Contextualizing Last Week’s Malicious Cyber Activities Against Ukrainian Government Websites and Systems

Stephanie Pell
Friday, January 21, 2022, 4:58 PM

The events reflect the complexity of how cyber operations can function diversely across and even within specific conflicts.

The flag of Ukraine. (UP9, https://tinyurl.com/y7f9s83f; CC BY-SA 3.0, https://creativecommons.org/licenses/by-sa/3.0/)

Published by The Lawfare Institute in Cooperation With Brookings

As reported in the New York Times on Jan. 14, “[h]ackers brought down dozens of Ukrainian government websites,” posting a message on dark screens that read: “Be afraid and expect the worst.” To augment its intimidating effect, the message taunted its intended audience more specifically, “Ukrainians! All your personal data ... have been deleted and are impossible to restore.” Ukraine’s communication intelligence service indicated that “as many as 70 central and regional authority websites were targeted.” The menacing message was published in multiple languages—Ukrainian, Russian and Polish—which the Times’s article speculates is an attempt to “obfuscate” the perpetrators’ origin and motive. In the context of the evolving crisis, U.S. government officials and other experts have anticipated that Russia would engage in offensive cyber operations against Ukraine, but discerning the source and entity responsible for such actions can be difficult. Nevertheless, as reported by the Times, a Ukrainian government agency, the Center for Strategic Communications and Information Security, issued a statement directly blaming Russia for the hack: 

“We have not seen such a significant attack on government organizations in some time,” it said. “We suggest the current attack is tied to the recent failure of Russian negotiations on Ukraine’s future in NATO,” ... referring to Moscow’s talks with the West.

Interpreting the meaning and import of cyber activities is often a complex endeavor. These and other cyber activities arising from the international conflict between Russia and Ukraine, however ominous, cannot be interpreted with certainty, at least for now. They reflect the complexity of how cyber operations, which are an integral part of modern-day international conflict, can function diversely across and even within specific conflicts, providing states with opportunities both to prepare the battlespace for more classic forms of military engagement and to create space for diplomacy and the deescalation of burgeoning crises. 

The full scope of these activities is still being assessed. Cybersecurity and national security journalist Kim Zetter tweeted on Jan. 14 that “[t]here’s currently no indication that the attacks went beyond defacement [of government websites] and DDoS [distributed denial of service], but it’s too early to say.” Oleg Nikolenko, the spokesperson for the Ministry of Foreign Affairs in Ukraine, also indicated on Jan. 14 that, while a number of government agency websites were “temporarily down,” Ukrainian government “specialists have already started restoring the work of IT systems.” 

On Jan. 15, Microsoft released information about another kind of activity, specifically the appearance of malware on the systems of government agencies providing “critical executive branch or emergency response functions” in Ukraine, as well as those of an IT firm that manages the recently defaced websites of Ukrainian government agencies:  

Today, we’re sharing that we’ve observed destructive malware in systems belonging to several Ukrainian government agencies and organizations that work closely with the Ukrainian government. The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable. We’re sharing this information to help others in the cybersecurity community look out for and defend against these attacks.

At this time, we have not identified notable overlap between the unique characteristics of the group behind these attacks and groups we’ve traditionally tracked but we continue to analyze the activity.

With respect to this malware, known as “WhisperGate,” Zetter later reported that “[d]ozens of systems at two government agencies in Ukraine were wiped with a destructive tool that Ukraine now believes was part of a coordinated attack last week against systems in Ukraine.” The level of coordination between the hackers conducting the two operations is unclear, although Ukrainian officials indicated that the evidence connecting them “is both technical and intelligence[-based] in nature.” 

Again, while the scope and harm caused by these activities is still being evaluated, one inherent challenge in communicating the meaning and import of such activities stems from the very term often used to describe them: “cyberattacks.” The Department of Defense (DoD) defines cyberattack or “cyberspace attack” as “actions taken in cyberspace that create noticeable denial effects (i.e., degradation, disruption, or destruction) in cyberspace or manipulation that leads to denial that appears in a physical domain, and is considered a form of fires,” where “fires” refers to “[t]he use of weapon systems or other actions to create specific lethal or nonlethal effects on a target.” Accordingly, both a DDoS attack that disrupts the operation of a government website, but does not otherwise cause damage, and the use of malware to shut down a power grid, which does cause significant damage, can be considered cyberattacks. The use of the term “cyber operations” or “cyberspace operations,” defined by the DoD as “the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace,” avoids some of the confusion the term “cyberattack” can create with respect to describing the damage caused and consequent significance of malicious cyber activities.

Just because nothing exploded or melted down as a result of the recent actions against Ukraine does not mean their significance should be discounted in the context of the current conflict. These activities come at a time when there is mounting evidence that Russia intends to invade Ukraine, and the United States is actively trying to deescalate the situation, thus far to no great effect, through diplomatic efforts and threatened further sanctions against Russia.

In December 2021, the New York Times reported that Russia was “stepping up” its cyber intrusions into Ukrainian infrastructure, prompting the United States and the United Kingdom to send “cyberwarfare experts” to assist Ukraine. Dmitri Alperovitch characterized this activity by Russia as “cyber prep” of the battlespace. The targets, which Alperovitch identified as “government agencies, including internal affairs,” as well as “the national police” and “electric utilities,” were “precisely the ones you’d expect to be targeted for intel collection and battlefield preparation ahead of an invasion.” There are additional reasons to interpret all of these activities as foreshadowing an invasion: Russia’s annexation of Crimea in 2014, for example, also involved the execution of various cyber operations by both pro-Russian non-state actors and Russian soldiers bearing no insignia. These operations included the defacement of websites, the disruption of websites through DDoS attacks and other activities that facilitated Russia’s control of Crimea’s telecommunications infrastructure.

Understandably, a number of Russia experts believe that Russia’s invasion of Ukraine is only a matter of time now, and that there is little the United States can do to stop it. While it’s hard to know with certainty whether there will be a physical invasion of Ukraine by Russian troops, whatever the outcome, this unfolding crisis illustrates how cyber operations are an integral part of modern-day international conflict insofar as they facilitate various military and diplomatic options available to states. 

Interpreting a government’s intentions for cyber operations in the context of any given conflict that has not evolved into an armed conflict, however, is rarely a straightforward matter. Even assuming that Russia executed, directed or enabled these most recent cyber operations—and in spite of compelling logical assessments concerning the plausible implications of other recent actions the country has taken, such as positioning troops along the Ukrainian border, signaling an intention to abandon participation in diplomatic efforts, and preparing to engage in a false flag operation to generate a pretext for invasion—any understanding of Russia’s intent and purpose remains inconclusive. 

Some additional reporting suggests that Ukrainian officials now believe that a hacker group linked to Belarusian intelligence carried out at least part of the recent operations, “using malware similar to that used by a group tied to Russian intelligence.” If correct, then these events could signal an important alliance between Belarus and Russia for the purpose of an invasion, insofar as Belarus could provide Russia with certain advantages. As noted by Alperovitch: “A flank mechanized maneuver from Belarus would be highly desirable for the Russians in an invasion. ... [I]t would be very helpful to stretch the Ukrainian resources across a huge line of engagement and surround them from all sides.” Accordingly, if Russia does invade Ukraine, aspects of the cyber operations occurring over the past several months might be interpreted as preparation of the battlespace. Depending on the nature of Belarus’s involvement, the recent cyber operations might also signal that Russia has an opportunity to leverage Belarusian assistance in an invasion.

If, however, the burgeoning crisis is somehow averted, at least for some significant amount of time, the totality of these cyber operations might be viewed in a more complicated, nuanced fashion. As Erica Lonergan and Shawn Lonergan have argued:

Rather than use cyber operations as a means of coercion or to shape battlefield dynamics, governments might turn to conduct cyber operations to de-escalate crises. Cyber operations’ nonviolent effects and relative limitations in imposing costs make them an ideal way to resolve a crisis without appearing to have backed down. All sides may perceive cyber operations as less escalatory, in comparison to other military options that may be on the table during a crisis.

With some hindsight, depending on the eventual outcome, the totality of Russia’s cyber operations against Ukraine might be assessed as battlespace prep, coupled with an opportunity to allow for deescalation of the crisis. The Lonergans’ analysis ultimately concludes, however, that “uncertainty about [state] intentions in cyberspace is an endemic challenge” and one that isn’t going away anytime soon. Nevertheless, the conflict between Russia and Ukraine is an illustration of how cyber operations will, for better or worse, continue to shape and complicate the future of international conflict.
Stephanie Pell is a Fellow in Governance Studies at the Brookings Institution and a Senior Editor at Lawfare. Prior to joining Brookings, she was an Associate Professor and Cyber Ethics Fellow at West Point’s Army Cyber Institute, with a joint appointment to the Department of English and Philosophy. Prior to joining West Point’s faculty, Stephanie served as a Majority Counsel to the House Judiciary Committee. She was also a federal prosecutor for over fourteen years, working as a Senior Counsel to the Deputy Attorney General, as a Counsel to the Assistant Attorney General of the National Security Division, and as an Assistant U.S. Attorney in the U.S. Attorney’s Office for the Southern District of Florida.