Russia's hybrid war with Ukraine: strategy, norms, and alliances
By Katie Aulenbacher, the CyberWire staff
Mar 22, 2022

Interim Executive Director of the National Cybersecurity Alliance Lisa Plaggemier helps us make sense of what’s happened so far in Moscow’s hybrid war with Kyiv, and what might come next. 

During Russia’s hybrid war against Ukraine, we’ve heard reports of deepfakes, influence operations, website vandalism, DDoS attacks, GPS jamming, hack-and-leaks, phishing campaigns, and data-wiping malware, with the involvement of official, volunteer, and vigilante actors, and assists from Belarus, Huawei, and Anonymous. Numerous Russian and Ukrainian targets have been struck, apparently including Russia Today, Russia’s Ministry of Economic Development, a Federal Security Service (FSB) unit, Russian satellites, Russia's Beloyarsk Nuclear Power Plant, the Conti ransomware gang, Ukrainian banks, and Ukraine's Ministry of Defense, among others. Belarusian assets like railway systems and government sites also took hits. 

Lisa Plaggemier, Interim Executive Director of the National Cybersecurity Alliance (NCA), highlighted the attack on internet connectivity in Ukraine as one particularly notable event, explaining its probable motives: “While they cannot yet pinpoint the source of the attack and whether the Russian government is to blame, the major Ukrainian internet service provider Triolan has experienced cyber attacks the last few weeks causing severe internet outages. While there are a number of reasons why shutting off the internet in major Ukrainian populations would benefit Russia during their invasion, one major aspect could be to prevent the worldwide release of the crimes against civilians they are committing, which would further negatively impact their war efforts domestically and abroad.” Russia is losing the information war, Daily Mail reports, in part thanks to the old libido ostentandi magnified manyfold by a new era of connectivity.

Is Moscow pulling punches, saving them for later?

Plaggemier marked Ukraine’s cyber resilience as one of the more surprising features of the war thus far. “One of the most interesting aspects,” she said, “is how resilient the Ukrainian cyber defense has been. The war has been going on for weeks but…Ukraine’s electricity grid, communications systems and other infrastructure are still largely up. Not only have the Russians suffered on the battlefield, but they are showing that their cyber capabilities, which were [expected] by many to play a major role in their invasion, have produced inferior results.”

Plaggemier considered two possible explanations—incompetence and strategy—for Moscow’s lackluster performance, against the backdrop of well-established Russian cyber prowess: “It is tough to say whether Russia is simply holding back its full cyber capabilities to use during a different and more crucial point in the war or if the country’s hackers just couldn’t penetrate Ukraine’s improved cyberdefenses. To this point, Russia’s military operations have seemingly not been as effective as many had anticipated. And although Russia has been able to disrupt the Ukrainian cyber world through DDoS attacks, it does not seem as if they have been able to overrun Ukraine in the cyber world either. That said, Russia is known to be an incredibly savvy and capable cyber bad actor and therefore, Ukraine, NATO and other allies would be ill advised to rest on their laurels.”

As we’ve seen, Plaggemier isn’t alone in warning against underestimating Russia’s cyber capacity. Moscow’s hesitation might be calculated: a strategic decision informed by the single-use nature of cyber weapons, Russian ground forces’ reliance on Ukrainian infrastructure, and the possibility of mutually assured infrastructure destruction. Just Security has some ideas about how to stand up against ongoing Kremlin operations, using capacity building, legal frameworks, and innovation centers.

How might the war spill over into US systems?

In February, twenty-one US natural gas companies faced attacks on their systems. Plaggemier suspects a link between this event and the Ukraine offensive. US intelligence sources agree, according to Fox News, and the Cybersecurity and Infrastructure Security Agency is on the case.

While the endgame of the incident is “tough” to decipher, Plaggemier said, and we often can’t see the full picture of cyberattacks “until all of the dust finally settles sometimes years later,” she thinks “the proximity between these attacks and the Russian invasion is likely not a coincidence.” It’s also worth recalling, she said, that “nations and companies that are on the other side of the planet from an intended target can get entangled in the fallout from a cyber breach,” as a result of “how interconnected the world is.”

The worst-case scenario in terms of damage to US infrastructure would be “a successful attack by Russia or another foreign entity that penetrates or shuts down” critical systems like “government entities, nuclear and energy facilities, transportation and information systems, [or] water structures,” Plaggemier said. And Russian groups have demonstrated “through a variety of attacks – such as the Colonial Pipeline breach and BlackMagic – that [they are] willing and capable of attacking critical infrastructure,” she added.

The Department of Homeland Security warned in January, ABC reported, that Russia could strike US systems if any NATO counter-measures get Mr. Putin’s goat. The memo, however, indicated a relatively well-secured goat (in this respect, anyway): “We assess that Russia's threshold for conducting disruptive or destructive cyber attacks in the Homeland probably remains very high and we have not observed Moscow directly employ these types of cyber attacks against US critical infrastructure—notwithstanding cyber espionage and potential prepositioning operations in the past.”

Plaggemier sees both reasons for hope and reasons for redoubled efforts to bolster US defenses. “The good news is that there is a huge push within the United States from both the public and private sectors around building a more modern cyber framework,” she said. “The problem is, that given years of stagnating investment and fragmented strategies there is still a lot of work to be done. Nonetheless, there is notable headway being made in some areas that could help tackle some of the issues posed by this invasion. For example, new ransomware reporting regulations were just approved…[as] part of a growing attempt to shore up cyber defenses, especially in the private sector…Russia’s consistent cyberattacks over the years on infrastructure have prompted these changes and a growing push to build up cyber defenses.”

How might the war reshape the cyber landscape?

Russia’s invasion might catalyze shifts in cyber policy, cyber alliances, and the norms of cyber war, Plaggemier said. “At least to start, likely the biggest potential policy changes will relate to opening up increased information sharing between nations in terms of vulnerabilities, defenses, ongoing cyber attacks and potential threats. Even before this crisis, the Biden administration was already trying to move closer to allied countries through ‘softer’ efforts such as signing the Paris Call. However, the recent developments in Ukraine have likely lit a fire under all allied nations to put more formal and ‘binding’ policies in place.”

As for the long-term impact of specific cyber events, Plaggemier said, “it’s too early to say,” but closer relationships between cyber allies are probable: “one positive result that will come out of this conflict is the future expedited cybersecurity collaboration between nations. While nations have hoped to work together in the cyber realm, progress in forging collaboration has been slow going. Now, due to the war, allied nations are prioritizing working more closely.”

The rules of cyber engagement might also be up for reconsideration. One “long-term result of this war,” Plaggemier said, “will be an examination of the rules and lines that need to be established internationally relating to the cyber realm...However, whether nations will abide by these rules is unfortunately up for debate.” 

There are the formally agreed-upon norms, and there are those that emerge in times of friction. The CyberWire’s Dave Bittner noted about the latter, “in a way, we're seeing the rules of the road being developed in real time…We have a real conflict in front of us, and so whatever the norms are going to be, accidentally or not, this will…set certain precedents.” Trustwave has a longer discussion of how current events may mold the future of cyber war, with an emphasis on the new role of volunteers. 

However the war ends, Plaggemier said, cybersecurity needs to remain a top priority: “Regardless of the outcome, the international community's response toward Russia and the threat the nation poses will have long-lasting implications. Even if Ukraine is able to repel the Russian invasion…Russia will still possess incredibly sophisticated cyber crime capabilities, and therefore the cyber issues it presents won’t suddenly disappear. In the end, no matter what outcome occurs, the lessons need to stay the same: that cybersecurity is here to stay, and the need for collaboration across the international community and within the public-private sector is pivotal if we are going to create a more secure world.”

(For more updates on the crisis in Ukraine, see the CyberWire's continuing coverage here.)