Hype or Hoax?


Mark Twain is often credited with the line, "It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so." The quote offers two lessons: first, why double negatives in a sentence are a terrible idea, and second, how assumptions lead one into trouble. Assumptions affect every level of decision-making; when national leaders make them, however, trouble can rapidly escalate into chaos and turmoil.

Russian President Vladimir Putin and his military suffered chaos and turmoil throughout the first year of the war in Ukraine. These failures were driven by numerous factors, ranging from Putin's own micromanagement of military decisions to limited resupply capacity inside Ukrainian territory. Before the conflict, one significant assumption worked in Russia's favor: that its cyber and electronic warfare capabilities could exert enough influence to shape the war. Russian cyber operations have been in the limelight since hackers from the Main Intelligence Directorate (GRU) and the Federal Security Service (FSB) infiltrated the Democratic National Committee's servers ahead of the 2016 US presidential election.[1]

Those accomplishments shaped the Russian leadership's assumptions about what cyber and electronic warfare could do against Ukraine. The assumptions bred complacency, and that complacency killed Russian momentum. Initial attempts at cyber warfare produced minimal gains, and electronic warfare units failed to degrade Ukrainian capabilities effectively. While Putin has succeeded on certain fronts, such as damaging the Ukrainian economy, his assumptions about the effectiveness of cyber and electronic warfare helped drive his Ukrainian offensive toward failure.

First, by analyzing Russia’s past success in cyber and electronic warfare, this essay examines how Putin developed his assumption that Russian cyber operations would overwhelm Ukrainian cyber security measures. Second, it explores how these assumptions contributed to complacency and failure in the war in Ukraine. Finally, the essay discusses how Russia’s failures in Ukraine will shape the future of cyber and electronic warfare.

Russia: A Modern History of Hacking - Before the war in Ukraine, Russia's cyber network attack and exploitation capabilities had a formidable reputation, built largely on two widely publicized campaigns. First, the December 2015 and December 2016 attacks on the industrial control systems of the Ukrainian electrical grid reinforced the assumption that Russia would successfully integrate cyber warfare into its 2022 invasion. Second, the 2017 NotPetya attack, a destructive wiper disguised as ransomware, further illustrated the reach of the Russian intelligence services' offensive capabilities.

In December 2015, and again in December 2016, Russian operators struck at the infrastructural stability of Ukraine. In the first attack, hackers later identified by the US Department of Justice as the GRU unit known as Sandworm used stolen VPN and SCADA credentials to enter three regional distribution companies in western Ukraine and open breakers at roughly 30 substations, cutting power to about 230,000 customers for several hours. In the second, the Industroyer malware (also called CrashOverride) de-energized a transmission substation serving Kyiv by speaking the grid's own control protocols directly. In both cases the operators used a specialized, staged approach as they moved along the industrial control system cyber kill chain. Unlike the later NotPetya attack, which self-replicated and spread beyond any human control, the grid attacks illustrated the meticulous, hands-on approach Russian hackers could employ.

The 2015 attack demonstrated the range of damage a cyber network attack can entail. The Russians used a three-pronged approach. First, having taken over the operators' workstations, they opened breakers through the SCADA human-machine interfaces themselves, then overwrote the firmware of the substations' serial-to-Ethernet converters so that engineers could not close the breakers remotely and had to restore power by hand; the KillDisk wiper then destroyed the workstations used to run the grid. Next, they flooded the utilities' customer call centers with automated calls, a telephone denial of service intended to keep customers from reporting outages and to erode confidence in the government's response. Finally, Russian influence efforts promoted misinformation online, claiming the failures stemmed from aging infrastructure rather than a foreign cyber network attack.

In June 2017, the global economy suffered what the White House later called the most destructive and costly cyberattack in history. Attributed by the US, UK and allied governments to the GRU, the attack came from a piece of malware known as NotPetya. It posed as ransomware but was a wiper: it encrypted the disk's master file table and overwrote the boot record with no working recovery path. It was seeded through a compromised update of M.E.Doc, a tax accounting package used by most companies doing business in Ukraine.

NotPetya's engine for spreading between Windows hosts was EternalBlue, an exploit developed by the National Security Agency and published in April 2017 by the Shadow Brokers, a group that dumped a cache of stolen NSA tooling online. EternalBlue abuses a memory-corruption flaw in the Windows SMBv1 file-sharing service (CVE-2017-0144) to execute code remotely with no user interaction. While it stayed secret it was, in effect, a zero-day: an opportunity "when security teams are unaware of their software vulnerability, and they've had 0 (zero) days to work on a security patch or an update to fix the issue." Microsoft, however, had issued the MS17-010 patch in March 2017, a month before the leak, so by the time NotPetya ran the flaw was not a zero-day but an unpatched n-day on any host that had not applied the update. Exploits of this kind short-circuit the cyber kill chain, which begins with basic reconnaissance and typically ends with an attack or espionage.

Traditionally, the reconnaissance and intrusion portion of the cyber kill chain can take months. A wormable remote exploit collapses it: no phishing lure, no user click, just a network packet to any host exposing a vulnerable SMB service. Backdoors are "an undocumented way of gaining access to computer system(s)"; strictly speaking, EternalBlue is not a backdoor but a remote code execution exploit, and the backdoor in the leaked toolkit was the companion DoublePulsar implant loaded into the kernel once the exploit succeeded. Either way, the effect was the same: attackers could skip reconnaissance, weaponization and delivery and move directly to exploitation, installation and actions on objectives. Just as important, NotPetya did not rely on the exploit alone. On every host it reached it harvested credentials from memory with a Mimikatz-like tool and reused them through the legitimate PsExec and WMIC administration tools, which is why fully patched machines also fell.

Figure: Lockheed Martin's Cyber Kill Chain

The Russian operators' aim with NotPetya was to disrupt Ukrainian businesses and government bodies through the tax software they all relied on. Instead, NotPetya replicated uncontrollably, spreading into the internal networks of any multinational with an office or a VPN link in Ukraine; Maersk, Merck, FedEx's TNT Express and Mondelez were among the firms shut down for weeks. The less concerning outcome was the cost to the global economy, estimated at over $10 billion. The more significant concern was what the attack revealed: Russia was willing to fold a leaked US exploit into a self-propagating weapon and accept uncontrolled collateral damage. Both NotPetya and the grid attacks illustrate the capabilities of the Russian intelligence services. With a definitive history of manufacturing and spreading misinformation, crippling the global economy, and conducting spoiling attacks on an adversary, why would Russia not assume it would roll over Ukraine in the cyber realm?
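To make the lateral-movement point concrete, here is an added toy model, written for this page and not taken from the original essay or from NotPetya itself. It simulates the two documented spread routes (SMBv1 exploitation of hosts missing MS17-010, and replay of credentials harvested from memory via PsExec/WMIC) over a constructed five-host network with hypothetical account names, and shows why patching alone was not sufficient when a privileged account had logged on to the first infected machine.

```python
"""Toy model of NotPetya-style propagation inside one network.

Added illustration; the hosts, accounts and links are constructed sample data.
NotPetya (June 2017) moved laterally by two publicly documented routes:
  1. SMBv1 exploitation (EternalBlue / EternalRomance) of hosts missing MS17-010.
  2. Harvesting credentials from the memory of each infected host with a
     Mimikatz-like tool, then reusing them over PsExec / WMIC against any
     reachable host where the stolen account holds admin rights.
Route 2 is why fully patched machines still fell.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ms17_010_patched: bool
    logged_on: frozenset      # accounts whose secrets are resident in memory
    local_admins: frozenset   # accounts with administrative rights on this host


def spread(hosts: dict[str, Host], links: dict[str, set[str]],
           patient_zero: str) -> dict[str, str]:
    """Return {host_name: how it was compromised} for every host the worm reaches.

    Credentials harvested on any infected host can be replayed from any other,
    so the search runs to a fixpoint: an account stolen late in the outbreak may
    unlock a patched host that was checked and skipped earlier.
    """
    reached = {patient_zero: "initial infection (trojanised software update)"}
    changed = True
    while changed:
        changed = False
        stolen = frozenset().union(*(hosts[h].logged_on for h in reached))
        for src in list(reached):                      # snapshot: dict grows below
            for dst in links.get(src, set()):
                if dst in reached:
                    continue
                target = hosts[dst]
                usable = stolen & target.local_admins
                if not target.ms17_010_patched:
                    reached[dst] = f"SMBv1 exploit (MS17-010) from {src}"
                elif usable:
                    reached[dst] = f"PsExec/WMIC with stolen {sorted(usable)[0]} from {src}"
                else:
                    continue
                changed = True
    return reached


# Constructed sample accounts and topology (hypothetical names).
DA = "CORP\\da-admin"      # domain admin
BOB = "CORP\\bob"          # ordinary user on the accounting workstation
SVC = "CORP\\svc-backup"   # service account
LINKS = {                  # which hosts can open SMB/RPC to which
    "accounting-pc": {"hr-pc", "fileserver", "kiosk"},
    "hr-pc": {"dc01"},
    "fileserver": {"dc01"},
}


def build_network(patch_all: bool, da_logged_on_patient_zero: bool) -> dict[str, Host]:
    """Five hosts; the accounting workstation runs the trojanised tax software."""
    pz_accounts = {BOB} | ({DA} if da_logged_on_patient_zero else set())
    return {
        "accounting-pc": Host("accounting-pc", patch_all, frozenset(pz_accounts), frozenset({BOB})),
        "hr-pc":         Host("hr-pc", patch_all, frozenset({DA}), frozenset({DA})),
        "fileserver":    Host("fileserver", True, frozenset({SVC}), frozenset({DA, SVC})),
        "dc01":          Host("dc01", True, frozenset({DA}), frozenset({DA})),
        "kiosk":         Host("kiosk", True, frozenset(), frozenset({"KIOSK\\Administrator"})),
    }


def outbreak(patch_all: bool, da_logged_on_patient_zero: bool) -> dict[str, str]:
    """Run one scenario from the accounting workstation and report what fell."""
    return spread(build_network(patch_all, da_logged_on_patient_zero), LINKS, "accounting-pc")


if __name__ == "__main__":
    for label, args in [("partly patched", (False, False)),
                        ("fully patched, no privileged logon", (True, False)),
                        ("fully patched, domain admin logged on", (True, True))]:
        print(f"== {label} ==")
        for host, how in outbreak(*args).items():
            print(f"  {host:14s} {how}")
```

In the partly patched scenario one unpatched workstation is enough: the exploit lands there, the domain administrator's cached credential is lifted from it, and the patched file server and domain controller then fall to ordinary remote administration. With every host patched the worm is contained only as long as no privileged account has touched the first machine; the kiosk, which shares no accounts with the domain, survives in every run. Patching closes route 1, credential hygiene (no domain admin logons on workstations, no shared local administrator passwords) is what closes route 2.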

Russia has struggled to gain momentum throughout its invasion of Ukraine, including in the cyber domain. Like the wide physical front opened at the beginning of the war, the Russian intelligence services attempted a broad cyber network attack and espionage campaign to cripple Ukrainian resistance.

GRU and FSB units targeted multiple Ukrainian nuclear power sites, while Russian messaging claimed Ukraine was using those sites to manufacture chemical weapons and other illegal capabilities. Hacking groups with close ties to the Russian intelligence services penetrated Ukrainian government and military readiness systems and installed wiper malware such as WhisperGate and HermeticWiper. Wipers permanently destroy data and the systems that hold it; in April 2022, CERT-UA and ESET reported an Industroyer2 variant paired with the CaddyWiper wiper against a Ukrainian energy provider, a direct descendant of the 2016 grid attack.

The Russians also targeted Ukrainian military satellite communications and telecommunications firms, most visibly in the 24 February 2022 attack that bricked tens of thousands of Viasat KA-SAT modems across Ukraine and Europe with the AcidRain wiper (attributed to Russia by the US, UK and EU), and ran bot farms to feed disinformation into Ukrainian public discourse. However, most cyber network attacks have failed to meet their objectives, for two reasons. First, foreign assistance has improved Ukraine's cyber defenses considerably since the 2015-16 grid intrusions. Since the publication of the Cyber Security Strategy of Ukraine in March 2016, Ukrainian officials have sought Western assistance in building and maintaining defensive cyber capabilities.

Private firms such as Microsoft and Wordfence have aided Ukraine since the beginning of the invasion, providing protective measures that were unavailable during the 2015-16 grid incidents. Because much of Russia's 2022 tooling reused techniques that had been public since 2015-17, defenders already held patches, signatures and playbooks for it; an exploit that has been public for years is no longer a zero-day, and international private organizations had time to close those holes and patch other software shortcomings.

Concurrently, the US military aided the Ukrainian cyber defense buildup before the invasion. A US Cyber Command "hunt forward" team deployed to Ukraine in December 2021, months before the invasion began. These efforts shored up flaws throughout Ukrainian military and government networks, limiting the ability of Russian intelligence groups to gain and keep a foothold.

Ukraine's improved defenses coincided with Russia's inability to coordinate cyber network attacks and espionage with kinetic operations. The Russian military could not logistically support Putin's plan of taking Kyiv in under a month. The lack of planning showed in ineffective cyber network attacks and in electronic warfare brigades unable to support forward combat arms units. Electronic warfare units were also unprepared for the US-provided SINCGARS (single channel ground and airborne radio system) frequency-hopping radios and for drones operating outside Russian jamming coverage. Logistical failures then led to unplanned and hasty retrogrades, with units abandoning equipment they deemed inessential. That abandoned equipment included the Krasukha-4, a ground-based broadband jammer aimed at airborne radars and satellite links, and the Leer-3, which uses Orlan-10 drones to jam and spoof cellular networks; both are among Russia's premier electronic warfare systems. Both have fallen into Ukrainian hands, where Ukraine and its partners can study them, which will reduce their long-term effectiveness in this war.

One of the few widely reported Russian successes in this domain has been the jamming and destruction of a television tower in eastern Ukraine. Without adequate forward progress on the physical front, cyber network attack operations have played a much smaller role than the Russians expected.

Lessons Learned - With a contemporary history of successful cyber network attacks and espionage, the odds seemed to favor Russian cyber and electronic warfare steamrolling Ukrainian defenses. Unfortunately, pinpointing the precise cause of failure is complex, and nebulous concepts like complacency are hard to measure. Russia's failure comprises many factors, from micromanagement to logistical miscalculation. However, one clear, practical lesson the international community can take from the war in Ukraine concerns what cyber and electronic warfare can and cannot achieve in a conventional fight.

First, while the Russian cyber offensive may have failed in the first year of a haphazard campaign, the experience is emblematic of what to expect in future conflicts. The main lesson is the potential scope of destruction from a robust cyber operation working in tandem with kinetic means, and, conversely, how little a cyber campaign achieves when it is not synchronized with them.

Second, Ukraine should expect Russian cyber operations to continue now that the war has become a grinding, drawn-out conflict rather than a dash for Kyiv.  In addition, the US and other nations must focus on the continued integration of cyber capabilities into conventional warfare, especially concerning advanced threats such as China. 

Finally, integrating corporations such as Microsoft into a public-private partnership with the Department of Defense will better equip both parties against future cyber offensives. Moreover, sending Cyber Command personnel and expertise to Ukraine before the 2022 invasion proved effective in hardening aging systems and closing known but unpatched vulnerabilities before they could be exploited.

Overall, it is difficult to determine whether Russian cyber capabilities were overhyped or simply underperformed in a new and unfamiliar environment. Nonetheless, what any nation can take from Russia's struggles is not to remain complacent, because it is "what you know for sure that just ain't so" that gets you into trouble.

Author: Jonathan Beto is currently a Security Studies graduate student at Georgetown University’s Walsh School of Foreign Service.  The views expressed are the author’s alone.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com


[1] https://thestrategybridge.org/the-bridge/2023/6/6/hype-or-hoax-are-russian-cyber-capabilities-robust-enough-to-cripple-ukraine
