Have Russian Cyberattacks Changed the Course of the War in Ukraine?

Have Russian Cyberattacks Changed the Course of the War in Ukraine?

While Russia was ultimately unsuccessful in its attempts to paralyze Ukrainian resistance, it was able to inflict considerable damage on Ukraine’s critical infrastructure.

 

When Russia began its large-scale invasion of Ukraine on February 24, it was evident that something had gone wrong in the Russian concept of operations. Early footage showed hapless Rosgvardia forces advancing on Kyiv alone and Russia’s elite airborne forces repeatedly trying to seize Hostomel airport without ever receiving the combined arms support they would have needed to succeed. And, having discussed their plans in the days preceding the invasion, Russian forces were met with robust Ukrainian resistance. Along with the infamous “forty-mile column,” this seems to suggest that the Russian forces had been committed with a hopeless lack of coordination and forethought.

However, some elements of the invasion were clearly planned in advance, and this is most evident in reports of cyberattacks that Microsoft claims to have uncovered. The evidence provided by Microsoft indicates that Russia coordinated cyberattacks with kinetic effects against certain key Ukrainian targets. The company states that a Russian actor launched a DesertBlade cyberattack against a Ukrainian broadcaster on March 1, which was the same day that Russia announced it would destroy sources of “disinformation” in Ukraine and launched a missile strike against a TV tower in Kyiv.

 

In the second week of the invasion, Russian forces seized the Chernobyl and Zaporizhzhia nuclear power plants, both of which had been targeted shortly before by Russian cyber actors, leading to data leaks. By the fifth week, Russian cyberattacks had expanded to include a targeted strike on Ukrtelecom, a major fixed-line telecommunications and internet provider in Ukraine. The Ukrtelecom attack led to a drop in connectivity to 13 percent of pre-war levels, the BBC reported. Other attacks were launched against one of Ukraine’s largest energy providers using a variant of the Industroyer malware, although the attacks were averted through intelligence and coordination services provided by Microsoft and Eset. Russia’s cyber forces also targeted the systems responsible for grain exports, tried to manipulate public opinion through information strikes, and attacked a logistics company based in western Ukraine.

The deliberate targeting of critical infrastructure is expected to cause psychological and physical damage to an opponent; Russian theorists refer to it as a strategic operation for the destruction of critically important targets (SODCIT), a concept that was covered at length by Mike Kofman from the Center for Naval Analyses in a 2021 report. A SODCIT can include a broad range of targets, including government, military, and economic buildings, and the means of mass communication. Kofman and his colleagues note that the campaign is meant to cause carefully calibrated damage to deter an opponent from escalating further and degrade the will of the opposing leadership to resist. The means used to achieve these effects can include kinetic strikes as well as electronic warfare and cyberattacks. It stands to reason that the coordinated use of cyber and kinetic actions against Ukraine’s critical national infrastructure was part of a SODCIT. It is possible that this element of the campaign was planned and coordinated in advance.

Evidently, if the Russian SODCIT in the opening phase of the Ukraine war was intended to undermine President Zelensky’s will to resist or paralyze Ukraine’s armed forces, it failed. However, Russia’s use of strategic cyber effectors was expanded to degrade Ukraine’s military capacity as well.

War in Space

In a study on Russian thought around information strikes and reconnaissance-strike complexes, Timothy Thomas found that in 2009, Russian authors had referred to the need to fight the opening stages of a conflict in space. At the very early stages of Russia’s invasion, a massed cyberattack was conducted against Viasat, a satellite internet provider that serviced Ukraine and parts of Europe. The Ukrainian armed forces are understood to have utilized this internet provider via mobile Tooway reception stations, and Viasat may have been involved in supporting the GIS Arta artillery coordinating app. An investigation by Sekoia indicates that it may have been these Tooway stations that were hacked by Russian cyber forces.

Viasat later reported that the cause of the Tooway blackout—which affected 30,000 European modems—was the result of high volumes of malicious traffic issued by two Skybeam modems, which prevented other modems from connecting. Viasat added that the attacker was able to access the network by exploiting a misconfigured VPN, moving laterally through the network by issuing malicious commands to overwrite data in the flash memory of the modems. Viasat implemented defenses, but attackers continued to attempt to access the network and compromise it.

The attack was coordinated with the start of Russia’s invasion, as well as with a host of other kinetic strikes and cyberattacks that were intended to degrade Ukraine’s ability and will to resist. The cyberattack that brought the Viasat network down degraded Ukrainian communications and drove Ukraine’s reliance on StarLink, which has also been subject to jamming and cyberattacks. Ukraine may have suffered from a severe lack of jam-resistant communications without the timely provision of StarLink equipment.

What’s Next?

While Russia was ultimately unsuccessful in its attempts to paralyze Ukrainian resistance, which may in part be a result of poor intelligence assessments, it was able to inflict considerable damage on Ukraine’s critical national infrastructure with a combination of cyber and kinetic effects. The former appears to have been designed to magnify the damage and confusion arising from the latter. Moreover, the attacks seem to have been coordinated in their time and focus, which suggests that certain aspects of the Russian invasion were well prepared and coordinated.

Cyberattacks are often limited in their ability to be reused, and they take a long time to develop. It follows that Russia may have exhausted a significant amount of its Ukraine-specific cyber capabilities in the war so far. Russia has also demonstrated that cyberattacks can be useful in securing or maintaining an advantage on the battlefield. An important element of Ukraine’s resilience has been the assistance provided by Western companies such as Microsoft and Starlink, which has helped Ukraine continue governing and coordinating its forces.

Sam Cranny-Evans joined RUSI as a Research Analyst in C4ISR in October 2021 having spent five years at the Janes Information Group where he finished as a lead analyst in land warfare platforms. He can be found on Twitter @Sam_Cranny.

Image: Reuters.