Since the collapse of the Yanukovych government in 2014, Ukraine has found itself destabilized, divided, and vulnerable to outside attacks - military or otherwise. Though the annexation of Crimea and the subsequent war in south-eastern Ukraine captured international headlines, careful Western observers have also been following the cyber dimension of the conflict with great interest. Ukraine has found itself a battleground in a variety of domains, a proving ground for 21st-century warfare. While most observers have focused on the cyber-attacks harming Ukrainian infrastructure, might there be another objective? Might the ongoing cyber conflict in Ukraine be about influence, rather than subversion?
“That analysis is supported by another facet of the attack: The fact that the hackers could have done much more damage than they did do if only they had decided to physically destroy substation equipment as well, making it much harder to restore power after the blackout.”
Jose A. Bernat, referencing a SANS Institute study
Many view the Russian military campaign in Ukraine through the lenses of ill-defined concepts such as “hybrid warfare,” wherein direct military action is combined with unconventional and subversive tactics, including the strategic use of propaganda and cyber-attacks. The Russian Federation with which Ukraine finds itself in conflict is considered the foremost pioneer of hybrid warfare and among the most sophisticated cyber actors in the world. According to a World Economic Forum estimate, Russian cyberwarfare capabilities are matched by only a few peers such as the United States, China, and Israel.
Attacks on Ukrainian infrastructure, government websites, election machines, and communication networks may be evidence of an all-out campaign of subversion against a former ally that turned hostile. Is this really Russia's long-term strategy, however? Could there rather be, in the words of Sherlock Holmes, a “larger game afoot?”
Despite sensationalist headlines, the weight of the evidence suggests that the Russo-Ukrainian cyber conflict is largely about influence. The digital divide between Moscow and Kyiv is better explained in terms of a Weltanschauungskrieg, an epistemological struggle not only between Russia and Ukraine but within Ukrainian society as well. On a societal level, Russia and Ukraine have been extremely close for centuries, “fraternal peoples” in a fair use of the term. Were the current political situation different, this fact would still hold true.
From Moscow’s point of view, therefore, an eventual return of Ukraine to its sphere of cultural, political, economic, and military influence is logical. This is a genuine sympathy within most of Russian society, not merely government propaganda. A targeted campaign of covert influence would therefore make more strategic sense for the Kremlin than an all-out destructive campaign would. Ukraine is Russia’s misguided sibling, not a genuine enemy - as the popular anti-Maidan song goes. Nevertheless, it would be important to send the message that Moscow could bring down Ukraine’s infrastructure should relations continue their downward spiral.
All About Power – Sometimes Literally
On December 23, 2015 residents of the Ivano-Frankivsk region in western Ukraine suddenly found themselves without electricity. While this is bad enough news in and of itself during the worst of the Ukrainian winter, the means by which the power was lost would send shock waves throughout the Western world.
According to a report by the US Department of Homeland Security, Ukrainian power companies “experienced unscheduled power outages impacting a large number of customers in Ukraine.” In addition, there have also been “reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors.” Reports further indicated that BlackEnergy (BE) malware was discovered on various computer networks affiliated with the Ukrainian power grid, “however it is important to note that the role of BE in this event remains unknown pending further technical analysis.”
Caught off-guard and seemingly overwhelmed, the Ukrainian government sought US assistance in investigating the incident. The result was “an interagency team comprised of representatives from the National Cybersecurity and Communications Integration Center (NCCIC)/Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation travel[ing] to Ukraine to collaborate and gain more insight.” Thus began a new era in US-Ukrainian cyber defense cooperation, a serious unintended consequence if the hackers in question did indeed have pro-Kremlin motives.
The team reported that:
The “power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers. While power has been restored, all the impacted Oblenergos continue to run under constrained operations. In addition, three other organizations, some from other critical infrastructure sectors, were also intruded upon but did not experience operational impacts.”
Furthermore, “the cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access” [emphasis added].
This last point suggests a degree of personnel infiltration: the Ukrainian companies in question were suffering from insider threats without being aware of it. If the theory that the Russian intelligence services were behind this attack is to be believed, it suggests a degree of coordination between human intelligence assets and cyber actors. This theme will come up again later in this paper, after a few more technical details are discussed. Given that many of Ukraine’s security professionals (especially those over 35) received their training in what is now the Russian Federation, this possibility is especially worth considering.
The Ukrainian companies further reported that the actors “wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk.” The actors “also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.”
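A defender-side illustration of two observations in the report quoted above (process control commands issued through VPN sessions using valid credentials, and breaker operations at three utilities within 30 minutes of each other): this is an added Python example run over constructed log events, not code or data from the DHS/ICS-CERT report or the utilities; the event format, site names, user names and action names are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample control-network events (not from the report).
# Format: ISO timestamp, utility, action, then key=value fields.
SAMPLE_EVENTS = [
    "2015-12-23T15:10:02 oblenergo-A vpn_login user=oper01 src=vpn",
    "2015-12-23T15:31:40 oblenergo-A breaker_open user=oper01 src=vpn target=sub-11",
    "2015-12-23T15:33:05 oblenergo-A breaker_open user=oper01 src=vpn target=sub-12",
    "2015-12-23T15:45:17 oblenergo-B breaker_open user=oper07 src=vpn target=sub-03",
    "2015-12-23T15:58:50 oblenergo-C breaker_open user=oper02 src=vpn target=sub-21",
    "2015-12-23T16:02:00 oblenergo-A ups_schedule_shutdown user=oper01 src=vpn target=ups-dc1",
    "2015-12-23T16:05:30 oblenergo-A breaker_open user=oper03 src=console target=sub-13",
]

# Commands that act on the physical process or on restoration equipment.
CONTROL_ACTIONS = {"breaker_open", "breaker_close", "ups_schedule_shutdown"}


def parse_event(line):
    """Parse one constructed log line into a dict of fields."""
    ts, site, action, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts), "site": site, "action": action}
    ev.update(f.split("=", 1) for f in fields)
    return ev


def remote_control_alerts(events):
    """Flag control commands issued from a VPN-originated session.
    The credentials were legitimate, so the account is not the signal;
    the access path (remote session driving breakers or UPS) is."""
    return [ev for ev in events
            if ev["action"] in CONTROL_ACTIONS and ev.get("src") == "vpn"]


def coordinated_sites(events, window=timedelta(minutes=30)):
    """Return the largest set of distinct utilities that saw breaker
    operations inside any single `window` (report: three companies hit
    within 30 minutes of each other)."""
    ops = sorted((ev for ev in events if ev["action"].startswith("breaker_")),
                 key=lambda ev: ev["ts"])
    best = set()
    for i, first in enumerate(ops):
        sites = {ev["site"] for ev in ops[i:] if ev["ts"] - first["ts"] <= window}
        if len(sites) > len(best):
            best = sites
    return best


def analyse(lines):
    events = [parse_event(line) for line in lines]
    return {
        "remote_control": [(e["site"], e["action"], e["user"])
                           for e in remote_control_alerts(events)],
        "coordinated_sites": sorted(coordinated_sites(events)),
    }


if __name__ == "__main__":
    for name, result in analyse(SAMPLE_EVENTS).items():
        print(name, result)
```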
Robert M. Lee, a former US Air Force Cyber Warfare Operations Officer, commented that the attack “was brilliant” and that, “in terms of sophistication, most people always [focus on the] malware [that’s used in an attack].” He added, “to me what makes sophistication is logistics and planning and operations and … what’s going on during the length of it. And this was highly sophisticated.”
Unlike the Ukrainian government and unnamed “intelligence sources,” however, Lee was hesitant to point any fingers. “This had to be a well-funded, well-trained team. … [B]ut it didn’t have to be a nation-state.” Given the current political and security climate, it was very easy for Kyiv to immediately accuse Moscow of the attack, something which is certainly logical at first glance.
The fact that the attack, while tactically and logistically complicated, nevertheless was reported as somewhat restrained, is telling. It seems that the perpetrator intended to demonstrate advanced capabilities, while only causing (in relative terms) little damage. Furthermore, the fact that the attack could have been carried out by a non-state actor served to provide a level of uncertainty where post-mortem analysis is concerned. These factors were to have a demoralizing effect on the Ukrainian security services, which were already embattled by severe corruption and an ongoing armed conflict to the east.
Of “Dermo” and “Democratia”
“The people who cast the votes decide nothing. The people who count the votes decide everything.” – Iosif Dzhugashvili (Joseph Stalin)
Less than a month before the attack on the electric grid, three days before the Ukrainian presidential vote, the Ukrainian National Election Commission came under attack from a group calling itself “CyberBerkut” (a reference to the infamous Berkut special police force of the previous regime). As reported by The Wall Street Journal, the official stated intent of CyberBerkut was “To cripple the online system for distributing results and voter turnout throughout election day. Software was destroyed. Hard drives were fried. Router settings were undone. Even the main backup was ruined.”
Though Ukrainian IT professionals managed to reverse most of the damage in less than 72 hours, and the elections went on as planned, a clear message was sent. Ukraine was severely unprepared for cyberwarfare – and even the government was vulnerable.
CyberBerkut alone has claimed responsibility for several Distributed Denial-of-Service (DDoS) attacks, as well as the release of emails belonging to Ukrainian government officials. Among the documents released to Russian media were details of arms sales from Ukraine to Qatar, including surface-to-air missiles which eventually wound up in the hands of the Islamic State. The narrative the pro-Russian hackers had built up to this point can be summarized thus: not only are your (Ukrainian) government servers and electoral process vulnerable to outside hacking, but the supposed liberal reformers you are electing are complicit in dirty deals with repressive regimes. How is this any better than the Moscow you are so busy vilifying? The attempt to discredit Kyiv continues.
According to a report by the Russian state-owned media company RT (Russia Today), the group also claimed responsibility for taking down three NATO websites. Given that RT is Moscow’s main propaganda arm aimed at English-speaking audiences, there is merit in analyzing its statements, which offer insight into the narrative the Kremlin is promoting. The websites in question included the main international site (nato.int), “as well as the sites of the alliance’s cyber defense center (ccdcoe.org) and NATO's Parliamentary Assembly (nato-pa.int). The group, in a message posted on its website, says its members will ‘not allow the presence of NATO occupation on the territory of our homeland!’”
The use of the term “our homeland” can be interpreted in several ways. First, it could be an attempt to portray CyberBerkut strictly as a group of Ukrainian dissidents loyal to the previous government. Second, if the group does turn out to consist primarily of Russians (or ethnic Russians), it could suggest that they view Ukraine as part of their homeland. Third, it could have been deliberately vague so as to further blur the lines of perception in the (then) emerging conflict.
As defined by the US Department of Defense, a Desired Perception is “what the deception target must believe for it to make the decision that will achieve the deception objective” (JP 3-13.4). In plainer terms, this refers to a set of techniques which one party can use to influence the decision making of another party, preferably without the latter being aware of it. This technique is an important part of the hybrid warfare concept. Seen through this lens, it seems likely that CyberBerkut and similar pro-Russian hackers are carrying out a campaign of perception management in Ukraine: discredit the new government, reveal the corruption of the Ukrainian authorities, and make the pro-Kremlin model appear the better alternative (all while obscuring your own allegiances and causing little long-term damage to Ukrainian infrastructure).
The Long Game
“We're playing checkers against the people who invented chess, and they're beating us at every move.” - Alan Dershowitz
The Ukrainian journalists’ initiative stopfake.org has identified two major themes of Russian propaganda and disinformation, both intended to undermine the legitimacy of the new Ukrainian government. “The first interprets the Euromaidan protests as a coup d’état in which a Western-backed junta seized power from Ukraine’s rightful rulers. This plays into aforementioned wider narratives about a supposed Western–mostly American–plot to dominate the world. The second attempts to define the emerging democratic regime in Ukraine as ‘fascist.’” While the fascist narrative has been dismissed by many in the Russian-speaking world, the coup d’état narrative has been harder to discredit. While the presence of US Senator John McCain and several European dignitaries on the Maidan square was most likely meant as a symbolic gesture of support for pro-democracy movements, it did give pro-Kremlin groups plenty of material to work with for propaganda purposes. Indeed, Russian media has used the “fascist card” less and less frequently, except with groups that actually do contain fascist or ultranationalist elements (such as the infamous Right Sector movement and the Azov Regiment, which even Western academics admit have an extreme-right ideology). Rather, the “CIA coup” narrative has been increasingly promoted in its stead.
Researchers Edward Lucas and Peter Pomerantsev elaborate, assessing that “the Russian government’s use of information warfare—‘disinformation’—differs from traditional forms of propaganda. Its aim is not to convince or persuade, but rather to undermine. Instead of agitating audiences into action, it seeks to keep them hooked and distracted, passive and paranoid. Inside Russia, this concept is known as ‘information-psychological war.’ It is a tactic used to disorganize and demoralize an opponent. It is fought in the realms of perception and the minds of men. It continues through both official peace and wartime” [emphasis added].
While pro-Russian sympathies certainly did exist throughout Eastern Ukraine and Crimea prior to the events of Euromaidan, this did not automatically translate into separatism or even support for Kremlin policies. Declaring Russian ethnicity or identifying with Russian culture over Ukrainian culture was not necessarily a political statement. “Pushkin is not Putin” as the saying goes. These issues were only later conflated, due both to the perception management efforts of pro-Kremlin sources, and the admittedly poor Ukrainian response to them.
“The eternal questions of the Russian people: Who is to blame? And what is to be done?”
Alexander Herzen and Nikolai Chernyshevsky, later famously reprised by Lenin
With these cases in view, let us examine the Russo-Ukrainian cyber conflict once more. There have been several cyber-attacks which demonstrated a high technical ability, with the potential to cause more serious damage than they actually did. It has been shown that every critical sector of the Ukrainian digital infrastructure is vulnerable – from the power grid, to the election system, to the personal files of government officials. Yet these vulnerabilities have only been partially exploited by hostile actors, as if the intention was to demonstrate ability rather than cause actual damage.
Such facts are logical when one sees the Russian strategy as one of influence, rather than subversion. If the Kremlin seeks to regain a positive image in Ukraine, to bring the country back into its sphere of influence, an information war would be a logical way to go about it. This is especially true if one is prepared to invest several years (perhaps more than a decade) in the effort.
This struggle over narrative and information, this Weltanschauungskrieg, is not only between Russia and Ukraine, but is primarily focused on Ukrainian society internally. As Lucas and Pomerantsev assessed, this information campaign “hopes to radicalize potential supporters in eastern and southern Ukraine… seeks to reach a wide range of potential supporters” in the areas where the pro-Russian Party of Regions historically won elections. It is hard to assess the likelihood of success, however. Given the current political and security environment, anyone expressing an overtly pro-Russian opinion is subject to intimidation, harassment, or worse, making it difficult to determine the actual level of support a pro-Kremlin campaign may have.
It is reasonable to expect, however, that pro-Russian sympathies may still exist in private. Working with data which is only four years old, it is clear that the Kremlin-sympathetic Party of Regions and Communist Party of Ukraine held clear majorities in both Crimea and the south-east of the country up until 2013. It is probable, therefore, that Moscow still has receptive audiences to target with its information campaign, and that this threat will not go away anytime soon. As a result, Russia’s information warfare campaign is likely to continue in Ukraine, with high-profile attacks like those against the election system and power grid occurring occasionally to remind Kyiv of the extent to which it is vulnerable. Moscow’s main objective, however, remains influence: to bring Ukraine back into its orbit. Cyber-attacks are merely an efficient tool to bring this about.