Observations and Lessons from Cyber War in Ukraine

By Derek Bernsen

October 2, 2023

Introduction

Extrapolating lessons learned is difficult in the middle of a war: this is especially apparent as we pass the one-year mark of Russia’s invasion of Ukraine. What lessons can the US Department of Defense learn from cyber conflict in the Russia-Ukraine war, at both a tactical and strategic level? While many pieces have covered grand strategy or specific threat intelligence, this important question has so far gone unanswered.

While there are more lessons than can be covered here, and more will come as the conflict in Ukraine continues, we can still extract four lessons that the US should incorporate into its planning for future conflict. First, cyber operations will continue to grow in importance and operational impact in warfare. Second, like special operations, cyber has a large skill and resource barrier and therefore must be built up and resourced far in advance of conflict. Third, the private sector, as well as non-state actors and vigilantes, will play a more direct role in wartime activities than in the past. And fourth, we must assist our allies in developing their capacity for cyber operations. Some of these lessons have been discussed in the past, but the conflict in Ukraine has brought a new urgency to implementing solutions.

Observations

Ukraine

Ukraine has had some unexpected successes in cyberspace during the war so far, between its vigilante hackers and its cyber defenses. The Ukrainian IT Army formed shortly after Russians crossed the border and began large-scale offensive cyber operations against Ukrainian infrastructure. This group, a loose but global coalition of individual hackers, was created by the Ukrainian Ministry of Digital Transformation, which called on the world’s hackers to join. While cyber criminals have also taken up the IT Army’s mantle, they have used their destructive malware for national defense rather than profit, conducting website defacements, distributed denial-of-service (DDoS) attacks, and other attacks meant to annoy and shame Russia. While vigilantes have occasionally played a role in national campaigns before, this conflict is a significant expansion of vigilante involvement. Since much of Ukraine’s offensive cyber force and the vigilante IT Army were organized after the start of the invasion, they are significantly less prepared and equipped to conduct meaningful offensive operations. While it is difficult to thoroughly assess Ukrainian skill at offensive operations due to the secrecy around such activity, we can infer two points. First, Ukraine lacked a sufficient offensive capability at the beginning of the conflict, having no acknowledged dedicated cyber operations unit. If such a unit did exist, it was clearly insufficient to meet Ukrainian goals, resulting in the call to form the IT Army. Second, observed Ukrainian offensive cyber operations lack the level of sophistication and impact of their Russian counterparts. Though devoted, the lack of sophistication in Ukrainian capabilities and the lower skill level of their operators likely preclude them from making strategic offensive cyber impacts. This raises the question: how much better could this vigilante army have been with prior preparation?

It’s not clear whether or not the IT Army is a net positive on the battlefield, but vigilante involvement in future conflict will be inevitable. Regardless, Ukraine is trying to leverage them to its advantage, whether through doxing Russian personnel, conducting defensive operations, or presumably offensive operations.

Ukrainian service member monitors a network for intrusions.
Image: Staff Sgt. Ryan Whitney, https://www.dvidshub.net/image/459862/

Interestingly, other nations have not openly cracked down on these vigilantes, even though such activities are illegal in most countries. This could certainly be because of global indifference to hackers, but it could also be a sign of support for Ukraine – nations may continue to look the other way so long as hackers act in Ukraine’s interest. Still, the potential risk of unintentional escalation between Russia and a nation housing IT Army hackers exists and should not go unchecked.

In addition to Ukraine’s unique offense, Ukraine was better prepared for defense than most expected. This is partially a result of being forced to constantly repel and recover from attacks since at least 2014, with the initial Russian aggression and annexation of Ukrainian territory. Since that time, Ukraine has established a dedicated cyber law enforcement agency and has trained a relatively large number of private and public sector professionals in defense. Under constant cyber attacks from Russia, including NotPetya, one of the most damaging pieces of malware ever, Ukrainians have become adept at defending against cyber attacks, quickly recovering from them, and leveraging commercial cyber threat intelligence and western intelligence support. US Cyber Command has provided assistance to Ukraine for many years and had Hunt-Forward teams on the ground in the run-up to the invasion, and USAID has provided millions to build up Ukrainian cybersecurity. Equally important, Ukraine has learned not to rely on vulnerable systems, such as cellular networks, and how to operate with flexibility - with or without communications systems.

Russia

Russia’s cyber operations have not gone as many national security pundits expected. Prior to the conflict, Russia was considered one of the top cyber actors in the world. While Russia had regularly conducted cyber operations against Ukraine prior to the “Special Military Operation,” it steadily increased its cyber activity against Ukraine in the months leading up to the invasion. Early in the war, the Russians attempted to take out the Ukrainian power grid and infrastructure and keep it down long enough to sweep through the country. Russia was highly successful in the early days of the war, taking down Viasat and other crucial Ukrainian communications systems. There is evidence they planned for many months to build up capabilities and targeting data to support the full-scale invasion. This should have been expected given Russia’s ability to successfully pull off sophisticated attacks such as the SolarWinds hack. However, the beleaguered Ukrainians were able to quickly transition to using cellular networks. When Russia eventually attacked the cell network, SpaceX was able to step in with its Starlink service. Russia may have underestimated the speed at which other nations and private entities would begin to provide tangible support to Ukraine, and this support made Russian cyber operations ultimately appear unimpactful - even after they successfully took down Ukrainian systems. More problematic was Russia’s seeming inability to coordinate cyber and kinetic operations. Russia’s inability to get cyber and conventional forces to work cohesively has blunted the effectiveness of both.

Russia uses a diverse set of hackers including those from its intelligence and security services, the SVR (Foreign Intelligence Service), FSB (Federal Security Service), and GRU (Military Intelligence). Increasingly, Russian cyber criminals have gotten involved in the conflict, whether out of patriotism or possibly by direction of the Russian government. This diversity adds to the complexity of tracking actual changes in tactics. As criminals begin to attack the same targets as intelligence services and the two pass access to targets back and forth, it adds a level of chaos and compounds difficulties for analysts trying to draw lines between one actor and another.

Russia is continuing its offensive cyber campaigns, but has likely begun to change how it employs cyber capabilities. A recent analysis of Russian cyber operations shows that Russian operations have gotten significantly sloppier since the first months of the conflict - preferring speed and agility over stealth. While some claim this is a sign that Russia was not prepared for the extremely high pace required of its operators and developers, it could also simply indicate a deprioritization of opsec during a hot war. This suggests that Russia expected and prepared for a 30- to 90-day invasion, not an enduring conflict. Similarly, Russia has been observed using unsophisticated and sloppy malware. The reuse of old malware, such as “Industroyer”, with minimal modification to evade detection, and the use of capabilities that seem incomplete, is a sign that Russia does not have, or is unwilling to use, what sophisticated capabilities it has left. Russia is still successfully using old capabilities to conduct attacks, but these operations are more quickly detected and remediated. The shift to higher tempo operations with less concern about being detected is a sign of changing tactics. Either Russia is deciding at a strategic level to keep its sophisticated capabilities in reserve, or malware developers and vulnerability researchers cannot keep up with the pace of operations and are unable to provide operators with new high-end capabilities.

Image: maxmann, https://pixabay.com/photos/substation-electricity-high-voltage-1705950/

Now further into the conflict, Russia’s cyber forces are likely either trying to compensate for their deficiencies, or are trying to better integrate with the rest of Russia’s forces. After the initial 90-day mark, Russian tactics showed less concern for remaining clandestine during cyber operations, even as Russia continued to conduct operations both for destructive and intelligence gathering purposes. Russian cyber forces have also been observed gaining access to edge nodes in a network and launching destructive effects, while leaving their foothold intact - providing a location to attack from as Ukraine defends and restores systems. These noisy and more frequent attacks represent a subtle but significant change in tactics and demonstrate the difficulty Russia has had to overcome. Noisy operations could point to either conclusion and there is currently insufficient data to indicate which is correct. The higher tempo and lower concern for stealth would more closely align with ground troop operations and may be an attempt to provide better support. However, it could also indicate that Russian sophisticated capabilities that had previously been used have become ineffective and Russia is unwilling to use any high-end tools it still has. This would result in the use of noisy, less sophisticated capabilities that still get the job done and are easier for developers to produce.

Russia is also shifting its focus to targeting nations providing support to Ukraine: Dutch intelligence has claimed to see an increase in publicly unreported Russian cyber activity in the wider region. The Prestige malware was found targeting Polish networks associated with the logistics and transportation sectors, and did not provoke a sizable reaction from the Polish government or draw Poland into the war. If Putin does not receive significant pushback for targeting other countries, this tactic will likely be used more frequently.

Though Russia likely still has the capacity to conduct extensive cyber operations against the US directly, we have only seen limited attacks since the war began. The recent exposure of the FSB’s Snake malware has demonstrated they still retain sophisticated capabilities, even if they are not being deployed in Ukraine. Russian cyber espionage seems to be less successful and more limited than normal. This may indicate a desire to avoid escalation with the US, or simply that their focus is on Ukraine.

While some claim cyber was not important in the Russian invasion of Ukraine, the above observations demonstrate that cyber was a major component, even though it did not have the shock-and-awe that was anticipated. Ultimately, cyber is inherently secretive, and with the destruction and chaos of a war between two nations, we likely will not know the full extent of the role cyber played for many years – if ever.

United States

The United States’ involvement in this conflict presents its own interesting observations and lessons. For many years, the US has assisted Ukraine with cyber defense. US Cyber Command’s Cyber Protection Teams (CPTs) have deployed to Ukraine and other friendly nations to help combat foreign hackers and improve host nation defenses. This assistance has contributed to Ukraine’s defensive success - but has distinctly lacked support for Ukrainian offensive cyber operations.

Cyber Protection Team member trains to defend critical networks.
Image: Airman 1st Class Daniel Garcia, https://www.dvidshub.net/image/3395499/

The US tech sector has also played an outsized role in Ukraine. Many companies have as much if not more observability of the cyber portion of the conflict than some intelligence agencies. This stems from the ubiquity of their technology, which provides a wide aperture through which to monitor the cyber domain. Many tech companies, such as Microsoft and Google, go to great lengths to protect their products and users, and thus have been impactful in preventing Russia from conducting more damaging cyber operations. In the US, there is a much larger cybersecurity workforce in the private sector than what the Department of Defense likely has dedicated to helping Ukraine. This scale goes a long way in making Ukraine as effective as it has been at cyber defense. US corporations have significant capabilities and talent and could be leveraged for both offense and defense. But currently, the US has done little to leverage them in the same way Ukraine has. There are certainly risks in relying on these corporations, as they can and often do have conflicting goals, morals, and priorities, as evidenced by Meta compromising an alleged US psychological operation.

The US government also seems out of sync on certain issues. The long-standing Computer Fraud and Abuse Act (CFAA) has previously been used to prosecute cyber criminals. Though nothing has arisen yet, there are possibly IT Army members in the US - will the US arrest them, or will it ignore them like the US citizen who took down North Korea’s Internet? The deeply flawed CFAA has been used to arrest and prosecute good faith hackers and cyber criminals alike since its inception. While the Justice Department has stated that, though the CFAA has not been updated, it will no longer prosecute good faith security researchers, the law still appears to apply to a vigilante in the US who, acting out of patriotism, attacks a foreign adversary. Failing to prosecute these hackers, even those acting in the interests of the US government, would be a break from the norm.

Lessons Learned and How to Prepare

From these observations, we can glean the following lessons:

Cyber operations will continue to grow in importance and operational impact in warfare. The Russian invasion of Ukraine serves as the first war between two nations in which cyber has played a key role from the beginning. While it lacked the initial shock and awe some expected, this conflict should serve as a warning for where integrated cyber and kinetic warfare is headed. Other nations will watch the conflict and prepare themselves to use the cyber domain in more cunning and deadly ways than we’re seeing now.

Cyber, like special operations, has a large skill and resource barrier and therefore must be built up and resourced far in advance of conflict. Given the strain on the military’s internal resources during a hot war, the US will likely have to contend with many of the issues seen in Russia’s sloppy operations if cyber capabilities are continuously expended. The US must have a sufficient force to prevent the kind of pressure that may be creating Russia’s sloppy operations and to keep the cyber arsenal sufficiently full of sophisticated capabilities.

The private sector, alongside non-state actors and vigilantes, will play a larger and more direct role in wartime activities than in the past. With the Internet connecting the world, vigilantes, criminals, and non-state actors are likely to play a role in any future conflict. This could mean individual hackers working to attack US adversaries or the US itself, depending on who they align with. Other parts of the private sector are still far too vulnerable to withstand sustained offensive cyber operations from a determined nation state during an existential conflict. Ukraine’s surprising resilience was forcibly built up over years of near-constant Russian cyber attacks. The scale and relative calm of cyber activity in the US private sector means there are large swaths of organizations that are unprepared for similar conflict. Civilian organizations can create opportunities for the adversary, whether through supply chain attacks against DoD systems, as seen in the SolarWinds hack, or by being targeted directly, causing chaos in the US.

International partners attend a US Army cyber defense exercise as part of the National Guard's State Partnership Program.
Image: Staff Sgt. George Davis, https://www.dvidshub.net/image/5262078/

Finally, we must assist our allies in developing their capacity for cyber operations. Warfare is rarely a bilateral affair: the US must also build up its allies’ cyber capabilities and establish cyber coordination channels for future wars. This may take the form of an international version of the Cybersecurity & Infrastructure Security Agency’s Joint Cyber Defense Collaborative, expanded NATO cyber intelligence sharing, or a special foreign disclosure process to coordinate offensive and defensive operations with allies. While current defensive cyber assistance is paying off, offensive assistance is nonexistent. Cyber is not nuclear warfare: helping allies build up their offensive cyber capabilities is not nearly as risky and can be a force multiplier.

Recommendations

First, to best implement lessons learned from this conflict, and ensure operational impact, the US must establish a cyber branch of the armed forces. The current model of US cyber operations is incompatible with the reality of a conflict as seen in Ukraine. Many have called for a Cyber Force for the last decade, but now is the time to make it a reality. If the US wants any chance of developing an integrated and lethal cyber force that is fully capable of leveraging the cyber domain’s vast potential, a Cyber Force must be established immediately. The increased pace of operations, burn rate of capabilities, and the need for a large pool of operators and developers as observed in Ukraine, all point towards the US moving away from the current model of generating cyber power and towards a dedicated service. USCYBERCOM is not responsible for force generation and training; that task falls to the services. Each of the services has at one time been on the front edge and pitifully lacking when it comes to cyber as none retain the domain as a core competency. If the US is to be prepared for the size, scale, and sophistication of a future hot conflict, then a Cyber Force, capable of consistently pushing the bounds of the state of the art in cyber operations and providing that to operational commanders, is critical. The existing services will never get there on their own accord. The current fragmentation of standards, training, and many other issues plaguing current cyber personnel has set the US on a course for disastrous outcomes if not corrected by a cyber service.

Second, to build up the resources in advance of future conflict, the US government must expand opportunities for the reserves. This includes expanding reserve and National Guard cyber personnel; the creation of cyber auxiliaries (like those of Estonia and the Marine Corps) and similar programs would also expand the forces available to surge. Expanding programs, such as those employed by the Defense Digital Service or Defense Innovation Unit, that allow private sector individuals to do a one-year tour in the government and then return to their previous job could again build institutional knowledge, making those individuals better prepared to protect the private sector or to assist the government in an emergency. Additionally, cyber and kinetic forces must become more integrated to be able to operate cohesively as a new form of hybrid warfare. Creating extensive exercises based on the lessons of this conflict will help the US develop Tactics, Techniques, and Procedures (TTPs) and Concepts of Operations (CONOPS) that utilize cyber to its maximum potential. Each service needs to further develop how to utilize cyber as it intersects with that service’s domain, but this must be in addition to an independent cyber service created to handle the majority of operations, which can be completely domain agnostic.

US Cyber Command leaders discuss a regional exercise with the US Ambassador to Ukraine.
Image: Tech Sgt. Charles Vaughn, https://www.dvidshub.net/image/4811481/

The DoD must also create a strategy to handle or leverage vigilantes on both sides of a conflict. The US has done little to establish policy around these actors, or address how a policy may change during an existential conflict. In fact, US Cyber Command’s previous strategy during GLOWING SYMPHONY was to simply ask Anonymous to back off - we can do better. While leveraging vigilantes would be challenging and the use of cyber mercenaries dubious, private actors on either side of a conflict are likely to play a role, whether we like it or not. To be effective, this strategy must take into account future vigilantes aligned against the US; one solution may involve heavily incentivizing foreign hackers to move to friendly countries. Providing foreigners a better life in the US or elsewhere, giving them a mechanism to sell exploits and capabilities to the US, and using other incentives will go a long way for future conflicts. This modern version of Operation Paperclip will not only improve US preparedness, but simultaneously will deprive foreign countries of a larger hacker workforce.

Additionally, the US must create proactive partnerships with tech companies and create contingencies if companies intentionally or unintentionally interfere with US objectives. The US tech sector, as seen in this conflict, can be an exceptionally powerful and impactful player. While the government can work hard to prepare the private sector and protect them against cyber attacks, companies are ultimately financially motivated. Thus, the US government must create a wartime plan that considers big tech’s interests, placement, and visibility – as well as how the US will leverage that in a wartime environment. The US must have some tough conversations with the tech sector on how they can assist or, at a minimum, not interfere with ongoing US operations. The US cannot rely too much on the tech sector, as they can occasionally be unreliable or have counterproductive motivations: Google has previously exposed an alleged Western counter-terror cyber operation to further their own business interests, for example. While the US government cannot force the private sector to act in certain ways, it can provide numerous partnership incentives. Tax breaks and access to government contracts for companies that implement cybersecurity best practices (or fines for those that don’t) are obvious options. Expanding incentives for companies to bring their technical teams alongside their lawyers into Cybersecurity & Infrastructure Security Agency’s Joint Cyber Defense Collaborative discussions would be another proactive step to defend against impending cyber attacks. The recent National Cybersecurity Strategy discusses some of these ideas and proposed approaches. Whatever carrots or sticks are used, the US needs to be prepared to work with companies during and prior to a hot-war to ensure they don’t compromise US operations.

To help allied nations prepare for and leverage cyber operations, the US must build allies’ capacity for both defense and offense. Though sharing actual exploits and capabilities is a bad move, allies could be taught to build their own. There is some risk in building up an allied offensive cyber capacity: personnel could leave for a less ethical use of those skills, and there is an increased chance of cyber being used against the US, particularly for espionage. However, the benefits of having an ally with a military cyber capacity outweigh the potential risks: when the US is in a war, these allies could help the US, and they could also be more effective in using offensive cyber if they were ever attacked.

Conclusions

The US is not the only country watching the Russian invasion of Ukraine closely. Other future adversaries are studying and learning lessons from this conflict that are likely to be used against the US. If the US doesn’t begin studying the role cyber played in this conflict, we’ll quickly lose any chance of dominance over the domain in future conflicts. The unexpected outcomes from the war so far should serve as a stark reminder of how quickly things can change in cyber and of the detrimental effect of relying on assumptions about how a conflict will play out. Learning from Ukraine’s surprisingly adept cyber defense and its unique approach to cyber offense leveraging vigilantes and former cyber criminals can better prepare the US private sector and DoD, and it provides a glimpse into the unique challenges that will be more prevalent in future conflict. Similarly, studying how Russia lost its obvious advantage and evolved its tactics throughout the conflict will be a valuable source for US strategists. Learning is nothing without action, so the US must study these observations and implement real policy and tactical changes to ensure the US is positioned for success.

About the Author

Derek Bernsen served in the U.S. Navy as a Cyber Warfare Engineer from 2013-2021 on active duty and has since transitioned to the reserves. He earned an M.S. and a B.S. in Computer Science from Georgia Tech and The Citadel, respectively.