I. INTRODUCTION

Information is life. Therefore, when nations go to war, information operations – including data theft, denial, and manipulation – are one of the keys to victory. Even in peacetime, governments today run thousands of computer network operations (CNO) every day, to support a wide range of law enforcement and intelligence actions. In some countries, they support democracy and human rights. In others, they target and terrify innocent civilians.

In 2015, while I was a visiting professor at Taras Shevchenko National University in Kyiv, I edited a book entitled Cyber War in Perspective: Russian Aggression against Ukraine. Twenty authors, including the chief of Ukraine’s Computer Emergency Response Team (CERT-UA), detailed many cases of CNO against Ukraine’s government, private sector, and civil society, specifically during the 2014 Revolution of Dignity and Russia’s subsequent invasion of Crimea and Donbas.

This paper examines the publicly-known CNO during Russia’s further invasion of Ukraine in 2022. It describes pro-Russia and pro-Ukraine attacks, and seeks to place them into geopolitical context.

Kenneth Geers

II. PRO-RUSSIA HACKS

A) Prepping the Battlespace

On Feb 24, 2022, Russia invaded Ukraine from the north, east, and south, seeking to overthrow the government of Ukrainian President Volodymyr Zelensky. Russian government hackers had been preparing for this day for at least a year, via the collection of strategic intelligence and the prepositioning of destructive malware. Microsoft alone detected at least six Russian “Advanced Persistent Threat” actors and at least eight malware families that were focused on these goals.

As over 150,000 Russian forces encircled Ukraine in early 2022, Russian CNO shifted to intimidation and destruction. Over 70 Ukrainian government websites were “defaced,” and their original content was replaced with overt threats, written in Ukrainian, Russian, and Polish. In mid-January, security researchers discovered WhisperGate, a malware campaign focused on encrypting files, corrupting a computer’s Master Boot Record, and displaying a fake ransom note.

Russian state hackers also began targeting the natural resources of Ukraine – and the United States (US). On Jan 14, Oleg Nykonorov, CEO of Regional Gas Company, announced on Facebook that his IT staff were fighting “like lions” to defend their enterprise. In mid-Feb, hackers likely associated with Russia’s Main Intelligence Directorate (GRU) gained access to over 100 computers associated with 21 US liquefied natural gas (LNG) companies, paying up to $15,000 per account on the dark web, and used them as a backdoor into company networks.

These attacks showed foresight, as Russia’s pending war would skyrocket the demand for LNG worldwide, especially from the US.

For ten days prior to the invasion (Feb 15-24), Russian CNO shifted again, to distributed denial-of-service (DDoS) attacks.

The Ukrainian government announced that the attacks, which targeted ministries, intelligence agencies, and banks, were the largest DDoS it had ever seen.

In such cases, attacker attribution is often a slow process, but on Feb 18, the White House announced that it possessed “technical information” linking the attacks to the GRU.

B) H-Hour

On Feb 24, as Russian troops attempted to take Kyiv, Russian CNO shifted again, this time to destructive “wiper” code that targeted the Ukrainian government. On Feb 23, HermeticWiper/FoxBlade appeared, in a highly tailored deployment that included a signed digital certificate. On Feb 24, malware analysts discovered IsaacWiper; this attack was so urgent that a new version was released within two days.

One of this war’s biggest hacks occurred exactly one hour before the Russian army crossed into Ukraine. A likely malicious firmware update in Viasat ground infrastructure rendered the US firm’s KA-SAT modems unusable. The Ukrainian military uses Viasat for military command-and-control (C2); therefore, the attack had an “immediate and significant” impact on Ukrainian government communications. As with NotPetya in 2017, there was collateral damage across Europe, including over 5,000 wind turbines in Germany. The US Government attributed the Viasat hack to Russia.

Ukrainian communications were a key target on the opening day of the war. On Feb 24 (and then again on Mar 9), hackers penetrated Triolan, a major Ukrainian Internet service provider, and succeeded in resetting devices to factory settings.

The attackers destroyed “key nodes” of the company’s network, and some routers could not be recovered. Mitigation was a challenge because the restoration of some equipment required physical access, which became more difficult once the war started.

On Feb 24, the Russian army invaded the Ukrainian border town of Sumy. In a subsequent report, Microsoft noted that suspected Russian hackers had been active on Sumy’s critical infrastructure networks since at least Feb 17. On Mar 3, there was a telecoms blackout in the Sumy Oblast, followed by regional power outages, explosions at an electricity substation, and explosions at a combined heat and power (CHP) plant in Sumy, resulting in a loss of heat, water and electricity.

On Feb 25, CERT-UA announced that hackers working for the Belarusian Ministry of Defense (aka UNC1151 or Ghostwriter) conducted a spearphishing campaign targeting the private email accounts of members of the Ukrainian armed forces.

Once the invasion began, there was an increased focus on psychological operations (PSYOP) against Ukraine. SMS threats were sent both to soldiers (“flee or be killed”) and to citizens (“ATMs are not working”). Ukrainian military leadership Facebook accounts were hacked, from which the hackers tried to order Ukrainian troops to surrender. Facebook detected and disrupted state actors from Russia and Belarus, who were conducting influence operations on its platform. Russian spam bots were repurposed from anti-vax to anti-Ukraine campaigns. On 21 July, two Ukrainian radio stations were hacked, and used to spread fake messages that Zelensky had been hospitalized and was in critical condition.

C) Pro-Russia Hacks: Evolution

The correlation between CNO and traditional military operations is sometimes easy to see. On Mar 1, the Russian military announced its intention to destroy “disinformation” targets in Ukraine. That same day, a Russian missile destroyed Kyiv’s primary TV tower, and suspected Russian state hackers deployed DesertBlade (a malware family that overwrites data and renders machines unbootable) against a major Ukrainian broadcasting company.

In another case, according to Microsoft, Russia took down the computer network of a nuclear power plant before Russian troops took it over.

In other cases, a bit more homework is required to see how and where new campaigns fit on existing timelines of threat actors and malware families. On Mar 15, ESET researchers discovered CaddyWiper, which did not share a code base with HermeticWiper or IsaacWiper. However, the new campaign specifically targeted Ukrainian organizations, destroyed user data, and deleted partition information on attached drives. Just one week later, on Mar 22, CERT-UA released the details of yet another wiper: DoubleZero.

One of the most ambitious attempts to use a wiper in this war could have caused a blackout for two million Ukrainian citizens. On March 19 – just days after Ukraine joined the European Union’s power grid – Russian hackers (alleged to be GRU Unit 74455 or “Sandworm”) are believed to have temporarily shut down nine electric substations, using “Industroyer2” malware, which can wipe Windows, Linux, and Solaris operating systems. The hackers tried and failed to turn off the power and then destroy the computers used to control the electricity grid.

One of the most successful attacks occurred on Mar 28, when hackers caused an extended, country-wide network disruption at the national ISP Ukrtelecom, by targeting its “core infrastructure.”

According to NetBlocks, Ukrtelecom suffered a drop in connectivity to just 13% of its pre-war levels. The company was only able to restore its service 15 hours after the initial disruption.

According to Victor Zhora of Ukraine’s State Service for Special Communications and Information Protection (SSSCIP), the government was concerned that this attack was not a DDoS, but a deeper, more sophisticated intrusion.

Some attacks come in clear response to ongoing geopolitical events. On Jun 27, as the Russian foreign ministry threatened to retaliate against Lithuania for halting the transit of EU-sanctioned goods to the Russian exclave of Kaliningrad, a pro-Kremlin hacking group, “Killnet,” conducted a DDoS attack that it said “demolished” over 1500 Lithuanian sites. Lithuania’s National Cyber Security Centre (NKSC) said that some users could not access the country’s Secure Data Transfer Network, which was specifically built to allow government officials to communicate during crises.

By mid-July, Killnet had declared “war” on 10 nations that were supporting Ukraine.

Its impressive Telegram channel was created just after the Russian invasion. Similar “patriotic” hackers working with XakNet, Trickbot, and Conti, are suspected to be working for or with Russian intelligence.

According to Microsoft, by June 2022, Russian CNO successfully penetrated 128 networks in 42 countries, including Ukraine, the US, Poland, the Baltics, Sweden, Finland, Denmark, Norway, and Turkey. Victims included government agencies, think tanks, humanitarian groups, telecommunications, energy, and defense companies. However, Russia has also been more careful with its malware than with NotPetya in 2017, confining its worm-like behavior to specific network domains in Ukraine.

In the Ukrainian territory which the Kremlin has recently captured, such as Kherson, Russia is quick to replace Ukrainian telecoms infrastructure with its own, including SIM cards with Russian numbers, so that all data is routed through Russia. Thus, many Ukrainians are now living under Russia’s System for Operative Investigative Activities (SORM), which can read email, intercept text messages, censor information, and disseminate propaganda. In late July, Russian state hackers disseminated an Android app called “CyberAzov,” which looked like a tool to hack Russia, but in fact was malware designed to discover who would use such an app.

Finally, this paper focuses on computer hacking, and not on disinformation, but there is a link between the two.

Botnets spread propaganda, such as the story about secret US biological weapons laboratories in Ukraine. On Aug 5, Ukrainian authorities dismantled a “million-strong” bot farm used to discredit Ukrainian leadership and to create social rifts in the country, seizing 5,000 SIM cards used to create and maintain accounts, and 200 proxy servers used to spoof IP addresses.

And there is more than one way to hack information: in 2014, the Crimea campaign was buttressed by mass changes to Wikipedia, where Russian propaganda teams worked to drive the narrative; in 2022, a Moscow court fined the Wikimedia Foundation 5 million roubles, demanding the removal of certain information in Wikipedia articles about Russia’s invasion of Ukraine, as it posed a risk to “public order” in Russia; and the Donetsk People’s Republic (DPR) announced that it had blocked access to the Google search engine, because it promoted disinformation.

III. PRO-UKRAINE HACKS

A) H-Hour

During the initial phase of Russia’s invasion, one group of hackers may have played a strategic role in helping the Ukrainian government to survive. Working with Belarusian dissidents, they compromised Belarusian railway signal control cabinets (which still ran Windows XP) in an effort to sabotage Russian military deployments, transiting Belarus on their way to Ukraine. The targeted train traffic was reportedly “paralyzed” for days, and contributed to the vulnerable 40-mile convoy north of Kyiv. Belarusian police announced the capture of three saboteurs, and state television broadcast “chilling” footage of the men, still bleeding from having been shot in the knees.

Typically, in war, the defender enjoys some strategic advantages, such as a superior knowledge of battlefield terrain and communication networks. Following the invasion, Russian forces struggled with both, as they failed to take Kyiv and were forced to withdraw from northern Ukraine. Russian forces are believed to have suffered a breakdown in military communications, which led to a reliance on Ukrainian SIM cards. As a result, Russian comms were more vulnerable to interception, jamming, and geolocation, which may have led to the assassination of an unusually high number of senior Russian military officers.

On Feb 24, the world’s most famous hacktivist group tweeted: “The Anonymous collective is officially in cyber war against the Russian government.”

Subsequently, Anonymous claimed to have defaced or knocked offline many Russian government and media sites, doxed the Russian MoD, and hacked Russian television to display war footage from Ukraine. Anonymous defaced the website of Russia’s Space Research Institute (IKI), and leaked files from Roscosmos, which announced that no satellite control centers had been hacked, but that doing so might be a “cause for war.” The Anonymous group Squad 303 sent millions of text messages to Russian phone numbers in an attempt to provide Russian citizens with better information about the war.

B) Hacker Allies

In geopolitics, it is hard to overstate the importance of allies. Therefore, on Feb 26, the Ukrainian government issued a worldwide call for “cyber volunteers,” to anyone in the world who would be willing to attack digital targets in Russia. A designated Telegram channel, “IT ARMY of Ukraine,” gained nearly 300k subscribers. Assigned tasks included DDoS, propaganda, doxing, defacements, intelligence gathering, and engaging in simple political dialogue with Russian citizens. Naturally, there are significant challenges to mobilizing an army of hackers, to include vetting, command-and-control, adversary infiltration, mistakes, and possible retaliation.

Clearly, some hackers have signed up for duty. One prominent example is the Distributed Denial of Secrets website, which has posted over 6 million Russian and Belarusian documents, allegedly stolen from government, military, intelligence, economic, and media domains. There were 360k files from Roskomnadzor, the agency responsible for monitoring, controlling, and censoring Russian mass media. Due to the ongoing war and the controversial origin of the documents, a disclaimer reminds researchers that some of the data could be fabricated, altered, or contain malware.

At the nation-state level, Ukraine is likely receiving far more help from its NATO/EU allies than Russia is receiving from autocratic nation-states. Belarus is now severely dependent on the Kremlin, and on Mar 7 its Ghostwriter APT was caught installing MicroBackdoor on Ukrainian government systems.

China may be playing a double game: its state hackers were accused of conducting espionage against Ukraine and the West – but also against Russia and Belarus.

At a May 16 meeting of the Collective Security Treaty Organization (CSTO), Russia’s counter to NATO, only Belarus voiced its support for Moscow’s invasion of Ukraine.

The US has been active and vocal in supporting Ukraine:

  • the FBI has shared intelligence;
  • USAID has provided thousands of emergency communication devices;
  • and DOE is helping to integrate Ukraine’s electrical grid with the EU.
  • The US DHS/Cybersecurity and Infrastructure Security Agency (CISA) “Shields Up” website has provided intelligence reports, updates, and best practices for countering CNO; in late July, CISA announced a new Memorandum of Cooperation (MoC) with Ukraine’s SSSCIP.
  • The White House announced a preemptive counter-hacking operation that secretly removed Russian malware that had been installed around the world. And while naming and shaming Russian hackers may not have improved deterrence, it is much better at building an alliance of defenders.

The US Cyber Command (CYBERCOM) is collaborating with its counterpart in Ukraine. In June, CYBERCOM Director General Paul Nakasone announced that the US was engaged in defensive and offensive operations, “across the full spectrum,” in support of Ukraine; in response, Andrey Krutskikh, Russia’s top cyber diplomat, said that Russia would respond to all such aggressive operations. Krutskikh claimed that over 65,000 “armchair hackers” from the West were taking part in DDoS attacks against Russia, and warned that such behavior increased the risk of a traditional military clash with the West. In July, CYBERCOM published a list of 20 indicators of compromise (IOC) that it had received from Ukrainian security services.

In February, the European Union (EU) created a Cyber Rapid Response Team (CRRT) to help Ukraine, which was led by Lithuania; participating nations included Croatia, Poland, Estonia, Romania, and the Netherlands.

C) Pro-Ukraine Hacks: Evolution

In the first days of the war, one strategic counter-hack came partly in response to the successful Russian attack on Viasat. The Ukrainian vice prime minister sent a desperate tweet to Elon Musk, who in turn green-lighted the immediate delivery of his Starlink satellite Internet service to Ukraine. Starlink’s low-orbit system works in tandem with backpack-sized stations on the ground, and offers high-speed, strongly encrypted, highly configurable service, which has withstood increasingly sophisticated Russian hacks.

Starlink has been used for countless military and civilian communications in this war; it keeps Zelensky in touch with allied leaders and gives Ukrainian commanders the ability to call artillery strikes on the battlefield.

Naturally, InfoSec experts have been asked to opine not just on Russian CNO, but also on broader questions of national security and international relations. One expert recommended that the West send a message of deterrence to the Kremlin by temporarily knocking Russia offline. However, there is no guarantee that such a dramatic CNO would lead to desired political results, and it may deprive the West of its own lucrative CNO. One danger might lie in the domain of nuclear command-and-control (NC3); both the US and Russia have warned that impeding either nation’s NC3 could lead to catastrophic results.

As the war grinds on, every day is a good day to hack something, as each side strives to obtain an advantage.

On June 17, a DDoS attack delayed a speech by Russian President Vladimir Putin for 100 minutes. The incident took place at the St. Petersburg International Economic Forum, where Putin (eventually) gave a talk on Russian resilience in the face of Western sanctions.

The attack allegedly struck a database of conference participants, which complicated the process of screening guests, who included Chinese and Egyptian leadership figures.

IV. MID-WAR ASSESSMENT

The classified nature of nation-state computer hacking ensures that open-source researchers cannot see everything. However, there are already many publicly-known examples of computer hacking in this war. And while no single CNO is likely to have a strategic impact, there is today little doubt that soldiers do not move without some type of hacker support. Microsoft alone has reported 2-3 “destructive” GRU-associated CNO in Ukraine per week since Feb 23.

The two most impactful hacks may have occurred at the start of the war: the pro-Russia takedown of Viasat, and the pro-Ukraine hack of Belarusian railways.

It will take some time to better grasp what this war means for our understanding of CNO. At this time, one important question is whether Russia could not destroy more Ukrainian networks (e.g. air defense or leadership comms), or whether they were kept up by design (e.g. to facilitate Russian espionage or military comms). One expert workshop held in Estonia on May 30 suggested that, in this war, we may in fact have seen the full extent of Russian cyber capabilities, while also noting that the high operational tempo of a real war would at least temporarily lead to a high burnout rate in tools, personnel, and operations. One current theory is that, in January, Russia was too concerned with intimidating Ukraine via PSYOP, and thereby burned too much of its access to Ukraine’s networks before the war began. It is also possible that Moscow may have simply expected a quick and easy victory, which is a common political mistake throughout history.

Or perhaps Ukrainian infrastructure – like the country itself – was simply too big, too diverse, and too connected to conquer.

According to Yurii Shchyhol, head of Ukraine’s SSSCIP, there have been at least three difference-making gifts from the West:

  • first, Starlink helped Ukraine to relaunch destroyed infrastructure;
  • second, servers and mobile data centers allowed Ukraine to create backup copies of entire institutions, which allowed for the continuous operation of government;
  • and third, since the invasion, some expensive software has been provided for free, such as an Amazon private cloud, where the government now administers data from state registries.

One critical area of research is how to secure a decentralized battlefield.

In the battle for Kyiv, a crowdfunded unit of drone-flying Ukrainian special forces on quad bikes successfully harassed the invaders. One 15-year-old Ukrainian boy pinpointed a Russian convoy with his drone, and the footage led to the destruction of more than 20 Russian military vehicles. The “Dnipro 1” drone intelligence unit can place an explosive charge of up to 800g on its craft. On June 22, a drone crashed into the Novoshakhtinsk oil refinery in Rostov, Russia, causing a massive explosion, and a shutdown of the plant. On July 31, an apparently homemade drone carrying an explosive device detonated at the headquarters of Russia’s Black Sea Fleet on the Crimean peninsula, injuring six people, and causing the cancellation of observances of Russia’s Navy Day holiday. On July 12, the White House said that Iran was preparing to supply Russia with drones that may have combat capabilities. And even when the war is over, robot sappers will help to clear minefields. However, drones in this war have been vulnerable to jamming, tracking, and destruction, with an average lifespan of just seven days.

Finally, this war is not only a catastrophe for Ukraine, but also for Russia.

Even from the perspective of DEF CON 30, the fact that scientists, intellectuals, and artists are leaving Russia in numbers not seen since 1917 means that Russia is bleeding hackers.

Yandex alone, which was generally considered to be Russia’s “coolest” company and its national answer to Google, has lost thousands of employees (including its CEO) since the start of the war. RUNET is now a digital Iron Curtain, a self-inflicted denial-of-service, and it will take years to replenish its lost talent. The SSSCIP is now urging the West to prevent any Russian code from running on Western networks, and it is seeking the ouster of Russia from international organizations like the International Telecommunication Union (ITU).

In Ukraine, the opposite appears to be happening, as the now work-from-home IT sector is apparently thriving during the war – air raid sirens notwithstanding.

Original report

In August 2022, the report was released at the DEFCON 30 conference, one of the world’s largest and most notable hacker conventions, held annually in Las Vegas, Nevada.

Dr. Kenneth Geers works at Very Good Security. He is an Atlantic Council Cyber Statecraft Initiative Senior Fellow, a NATO Cooperative Cyber Defence Centre of Excellence Ambassador, and a Digital Society Institute-Berlin Affiliate. Kenneth served for twenty years in the US Government: in the Army, National Security Agency (NSA), Naval Criminal Investigative Service (NCIS), and NATO.

He was a professor at the Taras Shevchenko National University of Kyiv in Ukraine from 2014-2017.

Kenneth is the author of “Strategic Cyber Security”, editor of “Cyber War in Perspective: Russian Aggression Against Ukraine”, editor of “The Virtual Battlefield”, and technical expert to the “Tallinn Manual”.