International Cybersecurity Research Made in Hamburg

The Role of Cyber Operations in War – Part I:
What (Not) to Learn from the Ukrainian Case

Mischa Hansel

25 May 2022

In the three months since the initial Russian invasion of Ukraine, numerous articles on the military and strategic significance of cyber operations have been published. Most – but not all – assume we are faced with a major puzzle: how come there have not been any large-scale disruptive cyberattacks against critical infrastructures in Ukraine and beyond (see for example here and here). On closer inspection, this perceived puzzle can be divided into three separate elements: impact and intensity, integration of operations, and timing.

Lacking Impact and Intensity

Although a series of wiper malware attacks has affected thousands of Ukrainian government institutions and businesses, their impact has been limited to the usability of the IT systems themselves. This pales in comparison to the far-reaching but temporary electricity blackouts caused by state-affiliated Russian hackers in 2015 and 2016. The latter attacks caused physical effects, something that usually requires considerable resources, expertise, and long-term planning. Yet, only one similar attempt has been publicised to date: a cyberattack in early April that attempted to shut down local high-voltage electricity substations by targeting one of Ukraine’s largest energy companies. Other such attacks may simply not have been revealed, or they may still be in the making. So far, however, Russian cyber operations have had a very limited impact on critical infrastructures – considerably below what many policymakers and security experts expected (for example, see here and here).

Missing Military Integration

Second, cyber operations do not appear to be closely integrated with the overarching Russian military campaign. This does not mean that there is no co-ordination between cyber and ground operations at all. As Microsoft highlighted in its April report, there have been a number of cases where cyberattacks seem to have worked in tandem with physical attacks against a shared target set. However, on the very same page, Microsoft states that it is “unclear if there is coordination, centralized tasking or merely a common set of understood priorities driving the correlation”. Moreover, the perceived strong correlation becomes highly speculative, at least on a macro level. On page ten of its report, Microsoft provides a map of various Ukrainian regions, comparing data on detected and blocked cyberattacks with open source data on kinetic attacks. While the authors correctly emphasise some overlap between high concentrations of malicious network activity and high-intensity fighting during the first six weeks of the invasion, their map actually shows almost as many regions with weak correlations as with high ones. A recent report by Kaspersky uses similar comparisons but comes to the conclusion that, with one exception, it was hard to notice “any particular coordination efforts”, neither between cyber attacks, “nor with military operations occurring at the same time”. As further evidence of the existence of independently operating groups, they also point out the vast differences in the malware used, with HermeticWiper representing the upper, and IsaacWiper the lower end, in terms of sophistication.

Quiet Before the Storm?

Finally, it may only be a matter of time. To date, we have not seen any large-scale efforts to retaliate against Western sanctions or weapons deliveries via cyberattacks, despite the harsh rhetoric of Russian policy makers. For example, as recently as May the German government explicitly denied having knowledge of any deliberate cyberattack against German targets in the context of the ongoing war. While there is always the possibility that ongoing attacks remain undetected, this is rather unlikely in the case of highly disruptive attacks whose very success implies visible effects, such as on energy provision or other critical services. Furthermore, members of NATO, the EU and the Five Eyes countries have a growing tendency to publicly attribute malicious cyber activities perpetrated by, or at least linked to, state actors. Combined with the growing amount of publicly shared threat intelligence, this further reduces the likelihood of undisclosed evidence. Of course, this does not mean that there is no malicious activity at all. Russian intelligence collection within Western networks certainly has not stopped, and will not stop.

Also, there are indications of a possible move towards more disruptive cyberattacks in the near future, as shown by the discovery of Incontroller, a highly sophisticated set of tools apparently designed to manipulate industrial control systems in various sectors, including energy supply. While it is not unreasonable to suspect the involvement of Russian security agencies in this case, it is not always apparent who the actual target is, nor what the envisaged timeline might be. Thus, a further internationalisation of the war via cyberattacks against NATO countries is far from certain. Even when we include the possibility of proxy cyber operations, for example the idea that Putin would unleash cybercriminals as a political weapon against the West, the picture does not really change. According to the NSA, the number of ransomware attacks has actually declined during the past weeks.

Read Part II: (Cyber) History does Not Repeat Itself