Cyberattacks in hybrid warfare: the case of Russia/Ukraine War
The recent invasion of Ukraine and the different tactics used by Russia have shed light on a new generation of warfare where the new battlespace is in the mind and in the virtual space. Indeed, beyond the physical component, Russia’s approach is dominated by information and psychological warfare, where the main objective is to reduce the necessity for deploying hard military power to the minimum necessary.
In this article, we will first explore the concept of hybrid warfare and how Russia is making the definition evolve through a targeted use of cyberattacks. It is complemented by the arrival of new non-State, private actors on the battle scene, raising the questions of legitimacy and entitlement. Finally, we will suggest some considerations on the impact of the Russia-Ukraine war on Western companies and organisations.
Since the 2000s, cyber-threats and cyber-attacks have become part of defence considerations. NIST defines a cyber-attack as the “… use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of data…”. Used to isolate the enemy by deactivating its communication and radar systems, to undermine it by destroying its critical infrastructures, and/or as a diversion tactic, cyber has become an additional tool in hybrid warfare.
The concept of hybrid warfare itself has many definitions, and its meaning is continuously evolving. Such is the changing character of contemporary warfare. The NATO Wales Summit Declaration of 2014 referred to hybrid warfare as “…threats, where a wide range of overt and covert military, paramilitary, and civilian measures are employed in a highly integrated design.” This definition implies a shift from traditional warfare, consisting only of military operations, towards a type of warfare that uses both military and civilian measures against the adversary, with increased sophistication and destructive power. Other definitions describe hybrid warfare as different modes of warfare conducted by a variety of State, State-sponsored and non-State actors, which gives it an asymmetrical nature. Non-State actors are usually described as armed groups, organisations, private actors, or individuals that have control over a territory or a population.
2014-2022: a timeline of cyber-attacks against Ukraine
Cyberattacks are an integral part of Russian warfare. Already used by Russia during the Georgia-Russia conflict in 2008, and used extensively in the 2014 annexation of Crimea and through the continuous support to rebel militant groups in Eastern Ukraine over the years, they show the Russian government applying its own definition of hybrid warfare through a variety of methods and techniques. On top of the traditional combination of conventional and irregular combat operations, we can witness economic coercion, sponsorship of political protests, and cyber operations that include an intense disinformation campaign. The latter could be considered the most distinguishing feature, with the use of weaponised information to divide and destabilise Western States.
Between May 2014 and March 2022 inclusive, Ukraine (taking the public, private and industrial sectors together) has suffered a total of 43 known cyberattacks, of which 56% can be directly attributed to Russia as the threat actor. It is interesting to note, however, that 36% of these attacks remain unattributed. The targeted sectors are the financial and energy sectors (to create panic and insecurity through service disruption), the telecommunications sector (mostly disinformation and public website defacement), the public and governmental sector (to propagate disinformation from official sources or simply shut down their services), and finally citizens themselves, through phishing and the hacking of their email and social media accounts.
A quick analysis of the types of cyberattacks targeting Ukraine highlights mostly DDoS (either interrupting the activity or shutting down the targeted services), botnet farms, data wiper software (sometimes disguised as fake ransomware), phishing, social media account hacking, disinformation, and public website defacement.
Whereas between May 2014 and December 2021 Ukraine suffered between zero and three cyberattacks a year on average, since January 2022 we have witnessed an exponential increase, with 35 cyberattacks targeting Ukraine between 1 January and 31 March 2022. These attacks included malware wiper attacks, the defacement of over 70 Ukrainian government websites, multiple DDoS attacks on public and private sector websites, an SMS disinformation campaign, as well as continuous cyberattacks on Ukrainian media websites.
In particular, the “WhisperGate” wiper attack is a fake ransomware attack with no ransom recovery mechanism. Other wiper attacks included NotPetya (2017), HermeticWiper/FoxBlade, IsaacWiper, CaddyWiper, and DoubleZero, and it is interesting to note that none of these malware families share any code with one another. Their sole purpose, however, remains the destruction or corruption of the data on the targeted devices and networks. The SMS disinformation campaign notified clients of state-owned banks of ATM malfunctions, a false claim aimed at creating panic among the population. Finally, DDoS attacks of course aim at stopping – temporarily or permanently – the activity and availability of a service, and the consequences for the targeted critical infrastructures are more often than not financial, economic and reputational.
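The point that a wiper can pose as ransomware with no recovery path is worth turning into a concrete incident-response check. The following Python script is an added example and not part of the original article or of any of the wiper families named above; it implements a generic entropy triage heuristic: a genuine encryptor leaves near-uniform bytes (ciphertext that a key could in principle restore), whereas a wiper that fills files with a constant or a short repeating pattern leaves nothing for any key to recover. The file names, the ".locked" extension and the sample contents are constructed stand-ins for files collected from an affected host, not real artefacts.

```python
"""Entropy triage for files that a ransom note claims were 'encrypted'.

Incident-response sanity check: before any decision about negotiation or
recovery, compare a few of the affected files against the note's claim.
- near-uniform bytes (entropy close to 8 bits/byte): consistent with real
  encryption (or random overwrite; high entropy alone does not prove a key exists)
- constant or short repeating fill (entropy close to 0): the data is gone,
  and no payment can bring it back
"""
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.5  # bits per byte; ciphertext, compressed or random data sit here
LOW_ENTROPY = 1.0   # bits per byte; constant fills and very short patterns sit here


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Label one file sample; anything between the two thresholds needs manual analysis."""
    entropy = shannon_entropy(data)
    if entropy >= HIGH_ENTROPY:
        return "encrypted-or-random"
    if entropy <= LOW_ENTROPY:
        return "wiped-pattern"
    return "inconclusive"


def constructed_samples() -> dict:
    """Constructed stand-ins for files collected from an affected host (not real artefacts)."""
    rng = random.Random(2022)  # fixed seed so the demonstration is repeatable
    return {
        # behaves like ciphertext: every byte value roughly equally likely
        "invoice.docx.locked": bytes(rng.getrandbits(8) for _ in range(4096)),
        # constant fill of 0xCC: nothing left to decrypt
        "report.xlsx.locked": b"\xcc" * 4096,
        # zero fill: likewise destroyed
        "notes.txt.locked": b"\x00" * 4096,
        # untouched plaintext for comparison; ordinary text sits between the thresholds
        "readme.txt": b"Quarterly figures attached. Please review.\n" * 100,
    }


def triage(samples: dict) -> dict:
    """Map each sample name to its classification."""
    return {name: classify(data) for name, data in samples.items()}


def wiper_indicator(samples: dict) -> bool:
    """True when any file the note claims to have encrypted is actually pattern-filled."""
    return any(
        classify(data) == "wiped-pattern"
        for name, data in samples.items()
        if name.endswith(".locked")
    )


if __name__ == "__main__":
    samples = constructed_samples()
    for name, label in triage(samples).items():
        print(f"{name:24s} entropy={shannon_entropy(samples[name]):.2f}  {label}")
    if wiper_indicator(samples):
        print("At least one 'encrypted' file is pattern-filled: treat this as a wiper, not ransomware.")
```

Low entropy under a ransom note is strong evidence of a wiper; the converse is weaker, because a wiper that overwrites with random bytes produces high entropy too, so a high-entropy result only means the file is not obviously pattern-wiped and further analysis of the sample is still required.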
Their countrywide scope, their sometimes irreversible impact, and their increased frequency suggest a common objective behind all these cyberattacks: a purposeful intention to weaken and undermine Ukraine from the inside at a critical moment of crisis.
Cyber battlefront: new actors and implications
However, Ukraine is not alone, and help has come from unexpected places, bringing a new shift to the previously mentioned definitions of hybrid warfare and non-State actors.
The first case that comes to mind is American tech billionaire Elon Musk, who took action following Ukrainian Prime Minister Mykhailo Fedorov’s appeal for help. Indeed, since the beginning of the war, Ukraine has been suffering from Internet cuts on its territory, seemingly in a bid to further isolate the population from the rest of the world. In response, Elon Musk, a private individual with no territorial or insurgent aspirations, as opposed to the most common understanding of a non-State actor, ordered the deployment of satellites through his company Starlink to provide Internet service in the country.
This shift is further confirmed by a second unexpected player. A day after the Russian invasion of Ukraine, on 25 February, the Anonymous collective of hackers declared cyber war against Russia in a tweet, in support of Ukraine. Anonymous announced its good intentions, targeting the darkest corners of the Internet. However, despite this endeavour calling for people “to stand up against anything”, they remain a vigilante group with no authority to report to and with relatively limited resources – compared to a potential state-sponsored cyber actor, for example.
Since becoming involved, Anonymous has received widespread public support and taken credit for various cyberattacks carried out against Russia, such as hacking Russian state TV channels, DDoS attacks on Russian government websites, cyberattacks against the FSB (the Russian intelligence service), and leaking alleged correspondence between Russian President V. Putin and Russian Minister of Defence S. Shoigu on plans to cut down and sell Ukrainian forests, among others.
In retrospect, as is the case for many unregulated individuals or groups with no authority to report to, Anonymous is playing judge, jury and executioner. They decide which targets are justified and need to be attacked. This raises two questions: on what grounds do they declare some targets guiltier than others? And what is Anonymous’ legitimacy in taking action? Furthermore, Anonymous has not confined its cyber war against Russia to purely Russian public targets, as demonstrated by their tweets from March 2022 calling “on companies that continue to operate in Russia: Immediately stop your activity in Russia […] Your time is running out. We do not forgive. We do not forget.” Attached to that tweet was a picture with dozens of corporate logos. One concrete example was Anonymous hacking Nestlé and leaking 10GB of sensitive data containing information on more than 50,000 business customers. This action certainly affected Nestlé’s reputation, but it would be interesting to know the follow-up consequences for the business customers whose data was leaked publicly. Several questions come to mind: Were these 50,000 business customers operating outside of the existing laws? Did their country of operations change its laws and these customers fail to comply? If they were proved non-compliant, did they fail to correct their course of action? What type of business relationship did they have with Nestlé? Were these business customers public companies, private companies and/or private individuals? These are all questions that, in a legitimate system of separation of powers, are tackled by three different branches: executive, legislative and judiciary.
Nevertheless, Anonymous is only the tip of the iceberg, since in their wake different hacker crews and groups came forward and publicly started picking sides. As the Russian invasion of Ukraine continues, a parallel battlefront is developing in the cyber world, with the different hacker groups issuing bans and threats against supporters of the opposite side. CoomingProject, Conti Ransomware, BlackHawk, ATW and the IT volunteer army for Ukraine are some of the hacker group names mobilising in the cyber world.
What is at stake for Western businesses?
So far, it is clear that the Russia-Ukraine conflict has been a complex, multi-layered battlefront, with the cyber aspects having their own complexity. One final question comes to mind: what is the impact on Western businesses and what are the implications in Europe? It is a fact that Russia is currently isolated from the world. It is therefore highly likely that Russia will use any tool to retaliate against Western countries. In truth, Russian cybercriminals have targeted Western companies with impunity in the past, and cybersecurity experts are already witnessing an increase in malicious cyber activity. On the other hand, many Western companies lack awareness and/or preparedness against potential cyber-attacks, either because of a lack of (invested) means (i.e., budget cuts or budget prioritisation) or because of a false sense of security, thinking that no one would attack them because they are small and inconsequential.
Moreover, Russia seeking revenue by attacking Western companies, using ransomware to support its economy, is becoming an increasingly realistic scenario. Companies, critical infrastructure and government organisations need to be on the lookout, as the collateral damage would otherwise be devastating. Feeling the full force of Russian cyber operations would be brutal, with the potential of ultimately crippling the majority of these companies and organisations, in particular those with a false sense of security. Furthermore, as seen with the data wiper malware disguised as fake ransomware targeting Ukraine, paying the ransom might no longer be a viable option in the event of ransomware.
HeadMind Partners’ commitment to Cyber Risk & Security
In conclusion, a strong understanding of their own vulnerabilities and upstream preparedness are key for all companies and organisations. To that end, HeadMind Partners (HMP) offers a wide range of cyber services, with a strong team accompanying its clients on their journey towards cybersecurity. Through the three pillars of its cyber risk and security practice, HMP offers a holistic cybersecurity approach covering upstream preparedness (e.g., penetration testing, risk management, etc.), incident management, and downstream recovery, to strengthen its clients’ protections.
Cyber may be used as a weapon in this evolved concept of hybrid war, but it remains a polyvalent tool used at different levels by many actors. Its offensive and defensive properties are opening a whole new world of possibilities and opportunities for the world of today and tomorrow.