Analysis of a hybrid cyberwar between Russia and Ukraine | Stormshield

The Russian invasion of Ukraine marked a first in the history of conflict: the widespread use of cyberattacks. This development has transformed the landscape of traditional war and raised many questions. We take a closer look at a hybrid cyber-warfare that combines traditional battlefields with a new digital dimension.


The prelude to war in Ukraine: what role do cyber-tools play in an armed conflict?

Put another way, the question becomes: when did cyberspace start to become a military sphere? As is often the case, history gives us the resources we need to better understand the context and, in this case, the unprecedented nature of this cyber-warfare. To learn about the earliest years of experimentation in cyberspace, we need to go back to the 1980s and 1990s. What characterises those years is essentially the disconnect between the real-world impact of these operations and the mythology that surrounded them. “At that time, some analysts were claiming it was possible to bring entire populations to their knees by cyber means alone,” says Pierre-Olivier Kaplan, R&D Engineer in the Stormshield Cyber Threat Intelligence team. This apocalyptic vision was far removed from the limited scale of the cyberattacks of the time; the same alarmist mindset was also evident in the narrative surrounding the famous “Y2K bug”. “However, the cyber-Pearl Harbor event never happened,” Kaplan points out. The situation then evolved, leading up to large-scale cyberattacks. Targeting critical and sensitive infrastructures, their impact was felt at national level in some countries: the attacks against Estonia in 2007, India in 2009, Iran in 2010 with Stuxnet, Ukraine (already) in 2015 and 2016 with the BlackEnergy and CrashOverride (Industroyer) malware, Saudi Arabia in 2017 with Triton, and South Korea in 2018 with Olympic Destroyer. Despite circumstantial evidence pointing to certain state forces, responsibility for these attacks has never been officially claimed. But (with the exception of Olympic Destroyer) they do have one thing in common, as Stormshield Cybersecurity and Product Management Director Sébastien Viou explains: “We know the preferred target of these cyberattacks: energy. The aim is to cut off a country’s resources and fatigue its population. Here, cyber-weapons are not seeking to kill, but to make life precarious or even unsustainable.” So is it accurate to consider a cyberattack as an act of war? “In reality, yes, but from a purely semantic point of view, no,” says Pierre-Olivier Kaplan. “For, once again, it is extremely difficult to pinpoint the origin of cyberattacks with certainty, especially since no state has openly claimed responsibility for these acts.”

A game of deception? A duty of secrecy? An international balancing act? For Pierre-Olivier Kaplan, the lack of any such claims is explained by the nebulous nature of this type of attack, which, although not officially forming part of conventional military doctrine, still bears the hallmark of methods associated with certain States. According to him, the use of cyberattacks in support of military operations actually dates back to the 2008 Russian-Georgian conflict. “The example of Georgia in 2008 is, in this respect, a key case in point. The tactic of swamping government sites with widespread distributed denial-of-service (DDoS) attacks is a standard Russian modus operandi. But Russian officials have never formally claimed responsibility for the intrusion, which crippled some of the country's sensitive sites, because to do so would have brought the practices of some independent hacktivist groups officially into the spotlight. These are, in fact, satellites of the Russian services, without actually forming part of official military institutions. They are therefore operating in a geopolitical grey area that has yet to be clarified.”

During her speech at FIC 2021 in France, the then Minister of Defence, Florence Parly, referred to a “Cold War in cyberspace” and the highly specific issues associated with it: “Unlike the historic Cold War, which had its own de-escalation mechanisms to avoid a nuclear apocalypse scenario, a new cyber-Cold War, involving states or non-state actors, would certainly not be governed by the same restraint. There is no ‘red phone’ in the cyber world. Worse still, some actors remain reluctant to establish rules of the game for confrontations in cyberspace. We could therefore be faced with rapid and uncontrolled escalation, leading to unprecedented crises and unanticipated cascade effects.”


A hybrid cyber and physical war

Digital conflict, computer warfare, manoeuvre warfare or cyber-warfare: how should the war in Ukraine be described? The descriptions change depending on who you are talking to. Officially, the war was described as cyber-warfare by Major General Aymeric Bonnemaison, Commander of French Cyber Defence, at a December 2022 hearing of the Commission on National Defence and the Armed Forces: “There has undoubtedly been a cyber-war in Ukraine.”

Whatever terminology you choose, the Russian-Ukrainian conflict marks a first in the use of cyber-weapons: unlike the Russian-Georgian conflict, it has seen diversified cyberattack tactics deployed in support of the war effort, or even to help finance it. “We have seen an exponential growth in ransomware cyberattacks in recent years,” Viou points out. “It is well known that Russian groups are behind a large part of them, and that there are connections between them and the Russian state; the only possible conclusion is that this was a financial preparation for war, yet it is one that can unfortunately never be verified.” “In this conflict, I have identified four different types of repeated cyber-operations: destruction, disruption, intelligence and influence,” Kaplan says. The first consists of destroying infrastructure, ranging from simple computer servers to entire electrical systems. Disruption means waves of DDoS attacks with the aim of neutralising certain infrastructures for a given amount of time. Intelligence, more traditionally, relies on the collection of sensitive information. Lastly, influence involves the manipulation of opinion via social networks, using networks of bots and trolls. Taken together, these four approaches provide a toolkit for destabilising a state in today’s cyber world. The Russian-Ukrainian war marks a turning point in this race to acquire cyber-arsenals.

“The Kremlin strategists imagined that the war would be brief and last only three weeks,” Kaplan adds. So much so that at the start of the conflict, most recorded cyberattacks came mainly from “cyber-partisan groups with little interaction with the physical staff on the Russian side.” At that time, there was only limited correlation between physical manoeuvre warfare and cyberspace warfare. It was only from the end of 2022, with the manifest stalemate on the Russian side, that the volume of cyberattacks increased significantly. Radio jamming operations, for example to disrupt the use of military drones, proliferated. Coordination between the physical front and the cyber front then became a strategy that paid off. “This complete hybridisation between a trench war, which harks back to the dark days of the World War of 1914-18, and a technological war based on cyberattacks and computer espionage, has been one of the key characteristics of this conflict,” Viou adds.

At the same time, starting from April 2022, another front opened up: the information war. After mass graves were discovered in the town of Bucha, which had been occupied by Russian forces, the civilian massacres were widely publicised in the international press. Cornered by media pressure, the Russian side was forced to come up with a counter-narrative focusing on alleged abuses by the Ukrainian army. Such propaganda counter-offensives are essential at a time when the sensitivity of international public opinion can lead a government to change its military strategy. Ultimately, these three forms of war, military, cyber and informational, constantly overlap.


Participating cyber-forces in Ukraine

The war in Ukraine has provided an opportunity for hacktivist groups to step up their efforts across the board, from those working on behalf of the Russian state to those supporting Ukraine's defence. With cyberspace serving as a new battleground, several hacktivist groups have explicitly taken sides according to their political affiliations.

And in this particular conflict, what are the main forces involved? As for pro-Russian belligerents, “from targeted cyber-destruction to all-out cyber-harassment, the methods used by hacktivists take the form of massive denial-of-service (DDoS) attacks,” notes a Thales report from February 2023. Such methods “contribute to the Russian processes of information warfare with the aim of wearing down both private and public organisations”. Similarly, Sekoia.io reports on explicit collaboration between certain hacktivist groups and the Kremlin's intelligence services. Such direct affiliations now characterise the war in Ukraine. The hacktivist groups “have chosen their side”, write the ENISA experts, listing nearly 70 groups that have taken up arms, such as the pro-Russian Cyber Army of Russia, with some of these groups demonstrating a remarkable level of operational sophistication. French site Numerama points to the pro-Russian ransomware group Conti, which was quickly exposed and counterattacked by the Ukrainians. Also present are the powerful Killnet and NoName, which are deemed to be remotely operated by the Russian state. These powerful, well-identified groups coexist alongside small, isolated groups that, out of patriotism, take sides and launch attacks on their own initiative. “They are indeed the privateer operators of cyberspace,” says Kaplan, “in that they act independently.” The Kremlin’s military can also count on the support of state agencies, “such as the SVR, the foreign intelligence service, and its cyber arm, which carry out so-called disruptive and support operations,” Kaplan points out. “The FSB internal intelligence service operates in the military intelligence sector, whereas the Russian army’s GRU internal intelligence service is responsible for carrying out malware-type offensive operations to destroy enemy defence systems.” The cooperation between these three services illustrates the cyber-warfare conducted directly by the Russian state.

From the beginning of the invasion, the Ukrainian side organised its response by setting up the IT Army of Ukraine, a group of volunteers formed under state supervision to launch cyberattacks against Russian targets. Specialising in large-scale denial-of-service (DDoS) attacks, this group also conducts intelligence operations to disclose information that may weaken Russian attackers. This state-backed group enjoys the support of the Anonymous collective, which declared itself “officially at war against the Russian government” in a tweet on 24 February 2022. EY estimates that 2,500 Russian sites have been attacked by this international group of activists since the start of the offensive. “In Poland, Squad 303 also lent its explicit support to the Ukrainian camp. Similarly, in Belarus, a cyber-partisan group opposed to the pro-Kremlin government is defending Ukrainian interests in cyber-warfare operations,” Kaplan adds. For historical reasons, the United States also got involved at an early stage by providing Ukrainians with tools, such as access to Microsoft services, to bolster the cybersecurity of Ukraine’s critical infrastructure. According to the expert, this assistance enabled the country to “avoid the worst”. In particular, US aid helped to withstand the Russian attack using the malware known as “HermeticWiper”, which hit computer servers in government bodies and companies in the early hours of the Russian invasion, as well as the separate attack that knocked out modems on the KA-SAT telecommunications satellite network at the same moment. It was thanks to another American company, SpaceX, and its Starlink service that satellite connectivity in Ukraine was maintained during these few weeks of destabilisation.

The contribution made by auxiliary partisan groups was therefore decisive in supporting the cyber-efforts of the two parties involved. “However, it’s important not to over-state the reliability of all these auxiliary groups,” stresses Pierre-Olivier Kaplan. For example, on the pro-Russian side, the mutiny led by late Wagner Group leader Yevgeny Prigozhin showed how these satellite entities have the capacity to rebel.


Post-war Ukraine: will it impact future cyber-wars?

Now, more than ever, the notion of resilience is central to these two years of Russian offensives in Ukraine. So far, the Ukrainian army has held firm, although the latest information from Norwegian military intelligence suggests that the conflict is escalating. But the most striking impact is the integration of cyber-operations and cyberattacks into military doctrines, as illustrated by the US cyberattack on an Iranian warship suspected of spying in early 2024.

The use of cyber-weapons in this conflict highlights the opaque legal boundaries of cyber-warfare, because the threat can cause considerable damage to civilian populations, especially in the case of targeted cyberattacks against critical infrastructure. On the other hand, civilian cyberattackers forfeit their protection as civilians, yet do not have military status, and the question of how to categorise their actions remains unclear. Terrorism? War crimes? Crimes against humanity? Although it does not answer this last question, in early October 2023 the International Committee of the Red Cross (ICRC) issued a list of rules aimed at better managing cyber-conflicts. The watchword: limit the impact on civilian populations. In total, there are eight rules or recommendations for cyberattackers: do not conduct cyberattacks on civilian objects; do not use malware or other tools or techniques that spread automatically and damage military objectives and civilian objects indiscriminately; when planning a cyberattack on a military objective, do everything you can to avoid or minimise the effects your operation could have on civilians; do not conduct cyberattacks on medical and humanitarian facilities; do not conduct cyberattacks on objects that are essential to the survival of the population or that can release dangerous forces; do not make threats of violence to spread terror among the civilian population; do not encourage violations of international humanitarian law; and follow these rules even if the enemy does not. These precautionary rules apply today to the many armed conflicts rumbling on around the planet, most of which have repercussions in cyberspace, as is also the case with the Israeli-Palestinian conflict.


It is therefore appropriate to speak of a time before the Russian-Ukrainian conflict, and after it. The official use of cyber-tools as a weapon of war has opened the door to a strengthening and hardening of state cybersecurity arsenals – and also raises the question of possible enhanced international cooperation in the fight against cybercrime in times of war. New war, new tools: after the diplomatic adviser, will we next see the diplomatic cyber-adviser?

About the author
Victor Poitevin Editorial & Digital Manager, Stormshield

Victor is Stormshield’s Editorial & Digital Manager. Attached to the Marketing Department, his role is to improve the Group’s online visibility. This involves Stormshield’s entire ecosystem, including websites, social networks and blogs. He will make use of his diverse experience, gained in several major French and international groups and communications agencies, to fulfill the Group’s high digital aspirations.