AUTHOR: Marcus Willett | IISS Senior Adviser for Cyber and former head of GCHQ | October 2022
The cyber dimension to the Russia–Ukraine war has been extensive. It reveals the characteristics of modern cyber conflict between well-matched states. While its predominant component has been a massive online ‘information’ battle for hearts and minds, comprehensibly amplified by private cyber-vigilante individuals and groups, it has also involved a large and concerted Russian campaign to disrupt Ukrainian critical infrastructure. This has been largely blunted by the soundness of Ukrainian cyber security, bolstered by Western assistance. Nevertheless, the risk remains that the cyber conflict could escalate beyond cyberspace to a more widespread confrontation between Russia and NATO. The chances of this happening are increased by uncertainty over the true nature of cyber operations, their responsible use, and especially how international law applies to them, making the efforts of states to address these issues urgently needed.
It was a surprise when Russia’s invasion of Ukraine in 2022 did not appear to be accompanied from the outset by Russian cyber operations aimed at extensively disabling Ukraine’s critical national infrastructure – for example, its telecommunications, banking, transport, water supply and energy supplies. As the war progressed, however, diametrically opposed views arose about the character and significance of the war’s emerging cyber dimension, ranging from ‘full-on, full-scale cyberwar’ to more cyber ‘fizzle’ than ‘bang’.1 Russia’s vaunted cyber capabilities came to be questioned, as was the general wartime utility of cyber operations. What is clear is that the Russia–Ukraine war of 2022 provides valuable insight into what the cyber dimension of a modern war might look like.
Russia has been developing and using offensive cyber capabilities against its perceived adversaries for at least 15 years. Their use is based on published strategy that casts what the West calls ‘offensive cyber’ as the technical component of a wider information-operations capability: one way for Russia to control its own information space and subvert that of its adversaries. Russian doctrine demands that, by default, cyber operations be fully integrated into both strategic information campaigns and full spectrum military operations. Such cyber operations are therefore as much an arm of Russia’s propaganda machine and a means of creating and delivering disinformation as they are a tool for disrupting an adversary’s critical infrastructure or military capability.
In 2013, General Valery Gerasimov, Russia’s Chief of the General Staff, published a significant magazine article in which he noted that the lines between war and peace were becoming blurred and emphasised the growth of non-military means of achieving political and strategic goals, which he contended were proving more successful than the traditional use of force. Nodding to the ‘colour revolutions’ in North Africa (for example, the Tunisian Jasmine Revolution of 2010–11) and the Arab Spring (2011), he cited the way an ‘informational conflict’ could be a key means of foreign intervention, leading to internal chaos, human catastrophe and civil war.2 Undoubtedly, he was influenced by the role the internet and social media played in fuelling the series of anti-government protests and uprisings in the revolutions he mentioned, but he was probably equally focused on similar aspects of the ‘colour’ revolutions in former Soviet states, such as the 2003 Rose Revolution in Georgia and the 2005 Orange Revolution in Ukraine.
Many Russian cyber operations that have occurred before and since Gerasimov wrote his article appear consistent with his ideas. The first were those orchestrated by the Russian state against Estonia in 2007 after the Estonian government had relocated some Soviet-era war memorials. These involved swamping the websites of the Estonian parliament, banks, newspapers and broadcasters with so much traffic – in what is known as a distributed denial of service (DDoS) attack – that they crashed. This meant that for several weeks, cash machines and online banking were sporadically out of action, news could not be delivered and government officials could not communicate. Described as more a cyber riot than a military attack, the operation’s immediate effects were short-lived, the most important probably being the disruption for a few weeks of the Estonian government’s ability to get accurate information to its citizens.3
There were also longer-lasting consequences. Some were salutary: NATO was spurred to base its new centre of excellence for cyber defence in Tallinn, Estonia was inspired to become a centre of excellence for cyber security and the first authoritative manual on the application of international law to cyber operations (the Tallinn Manual) was produced. Others were ominous: the Russians probably learned what sorts of cyber attacks on a NATO state the Alliance would not consider close to its threshold for triggering an Article 5 collective response.
The Russians have since executed many similar operations which, in addition to DDoS attacks, have included website defacement, the hacking and leaking of sensitive information, and the ubiquitous use of trolls (online profiles run by humans) and bots (those run by automated processes) to spread disinformation. The goals of such efforts have included undermining international investigations, such as those into doping in world sport in 2016; planting anti-NATO narratives in Latvia, Lithuania and Poland since 2017; and influencing the election processes of other countries. Perhaps the most notorious were those that sought to sow discord in the United States in the run-up to its 2016 presidential election. But arguably the clearest example of Russian cyber operations designed to coerce another state without needing to resort to armed force, in the mode of Gerasimov, was Russia’s campaign of cyber operations against Ukraine between 2014 and its 2022 invasion in an attempt to destabilise the Ukrainian government, presumably to increase the chances that it would be replaced by a pro-Russian one.
In doing so, Russia added to its familiar repertoire of cyber operations by using destructive malware to disrupt parts of Ukraine’s critical national infrastructure. For example, in December 2015 the Russians used ‘wiper’ malware on Ukrainian electric-distribution companies to sabotage the supply of electricity to a quarter of a million Ukrainians. The Russians repeated the operation a year later, but to less effect. Although the number of Ukrainians affected was not high, both operations signalled a clear Russian intent and capability to impede Ukraine’s ability to function as a state.
The disruption was more widespread in June 2017, when Russia used some popular Ukrainian tax-preparation software as a means of spreading malware (known as ‘NotPetya’) through Ukrainian networks. It locked computers in Ukraine’s banks, newspapers, electricity companies, national railway, postal service and health ministry, and in a nuclear facility, rendering the infected computers completely unusable for the period it took to clean up and rebuild the relevant information technology (IT). A Ukrainian government official estimated that 10% of all computers in the country were impacted, while Information Systems Security Partners, an independent Kyiv-based firm, estimated that 300 Ukrainian companies were affected.4 But because the Russians recklessly used an uncontrolled, self-propagating worm in combination with a widespread coding flaw in ubiquitously used IT (known as a ‘global IT vulnerability’), they lost control of the operation. The attack spread worldwide, significantly damaging systems in 60 other countries, including the US and other NATO member states. As a further example, in 2018, Russia staged an unsuccessful attempt to deploy disruptive malware on the plant that provides chlorine for the purification of Ukraine’s water supply.
On two occasions prior to 2022, Russia also resorted to offensive cyber operations during war. It used DDoS attacks, web defacement and disinformation during its short 2008 conflict with Georgia, targeting public-facing websites and digital assets of the Georgian military and government, as well as civilian websites. The Russians also rerouted and then blocked Georgian access to internet portals. Even if only in a crude sense, these are often cited as the first cyber attacks synchronised with military operations undertaken on land, air and sea, with the cyber component apparently timed to commence approximately two weeks in advance of the physical confrontations. The operations hindered to some degree the ability of Georgia’s armed forces and government to react, respond and communicate once the armed conflict began. The second wartime use occurred in early 2014, when Russia employed cyber operations against Ukraine prior to and during its occupation of Crimea. The nature, ambition, scope and effect of those operations were essentially the same as those conducted against Georgia.
Perhaps the most noteworthy aspect of Russia’s two wartime uses of offensive cyber before the 2022 conflict was their limited nature. They mostly equated to low-level cyber vandalism, with the blocking of Georgian internet access coming closest to being a major disruption.
The 2022 Russia–Ukraine war
It appears that the Russians had been conducting reconnaissance of, and pre-positioning cyber capabilities on, certain Ukrainian energy and communications networks from at least March 2021. But during the invasion itself, and for the few weeks preceding it, the Russians mainly undertook versions of the sorts of attacks they had employed against Georgia in 2008 and Ukraine in 2014. For example, the Russians defaced and conducted DDoS attacks against the websites of Ukrainian government ministries and private sector organisations. A few cases were detected in which malware capable of wiping computer hard drives was activated. Labelled ‘WhisperGate’, it spread to a few Ukrainian government networks and financial organisations, as well as Latvia and Lithuania, but caused little overall disruption. That said, it is possible that wider-scale attacks may have been disrupted by the detection of and patching against wiper malware by the Ukrainian government and Western cyber-security companies.
In the immediate aftermath of the invasion, the defacing of websites and denial-of-service attacks quickly mushroomed into a widespread online information and propaganda skirmish involving Russians, Ukrainians and their sympathisers. This smacked of cyber vandalism and the spreading of ‘fake news’ and propaganda as part of an information battle for hearts and minds. There still appeared to be no significant Russian attempt to disable Ukraine’s critical national infrastructure, even though during the build-up to the Russian invasion US officials had warned that the kinds of disruptive or destructive cyber actions to expect during a conflict were ‘different in scope, kind and sophistication from the types of incidents we have seen during peacetime’.5
Several theories were posited for this apparent restraint, including that the Russians might have learned the lesson of NotPetya and were being careful to avoid their operations spreading to damage non-Ukrainian networks in a way that might escalate the conflict. It was also possible that, just as in 2008 and 2014, they considered the utility of cyber operations to be limited once they moved beyond the conditions contemplated by Gerasimov as ‘below the threshold’ of a shooting war.
As the war proceeded, however, other cyber dimensions of the conflict were gradually revealed. It emerged that Russia had conducted a disabling attack on the European network of Viasat, a US-owned satellite system, on 24 February, less than one hour before invading Ukraine. The attack disrupted internet services for several thousand of Viasat’s customers in Ukraine, resulting in communications outages in several public authorities and companies. It also affected tens of thousands of users across central Europe (disrupting thousands of wind turbines in Germany, for example). According to a senior Ukrainian cyber-security official, Ukraine suffered ‘a really huge loss in communications’ at the outset of the conflict.6 The operation involved a hack by the GRU, the Russian military-intelligence agency, that disabled the system’s ground-based modems with a simultaneous denial-of-service attack on the network itself. It seems likely that the intended targets were specifically the Ukrainian government, armed forces and police, all of whom relied upon connectivity provided by Viasat. Clearly the targets and timing of the cyber attack were important enough for the Russians to take the risk that the attack could spread to targets beyond Ukraine. As of the date of publication, the Viasat hack remained the most significant and successful Russian offensive cyber operation of the war.
The Russians also may have had other cyber priorities in mind, given that the bulk of their operations against Ukrainian networks seemed to focus on harvesting personal data on Ukrainian citizens. They could have been attempting to, among other things, identify Ukrainians most likely to assist or resist them during an occupation.
As the war progressed, however, the Russians ratcheted up their cyber targeting of Ukrainian critical national infrastructure. This effort included an intrusion into one of Ukraine’s largest energy facilities in February, set to deliver a disruptive effect on 8 April using the same techniques Russia had employed against Ukraine in 2015 and 2016. Ukrainian cyber security neutralised it. The Ukrainians reported that while the malware (called ‘Industroyer2’) had penetrated the electricity grid’s management system, and would have shut off power for two million people had the attack succeeded, no power outages in fact occurred. To take another example, a late-March Russian cyber operation against a major Ukrainian telephone and internet service provider disrupted communications services in Ukraine for several hours. Between 25 and 29 March, there were 65 attempted attacks on Ukrainian critical national infrastructure. This was five times the total the week before, indicating a sharply increasing tempo.7
In late April, Microsoft reported that it had tracked more than 237 Russian cyber operations against Ukraine since just before the invasion, and that some had been successful, with ‘nearly 40 discrete destructive attacks that permanently destroyed files in hundreds of systems across dozens of organisations in Ukraine’.8 But many attacks also had been repelled. Overall, Microsoft assessed that Ukraine had not experienced the sort of widespread, nationwide disablement that many had anticipated.
Microsoft also judged that the Russians were integrating cyber into their other military operations, citing two examples from early March: widespread Russian cyber attacks on Kyiv-based media organisations that coincided with a missile strike on Kyiv’s TV tower; and a Russian breach of the networks of a Ukrainian nuclear-power company that coincided with the Russian military occupation of the Zaporizhzhia nuclear-power station. These appear to be crude and isolated examples, however. Other evidence clearly indicates that, even though evolved Russian military thinking prescribes integration of cyber operations into an overall military campaign, such integration was rarely attempted, and that, when it was, it was inept, with the Viasat hack perhaps the single exception. Apparently, in some instances, Russian missile strikes destroyed the very networks their cyber forces were attempting to infiltrate and use as platforms for wider operations.9 In June 2022, senior European cyber officials surmised that Russia had demonstrated that it was not ready to wage coordinated cyber and kinetic war, that its cyber activity against Ukraine was copious but poorly planned and organised, and that Russia was therefore not as strong on cyber as they had believed.10 Jeremy Fleming, head of the UK’s Government Communications Headquarters (GCHQ), similarly concluded that the impact of Russian cyber operations was ‘less than we (and they) expected’.11 But the Microsoft reporting, combined with that of other firms such as Cisco, Google and the Slovakian company ESET as well as the Ukrainian authorities, does show that there has been a large and evolving cyber dimension to the Russia–Ukraine war.
It now seems likely that, in anticipation of a short and successful war with Ukraine, the Russians may have initially considered cyber operations on a par with those conducted in 2008 and 2014 sufficient in 2022. In a ‘short war’ scenario, the Russians may have wanted to keep Ukrainian critical national infrastructure intact for their own use in capturing Kyiv and seizing control of Ukraine, which would also explain their focus on acquiring personal details about Ukrainians via espionage. Nevertheless, it seems both before the war and during its initial phases, the Russians still attempted to ensure they were well positioned on the relevant Ukrainian networks to launch more widespread disruptive activity if they needed to.12 But the Russian cyber tactics also clearly indicate that at the war’s outset the Russians lacked the cyber capabilities needed to surgically disable Ukrainian weapons systems and military units, and had to rely solely on conventional military capabilities – small arms, tanks, artillery, bombs and missiles.
Once the Russian attack on Kyiv and wider Ukraine had failed and the Russian focus switched back to fighting a more localised war in support of separatists in eastern Ukraine’s Donbas region, their cyber tactics reverted to those used against Ukraine since 2014: attacking Ukrainian critical national infrastructure to disable and undermine Ukraine’s national capacity to support its defence of its territory. This time, however, the Russians’ cyber operations were at a scale and frequency that far exceeded anything they had previously tried against Ukraine. Described by a US cyber official as an ‘enormous’ cyber offensive, it was clearly an attempt to achieve strategic effect.13 But despite some tactical and short-lived successes, the Russians failed to achieve a cyber ‘bang’ for a variety of reasons.
For one, Ukraine’s cyber security was enhanced by assistance from the intelligence, cyber-security and other government agencies of the US and the United Kingdom. In the years preceding the invasion, the US had invested considerably in building the capacity and resilience of Ukrainian cyber security, with the US Department of Energy working with Ukraine on improving the cyber security of its energy sector and US Treasury doing the same for its financial services. The US had since 2020 embedded technical experts within the Ukrainian government to bolster Ukraine’s response and recovery capabilities, as well as deploying software and hardware to improve the security and resilience of critical infrastructure. Further, from December 2021 US Cyber Command deployed experts who ‘conducted defensive cyber operations alongside Ukrainian Cyber Command personnel … looking for adversary activity and identifying vulnerabilities’, while also providing remote intelligence, analytic and advisory support from outside Ukraine, as did the UK’s GCHQ and National Cyber Security Centre. Once the war commenced, the United States’ FBI and Cybersecurity and Infrastructure Agency provided additional intelligence, investigative support and technical advice, while the US Agency for International Development enabled the deployment of more US technical experts and provided more than 6,750 emergency-communications devices (for example, satellite phones and data terminals) to essential-service providers, government officials and critical-infrastructure operators in key sectors such as energy and telecommunications.14
Ukraine also benefited from specific features of the national cyber-security ecosystems of Western states, and particularly the US. These ecosystems consist essentially of a burgeoning cyber-security industrial sector and close partnership and information-sharing between that sector and government. From early 2021, American companies have assisted Ukraine by monitoring Russian cyber activity, with Microsoft alone spending $239m on financial and technical assistance. The company said in April 2022 that its security teams were working closely with Ukrainian government officials to identify and remediate threats against Ukrainian networks, while keeping the US government fully apprised and providing NATO and European Union cyber officials with evidence of activity spreading beyond Ukraine.15 Significant assistance to Ukraine also came from Google, Cisco and others.
Arguably the biggest factor in Russia’s cyber failure, however, has been Ukraine’s own cyber-security expertise. While the Russians have picked up considerable know-how in operating on Ukrainian networks since 2014, by the same token the Ukrainians have learned a great deal about Russian cyber operations. It is likely that the Ukrainians taught the US and the UK more about Russian cyber tactics than they learned from them.
Russia’s own networks were also put under considerable pressure, coming under concerted cyber bombardment from a host of volunteer groups and individuals, acting largely on their own initiative and often described as vigilantes. The groups included the newly formed Network Battalion 65, the Elves (comprising over 4,000 volunteers in 13 Central and Eastern European states), the Cyber Partisans (a long-standing anti-government group in Belarus) and the notorious Anonymous collective, which declared war on Russia at the outset of the invasion. These groups’ activities were endorsed rather than directed by the Ukrainian authorities; they became known as Ukraine’s ‘IT Army’ simply because targets were suggested on a government Telegram channel of the same name.
The vigilante activity involved the widespread stealing and leaking of emails, passwords, documents, financial information and other data from Russian organisations. In March 2022, according to the Lithuanian digital security firm Surfshark, Russia-related email credentials leaked online comprised over half the global total and were five times higher than they had been two months earlier; US-related credentials have customarily held the top position.16 Material was stolen from the Russian media regulator Roskomnadzor and the All-Russia State Television and Radio Broadcasting Company, revealing their work with Russian intelligence agencies on internal surveillance, while data was leaked from the Russian Ministry of Defence and the state-backed oil firm Rosneft, supposedly following hacks by Anonymous.
There were also widespread DDoS attacks and defacing of websites on targets including the Kremlin, the state-backed news station Russia Today, the state news agency TASS and the video-hosting site RUTUBE. Accompanying this effort was a plethora of information operations designed to erode the Russian public’s support for the war, including hacking into Russian TV channels to post pro-Ukraine content and disrupting messaging from Russian trolls and bots.
Ransomware attacks were also prevalent. Ironically, some stemmed from the Russia-based Conti cyber-criminal group’s pledge to support Russian interests in cyberspace at the outset of the war, which spectacularly backfired. Conti had affiliates in Ukraine, one of whom leaked over 100,000 internal gang chats and the source code for Conti’s core programme to aid the detection of its ransomware. Network Battalion 65 then purloined and modified the code, and used it to lock the data of certain government connected Russian companies.
By March 2022, Russia thus appeared to be the most attacked country in cyberspace. This laid bare the miserable state of Russia’s own cyber security. The sheer scale of widespread cyber vigilantism during the Ukraine war also took Western governments by surprise.17 By May there were reportedly about 300,000 cyber vigilantes supporting either Russia or Ukraine operating on any given day. Given its unpredictability, that level of cyber activity increased the risk of spillover beyond the conflict zone and the possibility of incorrect attribution leading to retaliation and escalation. It nevertheless provides a good indication that cyber vigilantism will feature prominently in future major cyber conflict between states, and that states will need to consider its propensity for interfering with or impeding their own cyber operations.
Even so, widespread cyber vigilantism also creates layers of noise within which states can hide their own intelligence and offensive cyber operations. It is safe to assume that the Ukrainian government has been attempting to conduct a wide range of cyber operations directly against Russian targets, including to counter Russian cyber operations, impede Russian military operations inside Ukraine and disrupt war-supporting activity in Russia itself. Given Russia’s cyber-security vulnerabilities, these efforts are likely to have had some effect.
Layers of complexity
Among Ukraine’s state partners, the US and UK appear to have undertaken effective intelligence operations against Russia before and during the war, given the amount of intelligence they have publicly released. They are known to have worked closely with the Ukrainian authorities on the security and defence of Ukraine’s networks. It is less clear whether any cooperation arose on offensive cyber operations, or whether the US and UK conducted their own such operations in parallel with Ukraine’s. The Russians have certainly claimed that the US did so, pointing to a June 2022 Sky News interview with General Paul Nakasone, commander of US Cyber Command, in which he said ‘we’ve conducted a series of operations across the full spectrum – offensive, defensive and information operations’, adding that they were lawful and conducted with the approval of the appropriate civilian authorities.18 Without elaboration, the White House publicly denied that the operations contradicted the well-established US policy against direct involvement in the conflict.19
At issue here is the breadth of the operations that fall under the label ‘offensive cyber’ and how Russia and other states might politically and legally interpret them. Many think offensive cyber covers merely hacking into a network or device, or bombarding it with traffic to stop it from working – that because such an action is disabling and destructive, and often associated with the military, the cyber asset used is tantamount to a kinetic weapon. But cyber is also used to manipulate data and information, or even plant it, influencing the way people think and behave, and deceiving or subtly coercing them. This application could have a wide range of non-military as well as military effects, in peacetime and war, and be implemented by civilians as well as the military. The US and the UK predominantly used such ‘cognitive’ operations to disrupt the Islamic State, and they are likely to be the prevalent type of offensive cyber operation in any conflict, including the current Russia–Ukraine war.
It is fair to conclude that, despite the considerable uncertainty over the application of international law to cyber operations, most states would be likely to consider any US cyber operations or significant US assistance to Ukrainian cyber operations that resulted in death or injury, or widespread kinetic destruction (for example, explosions), to be a use of force, thereby potentially making the US a party to the conflict. But many other sorts of offensive cyber operations would not qualify. These include subtle cognitive and psychological operations designed to confuse and mislead; those intended to undermine Russian information operations, perhaps by altering their content; and operations disrupting Russian cyber attacks, perhaps by interrupting an attacker’s command of malware or nullifying the malware at source.
In this light, General Nakasone’s statement can be reconciled with the White House’s statement of US policy, even if US cyber operations were used to disrupt in various ways a wide range of Russian activity in the Ukrainian theatre. All this would apply equally to UK cyber operations, Fleming having said only that the UK’s National Cyber Force ‘may’ have been an important component of the UK’s response to the war, refraining from providing details since ‘stealth and ambiguity are key attributes of cyber operations’.20
If the Russians were to acquire evidence of US or UK cyber operations against them, how they interpreted and responded to it would be a political decision. It might occur to them, however, that the US and UK were likely operating in the same legal ‘grey zone’ that they themselves had been regularly exploiting in peacetime, as espoused by General Gerasimov, and that discounting it as a pretext for any serious retaliation and escalation would be the prudent course. Indeed, it is conceivable that the war might have given the US and UK an opportunity to signal their cyber capabilities and capacity to the Russians in new ways to deterrent effect. Even so, the two allies would undoubtedly consider themselves constrained to engage only in the ‘responsible use of cyber power’ – a way of operating strongly advocated by both states, even if neither has yet properly defined what the phrase means beyond their clear intent to abide by international law.
General Nakasone’s admission that US Cyber Command had conducted information operations underlines the fact that the largest dimension of the cyber conflict between Russia and Ukraine has been the online battle for hearts and minds. More specifically, Russia stands accused of attempting to sow distrust in information sources, misrepresenting Ukrainian actions and promulgating false narratives about the reasons for Russian conduct.21 The relevant actors have ranged from swathes of cyber vigilantes, news-media organisations and social-media platforms to intelligence agencies and other organs of the state, using all the means at their collective disposal, including botnets and troll farms established for the purpose, and unconfined to the theatre of war. Crucially, these Russian operations are not meant to be noticed, let alone make a ‘bang’. Most Ukrainian, US and UK cyber operations will be designed to counter this activity
There were novel features of this information war, with lessons to be drawn from the highly effective release of secret intelligence by the US and UK to undermine (or ‘pre-bunk’) the Russian narrative, the abundance of intelligence produced by private citizens using drones or taking pictures on their mobile phones, and the efficacy of cyber vigilantes. The circulation of short videos on TikTok has also had a significant impact, with the Ukraine war playing out there as the Arab Spring did on Twitter; the inspirational ‘Heroes of Snake Island’ video depicting Ukrainian defiance is a notable example. Private actors’ enabling of internet connectivity has also been crucial, epitomised by Elon Musk’s provision of his company SpaceX’s Starlink satellite system to Ukraine and the British Broadcasting Corporation and Radio Free Europe’s promulgation of instructions on how to use virtual private networks and access the Onion Router on the dark web to avoid Russian state surveillance. But perhaps the most illuminating phenomenon has been the ability of Ukrainian President Volodymyr Zelenskyy to rally both Ukrainian resistance and international opinion via the internet. The Russians may well conclude that refraining from attempting a general disablement of Ukraine’s internet access, including by using offensive cyber means, was a strategic mistake. It may be a moot point, as Ukrainian cyber security might well have blunted such an attempt. Most assessments have concluded that, as of August 2022, Russia was losing the information war.22
There is an additional, particularly dangerous aspect of the Ukraine war’s cyber dimension. While Western governments were initially concerned that Russian attacks on Ukrainian networks could unintentionally spill over to damage their networks, their primary worry soon became direct Russian targeting of Western networks in retaliation for the West’s imposition of harsh economic sanctions on Russia and its supplying of military equipment to Ukraine. There have apparently been plenty of Russian state cyber intelligence operations against foreign networks. A Microsoft report in June 2022 stated that governments, think tanks, companies and aid groups in 42 countries had been targeted since the outbreak of war, with two-thirds of the targets in NATO countries, the US and Poland in particular.23 There were also DDoS attacks and web defacements by state-sponsored Russian groups such as Killnet, which claimed responsibility for attacks in late June on Lithuanian state and private websites in retaliation for Vilnius’s decision to stop the transit of some goods to Russia’s Kaliningrad enclave in line with EU sanctions against Russia. But the more serious concern was that Russia could use destructive malware against the critical national infrastructure of targeted states, which intelligence indicated it was well positioned to do.
Sure enough, evidence of these capabilities soon began to emerge. For example, in early April 2022 the FBI reported it had disabled cyber capabilities that would have allowed the Russians to connect to thousands of routers and firewall appliances to create a massive botnet and had thereby disrupted it before it could be used for a destructive attack. Subsequently, US officials and cyber-security companies revealed that they had detected and were disrupting new malware (known as ‘Pipedream’) that could shut down critical machinery, sabotage industrial processes and disable safety controllers in energy plants, potentially causing explosions, with an apparent focus on the production of liquefied natural gas. The malware had various features in common with what Russia had used against the Ukrainian electric grid in 2015 and 2016 (‘Triton’) and against a Saudi oil refinery in 2017 (‘Industroyer’), and was confidently assessed to be Russian. As of June 2022, senior US cyber-security officials stated they knew the Russians had the capabilities and were actively planning to use them, the only questions being if and when they might ultimately decide to do so.24
It is difficult to judge which Russian capabilities will be discovered and disrupted before they can be activated, or the degree to which their effectiveness might be minimised. If the Western-enhanced protection of Ukrainian networks is anything to go by, most Russian operations would be defeated. Furthermore, the US government’s ‘Shields Up’ initiative, rolled out in February and re-emphasised in June, urging organisations across the US government and the private sector to bolster their cyber-security defences, was a clear attempt to prevent any intended or unintended spillover from wartime cyber operations onto their networks. The UK and other states conveyed similarly strong warnings and encouragement. Good cyber security will prevent the vast majority of cyber intrusions, while sensible planning for resilience can lessen the impact of any that might occur. As to those that did occur, the question would arise whether they constituted a coercive intervention, a use of force or an armed attack and, if so, how the injured state might decide to respond.
* * *
The cyber dimension of the 2022 Russia–Ukraine war is the first wartime cyber conflict between two states whose cyber capabilities are essentially well matched.25 Ukrainian cyber security, strong in and of itself, was bolstered by partner governments and by private-sector companies, while Russian cyber operations appeared to be less effective than expected. Both sides have suffered unrelenting pressure from cyber vigilantes. The result has been a large and highly attritional cyber conflict, the bulk of which has involved influence and information operations designed for cognitive effects. But it has also included a sustained Russian campaign to hack into and disrupt Ukraine’s critical national infrastructure, resulting in intense sparring between offence and defence, but with defence dominating most of the time, given its access to good intelligence and top-class cyber-security expertise. Some Russian attacks have succeeded, but their respective impacts have been limited by Ukraine’s ability to recover quickly from detected intrusions and by measures it has taken to improve its resilience (for example, it began to shift or mirror critical data to cloud services hosted out of country). It appears Russia has tried to minimise the chances of such disruptive operations spilling over to neutral networks to avoid sparking escalation. But Moscow has also envisaged the deliberate use of such operations beyond the conflict zone, and has been pre-positioning relevant capabilities, the only uncertainty being the conditions under which Russia might resort to attempting to use them.
The war has exposed some key weaknesses in Russian cyber capabilities compared with, especially, the US. These include a substantial inability to coordinate cyber operations with other military effects, the poor state of Russia’s own cyber security (especially given a lack of access to equivalent private-sector support), and a dearth of the sorts of capabilities needed to surgically impair military units, weapons systems, and command and control. Of all cyber capabilities, these are probably the most technologically challenging and resource intensive to produce and use, especially if they are to deliver strategic effects. It may therefore be that, recognising this, the Russians instead prioritised the comparatively ‘softer’ set of targets presented by Ukraine’s critical national infrastructure.
The Russia–Ukraine war has undoubtedly defined many of the criteria for modern cyber war, but not all of them. For example, it has not yet involved both sides using top-end offensive cyber capabilities against each other (and is perhaps therefore not full-on, full-scale cyber war). Further, a cyber conflict between Russia and a state with weaker cyber security than Ukraine, or one between NATO and Russia (or China), would perhaps see a different balance between offence and defence.
Perhaps the biggest risk is that the cyber dimension of the Russia– Ukraine war might result in escalation beyond cyberspace to a more widespread confrontation between Russia and NATO. This could certainly happen if Russia succeeded in delivering a destructive cyber attack against Western critical infrastructure or a NATO member state used a cyber operation amounting to a use of force or an armed attack against the Russians in Ukraine. Even before the war, the US and NATO had certainly made their concerns about the former risk clear. US President Joe Biden stressed that a cyber breach would be the most likely cause of the US finding itself ‘in a real shooting war’ with a major power.26 NATO stated that it would determine whether a cyber attack against any of the allied states crossed the Article 5 threshold for collective response on a case-bycase basis, and that it could consider an accumulation of minor attacks as crossing that threshold.27
Stark warnings such as these are necessary. While we are undoubtedly gaining a better understanding of the cyber dimension of modern war, including its propensity to spread beyond the conflict zone, we also find ourselves in what Suella Braverman, then UK attorney general, described last May as ‘confusion’ and a ‘vacuum’ when it comes to how international law applies to cyberspace in both war and peace.28 It was clear before the war that states needed to expend far greater efforts to answer this complex question, as well as to agree and define what constitutes the responsible use of cyber power. The Russia–Ukraine war has made those efforts even more urgent.
About the Author
Marcus Willett is IISS Senior Adviser for Cyber. During his previous career in GCHQ, he helped design UK cyber strategy, and initiated and led several national cyber programmes. This article is adapted from a forthcoming Adelphi book, On Offensive Cyber: The Responsible Use of Cyber Power.
It was a great pleasure to have Marcus deliver the Keynote Speech on “War and Ransomware – More Cyber Instability” on 25 August with Xcina Consulting and our distinguished panel comprising Tamlynn Deacon – at Hottinger Bruel & Kjaer, Daniel Pass – CTO at Perenna Bank and Rob Janssens at ParkNow.
1 See, respectively, Dustin Volz and Robert McMillan, ‘In Ukraine, a “Fullscale Cyberwar” Emerges’, Wall Street Journal, 12 April 2022, https://www.wsj.com/articles/in-ukraine-a-full-scale-cyberwar-emerges-11649780203; and Joseph Marks and Aaron Schaffer, ‘Some See Cyberwar in Ukraine. Others See Just Thwarted Attacks’, Washington Post, 14 April 2022, https://www.washingtonpost.com/politics/2022/04/14/some-see-cyberwar-ukraine-others-see-just-thwarted-attacks/.
2 See Valery Gerasimov, ‘The Value of Science Is in the Foresight: New Challenges Demand Rethinking the Forms and Methods of Carrying Out Combat Operations’, trans. Robert Coalson, Military Review, January– February 2016, pp. 23–9, https://www.armyupress.army.mil/Portals/7/military-review/Archives/English/MilitaryReview_20160228_art008.pdf. The article was originally published in Russian in Military-Industrial Kurier, 27 February 2013.
3 See Shaun Waterman, ‘Analysis: Who Cyber Smacked Estonia?’, UPI, 11 June 2007, https://www.upi.com/Defense-News/2007/06/11/Analysis-Who-cyber-smacked-Estonia/26831181580439/.
4 See Andy Greenberg, ‘The Untold Story of NotPetya, the Most Devastating Cyberattack in History’, Wired, 22 August 2018, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.
5 See David E. Sanger, ‘U.S. Sends Top Security Official to Help NATO Brace for Russian Cyberattacks’, New York Times, 1 February 2022, https://www.nytimes.com/2022/02/01/us/politics/russia-ukraine-cybersecurity-nato.html.
6 Quoted in, for example, Raphael Satter, ‘Satellite Outage Caused “Huge Loss in Communications” at War’s Outset – Ukrainian Official’, Reuters, 15 March 2022, https://www.reuters.com/world/satellite-outage-caused-huge-loss-communications-wars-out-set-ukrainian-official-2022-03-15/.
7 See Catherine Stupp, ‘Russian Cyberattacks Have Increased on Ukraine’s Critical Infrastructure’, Wall Street Journal, 5 April 2022, https://www.wsj.com/livecoverage/russia-ukraine-latest-news-2022-04-05/card/russian-cyberattacks-have-increased-on-ukraine-s-critical-infrastructure-nSa3wDFQr3fbILlQ6dGf.
8 Microsoft Digital Security Unit, ‘Special Report: Ukraine’, 27 April 2022, p. 3, https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4Vwwd.
9 See Jeremy Fleming, ‘By Invitation: The Head of GCHQ Says Vladimir Putin Is Losing the Information War in Ukraine’, The Economist, 18 August 2022, https://www.economist.com/by-invitation/2022/08/18/the-head-of-gchq-says-vladimir-putin-is-losing-the-information-war-in-ukraine.
10 See ‘Russia Unexpectedly Poor at Cyberwar: European Military Heads’, Defense Post, 9 June 2022, https://www.thedefensepost.com/2022/06/09/russia-poor-cyberwar/.
11 Fleming, ‘By Invitation: The Head of GCHQ Says Vladimir Putin Is Losing the Information War in Ukraine’.
12 See Stephen Barclay and Tony Danker, ‘Unity Is Essential to Beat Cyber Attacks’, The Times, 6 April 2022, https://www.thetimes.co.uk/article/unity-essential-to-beat-cyberattacks-gjw0r3qbq.
13 Quoted in David Ignatius, ‘How Russia’s Vaunted Cyber Capabilities Were Frustrated in Ukraine’, Washington Post, 21 June 2022, https://www.washingtonpost.com/opinions/2022/06/21/russia-ukraine-cyberwar-intelligence-agencies-tech-companies/.
14 See US Department of Defense, ‘Fact Sheet on U.S. Security Assistance for Ukraine’, 10 May 2022, https://www.defense.gov/News/Releases/Release/Article/3027295/fact-sheet-on-us-security-assistance-for-ukraine/.
15 See Microsoft Digital Security Unit, ‘Special Report: Ukraine’.
16 See Claudia Glover, ‘Personal Data Breaches Are Falling – Except in Russia’, Techmonitor, 15 April 2022, https://techmonitor.ai/technology/cybersecurity/personal-data-breaches-are-falling-except-in-russia.
17 See National Cyber Security Centre, ‘Three Key Reflections from CYBERUK 2022’, NCC Group, 13 May 2022, https://www.mynewsdesk.com/nccgroup/news/three-key-reflections-from-cyberuk-2022-447827.
18 Alexander Martin, ‘US Military Hackers Conducting Offensive Operations in Support of Ukraine, Says Head of Cyber Command’, Sky News, 1 June 2022, https://news.sky.com/story/us-military-hackers-conducting-offensive-operations-in-support-of-ukraine-says-head-of-cyber-command-12625139. Nakasone is also director of the National Security Agency, but he was not speaking in that capacity.
19 See ‘White House: Cyber Activity Not Against Russia Policy’, Reuters, 1 June 2022, https://www.reuters.com/world/white-house-cyber-activity-not-against-russia-policy-2022-06-01/.
20 Fleming, ‘By Invitation: The Head of GCHQ Says Vladimir Putin Is Losing the Information War in Ukraine’.
21 See ibid.
22 See Col. David Acosta, ‘Are We Informationally Disadvantaged? The Realities of Information War in Ukraine’, Small Wars Journal, 9 May 2022, https://smallwarsjournal.com/jrnl/art/are-we-informationally-disadvantaged-realities-information-war-ukraine.
23 See Microsoft Digital Security Unit, ‘Special Report: Ukraine’.
24 See James Rundle, ‘Russian Cyber Threat Remains High, U.S. Officials Say’, Wall Street Journal, 7 June 2022, https://www.wsj.com/articles/russian-cyber-threat-remains-high-u-s-officials-say-11654647242.
25 See Fleming, ‘By Invitation: The Head of GCHQ Says Vladimir Putin Is Losing the Information War in Ukraine’.
26 See, for example, Nandita Bose, ‘Biden: If U.S. Has “Real Shooting War” It Could Be Result of Cyber Attacks’, Reuters, 28 July 2021, https://www.reuters.com/world/biden-warns-cyber-attacks-could-lead-a-real-shooting-war-2021-07-27/.
27 See James Pearson and Jonathan Landay, ‘Cyberattack on NATO Could Trigger Collective Defence Clause – Official’, Reuters, 28 February 2022, https://www.reuters.com/world/europe/cyberattack-nato-could-trigger-collective-defence-clause-official-2022-02-28/.
28 Quoted in Charles Hymas, ‘Britain Can Legally Launch Cyber Attacks Against Hostile States, Says Attorney General’, Daily Telegraph, 19 May 2022, https://www.telegraph.co.uk/politics/2022/05/19/britain-can-legally-launch-cyber-attacks-against-hostile-states/.