Blue, yellow and gray zone: The cyber factor in Ukraine

source:  |  image:


WASHINGTON — As Russia massed troops along its border with Ukraine over the last few months, it was unclear whether Russian President Vladimir Putin would invade. But if he did, experts warned, Russia would bombard the nation with a series of cyberattacks to sow confusion and weaken its resolve.

On Feb. 24, Putin unveiled his plans. Moscow’s war machine rolled into the Eastern European nation. The combined Russian air, land and sea assault was preceded by waves of cyberattacks, the sort of gray-zone meddling analysts and defense officials had foreseen. Websites were hamstrung. Malware coursed through computers. Communications were hampered.

But the full-fledged cyberwar some feared has not materialized. There has been no digital devastation of critical infrastructure, no damning disinformation.

“Apparently, it’s less than we thought would have happened at this point,” said Charles Munns, a retired U.S. Navy vice admiral who has advised the Defense and Energy departments. “It’s more of a 20th century invasion, with tanks and missiles and airplanes.”

A brief cyber history of Ukraine

Both Russia and Ukraine have a history with cyberattacks — the former leveraging the domain to wreak havoc, and the latter often finding itself on the receiving end.

The U.S. Cybersecurity and Infrastructure Security Agency, an arm of the Department of Homeland Security, found Russia previously used cyber tools and disinformation to project its force, to varying degrees of success.

In 2014, hackers besieged Ukraine’s elections, targeting networks and planting malware. Pro-Russia group CyberBerkut claimed responsibility. In 2015 and 2016, the Ukrainian power grid was compromised, resulting in thousands of outages. And in 2017, perhaps most infamously, NotPetya malware incapacitated vital systems the world over, resulting in enormous financial losses. The American, British and Ukrainian governments pointed their fingers at Russia.

“It spread across the West … and cost billions of dollars worth of damage, even shut down the English health care system for awhile, even responded back and hit Russian systems,” Senate Intelligence Committee Chairman Mark Warner, D-Va., said of NotPetya during a Feb. 28 Washington Post event. “Those kinds of pieces of malware, once they’re out in the wild, you don’t know where they end up.”

In late 2020, six officers of the GRU, a Russian intelligence agency, were accused of infiltrating and disrupting networks worldwide as a means to advance the Russian agenda. The U.S. and Ukraine were among those targeted.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” then-Assistant Attorney General for National Security John Demers said when a federal grand jury returned an indictment with charges of conspiracy, computer hacking, wire fraud, aggravated identity theft and false registration of a domain name.

But the Russia-Ukraine conflict so far has not included that level of damage. Exactly why is not quickly discernible.

“I think it goes, overall, into President Putin underestimating how easy it would be to take over Ukraine,” said Craig Albert, the director of intelligence and security studies at Augusta University in Georgia. “I think he might be holding some more cyberattacks in his back pocket. He doesn’t want to unleash them yet.”

Throughout January and February this year, Ukraine was peppered with distributed denial-of-service attacks, a tactic that paralyzes websites with an overwhelming stream of traffic.

On Feb. 23 — just hours before Russia began its physical invasion — the websites for Ukraine’s defense, foreign affairs and interior ministries, among others, were knocked offline, the government said. Later, malware was discovered on hundreds of machines. Metadata cited by cybersecurity firm ESET suggested the attack may have been in the works for weeks.

“The attack involved new data-wiping malware dubbed HermeticWiper — a destructive malware that can delete or corrupt data on a targeted computer or network,” the CyberPeace Institute in Switzerland wrote in reporting the timeline of cyberattacks on Ukraine. “The wiper has been detected in Ukraine, Latvia and Lithuania, and targets include financial organizations and government contractors.”

The State Service of Special Communication and Information Protection of Ukraine said it and its cyber partners worked to counter the attacks and glean information from them. Prompt updates were promised.

“Most analysts assumed the next war by Russia would be something where we would see actual, physical destruction or death as a result of the cyberattacks, something like [former U.S. Defense Secretary] Panetta’s infamous ‘cyber Pearl Harbor’ that was warned about,” Albert said.

Blame game

Attributing cyberattacks to any one specific actor can be difficult — but both Ukraine and the U.S. were quick to blame Russia for the attacks in recent months, pointing to digital footprints and other evidence.

“The Russian government has perpetrated cyberattacks against Ukraine,” President Joe Biden said Feb. 24. “We saw staged political theater in Moscow, outlandish and baseless claims that Ukraine was about to invade and launch a war against Russia, that Ukraine was prepared to use chemical weapons.”

Days prior, the White House’s National Security Council publicly linked the attacks to the GRU.

“The U.S. has technical information linking Russian GRU to this week’s distributed denial of service attacks in Ukraine,” the council tweeted Feb. 18. “Known GRU infrastructure has been noted transmitting high volumes of communications to Ukraine-based IP addresses and associated banking-related domains.”

Moscow has historically denied responsibility. The Russian Embassy in the U.S. in mid-February said Russia “has never conducted and does not conduct any ‘malicious’ operations in cyberspace” and described related remarks made by a U.S. official as “purely anti-Russian.”

The US and NATO respond

Both the U.S. and NATO have responded to the cyberattacks, with the Western alliance working to bolster Ukraine’s cyber defenses and Biden threatening retaliation if attacks bleed into NATO-aligned countries.

The NATO Cooperative Cyber Defence Centre of Excellence in Estonia recently granted Ukraine “contributing participant” status, after rejecting its membership last year. The new relationship, expected to sharpen Ukraine’s cyber skills, was announced March 4.

“Capability and knowledge comes from experience and Ukraine definitely has valuable experience from previous cyber-attacks to provide significant value to the NATO CCDCOE,” Estonia’s minister of defense, Kalle Laanet, said in a statement.

The director of the center, Col. Jaak Tarien, in a separate statement suggested Ukraine’s expertise would bolster research, exercises and training.

Should the Kremlin ramp up its cyber operations and set its sights farther west, the U.S. is “prepared to respond,” according to Biden.

“For months,” the president said Feb. 24, “we’ve been working closely with the private sector to harden our cyber defenses and sharpen our ability to respond to Russian cyberattacks.”

While the president did not say what the response would be, and U.S. Cyber Command did not respond to requests for comment, the country has plenty to bring to bear.

“Should we keep all our capabilities on the table? Should we be prepared to use those capabilities? Absolutely, yes,” Warner said. “I don’t believe, though, that we should pre-commit on those until we see what kind of Russian activities take place here.”

A study published in 2021 by the International Institute for Strategic Studies ranked the U.S. as the world’s No. 1 cyber superpower, with decades of development and investment across military, industry and academia. The same study put Russia in the second tier, alongside China and others.

Russia’s strategy, Munns said, historically focused on collecting intelligence, “like many big countries do,” and sowing discord. Russian interference in the 2016 presidential election is a prime example. Divisive topics were identified, amplified and exploited, much to the detriment of stateside discourse.

“What most people don’t understand is the United States and Russia are in cyber conflict constantly,” Albert said. “It’s not cyberwar, it’s not warfare that we’ve known.”

The Cybersecurity and Infrastructure Security Agency has said there are no credible cyberthreats bearing down on the U.S. Nonetheless, the agency issued a “Shields Up” notice earlier this year, indicating every organization, large and small, should be ready to respond to irregularities.

“If [Putin] views any of these actions as an act of war, if he views them as a provocative, assertive gesture by NATO and the U.S., one way for him to retaliate without risking full-scale kinetic warfare between NATO member states and Russia would be to respond through cyber means,” Albert said. “I assume that’s happening in some scaled version already.”

Warner and other lawmakers have expressed similar worries about spillover.

“I think one pressing concern is that what the Kremlin is directing at Ukraine may not stay in Ukraine, in terms of the cyberattack,” House Intelligence Committee Chairman Adam Schiff said late February. “The other possibility is that Putin lashes out at the United States and NATO, and in this kind of hybrid warfare, it deploys cyber tools to attack American companies or American infrastructure.”

Schiff, D-Calif., said as of Feb. 24 he hadn’t seen evidence of Russian “cyber action directed at the United States over Ukraine.”

But there “is always the risk of escalation,” he cautioned, and it is “very early in the conflict.”