Cyber is effective. Explosions are effective-er.
Please note: This post was originally released on June 28th, 2023. The information contained in it reflects my analysis / opinion / comment on events that had transpired by that date. Facts might have changed since then. Please bear this in mind while reading it.
The publication of documents that allegedly describe the work of a Russian IT company on behalf of Russian intelligence services caused quite a stir in various journalistic publications at the end of March this year. The “Vulkan Leaks” also included information on a project that was run under the name “Kristal-2V”. The documents relating to this project contained numerous references to attacks against OT systems and the effective implementation of information operations involving these attacks.
However, for whatever reason, this was often not mentioned in the initial reporting: Kristal-2V was, as far as could be judged, purely a training platform. Yes, the platform allowed both defensive and offensive simulations and yes, it can be assumed that Russian intelligence services are interested in having capacities that reliably enable physical destruction through cyber attacks.
But none of these are surprising or unexpected details. The “BlackEnergy” attack on the power supply in Ukraine is almost a decade in the past, the destructive use of Stuxnet in the enrichment plants of Natanz and Bushehr even longer - and the “Aurora Generator Test” has now almost come of age.
Nevertheless, these revelations have ensured that the topic of cyber attacks with physical effects has been increasingly drawn back into the spotlight, even beyond the Vulkan leaks. In particular, the headlines and stories about a potential cyber war being waged across Europe, with catastrophic effects on the stability, metaphorically and literally, of our society, were not without a certain irony given the current security situation in Europe.
Since February 2022, the beginning of the Russian invasion of Ukraine, we have been witnessing a “classic” war in this country, a conventional military conflict between two nation states - the first of its kind since the end of the Second World War almost 80 years ago.
This also means that for the first time we are experiencing a war where the parties involved are not completely asymmetrical, as was the case in the Syrian civil war, for example. And accordingly, this would also be the first war in which destructive cyber attacks could have been part of combined warfare (I will ignore individual incidents in the past, such as the Israeli “Operation Outside the Box”, due to the limited scale). In particular, there were repeated warnings about Russian capabilities in this area, especially in the months leading up to the start of the war. At one point during the war, this raised the question for me: What was actually true about these fears?
In order to answer this question, I have tried to compile the scant public information available and to find out whether, and if so to what extent, destructive cyberattacks by Russian threat actors have had a direct influence on the fighting in Ukraine - and how their effectiveness compares to kinetic attacks.
A few small but important details first: I looked almost exclusively at data and information on destructive attacks; attacks aimed at gathering information were largely left out. All of this was a purely empirical endeavor. Even though I tried to be objective and factual, scientific standards were not met at any point. The data situation as far as public sources are concerned is extremely poor and it cannot be ruled out that details will come to light in the coming weeks, months and years that will completely refute my conclusions. Or, to put it in the words of a pirate: Ye be warned!
Before I go any further, let me summarize the most important key points:
- Looking at the entire course of the conflict so far, destructive cyber attacks have been almost completely ineffective from a military point of view, and equally ineffective in terms of damage to civilian infrastructure. The paralysis of VIASAT at the beginning of the conflict may have had a positive impact on Russian military operations, but this too cannot be proven in any way.
- Especially in direct comparison to “classic” kinetic attacks, the damage caused by cyber attacks was negligible.
- Similar to the initial Russian military tactics, which were plagued by massive deficits in coordination between the different branches of the military, cyberattacks were used in a very “blunt” manner in most cases; none of the specific advantages of cyberattacks were utilized.
Military view
The mass destruction of modems belonging to the company Viasat, which resulted in a temporary, complete outage of the KA-SAT communications network owned by the company, was treated by the media as the “digital starting signal” for the Russian invasion. According to initial reports, these attacks had a massive impact on the ability of the Ukrainian armed forces to effectively coordinate defense operations.
However, this was repeatedly denied by Ukrainian commanders who were deployed around the Ukrainian capital Kyiv at the beginning of the invasion. According to their statements, the effects of the KA-SAT failure were negligible, as it would not have been possible to use it even if the network had been fully functional. All electronic communications were disrupted by means of electronic warfare by units of the Russian armed forces.
Which factor was actually decisive for the initial communication problems of the Ukrainian armed forces was the subject of intense debate in the articles and opinions I reviewed.
Two other Ukrainian internet service providers, Ukrtelecom and Triolan, also fell victim to cyber attacks relatively soon after the start of the war, which led to temporary problems with availability - but according to Ukrainian government representatives and the affected companies themselves, did not have any military consequences at any time.
Although no evidence was provided, the statements are consistent with other reports of experiences by Ukrainian units at the beginning of the war. Most of them describe (often successful) attempts at radio-electronic jamming by Russian units (for which there is an excellent analysis by the Institute of Electrical and Electronics Engineers). Problems caused by a failure of the service providers are not mentioned at any point.
In terms of military supply, both at the operational, tactical level and in terms of the supply of military aid by Western countries, there is no publicly available information (or even evidence) that this has been affected by cyber-attacks.
While government and civilian facilities were massively hit by the use of wipers at the beginning of the war (more on this later), military systems appear to have been largely spared. The same applies to the direct loss of material and human life caused by the activities of Russian threat actors. The only case I know of in which a Russian cyberattack in the war in Ukraine could have led to direct military losses is the alleged compromise of a Ukrainian app for calibrating older howitzers by APT28, which is attributed to the Russian military intelligence service GRU.
In a report published in December 2016, the security company Crowdstrike describes how the threat actor compromised the app developer's end devices and then modified the source code of the app itself in order to collect location information that could subsequently be used for the targeted shelling of Ukrainian artillery positions. According to the company, this cyberattack subsequently led to significant losses on the Ukrainian side - up to 80% of the howitzers in question.
I am relying on the subjunctive here because, while Crowdstrike seems to be convinced of its analysis and attribution, both the allegedly affected developer and the Ukrainian Ministry of Defense question the report.
Yet even if we assume that the report is correct and that the successful attack had catastrophic consequences, it is a single attack that took place in 2016, i.e. before the start of the open Russian invasion in February last year.
This contrasts with thousands of casualties on the part of the Ukrainian armed forces (and the Ukrainian civilian population) caused by the use of conventional weapons. Even if the exact figures are not known and only rough estimates are currently available, the ratio is more than clear.
Civilian view
In a report, Crowdstrike described 2022 as “the most active year for wipers to date”. By the summer of last year, Ukrainian networks, both of government agencies as well as civil society institutions and commercial companies, had been hit by a total of almost 50 different wipers (the exact number varies, but an analysis by the Center for Strategic & International Studies gives the lowest number I came across in the course of my research as 37).
As with the attack against VIASAT, opinions differ as to how high the effective damage of these attacks actually was. While this was described by the Ukrainian side as “non-existent”, Microsoft speaks of a “permanent destruction of data on hundreds of systems from dozens of organizations across Ukraine” - but calls the actual impact on the availability of services “limited”.
Even if the impact of these attacks was in fact stronger than Microsoft assumed, it was very short-lived. As shown in a chart from the CyberPeace Institute, the number of Ukrainian systems and networks attacked peaked about four weeks after the invasion began, after which the curve flattened rapidly and sustainably.
The war has now lasted significantly longer than week 35 of 2022, which is used as the end point in the graph. Still, assuming that the information shared in articles and posts on social media provides a reasonably accurate picture of Russian cyberattacks in Ukraine, nothing has fundamentally changed since last year - not even for the most “interesting” target for attackers.
In recent years, the Ukrainian power grid has repeatedly been the target of cyberattacks that have attracted worldwide attention. One example is the hours-long power outages caused by malware in December 2015. Before the war began, many experts assumed that this type of destructive attack would play an important role in the event of a Russian invasion.
In the course of my work, my colleagues and I assumed that these attacks would occur. Even though we tried to take into account the general overview of the possible effects of a Russian attack on Ukraine, we were particularly concerned with the question of whether there could potentially be collateral damage for energy companies in other countries in the event of such cyber attacks.
We were all the more surprised when there were no immediate, massive and, above all, effective attacks against the Ukrainian power supply at the beginning of the attack. This has not changed to this day, with only two unsuccessful attack attempts publicly known since February 2022.
On the other hand, there have been periodic power outages, particularly in the winter months at the end of 2022, some of which have affected the entire country. Triggered by targeted air, drone and missile attacks against all parts of the Ukrainian power grid, at times hundreds of thousands of people were without electricity for several days.
At the same time as the coordinated attacks described above, and even after they subsided, there were also repeated individual defacements and smaller data leaks, as well as concerted DDoS attacks by allegedly pro-Russian hacktivists (anyone who has read news related to IT security in recent months will have heard the name “Killnet” at least once). To describe the effect in the words of an employee of a European MoD (which I have taken out of context): “I'm sure the Javelins are scared because the website of the Kherson regional bank is offline.”
As with the military perspective, the picture here is very clear - the damage caused by kinetic attacks, and the associated suffering for the civilian population, is many times greater than the damage caused by cyber attacks and the resulting impact.
A few, limited outages of national connectivity caused by the activities of Russian threat actors are not even remotely on a par with the massive outages caused by destroyed network infrastructure, or the intensive bombing of the country's critical infrastructure (especially the power supply) - which could hardly be justified militarily as the war progressed.
Apart from a handful of very specific exceptions in terms of time and place, mostly at the beginning of the invasion, destructive attacks by Russian actors of all stripes have fallen far short of expectations (and theoretical possibilities) in terms of their impact and can be considered a failure in their entirety as things stand today.
Fortunately, I am in the position of working for an organization that deals with the analysis of these attacks on a technical level. Detailed military assessments and an estimation of what the events in “military cyberspace” mean for defense policy developments in the coming years are not my responsibility (and are probably not seriously possible on the basis of such a rudimentary analysis as the one above).
Nevertheless, I would like to take a brief look at what the reasons for this apparent failure, or rather the nullity of these cyber attacks in the “big picture”, might be.
What's the reason for all of this?
The list of reasons for the comparative lack of success, or at least effectiveness, is probably long and complex. Some particular factors stand out in my view.
Russian threat actors have been present in public reporting on cyberattacks for more than a decade, and have dominated it more than once. This could possibly give the false impression that Russian intelligence services have a huge army of highly trained specialists at their disposal, which can be expanded at will and is just waiting to be unleashed on the digital enemy.
There are no public figures on personnel capacities, but it is probably not an entirely absurd estimate to assume a low four-digit number of people who are at least fundamentally suitable for offensive operations. This estimate includes Russian citizens who are involved in criminal activities of a digital nature and provide their expertise out of patriotic enthusiasm, which has nothing to do with more or less subtle threats of coercive measures.
This is not necessarily much, especially when you consider that, despite the importance of the war, Ukraine is not the only theater of activity for Russian threat actors. And it is precisely this limitation of personnel that is one of the problems that has reduced the effectiveness of Russian cyberattacks in the context of supporting military attacks or has contributed to the focus being less on destructive attacks than was assumed before the war began.
For example, to physically capture a handful of power plants, it takes (purely in terms of manpower, leaving aside any resistance) a few trained non-commissioned officers and two or three companies of infantrymen whose training is sufficient to follow orders.
(If anyone with military training is grabbing their head and despairing at my milquetoast calculation, please bear with me for the sake of argument. I wasn't even fit enough to do community service, let alone military service.)
In order to successfully compromise the same number of power plants and negatively impact the power supply, a group of trained and experienced specialists would be needed if this is to be done promptly.
There is a rapidly dwindling number of these, and increasing this number is not trivial. Especially when the pool of potential candidates is constantly shrinking due to the outflow of young, educated people triggered by the war. Without having any insight into the capacities of other states, I assume that this problem applies to most state threat actors. Cyber attacks only scale to a very limited extent.
Furthermore, Russian threat actors were largely unable to exploit the typical advantages of cyber attacks. Or, to put it better: Russia did not need to exploit them. When you're already in the process of invading a country, things like cost-effectiveness, credible deniability and the ability to avoid collateral damage are no longer really useful. The metaphorical fine, possibly camouflaged blade is no longer necessary when you can easily fall back on the literal grenade instead.
Where attacks on Ukrainian IT networks have occurred, the attackers have come up against an adversary that has spent the last few years hardening its systems and putting the experience gained from successful attacks into practice.
At a conference last year, I had the chance to talk at length with the head of security at a Ukrainian government agency. One statement that stuck in my mind was: “We fend off more attacks per month than most companies experience in several years”.
Regardless of how extreme the discrepancy actually is, Ukraine has increasingly been the target of Russian cyberattacks, particularly since 2014 and the events in Crimea and the east of the country. Especially at the beginning, the attackers were enormously successful due to the country's outdated and desolate IT landscape, both at state institutions and private companies. This has changed dramatically over the last few years, and many companies could learn a lot from the security level of some Ukrainian companies.
In addition to these years of experience, the support provided by Western partners, both by various intelligence services and a large number of commercial companies, should not be overlooked.
The transfer of critical data from the Ukrainian authorities, the comprehensive provision of endpoint protection for Ukrainian systems, a presumably gigantic amount of information and generally intensive information exchange and cooperation have certainly made a massive contribution to strengthening the resilience of Ukrainian systems.
I can't say what exactly was contributed by the intelligence services, but I am relatively certain that their threat information was the opposite of useless. And while we're on the subject of intelligence services ...
Espionage?
I said at the beginning of this article that I had more or less ignored digital espionage. Even though I personally find the topic very exciting, in my professional capacity I'm focused on IT security.
In addition, the information situation (as far as public sources are concerned) is very poor and would require a lot of speculation. The completeness of the available information on destructive attacks is also more than questionable, but it is at least somewhat better thanks to the excellent work of security companies, independent researchers and experts, as well as some publications by government agencies.
Nevertheless, I would like to briefly discuss information gathering through cyberattacks so as not to give the false impression that Russian activities were successful here, precisely because destructive attacks were not. I am sure that there were countless cases of cyber espionage during the war, but I doubt that they were more effective in military terms than destructive attacks.
There are a few indications that information was obtained during cyberattacks that was subsequently used to coordinate attacks. In one report, for example, Microsoft mentions attacks in spring 2022 against the administration of the city of Vinnytsia, whose airport was hit by several medium-range missiles two days later.
The same incident is also mentioned in a second report, although Microsoft itself states in that report that this is a temporal correlation and not necessarily a causal link.
Of course, it is conceivable that relevant military data was captured in the course of attacks against IT systems in the theater of operations. However, it would be much easier and probably faster for the commander of a military unit to deploy a cheap drone and scout out the enemy positions instead of waiting until a map of all positions is accidentally found on an enemy computer.
Alternatively, a non-commissioned officer can perhaps make use of satellite images, mobile radar units, acoustic anti-artillery devices and other technology - or simply ask the pensioner cycling from the neighboring village whether she happened to see any tanks in the main square.
In addition, a lot of audiovisual content was generated and shared on social networks by everyone involved on all sides - soldiers, journalists and civilians. This can also be used to obtain operational information more quickly, cheaply and easily.
Apart from the fact that it can be assumed with a certain degree of certainty that digital espionage operations have suffered from the same problems and limitations as destructive attacks, cyber attacks at the operational level, in the field, are probably not the means of choice.
What does this mean for us, the (cyber)defenders?
My supervisor has this strange, fixed idea that I make statements about past and future developments based on incomplete information. He calls it “analysis” and claims that I'm paid for it. Wherever he might have gotten that one, I have no idea.
The majority of the “lessons learned” are probably of less importance to most companies than to military planners. The course of the war in Ukraine so far has shown that it is a gigantic challenge to continuously carry out cyber attacks that are targeted, expedient and effective. Designing them in such a way that they support the kinetic operations of your own troops may be an even greater challenge.
Nevertheless, for the civilian sector, for day-to-day business, there are a few things (which we have also been saying for a long time) that have once again proven to be true in the context of the war in Ukraine.
Careful preparation and continuous improvement of the security of your own networks works. Investment in this area may be a cost center, but in the long term it is critical to ensuring the regular operation of your own business.
The focus of these investments, both monetary and human, should be on the basics. Cyber attacks rarely involve the use of fundamentally new attack methods; in most cases, tried and tested tactics and techniques are used. This also applies in extreme cases, as the Ukrainian SSSCIP found in an analysis of the scale of Russian cyber attacks.
Threat hunting, having an ultra-modern SOC or using artificial intelligence are all well and good, but are of little help if there is a single local admin password for all systems or the accounting program relies on Windows XP (without a service pack).
At the same time, cyberattacks know no rules, they do not adhere to any social conventions or international standards. Criminals are in no way interested in ISO certifications (unless they explicitly make fun of them on their leak pages), and in the rarest of cases, laws have any relevance for the perpetrators.
Every company, every institution, every organization is a legitimate target as long as it is profitable for the attackers - in whatever way. Even if threat actors claim not to attack certain groups of targets (as was recently the case with attacks by the Clop ransomware gang), this does not mean that this is actually the case in the end.
One thing that has changed since the start of the war in Ukraine, although not necessarily as a causal consequence of it, concerns information operations: In the past, these were almost exclusively the domain of nation states or organized groups (for example, corporations or political parties), and in most cases the objective was some form of political influence.
In recent months, especially in the case of financially motivated cyberattacks, the perpetrators have shown a willingness to increase the pressure to negotiate and pay by involving the media, especially social media but also “traditional” news organizations, and by gradually publishing allegedly stolen information.
This is in contrast to the earlier practice of listing affected companies on the respective leak sites with almost no comment. It is therefore advisable to involve your own communications department in the incident response process at an early stage and to have a communication strategy in place. Communicating transparently and honestly with those affected, customers and the wider public after a security incident is invaluable and, interestingly, something that large companies in particular do not get right.
Even if my assessment is in line with large parts of the community - I recommend the excellent paper written by Jon Bateman as part of his work for the Carnegie Endowment for International Peace, which deals with very similar questions (and is much more detailed and qualitative) - it is fair to mention that there are experts who see things differently.
The head of the British GCHQ describes the denial of the influence of Russian cyber attacks as a “mistake”. And there are also voices within NATO who consider cyber attacks to be Russia's greatest military success since the beginning of the war - security expert Dmitri Alperovitch takes the same view with regard to the attack against KA-SAT at the beginning of the war. Even if I would of course like to claim the absolute truth, it probably lies in one of the many shades of gray between the binary assessments.
In conclusion, I am in no way denying that Russian intelligence services are continuously investing in their offensive capabilities and pose a threat to Austrian targets (the same of course applies to other threat actors, whose increased activity could fill more than one article...), that cyberattacks against critical infrastructure are a seriously increasing threat, or that OT systems are becoming an increasingly rewarding target for attacks. Hopefully, none of this is up for debate.
But in order to ensure the best possible protection of these critical systems, I believe it is important to take an objective, rational approach to assessing threats and risks - and not to fall into or follow hyperbole.