What is the Russian-Ukrainian situation like?
Currently, Ukraine, along with its allies in NATO, is very concerned about the roughly 90,000 Russian troops gathering near the Donbas region (also spelled Donbass) in eastern Ukraine.
This unusual build-up of troops has raised fears that Russia may be preparing to invade the region, which would further inflame the already tense situation in Eastern Europe.
Russia has used cyberattacks in many of its modern military operations to weaken its opponents and advance its strategic goals. If Russia takes military action against Ukraine in the near future, the chances are very high that it will be accompanied by cyber attacks.
Brief background on the Russian-Ukrainian conflict
The current crisis in Ukraine first flared up in 2014 when Russia invaded and annexed Crimea. After this annexation, Russian-backed separatists in south-eastern Ukraine moved to take the Donetsk and Luhansk regions, which are now collectively known as the Donbas region.
Despite several ceasefire agreements, sporadic fighting between the separatist rebels of Donbas and the Ukrainian armed forces continues. According to the International Crisis Group, this conflict in eastern Ukraine, with renewed potential for escalation, has resulted in the deaths of more than 14,000 people in the past seven years.
Russia significantly increased its military presence along the Ukrainian border last year. In April 2021, about 100,000 to 150,000 Russian soldiers gathered on the border with Ukraine for about five weeks, the highest level of troop mobilization since the annexation of Crimea in 2014.
The recent Russian troop movements mirror the April build-up, and many countries fear that the conflict could escalate or, in the extreme case, lead to all-out war between the two countries.
Russian cyber-military coordination
To understand the likelihood of coordinated cyber military activity in this potential conflict, it is important to review previous cases where Russia coordinated cyber operations and traditional military actions.
Threat actors close to Russia engaged in a series of cyber attacks in the run-up to the Russo-Georgian War in August 2008, the first time cyber activities were coordinated with boots-on-the-ground operations.
The threat actors carried out two rounds of distributed denial of service (DDoS) attacks against Georgian networks. Coinciding with the Russian military's incursion into the separatist region of South Ossetia in Georgia (which marked the beginning of the five-day Russian-Georgian war), the second DDoS attack had disabled most Georgian government websites by August 10.
The attacks, which hit a total of 54 Georgian and Western websites [PDF], were designed to prevent the Georgian government from communicating with the public and international partners during the conflict, essentially a cyber lockdown on the country.
In order to avoid direct responsibility for the cyber attacks, Russian intelligence agencies deployed a proxy cyber militia to carry out the cyber operations rather than conducting them themselves. Recorded Future researchers found that prior to the attacks, Russian government agencies had set up a hacking forum where “patriotic” cyber criminals could volunteer their own computers for the DDoS attacks.
Russia also coordinated its military and cyber activities during its invasion of the Crimean peninsula (in southern Ukraine) in 2014. In February of that year, Russia stationed almost 150,000 soldiers along the Ukrainian border for a so-called “military exercise”.
In March, the Russian parliament unanimously approved the use of military force in Crimea, and Russia's “little green men” began moving into the area and seizing buildings.
Around the same time, a DDoS attack – 32 times larger than the largest attack during the Russian invasion of Georgia – temporarily disrupted the Internet in Ukraine and affected the peninsula’s ability to communicate with the rest of the country. In addition, local Russian militias took control of numerous communications facilities in Crimea and damaged the fiber optic cables of a large telecommunications company (Ukrtelecom JSC).
The DDoS attack and the compromise of communications facilities, combined with Russian naval vessels carrying jamming equipment to obstruct radio communications, helped effectively isolate the peninsula while Russian-armed rebels took control of the territory.
In April 2021, 100,000-150,000 Russian soldiers gathered at the Ukrainian border. Although the Russian Defense Minister attributed the build-up to “training exercises” in response to threatening activities by NATO, the Russian troops were deployed for over five weeks, much longer than Russia's largest annual training exercises (which usually take about a week).
Not surprisingly, Russia also coordinated cyber activities with this military movement; however, this operation differed from the two cases discussed earlier in that the purpose of these cyberattacks was cyber espionage rather than disruption or destruction.
From January to March 2021, the Russian advanced persistent threat (APT) group Gamaredon, tied to Russia's Federal Security Service (FSB), targeted Ukrainian government officials with spearphishing attempts as tensions between the two nations increased. Like many other Russian spearphishing campaigns, these relatively brief bursts of malicious email were carried out in the hope of gaining initial access to Ukrainian organizations for intelligence gathering.
In mid-February 2021, Gamaredon also compromised a file sharing system operated by the Ukrainian government and attempted to distribute malicious documents to other government agencies with the aim of mass-infecting public authorities' information resources.
It is currently unclear whether these attempts were successful; coordinating these cyber attacks ahead of the troop build-up, however, represents a sustained effort to destabilize Ukraine and exploit weaknesses in its cyber defense.
So what could we see in this potential conflict?
Similar to the troop movements in April, this current build-up could just be another attempt by Russia to turn the heat up and down abruptly to keep Ukraine and NATO tense and off balance. Many officials, including Secretary of State Antony Blinken, are concerned that a Russian invasion of the Donbas region is imminent.
Given Russia's coordination of military and cyber activities so far, I assume that supporting cyber operations by Russian units are almost certain if Russia invades Donbas or mobilizes its armed forces against Ukraine.
Russian cyber espionage attacks
In coordination with the troop build-up on the Ukrainian border, Russian threat actors could carry out cyber espionage attacks in order to gain access to Ukrainian government networks and to gather information on strategies, plans and troop positions.
Cyber espionage is often carried out as a prelude to military or diplomatic activity, and often the goal of espionage campaigns is to remain undetected on enemy networks for as long as possible. Since these attacks can be more difficult to identify and relate to kinetic activity, they are often discovered after the offensive.
Disruptive / destructive Russian cyber attacks
Russia could also aim to weaken the Ukrainian government by compromising government networks or key private companies that provide essential services.
We have never seen Russia launch cyberattacks on critical infrastructure to directly support military operations. However, Russia has previously compromised Ukrainian power grids twice, in 2015 and 2016, resulting in temporary blackouts for hundreds of thousands of civilians. With this, Russia has demonstrated its ability to compromise critical resources, and it is possible that Russia will try to do similar damage if it invades Donbas.
More advanced Russian TTPs and evasion techniques
I predict that if Russia tries to invade and annex Donbas, it will use tactics relatively similar to those used in Crimea to effectively cut the region off from the rest of the country. In this situation, however, the threat is even greater.
Russia's past cyber operations in Crimea and around the world have given Russian APTs insight into how to adjust their TTPs to be more effective. Russian threat actors are known to develop more sophisticated malware variants and change their TTPs to better evade defenders, which means any future offensive cyber campaign will likely be more difficult to detect and combat.
Cyber Criminal Recruitment
As we saw in Georgia in 2008, it is also possible for the Russian government to use cyber criminals and hacktivists to carry out cyber attacks. Russia has been described as a “safe haven for cyber criminals”, and it has been reported that Russia cooperates with cyber criminals residing in the country on various operations. To avoid the consequences of direct attribution, Russian intelligence agencies can recruit these cyber criminals to carry out DDoS attacks or even more sophisticated attacks to weaken Ukrainian cyber infrastructure.
What is the significance of a potential Russian military cyber conflict?
Russia has become much more sophisticated in its cyber operations and has demonstrated its ability to wreak havoc on several occasions. The country’s history of coordinating cyber and military activities supports the presumption that it will do the same if embroiled in a future conflict with Ukraine.
The world is now entering a new concept of warfare in which “Hybrid Warfare” becomes an important means by which countries conduct offensive operations. In the case of Russia, hybrid warfare has become an integral part of the country’s geopolitical strategy as it uses disinformation campaigns, cyber operations, and kinetic attacks to deal an even bigger blow to its adversaries.
Although influence campaigns and cyber operations can be conducted independently of other activities, it is very unlikely that Russia will conduct military operations without coordinating them with other non-kinetic tactics. As a result, during high geopolitical tensions, Russia’s activities in cyberspace must be monitored in order to gain a competitive advantage over its adversaries.
For more information on historical Russian cyber attacks, see Russian Cyber Attack Campaigns and Actors.