Russia's hybrid war against Ukraine: lessons learned.
Jun 27, 2023

A brief retrospective on operations in cyberspace during Russia's hybrid war to date.

This is a good time to reflect on what might be learned from the experience of Russia's hybrid war so far. The CyberWire (an N2K service) has been covering Russia's war against Ukraine since before the invasion began, devoting special attention to the cyber phases of that war. A chronological directory of our coverage may be found here.

Cyberspace as an operational domain in a full-scale conventional war.

Given the ways in which communications have evolved since the 1990s, cyberspace has become a domain of conflict, and it's a domain in which nation-states engage early in the spectrum of conflict, long before the shooting starts. There's been a convergence of cyber operations with traditional intelligence collection. Cyber operations now encompass most of what had formerly been conducted as electronic warfare (jamming, interception, meaconing) and psychological warfare (propaganda, deception, influence operations). Any war in which at least one of the belligerents has well-developed cyber capabilities is bound to have a significant cyber dimension, and that's true across the spectrum of conflict.

In the specific case of the Russo-Ukrainian conflict, Russian cyber operations were foreshadowed by Russian action against Estonia and Georgia in the 2000s, and more recently by Russian operations against Ukraine (especially the power grid) in 2015-2017. There were signs in late 2021 that Russia was considering military action to increase the gains it had made in 2014, when it took Crimea and sections of the Donbas (the latter under deniable cover). We began daily coverage of the growing crisis on January 12th, 2022, with Warnings of Russian cyber activity as Moscow continues preparations to invade Ukraine. The war itself began more than a month later, on February 24th, 2022.

Initially, Russian cyber operations enjoyed some success. The disabling attack against Viasat broadband networks in the opening hours of the invasion was successful, and also coordinated with Russian combined arms operations on the ground--it amounted to well-targeted jamming. Wiper attacks against Ukrainian government agencies also enjoyed some success, although that success was less clearly tied to combat support. These successes, however, were short-lived. Starlink replaced Viasat within days, and has provided uninterrupted coverage since then. The wiper attacks proved less consequential. Since then, Russian cyber operations have been characterized by nuisance-level DDoS attacks (mostly carried out by deniable front groups, cyber auxiliaries), privateering (against civilian targets in the West), cyberespionage (collection by Russian intelligence organizations, mostly GRU and SVR), and influence operations.

Summarizing lessons from Russia's hybrid war so far.

Offensive cyber is more difficult than people think. Nuisance is achievable, theft happens, but it's much harder to pull off the much-discussed cyber Pearl Harbor--a nation-crippling bolt from the blue. This isn't a counsel of complacency, but rather of realism. Over the course of Russia's war, wiper attacks and other disabling operations have grown rare, replaced by cyberespionage and distributed denial-of-service (DDoS) attacks. The DDoS attacks have for the most part been conducted by deniable hacktivist auxiliaries, and they've represented at worst a temporary nuisance. DDoS can serve as misdirection for more consequential operations, but for the most part what looks like a nuisance is just that.

The private sector makes a decisive contribution to resilience, defense, and intelligence in cyberspace. Ukraine has benefited considerably from the assistance of companies like SpaceX, Microsoft, Recorded Future, and Google. And these companies aren't alone in having worked with allied governments to support Ukraine's cyber defense; there have been many others.

Cyber operations support other action. Cyber operations are most valuable when they're coordinated with kinetic operations, that is, when they're conceived and managed as combat support. US doctrine on electronic warfare and its place in the targeting process affords a sound practical guide that might well inform cyber operations. FM 3-60, Targeting, says, "Targeting develops options used to engage targets. Options can be lethal or nonlethal, organic or supporting at all levels throughout the range of military operations as listed– maneuver, electronic attack, psychological, attack aircraft, surface-to-surface fires, air to surface, other information related capabilities, or a combination of these operations." It goes on to describe how to integrate these into combined arms operations.

OPSEC is now more difficult than ever. Operations security, OPSEC, has been made markedly more difficult by three developments: generally available, near-real-time commercial satellite imagery, the near universal use of camera-equipped smart phones, and pervasive access to social media. Before Russia's invasion began, these three gave journalists and anyone who was interested a tolerably complete and accurate picture of the Russian order of battle. Battlefield OPSEC in any traditional form seems effectively unattainable. Commanders need to either look to new, as yet undiscovered approaches to the problem, or they need to accustom themselves to working in unprecedented transparency.

OSINT is now more valuable than ever. Don't confuse value with cost, especially when it comes from open source intelligence. Sometimes the information posted by a rando taking selfies in front of a rail car with tanks on it can be more valuable than what you're getting from a billion-dollar hyperspectral sensing platform in low-earth orbit. (See the notes on OPSEC, above, for why this has become so.)

Confusion is easy; persuasion is hard. Influence operations may, broadly speaking, be divided into two categories: negative (aiming at simple, opportunistic disruption of the adversary) and positive (aimed at convincing the adversary to adopt a particular set of beliefs). Russian influence operations, pre-war, as seen for example in their activity during the 2016 US elections, have been predominantly negative. And they've been most successful when they've been negative. Now they need to be positive: they have to convince the world that the Ukrainians are Nazis, and that Kyiv, or alternatively Kyiv's masters in Washington and London, should be recognized as the real aggressors. Russia's been selling that, but few are buying.

What value would negative information operations have? Consider Clausewitz's dictum that what distinguishes the idea of war from actual war is what he called "friction." Recall that, when studying introductory physics, you were often invited to simplify concepts by ignoring friction. "Assume a frictionless surface," your textbook might have said. What distinguished real surfaces from the ideal surface imagined for purposes of illustration was friction. Like any good Kantian, Clausewitz had a profound respect for Newtonian physics, and he used friction as a metaphor for all the things that can and do go wrong on the battlefield. Friction is bad weather. It's guns getting stuck in mud. It's a unit getting lost. It's orders being misunderstood. An actual commander dealing with a real battlefield must always remember the imperfectly foreseeable effects of friction.

There might, then, be two general approaches to war: increase the enemy's friction, or reduce one's own. Negative influence operations, opportunistic and entropic, induce friction in the enemy. They don't convince or persuade. Instead, they confuse and darken counsel. Russian influence operations enjoyed some success with these over the past decade. But actually convincing someone of a consistent narrative is much more difficult, and Russia hasn't enjoyed much success in this regard. They're selling, but not as many are buying as the Kremlin would like.

And the foreign adversary isn't the only target of influence operations. Influence operations often have a complex audience. A great deal of the content of Russian government disinformation--the positioning of Ukraine as a nest of Nazis, the framing of the special military operation as effectively a continuation of the Great Patriotic War--has been directed at least as much to the shaping of domestic public opinion as it is to persuading foreign audiences. Internal messaging has been especially heavy during the tensions surrounding the Wagner Group's march on Moscow.