Putting into context last week’s malicious cyber activities against Ukrainian government websites and systems

As reported in the New York Times on January 14, “[h]ackers brought down dozens of Ukrainian government websites,” posting a message on dark screens which said: “Be afraid and expect the worst.” To increase its intimidating effect, the message mocked its target audience more specifically: “Ukrainians! All your personal data (…) has been deleted and cannot be restored.” The Ukrainian Communications Intelligence Service indicated that “up to 70 websites of central and regional authorities were targeted”. The threatening message was published in several languages – Ukrainian, Russian and Polish – which, according to the Times article, is an attempt to “hide” the origin and motive of the authors. In the context of the evolving crisis, US government officials and other experts have anticipated that Russia would engage in offensive cyber operations against Ukraine, but it can be difficult to discern the source and entity responsible for these actions. Nevertheless, as reported by the Times, a Ukrainian government agency, the Center for Strategic Communications and Information Security, released a statement directly blaming Russia for the hack:

“We haven’t seen such a large attack on government organizations in some time,” he said. “We suggest that the current attack is linked to the recent failure of Russian negotiations on Ukraine’s future in NATO”, … referring to Moscow’s talks with the West.

Interpreting the meaning and significance of cyber activities is often a complex undertaking. These and other cyber activities stemming from the international conflict between Russia and Ukraine, disturbing as they are, cannot be interpreted with certainty, at least for now. They reflect the complexity of how cyber operations, which are an integral part of modern international conflicts, can operate in diverse ways across and even within specific conflicts, providing states with opportunities to both prepare the battlespace for more conventional forms of military engagement and to create room for diplomacy and the de-escalation of emerging crises.

All of these activities are still being assessed. Cybersecurity and national security journalist Kim Zetter tweeted on January 14 that “[t]here is currently no indication that the attacks went beyond degradation [of government websites] and DDoS [distributed denial of service], but it is too early to tell.” Oleg Nikolenko, spokesperson for the Ukrainian Foreign Ministry, also indicated on January 14 that, while a number of government agency websites were “temporarily unavailable”, Ukrainian government specialists “have already begun to restore the work of computer systems”.

On January 15, Microsoft published information about another type of activity, in particular the appearance of malware on the systems of government agencies providing “critical executive or emergency response functions” in Ukraine, as well as those of an IT company that manages the recently degraded websites of Ukrainian government agencies:

Today we share that we have observed destructive malware in systems belonging to several Ukrainian government agencies and organizations that work closely with the Ukrainian government. The malware is disguised as ransomware but, if activated by the attacker, would render the infected computer system inoperable. We share this information to help others in the cybersecurity community monitor and defend against these attacks.

At this time, we have not identified any notable overlap between the unique characteristics of the group behind these attacks and the groups we traditionally track, but we continue to analyze the activity.

Regarding this malware, known as “WhisperGate”, Zetter later reported that “[d]ozens of systems from two government agencies in Ukraine were erased with a destructive tool that Ukraine now says was part of a coordinated attack last week on systems in Ukraine.” The level of coordination between the hackers conducting the two operations is unclear, although Ukrainian officials said the evidence linking them “is both technical and intelligence[-based] in nature.”

Again, while the scale and damage caused by these activities are still being assessed, an inherent challenge in communicating the meaning and importance of such activities stems from the very term often used to describe them: “cyberattacks”. The Department of Defense (DoD) defines a cyberattack or “cyberspace attack” as “actions taken in cyberspace that create noticeable denial effects (i.e. degradation, disruption, or destruction) in cyberspace or manipulation that leads to denial which appears in a physical realm and is considered a form of fire,” where “fires” refers to “[t]he use of weapon systems or other actions to create specific lethal or non-lethal effects on a target.” Therefore, both a DDoS attack that disrupts the operation of a government website but does not cause damage, and the use of malware to shut down an electrical network, which causes significant damage, can be considered a cyberattack. The use of the term “cyber operations” or “cyberspace operations”, defined by the DoD as “the employment of cyberspace capabilities the primary purpose of which is to achieve objectives in or through cyberspace”, avoids some of the confusion that the term “cyberattack” can create as it relates to the description of the damage caused and the resulting significance of malicious cyber activities.

Just because nothing has exploded or melted in the wake of recent actions against Ukraine does not mean their importance should be ignored in the context of the current conflict. These activities occur at a time when there is mounting evidence that Russia intends to invade Ukraine, and when the United States is actively trying to defuse the situation, so far without much effect, through diplomatic efforts and threats of new sanctions against Russia.

In December 2021, the New York Times reported that Russia was “escalating” its cyber intrusions into Ukrainian infrastructure, prompting the US and UK to send “cyber warfare experts” to help Ukraine. Dmitri Alperovitch characterized this Russian activity as “cyberpreparation” of the battlespace. The targets, which Alperovitch identified as “government agencies, including home affairs”, as well as “national police” and “power utilities”, were “precisely those one would expect to be targeted for information gathering and preparation of the battlefield before an invasion”. There are other reasons for interpreting all these activities as foreshadowing an invasion: the annexation of Crimea by Russia in 2014, for example, also involved the execution of various cyber operations by pro-Russian non-state actors and Russian soldiers without insignia. These operations included defacing websites, disrupting websites with DDoS attacks, and other activities that facilitated Russian control of Crimea’s telecommunications infrastructure.

Naturally, a number of Russian experts believe that Russia’s invasion of Ukraine is only a matter of time now, and that there is little the United States can do to stop it. While it is unclear whether there will be a physical invasion of Ukraine by Russian troops, regardless of the outcome, this ongoing crisis illustrates how integral cyber operations are to modern international conflicts insofar as they facilitate various military and diplomatic options available to states.

However, interpreting a government’s intentions for cyber operations in the context of a given conflict that has not escalated into an armed conflict is rarely a simple matter. Even assuming that Russia executed, directed or enabled these most recent cyber operations – and despite compelling logical assessments regarding the plausible implications of other recent actions the country has taken, such as positioning troops along the Ukrainian border, signaling an intention to abandon participation in diplomatic efforts, and preparing to engage in a false flag operation to generate a pretext for invasion – any understanding of Russian intent and purpose remains inconclusive.

Some reports suggest Ukrainian officials now believe a group of hackers linked to Belarusian intelligence carried out at least some of the recent operations, “using malware similar to that used by a group linked to Russian intelligence”. If correct, these events could signal an important alliance between Belarus and Russia in view of an invasion, insofar as Belarus could provide Russia with certain advantages. As Alperovitch noted: “A flanking mechanized maneuver from Belorussia would be highly desirable for the Russians during an invasion. … [I]t would be very useful to spread Ukrainian resources on a huge line of engagement and encircle them from all sides.” Therefore, if Russia invades Ukraine, some aspects of the cyber operations that have taken place over the past few months could be interpreted as battlespace preparation. Depending on the nature of Belarusian involvement, recent cyber operations could also signal that Russia has an opportunity to leverage Belarusian assistance during an invasion.

If, however, the nascent crisis is somehow averted, at least for a while, the totality of these cyber operations could be viewed in a more complicated and nuanced way. As Erica Lonergan and Shawn Lonergan have argued:

Rather than using cyber operations as a means of coercion or to shape battlefield dynamics, governments could turn to cyber operations to defuse crises. The non-violent effects of cyber operations and the relative limits of imposed costs make it an ideal way to resolve a crisis without giving the impression of having backed down. All parties may perceive cyber operations as less aggravating, relative to other military options that may be on the table during a crisis.

With hindsight, depending on the end result, all of Russia’s cyber operations against Ukraine could be seen as battlespace preparation, coupled with an opportunity to enable crisis de-escalation. However, the Lonergans’ analysis ultimately concludes that “uncertainty about [state] intentions in cyberspace is an endemic challenge” and one that is not going away anytime soon. Nonetheless, the conflict between Russia and Ukraine is an illustration of how cyber operations will continue, for better or worse, to shape and complicate the future of international conflict.
