09.11.22 Analytics

Cyber Blitzkrieg vs. Cyber Solidarity

Why is the Kremlin losing in cyberspace?


Western experts have compared the potential losses from Russian hacker attacks to the damage from missile attacks, but these cyber threats remain mostly unrealised. As in its conventional war, Moscow has underestimated the willingness of governments, private companies, and Internet activists to cooperate against Russian cyber forces. However, experts believe that Russia's capabilities in this field should not be underestimated and note that ensuring the cyber security of Ukraine, while at war with Russia, is not a trivial task. Indeed, it could become a starting point for a new configuration of international cyber security.
Russia declared cyber war on Ukraine back in 2008 when it launched a Trojan called "Ouroboros" against its neighbour, according to Arnaud Baricella from the French “Jacques Delors Institute” (Notre Europe), the author of "Cyber Attacks in Russia's Hybrid War against Ukraine and Their Consequences for Europe". Before the full-scale invasion, Ukraine served as a training ground for Russian cyber forces to test new cyber warfare tools. For example, in 2015, Russia remotely shut down three unconnected power plants in western Ukraine, leaving 225,000 people without electricity for several hours, and in 2016 it did the same thing in Kyiv. 

2017 was the year of the NotPetya virus, an unprecedented cyber attack that was also linked to Russia. During this attack, hackers managed to take over 13 thousand devices and roughly 30% of all computer systems used by Ukrainian government agencies and state enterprises (including, for example, the Chornobyl nuclear power plant), which irretrievably lost all their available data as a result. However, it was not only Ukraine that was affected: about 50 thousand computer systems in 65 countries were damaged by NotPetya, and well-known international companies such as Maersk, the largest Danish logistics and shipping company, and the European division of FedEx (whose damage was estimated at more than $10 million) also became victims.

Researchers working in the field of information security believe that there is a fully-fledged cyber force at work in Russia, consisting of numerous departments of various government agencies, private IT companies, and independent teams that unite "patriotically-minded" hackers. Various investigations have determined that the FSB, SVR, GRU, Interior Ministry, FSO, and the Presidential Administration all have their own independent structures for conducting cyber attacks. The U.S. Congress believes that the Internet Research Agency, a famous "troll factory" associated with Yevgeny Prigozhin, is also a cyber group engaged in "information" warfare. 

These Russian cyber forces are fighting not only against Ukraine — over the past decade, they have targeted various Western European countries. For example, in 2007, Estonia suffered from DDoS attacks initiated by Russian hackers during its diplomatic conflict with Russia, and, in 2018, GRU officers tried to attack the systems of the Organisation for the Prohibition of Chemical Weapons, which was investigating the Skripal poisonings. 

Before the full-scale invasion of Ukraine, these Russian troops were already supporting traditional military units. In 2008, hackers worked alongside their colleagues from the Airborne Troops during the five-day war with Georgia. In Ukraine, cyber troops were expected to act similarly — just an hour before the invasion, hackers attacked the Internet service provider Viasat, disconnecting parts of Ukraine and other European countries from the Web, and even suspending remote access control of windmills in Germany. Microsoft estimates that in the first four months of the war, Russia carried out 237 cyber attacks in an attempt to destroy the infrastructure of 50 Ukrainian government agencies, and even more organisations were damaged by Russian hackers' attempts to steal government data. "64 percent of all Russian cyber attacks between February and June were directed against Ukraine," according to Microsoft's latest digital security report. 

As in the non-digital world, the Russian cyber war against Ukraine looks incapable of achieving any specific goals, but it does cause a lot of disruption and at the same time serves to shape a new configuration and architecture of international forces to counter such threats.

Since February, no cyber attack by Russia has managed to inflict damage comparable to the effects of the Viasat network shutdown. This was because Ukraine had adopted amendments a few days prior to the invasion, allowing the government to move government data to cloud storage. The failures of Russian cyber forces in Ukraine have surprised experts, who were confident that Russia was capable of a "cyber war blitzkrieg". Now, on the contrary, some experts believe that Russian attacks would not be able to cause significant damage to Ukraine’s infrastructure and are instead conducted to inflict psychological pressure.

Researchers believe that this failure of Russia’s cyber forces is the result of a combination of several factors. First, there was a lack of coordination between digital and traditional forces at the beginning of the war, possibly because, in the first instance, the Russian blitzkrieg plan was not intended to involve serious and continuous hostilities. Russian hackers had destroyed Ukraine's Internet communications infrastructure, but as it turned out, these missing 3G and 4G networks were the only communication channels used by the Russian military itself to transmit encrypted messages. This forced the Russian army to use unprotected lines of communication, which were vulnerable to the Ukrainian secret services.

Second, as Moscow had not been expecting a prolonged military conflict, the cyber operations were not properly prepared.

And, in the meantime, Western sanctions have deprived the Russian IT sector of much-needed equipment, and a significant portion of the spring and autumn waves of "anti-war" emigration from Russia were IT specialists.

Third, for almost the first time in global cyberspace history, private and state agents have begun to systematically cooperate in their attempts to counter Russia. When, at the beginning of the war, Russian hackers tried to "clean up" Ukrainian government websites and seize servers responsible for storing Ukrainian government data with the FoxBlade virus, Microsoft, who localised it, immediately contacted the Ukrainian and American governments, offering them its anti-virus developments. Thanks to the efforts of Anne Neuberger, Deputy National Security Advisor of the United States, the software created by Microsoft was transferred to other European countries and, most importantly, to the Baltic states and Poland, which had previously been victims of repeated cyber terror attacks by the Russian Federation.

Finally, the international community has united in ways that go beyond interstate cooperation (the U.S. has openly stated that it supports the coordination of Ukrainian cyber forces). Arnaud Baricella claims that over the past few months, Russia has been under constant cyberattacks by an "international coalition of independent hacker organisations," the most famous of which is the Anonymous movement. To their credit, they have hacked 1,500 Russian and Belarusian government agency websites, seized the airwaves of state television channels, published classified data of Russian government agencies and state-owned companies, and distributed the personal data of 120,000 Russian soldiers.

However, despite the failures of the Russian cyber army, the cyber threats posed by Russia should not be underestimated. In his report, Baricella warns that "If traditional military operations fail and the Kremlin feels cornered, Russian cyber attacks could become more intense". Microsoft President Brad Smith, describing the corporation's contribution to the Ukrainian cyber resistance, admits: "Russian cyber attacks are more sophisticated and extensive than various reports had described. And, the Russian army continues to adapt its cyber weapons to its changing military needs, this includes combining cyber attacks with conventional weaponry." 

Now, faced with unexpectedly effective resistance, Russian hackers have shifted their focus to the collection of sensitive data to inform their military. They use phishing attacks and Trojan software for this purpose. Microsoft analysts have managed to detect Russian hackers' attempts to infiltrate the computer networks of 128 organisations across 42 countries. The targets of the attacks are not only Ukraine and the United States, but also Poland, Denmark, Finland, Turkey, and other pro-Western countries. The USA (55%), Great Britain (8%), Canada (3%), and Germany (3%) are most affected by these attacks. In these countries, Russian hackers attack the information technology sector (29% of all attacks), nongovernmental (18%), governmental (12%) and educational (12%) organisations, and the finance industry (5%). For all this, Russia uses phishing links, exploits the vulnerabilities of Internet service providers and public Internet servers, and engages in personal data theft.

Figure: Who is being attacked by Russian cyber forces? 2021-2022, % of total recorded Russian cyber attacks

Microsoft has identified six major players involved in Russia’s use of cyber warfare and uses code names to designate them. Strontium and Iridium are cyber units supervised by the GRU, which attack the information systems of the Ukrainian Defense Ministry and critical infrastructure networks (e.g., transportation); Nobelium is a group led by the SVR whose mission is to attack the IT sector; Bromine, Seaborgium, and Actinium are groups of FSB hackers whose actions target Ukrainian educational institutions, research centres, as well as law enforcement and energy companies. 

"The unpredictability of the ongoing conflict demands that organisations around the world take steps to strengthen cyber security in response to the digital threats emanating from the Russian state and Russian-affiliated actors," the Microsoft experts outlined in their report. Baricella summarises that "The EU and the U.S. need to increase their support for Ukraine (to develop so-called rapid response cyber groups and create new instruments of cooperation) and to strengthen cyber security policy and legislation, while taking into account the differing legal norms among European countries."