Ukraine at D+119: A look at both sides of a cyber campaign.
Jun 23, 2022

Both Russia and Ukraine have used cyber operations in Russia's hybrid war. A report cautions against dismissing Russian cyber capabilities because of their so-far apparently limited effect, and another study sees Ukraine's IT Army as a new form of organization likely to have unforeseen effects on the development of norms for conflict in cyberspace.

Ukraine at D+119: A look at both sides of a cyber campaign.

This morning's situation report from the UK's Ministry of Defence describes a Russian advance along southern approaches to Lysychansk. "Since 19 June, Russian forces have highly likely advanced over 5km towards the southern approaches of the Donbas city of Lysychansk. Some Ukrainian units have withdrawn, probably to avoid being encircled. Russia’s improved performance in this sector is likely a result of recent unit reinforcement and heavy concentration of fire. Russian forces are putting the Lysychansk-Sieverodonetsk pocket under increasing pressure with this creeping advance around the fringes of the built-up area. However, its efforts to achieve a deeper encirclement to take western Donetsk Oblast remain stalled."

Thus the Russian army's slow advance continues, at enormous cost in ammunition and troops, and with human suffering that cannot yet be measured. The New York Times offers a summary forecast of the near future in the Donbas. US officials are expressing unusually sanguine assessments of the likely effect recently delivered weapons will have on Ukraine's defense of the Donbas. Since this has become an artillery campaign, and since artillery and counterfire targeting systems have figured prominently in Western aid to Ukraine, observers see Ukraine as having gained ground relative to the only Russian arm that has worked roughly as advertised.

Russian missile strikes hit two grain terminals in the Black Sea port of Mykolaiv, the Wall Street Journal reports, which gives the lie (again) to Moscow's insistence that it is Ukraine, not Russia, that is interfering with grain shipments and using food as a weapon.

Reviewing Russian cyber campaigns in the war against Ukraine.

Microsoft yesterday published a long report, "Defending Ukraine: Early Lessons from the Cyber War," in which Redmond describes what it's observed so far. The result that's been most widely reported is a significant increase in Russian cyberespionage directed against countries regarded as either friendly to Ukraine or of dubious adherence to the Russian cause. The countries that have received more Russian attention since February include: Albania, Armenia, Australia, Belgium, Brazil, Canada, the Czech Republic, Denmark, Finland, France, Germany, Georgia, Guatemala, Hungary, India, Iran, Iraq, Japan, Kazakhstan, Kyrgyzstan, Latvia, Lebanon, Libya, Lithuania, Mexico, Moldova, Nigeria, Norway, Oman, Poland, Qatar, Romania, Sweden, Switzerland, Tajikistan, Turkey, Turkmenistan, the United Kingdom, the United States, and Uzbekistan. In all, Microsoft tallies 128 organizations in 42 countries as subjected to Russian cyberespionage. The target list was composed of "mostly governments, although [it] also included think tanks, humanitarian groups, and critical infrastructure providers."

Reuters notes, in its coverage, that "The Russian embassy in Washington did not immediately respond to a request for comment. Moscow has in the past denied conducting foreign cyber espionage missions, saying it 'contradicts the principles of Russian foreign policy.'" But no thinking person takes such denials seriously (especially no thinking person in Russia).

Microsoft is concerned to set the cyber phases of Russia's hybrid war into historical context. The company's chair and president, Brad Smith, writes in his blog post introducing the report:

"While no one can predict how long this war will last, it’s already apparent that it reflects a trend witnessed in other major conflicts over the past two centuries. Countries wage wars using the latest technology, and the wars themselves accelerate technological change. It’s therefore important to continually assess the impact of the war on the development and use of technology. 

"The Russian invasion relies in part on a cyber strategy that includes at least three distinct and sometimes coordinated efforts – destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world."

Cyberwar is particularly difficult to contain within a theater of operations, still less within a particular country, and its inherently deniable character presents a constant temptation to its use. Smith argues that Russia's war against Ukraine should motivate governments, corporations, and NGOs to develop effective alliances capable of responding to further aggression along Russian lines. He also warns that influence operations have played a significant part in Russia's cyber campaigns. And he cautions against letting the apparent ineffectuality of Russian cyberattacks against Ukraine, which fell far short of consensus expectations, lull anyone into a false sense of security.

The report draws five major lessons from the hybrid war so far:

  • "First, defense against a military invasion now requires for most countries the ability to disburse and distribute digital operations and data assets across borders and into other countries."
  • "Second, recent advances in cyber threat intelligence and end-point protection have helped Ukraine withstand a high percentage of destructive Russian cyberattacks."
  • "Third, as a coalition of countries has come together to defend Ukraine, Russian intelligence agencies have stepped up network penetration and espionage activities targeting allied governments outside Ukraine."
  • "Fourth, in coordination with these other cyber activities, Russian agencies are conducting global cyber-influence operations to support their war efforts."
  • "Finally, the lessons from Ukraine call for a coordinated and comprehensive strategy to strengthen defenses against the full range of cyber destructive, espionage, and influence operations."

Ukraine's IT Army is a complex phenomenon.

The IT Army that Kyiv has summoned to its cause has generally received favorable press in the West, although its activities have tended to be dismissed as nuisance-level website defacements and distributed denial-of-service (DDoS) attacks. A study by the Zurich-based Center for Security Studies, "The IT Army of Ukraine: Structure, Tasking, and Ecosystem," argues that the EU in particular has failed to take proper stock of the IT Army, and in particular of its implications for international norms.

The study sees the origins of the IT Army of Ukraine in years of consideration of lessons to be learned from "the success of the Estonian Defence League's Cyber Unit and other efforts around the globe to organize, incorporate, and surge civilian IT volunteers into existing military structures in times of need." Those efforts have generally been defensive in nature, and grew in a relatively controlled and systematic way. (For how a reserve can be developed and mobilized at need, see the recent US Cyber Shield exercise in which the National Guard played a central role.) Whatever thought Ukraine devoted to the problem in pre-war days, the IT Army itself seems a wartime improvisation, "stood up in an ad-hoc manner without a clearly structured and proven plan." It appears to have emerged as a surrogate for a Ukrainian military cyber command, the study argues, but for all that it's been intelligently assembled and used with greater effect than has been generally appreciated. "Born out of necessity, the IT Army subsequently evolved into a hybrid construct that is neither civilian nor military, neither public nor private, neither local nor international, and neither lawful nor unlawful."

It differs in one significant respect from the earlier Estonian model: from the outset, the IT Army has been encouraged to conduct offensive cyber operations against Russian targets. It has two distinct aspects: "(1) a continuous global call to action that mobilizes anyone willing to participate in coordinated DDoS attacks against designated – primarily civilian – Russian infrastructure targets; and (2) an in-house team likely consisting of Ukrainian defense and intelligence personnel that have been experimenting with and conducting ever-more complex cyber operations against specific Russian targets. Both parts of the IT Army are purely offensive in nature and serve to bring willing amateurs (civilians) and dedicated professionals (civilian, military, intel) into one – most likely – hierarchically organizational structure." It has also attracted significant support from private sector companies in IT and cybersecurity, both in Ukraine and abroad. (Microsoft's report on "Defending Ukraine" is recent evidence of this.)

The report concludes, "The IT Army of Ukraine is a unique and smart construct whose organizational setup and operational impact will likely inform the art of cyber and information warfare in future conflicts. On the public side, the IT Army serves as a vessel that allows the Ukrainian government to utilize volunteers from around the world in its persistent DDoS activities against Russian government and company websites. As of 7 June 2022, this includes 662 targets. On the non-public side, the IT Army’s in-house team likely maintains deep links to – or largely consists of – the Ukrainian defense and intelligence services." And it warns that this kind of organization is unfamiliar, especially to NATO's European members, and that it represents a challenge to international norms of conduct in cyberspace.

That final caution seems overstated. International law requires that armed conflict be waged by competent authority and by personnel who operate under that authority's control. The IT Army seems, by the study's own account, to do both. The laws of armed conflict, which are being gradually extended into cyberspace, also require that military operations be both discriminating (protective of civilians) and proportionate (not productive of excessive damage). There are no signs that the IT Army has violated either requirement, although one might wonder about operations against civilian websites. That the IT Army represents an unfamiliar kind of organization seems, nonetheless, to be correct, and to warrant further study.