
Cyber Conflict and Subversion in the Russia-Ukraine War

Lennart Maschmeyer
Tuesday, June 11, 2024, 2:44 PM
Cyber operations reveal their limitations as means of warfare, but territorial conquest opens unique opportunities for exploitation.
Use of cyber attacks in Ukraine (UCSD Jacobs School of Engineering, https://www.sdu.dk/-/media/cws/cws/images/cws-dossiers/ukraine+cyber+attacks.jpeg, CC BY-NC 3.0 US)

Published by The Lawfare Institute in Cooperation With Brookings

The Russia-Ukraine war is the first case of cyber conflict in a large-scale military conflict involving a major power. Over the years, Russia-sponsored hacking groups have adapted their tradecraft to the war setting. Contrary to cyberwar fears, most cyber operations remained strategically inconsequential, but there are several exceptions: the AcidRain operation, the UKRTelecom disruption, the September 2022 power grid sabotage, and the catastrophic Kyivstar outage of 2023. Delving into these operations shows how Russia-sponsored hacking groups have exploited unique opportunities provided by territorial conquest and reveals an intriguing, underappreciated insider dimension to some of the war’s most damaging cyberattacks. These developments suggest hacking groups are increasingly fusing cyber operations with traditional subversive methods to improve effectiveness.

In the wake of the invasion, there were predictions of cyber “shock and awe” campaigns that would trigger catastrophic large-scale disruption and might even render the use of force unnecessary. Nadiya Kostyuk and I pushed back against these predictions two weeks before the invasion. We stressed the need to assess plausible threats based on Russia’s track record. Rather than being a novel tool of warfare, I have previously argued on Lawfare that cyber operations are more similar to intelligence operations, specifically subversion.

Subversion projects power indirectly and secretly, exploiting vulnerabilities in adversary systems to infiltrate them and make them do things they are not supposed to. Traditionally, states have used spies to infiltrate enemy societies and institutions. Examples of subversion are turning a political organization into a covert arm for adversary interests or turning an industrial facility into a lethal weapon by releasing poisonous gases. It offers an indirect and secret way of interfering in adversary affairs. Today, states can also do so via cyber operations that infiltrate the computer systems that modern societies and institutions increasingly depend on. The targets differ, but the mechanism works the same way. Hacking into systems means nothing else than finding vulnerabilities and exploiting them. The goal is to manipulate targeted systems to behave in ways neither their designers nor users expected, harming the victim to the benefit of the sponsor of the operation. Importantly, subversion’s indirect and secret mechanism of action offers great promise in theory: a cheap, easy, yet effective means to project power that can offer an alternative to force, or complement it. Accordingly, subversion has long been the source of great fears. Current worries about cyber threats from U.S. adversaries closely echo those expressed in the Cold War.

However, as I have shown, the same characteristics that enable this promise also tend to prevent its fulfillment in practice. Projecting power indirectly and secretly through adversary systems is hard. Subversive actors need to find vulnerabilities that the designers and users of that system missed. Doing so takes time. Meanwhile, subversive actors must stay hidden lest the victim discover the manipulation and gain an opportunity to neutralize it—by arresting or killing a spy, or by deleting malware or revoking access credentials. Hence, actors must proceed carefully. Moreover, most computer systems are not designed to cause physical damage or bodily harm. All this limits the intensity of effects. Finally, things can go off the rails. Subversion produces effects by making systems behave unexpectedly—and thus inherently involves a high risk of unintended consequences. In short, subversion is constrained in speed, intensity, and control. The more actors try to maximize one or two of these variables under a given set of circumstances, the more they will tend to have to compromise on the remaining one(s). Consequently, in most circumstances subversive operations are too slow, too weak, and too volatile to produce significant strategic value in practice.

Evidence from cyber conflict in Ukraine since 2022 largely confirms these expectations. As my new book “Subversion” shows, there was a lot of activity—but little of it made a measurable contribution toward Russia’s goals or an impact on the course of the conflict. Time pressure, sometimes combined with efforts to maintain control over effects, limited the intensity of those effects. Four major cyber operations challenge the theory of subversion and its constraints, however, by seemingly producing relatively intense yet controlled effects with relatively little preparation time. On closer look it becomes clear that some of these operations exploited unique opportunities for insider attacks offered by territorial conquest—underlining not only the continued relevance of traditional subversive infiltration but also the added effectiveness of combining offline and online means of compromising systems.

Taking Stock: Cyber Conflict 2022-2024

Two years into the conflict, it is time to put these expectations to the test. In 2022, Nadiya Kostyuk and I predicted that if Russia invaded Ukraine, the limitations of cyber operations would render shock-and-awe scenarios exceedingly unlikely compared to the opportunistic use of low-level irritants, which are annoying for victims but strategically inconsequential. The main danger, we highlighted, would not be the effects of cyberattacks against intended targets but, rather, their collateral and uncontrolled damage against unintended targets. The trajectory of Russia’s prewar cyber operations indicated growing efforts to avoid the latter, however.

By and large, these predictions have held up, though a handful of cyber operations challenge them. Overall, cyber operations sponsored by (or suspected to be sponsored by) Russia that targeted Ukraine since 2022 fell into two strategic roles. First, they were deployed as an independent instrument pursuing, and continuing, a long-running general erosion strategy aimed at undermining Ukraine’s strength and societal cohesion from within. Second, some cyber operations also fulfilled an auxiliary role, complementing and facilitating the use of force.

Russia ran an against Ukraine involving covert warfare, cyber operations, and traditional subversion for . Many observers have argued that cyber operations significantly of this kind. In fact, the term “hybrid war” came to represent this supposedly new form of warfare, and Ukraine has been its paradigmatic case. Events on the ground have disproved these expectations in a horrific way. Russia’s “hybrid war” strategy failed to achieve its core goal of stopping Ukraine from maintaining a pro-Western foreign policy. Consequently, in February 2022, Russia escalated to the use of force.

Unsurprisingly, the cyber operations Russia has deployed since then showed the same limitations as those before the invasion. There are already several excellent analyses assessing Russia’s wartime cyber operations. They largely reach the same conclusion, namely that Russia’s cyber operations caused negligible damage and mostly fell short of strategic significance. The more interesting question is how hacking groups have adapted to the challenges of an active war. I argue that Russia’s wartime cyber operations faced the same types of constraints as its peacetime campaigns, but that the wartime environment further exacerbated them. Foremost, time pressure mostly precluded exquisite sabotage operations of the kind seen in the 2015 and 2016 power grid attacks, in favor of relatively simple low-intensity disruptions through reusable disk wipers. Suspected Russia-sponsored hacking groups have deployed a lot of the latter.

While the quantity of cyber operations has increased, their quality has not fundamentally changed. On the contrary, most wartime activity pursued lower intensity effects compared to pre-invasion operations. That is what one would expect given tighter timelines in an active conflict. Intriguingly, none of the various wipers deployed—by now over 20—spread out of control like NotPetya did in 2017. This is not an accident but reflects clear efforts to maintain control—which further reduces intensity, as expected. All in all, this evidence is closely in line with expectations. Meanwhile, several operations challenge the theory in seemingly striking ways. I examine them below.

AcidRain Knocks Out Satellite Communications

The first exceptional case is AcidRain. This advanced malware knocked out satellite communication provided by Viasat’s K-SAT service across Europe the very moment the invasion commenced. Among the customers of the K-SAT service: Ukraine’s military. The operation that deployed this malware stands out not only because it shows a direct linkage to military goals but also because it could have plausibly produced a clear tactical, potentially strategic, advantage for Russian troops at a decisive moment.

The operation also stands out due to its long lead time. While most of the wipers deployed at the same time took at most a few weeks of preparation, AcidRain most likely required over a year of intensive effort. As expected, this extra time enabled more intense effects. It not only disrupted but permanently disabled affected satellite modems—cutting off customers until they replaced the modems. Such a communication outage could be catastrophic for a defending army, especially when facing a far superior invading force. Initial reports accordingly spoke of a “massive loss of communications.” Yet later clarification from Ukraine’s security services indicated the outage did not affect military operations, as troops could fall back on alternative communications channels. Consequently, AcidRain produced little measurable tactical advantage for Russia—a conclusion in line with the course of events on the battlefield. Meanwhile, also as one would expect, AcidRain’s more intense effects came with greater risk of collateral damage. And indeed, its damage spread far beyond Ukraine and affected thousands of Viasat customers across Europe without any direct, or even plausible, linkage to the conflict. This collateral damage likely contributed to further resolve among Western nations, as AcidRain illustrated Russia’s aggression beyond Ukraine.

The Insider Angle: The UKRTelecom and Kyivstar Outages

The second exception is a cyber operation in March 2022 that caused a massive outage of UKRTelecom, a major internet provider in Ukraine. It took only a month to prepare yet caused significant damage. It cut off over 80 percent of UKRTelecom’s customers from the internet for close to 24 hours. Meanwhile, it did not cause any collateral damage. It was fast, intense, and controlled—seemingly avoiding the expected trade-offs.

However, there is a catch: This outcome was only possible due to a unique type of insider threat. Rather than exploiting flaws in the network, the hacking group involved (or its colleagues among Russia’s intelligence services) used legitimate access credentials from a UKRTelecom employee in occupied territory. It’s unclear how they obtained these credentials, but it is unlikely the employee handed them over voluntarily.

In any case, this insider angle was a unique opportunity provided by territorial conquest. Without the capture of the employee within occupied territory, such a severe outage would likely have been beyond reach. Previous disruptions of UKRTelecom via distributed denial-of-service and other remote means accordingly proved far less impactful. In effect, this was traditional subversion, using an insider in an organization to sabotage systems. The fact that it became the most damaging cyber operation in this phase of the conflict underscores the effectiveness of such traditional means of subversion—contrary to prevailing expectations around cyber operations as a game changer in covert operations.

On the contrary, traditional subversion achieved far more tangible and significant strategic gains in this conflict compared to cyber operations. I show in the book how subversion enabled some of Russia’s key successes, such as the takeover of Crimea in 2014 that stunned the world, as well as the nonviolent capture of the strategically important Chernobyl nuclear ruin in the early moments of the 2022 invasion.

Underlining the relevance of traditional means of infiltration, an insider threat of the type just mentioned probably also enabled another large-scale communications disruption: the outage of mobile provider Kyivstar in December 2023, affecting millions of customers. Destructive malware developed and planted by the infamous Sandworm group sabotaged Kyivstar’s infrastructure from within, knocking out cell service and “destroying the core of the network,” as Illia Vitiuk, the head of Ukraine’s intelligence service SBU, put it. He also explained that Sandworm was in a position to place this malware only because it gained access “through a company insider.”

2022 Power Grid Sabotage: A New Era?

Finally, the potentially most severe challenge to the theory of subversion is a power grid sabotage operation in September 2022. The operation stands out not only because it used a novel technique but also because it took very little preparation. According to Mandiant, it required only two months of preparation and used what are called “living off the land” techniques, namely forgoing malware and using only existing functionality. Due to these feats, Mandiant lead cybersleuth Dan Black has hailed this operation as the harbinger of a “new era” in cyber conflict. At face value, that is persuasive. This operation was fast, caused an intense effect, and exhibited exquisite control over the target network. Sandworm, it seemed, had thus evolved beyond the constraints it faced in previous operations.

There is rarely a free lunch, however—and the same is the case here. Proclaiming a new era in cyber conflict is premature for several reasons. First, the preparation time should not be considered in isolation. As Mandiant’s investigation showed, the attack unfolded by injecting commands directly into files used by MicroSCADA systems. It is worth noting that Sandworm’s 2016 power grid sabotage operation also used specific commands of ABB MicroSCADA systems that controlled the operation of breakers in the grid. The 2022 sabotage thus built directly on the knowledge gained in the 2015 and 2016 power grid sabotage operations. Without this knowledge, gained over a period of years, it is extremely unlikely Sandworm would have succeeded. Furthermore, its 2015 power grid sabotage used malware only to gain access. To disrupt the power, it used existing, legitimate functionality of the system itself. As Dragos’s report underlines, “Malware enabled the attack, and malware delayed restoration efforts, but it was the direct interaction of the adversary leveraging the [industrial control system] against itself that resulted in the electric power disruptions, not malware.” Causing a power outage without malware is thus not itself game-changing. Nonetheless, the two-month preparation period for this operation is a significant improvement compared to its predecessors.

Second, considering the above discussion, this operation may ultimately turn out to be less unique than the circumstances it occurred in. Mandiant’s report notes it was “unable to identify the initial access vector into the IT environment.” Given Sandworm’s modus operandi in the high-profile disruptions just discussed, it is not impossible this malware-free approach was enabled through an insider angle. To be sure, there is no hard evidence pointing either way at this point, but it is an angle worth considering—especially since Mandiant itself observed in a previous contract with Ukrainian gas giant Naftogaz how Russian operators were leveraging physical access to data centers in occupied territory to compromise corporate networks. Nonetheless, this remains a speculative point until more evidence comes out.

Finally, and most importantly, even if subsequent evidence proves both points to be moot, it is not clear the operation did in fact cause a power outage. Mandiant highlights that the operation “resulted in an unscheduled power outage.” It also notes the coordination of this operation with missile strikes against the energy grid. Given the massive outages affecting millions of people across much of eastern Ukraine resulting from these strikes, isolating the impact of the cyberattack is likely impossible. Victor Zhora—then head of the State Service of Special Communications and Information Protection (SSSCIP)—who was involved in the investigation, told me as much (via private message). In his words, it is “unclear to distinguish if the outage was caused by a cyber [attack] or series of kinetic attacks which resulted in disbalancing the entire power grid.” In other words, the power grid sabotage was a technical marvel using novel tools, but it is uncertain whether it actually caused a physical effect—and if it did, that effect was so small in comparison to the massive outage caused by missile strikes that it is below the measurement threshold.

In short, this operation shows technical innovation and advancement. As such, it illustrates the importance of learning: The more time hacking groups spend honing their skills, the faster and more effectively they will be able to compromise and manipulate targets. That development does not refute the theory of operational constraints laid out at the outset of this piece, however, which predicts trade-offs under a given set of circumstances—such as the hacking group’s skill level. It is not surprising that after years of targeting the energy sector, and specifically MicroSCADA devices, Sandworm became more adept at doing so. Nonetheless, at its current skill level, the group will still likely have to make trade-offs among speed, intensity, and control in mounting its operations.

Strategically, however, the 2022 power grid sabotage is no game changer. If the impact is so small that it is impossible to measure, it is probably not significant. This point, of course, highlights the question of realistic expectations and associated conceptions of success and failure. Early theorizing, and the recent cyberwar panic prior to the invasion, foresaw strategically decisive cyber strikes akin to strategic bombing. Yet there is little evidence supporting this expectation, and mounting evidence indicates the strategic limitations of cyber operations. Nonetheless, cyber operations can still be useful below that threshold. Even small contributions toward operational or strategic goals offer added value, as cyber operations are only one among many instruments of power states can wield.

Implications

The course of cyber conflict in, and against, Ukraine by and large demonstrates its expected limitations and underlying trade-offs. Meanwhile, the exceptional cases are not fatal to the theory. Rather, they illustrate the importance of facilitating conditions, namely physical access to infrastructure (via conquest), the availability of insider angles, and the potential for learning. Trade-offs remain, but actors can find ways to alleviate them by exploiting the way the physical and virtual worlds are intertwined. Insider angles offer one way to speed things up, for example. Why go through the time-consuming process of identifying technical vulnerabilities and developing exploits when you can also bribe or blackmail your way in? Cyber conflict is a constant struggle between intelligent agents who aim to subvert each other’s systems in creative and cunning ways. As participants evolve, so does the activity—but the fundamental trade-offs involved in the process of exploitation and manipulation remain. That means cyber operations are likely to retain their limitations as instruments of power even as actors strive to improve their tradecraft and skills.

Consider the case of learning. Hacking groups learn and improve. But so do defenders. There is a strong case to be made that the absence of more severe cyberattacks in Ukraine is primarily due to the skills acquired by its network defense teams after being subjected to regular cyberattacks for close to a decade. This may well be the most visible, and measurable, cumulative effect of Russia’s decade-long cyber campaign against the country.

Finally, the case of Ukraine illustrates not only the limitations of cyber operations but also the relative superiority of old-school means of subversion. In contrast to prevailing expectations around the unprecedented effectiveness of cyber operations as low-intensity means of power, as I show in the book, traditional subversion achieved far more strategically relevant outcomes for Russia—such as the 2014 takeover of Crimea, a massive sabotage operation destroying Ukraine’s artillery ammunition stockpile, or the capture of the Chernobyl nuclear ruin in the early hours of the invasion. Cyber operations offer a new way to implement strategies of subversion, but they do not upend its role in world politics.

Editor's note: Based on further input from the infosec community since publication, the author has revised the discussion of the potential insider angle in the 2022 power grid sabotage to underline the speculative nature of the point given the current lack of evidence.


Lennart Maschmeyer is a Senior Researcher at the Center for Security Studies at ETH Zurich. He holds a PhD in Political Science from the University of Toronto and an M.Phil in International Relations from the University of Oxford. His current research focuses on the nature of cyber power and the relationship between operational constraints and strategic dynamics in cyber conflict. Lennart is also working on a second project compiling a dataset of threat intelligence reporting to identify potential sources of bias in the data and how these impact prevailing threat perceptions. He is a Fellow at The Citizen Lab.
