors for help and made lists of Russian targets available. Reportedly, these attacks are having some effects but these have yet to be confirmed and measured before any substantial assessment can be made. Regardless of the actual effects, the mere public discussion of such “cyber partisans” provide additional venues for Ukraine to promote their plight and draw sympathy and moral support.

The use of civilians as voluntary bot armies by providing both the necessary software and targets is reminiscent of the Russian use of “active patriots” as part of their cyber campaign against Estonia in 2007. Hence, some of the Ukrainian tactics are not novel. What is new, however, is the involvement of self-motivating civilian activists. While one can have sympathy for the reasons why they do this, the activists (regardless of which side they support) are in principle committing sabotage against a state. The monopoly of the legal use of violence – including cyber-attacks – is a very basic attribute of a state. Moreover, states are actually obligated to stop any such activity that takes place from their territory – just as Western states have called upon Russia to curtail criminal groups attacks on western targets, e.g. the Colonial Pipeline-attack in 2021.

Apart from the legal aspects, the involvement of self-motivating civilian activists is problematic from a strategic perspective. As it takes time to attribute and assess cyber-attacks, they may have a very destabilising effect on decision makers that are under severe strain and have limited information. Under such circumstances, it is difficult and potentially escalatory if the state under attack is unable to distinguish between state actors’ activities and private initiatives made without official consent.

Blood and iron are still the decisive factors in combat

A final thought to round these initial impressions is that cyber-attacks have only had a limited influence on the outcome of the war so far. The overwhelming part of the fighting has been decided by military hardware and the capability, courage, cleverness and luck of those wielding them. As noted, the influence of cyber could perhaps have been greater if Russia had the will and/or the means – which of them is lacking is guesswork at this point – to shut down major parts of Ukraine’s infrastructure and communication.