Why Russia's cyber war in Ukraine hasn't played out as predicted

Why Russia's cyber war in Ukraine hasn't played out as predicted
Cyber warfare involves fighting battles with keyboards and algorithms instead of guns and bombs
Cyber warfare involves fighting battles with keyboards and algorithms instead of guns and bombs
View 1 Image
Cyber warfare involves fighting battles with keyboards and algorithms instead of guns and bombs
Cyber warfare involves fighting battles with keyboards and algorithms instead of guns and bombs

With Russia's invasion of Ukraine dragging into its seventh month, a number of oddities are emerging from this odd war. One of the most perplexing is the question of why a major cyber warfare power like Russia has launched so few and such ineffective cyber attacks against Ukraine and its sympathizers. New Atlas looks into the digital battle for Ukraine and its implications for the future.

When Russia rolled into Ukraine on February 24, 2022, many observers expected a very different war than the one we see being waged today. Not only was the outcome supposed to be a blitzkrieg that would last only four days, but many experts thought that Russia would mount such an all-out cyber war against Ukraine that the invasion might not even be needed to make Kyiv give in to Moscow's demands.

The offensive has bogged down and turned into six months and counting of hard ground combat, but the digital war never really went anywhere. This is surprising because Russia, along with the United States, the United Kingdom, China, Israel, Iran, and North Korea, has for decades been developing sophisticated offensive and defensive cybernetic capabilities and has on a number of occasions demonstrated the willingness to use them.

Cyber war

We use the internet so much in our daily lives that it's become not just commonplace, but ubiquitous. Though we are constantly reminded of the dangers of hacking, it's very easy to forget that the digital realm is an invisible global battlefield where everyone from great powers to lone amateurs do combat with one another using binary code instead of guns and bombs.

The idea of cyber warfare is much older than many people realize. In fact, the concept was already being considered when computers were gigantic machines with less computing power than a television remote control. As far back as 1954, the science fiction B feature Gog was released with a plot revolving around a computer that was hijacked by a foreign power to steal US government secrets and indulge in a sideline of murder.

It's an idea that evolved as computers grew in sophistication, and in July 2010 a breakthrough was achieved when the suspected US/Israeli Stuxnet virus infected the computers at an Iranian nuclear weapon plant. How Stuxnet got into the facility is still unknown to this day. The computers at the plant weren't connected to the internet, but the virus could have been introduced in a Wi-Fi tablet, a thumb drive, by a human agent, or in a chip built into a component. However, when it activated it took over the processing plant and ordered the centrifuges used to enrich uranium to spin out of control and destroy themselves.

Russia's cyber invasion

According to cybersecurity firm Mandiant, Russia was launching cyber attacks against Ukraine weeks before the first tanks rolled across the border. However, instead of causing radar scanners to blow up, scrambling GPS signals, or crashing fighter jets into the ground, these were low-key, albeit sophisticated operations by hacktivists and organizations with links to the Foreign Intelligence Service of the Russian Federation (SVR), Federal Security Service of the Russian Federation (FSB), and Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). In addition, there were attacks launched from proxy sympathizers in places as far away as Brazil.

The first attacks were by what is known as wiper malware, which erases the hard drives of devices that it infects. These were aimed at multiple government, non-profit, and information technology organizations in Ukraine. Designated Whispergate, it was disguised as ransomware, but instead of allowing recovery, it activated when the infected device powered down temporarily and then downloaded a malicious .exe file to destroy targeted data. Another attack was malware called Gamaredon that didn't just go after Ukraine, but Ukrainian and associated targets around the world.

When Russian troops invaded on February 24, a cyber attack was launched at over 10,000 satellite internet modems that are part of the American satellite firm Viasat's network in Ukraine and other parts of Europe. Traced by the US, British, and EU governments to Russia, this attack was followed on March 1 by widespread cyberattacks on Kyiv-based media at the same time a missile struck Kyiv's television tower.

A few days later, an unidentified Ukrainian nuclear power company, as well as media firms and government offices, was the target of a cyber attack. This is according to Microsoft, which was monitoring Ukraine's cybersecurity situation. On April 12, the Ukrainian government reported a failed Sandworm malware, a variant of Industroyer 2, attack on the power grid aimed at causing a power blackout.

In addition to these incidents, financial services, border control stations, and even the internet infrastructure were attacked, disrupting banking services, causing power outages, and interfering with the distribution of medicines, food and relief supplies. There were even phishing attacks on the government and military, as well as the detection of surveillance software on various networks that stole information from the government and private citizens regarding social media and banking transactions. Another common attack were Distributed Denial-of-Service (DDoS) campaigns against telecommunications companies.

The information war

Most of these attacks were designed to disrupt systems or as espionage to gather data about Ukraine and its NATO supporters, but another major digital front was Russia's information war against Ukraine and the rest of the world.

Manipulating information to gain an advantage in war has been around since the first Australopithecus started shrieking and shaking branches at his rivals across the waterhole, but 21st century cyber warfare has sped up the process to near-instantaneous and extended its reach across the globe.

Part of Russia's cyber offensive has involved compromising websites, social media platforms, and messaging services to either deface them or to plant false information as part of a propaganda campaign, with the goals of demoralizing Ukrainians, sowing division between Ukraine and its neighbors, and bolstering support for Russia.

Many of these campaigns have involved setting up false narratives backed by doctored images and documents, though some have been pretty bold, such as planting a false message on a Ukrainian television channel Ukraine 24 claiming that Ukraine President Volodymyr Zelenskyy had surrendered complete with a deep-fake video.

Other messages posted claimed that Zelenskyy had committed suicide, and that Ukraine's Azov Regiment had vowed revenge against Zelenskyy. By March, the Security Service of Ukraine (SBU) had shut down five bot farms hosting 100,000 social media accounts being used for propaganda campaigns.

What went wrong?

These cyber operations may seem impressive, but they were not only nowhere near what was expected, they proved to be ineffective. Though Russia's cyber war was disruptive, sometimes frightening, and resulted in the loss of tens of millions of dollars, the whole thing never rose above the level of a series of pranks. And pranks have never won a war.

What has been apparent over the last six months is that few, if any, of Russia's cyber attacks have been launched in support of a clear military objective. There were no assaults on military command and control systems, no critical infrastructure attacks, and nothing that could put real pressure on Ukraine to force concessions from the country or its friends.

Instead, the Russian cyber campaign has been low-key and independent of the conventional military invasion. Why?

Part of the reason could be that Russia hasn't been able to coordinate its military operations with the planning and precision that NATO forces have mastered. NATO land, sea, air, and space forces are designed to operate as a single fighting unit that grows more interconnected with each technological generation – not just within each country's forces, but across the entire alliance.

Such coordination was anticipated during the first days of the Russian invasion, but the advance soon bogged down and devolved as the Russian forces fell back on their standard practice of relying on artillery to achieve their objectives. This showed that such precision coordination is still beyond them and this likely extends to the extremely detailed and time-sensitive planning for cyber operations if they are to work to achieve conventional military objectives.

Another problem is that conventional and cyber warfare are very different. Conventional war aims to destroy things and seize territory. Land is the vital objective and when an army attacks, the results are self-evident. A burned out tank or a crater where a radar station once sat are hard to ignore.

In cyber war, the objective is information. Land is irrelevant. The goal is to capture as much important data as possible and to deny it to the enemy, either by erasing or corrupting it. In the same way, conventional war aims to destroy the enemy's infrastructure, while in cyber war the digital warrior depends on that infrastructure and wants to preserve it whenever possible. Why destroy the enemy's internet when you want to use it yourself?

The result is that these two schools of war often act at cross purposes, so it may be that Russia decided to let the cyber corps sit in the back seat for now and concentrate more on intelligence objectives.

Ukraine defenses

Another factor may be Ukraine's cyber defenses. 2022 is not the first year that Russia has attacked the country. Ukraine has been Russia's digital test bed since the revolution in 2014 that toppled the pro-Moscow government. This has made Ukraine Russia's cyber sandbox, but it has also made Ukraine a laboratory for developing defenses.

The fog of war makes reliable reports difficult to find, but Ukraine has been able to fend off or limit damage from Russian attacks and has even managed limited counter-attacks. In addition, Ukraine's internet is highly decentralized and many of its assets are located in other countries. Indeed, the whole point of the internet was to build a computer network that would remain functioning even in the event of an all-out nuclear attack. Ukraine's commercial networks being hardened before the invasion have only added to this intrinsic robustness.

One ironic factor is that Ukraine still relies on Cold War technology for its weapon systems. In many ways, this is a disadvantage, but when radar systems use radio valves instead of microchips, they can be as invulnerable to cyberattack as a coal-burning steam engine.

On the opposite end of the technical scale, the introduction of the smartphone and other portable communication devices with reliable encryption makes the information war much harder to wage. Propaganda is easier to spread today, but it is also easier to refute, as has been seen in the West when the release of fraudulent documents in an election saw them debunked in less than an hour.

The implications

The implications of Russia's cyber war in Ukraine are many. In the short term, they show that cyber warfare has been oversold and that the example of Ukraine is likely to be repeated – at least in situations where the defender has a degree of technical sophistication and the backing of advanced cyber powers with assets like America's NSA or Britain's GCHQ.

We also probably won't see pure cyber wars where digital attacks take the place of conventional war. It may be that cyber attacks will take a secondary role in diminishing an enemy's tangible goods, but a primary role in fighting in the realm of information.

However, cyber war has many advantages. The attacks can come with incredible speed, range, and precision. Their effects can be unnoticeable until it's too late to do anything about them. They can be easily denied, launched from neutral territory, and even blamed on innocent third parties. They can also involve the entire world in a rapid escalation that would be impossible with conventional forces.

And behind all of this is the example of Stuxnet physically crippling a nuclear facility. In an increasingly digital world where we let cybernetic servants control our microwaves, regulate the heat in our homes, listen to our private conversations, and drive our cars and fly our planes, it may be that one day the effects of a cyber war will be very tangible indeed.

Hartley Strauss
A very well researched and written summation. Finally an overview that not only sums it all up, but is easy to understand . WELL DONE !
Larry Finkle
Yes, I agree with Hartley. Good Job David! This is New Atlas at it's best. An original story, thoughtfully researched and well written. I'm astonished at how ineffective Russia has been in the war. I too, had wondered about Russia's apparent lack of effective hacking. You have done a great job illuminating the reasons why. Thank you.

Regarding the Iranian centrifuge virus, if I remember correctly, it had a few other clever attributes that I believe are worthy of mention and possibly of interest to fellow readers. The virus was (allegedly) custom tailored to the predominant centrifuge model used by Iran at the time. Allegedly US/Israeli programmers tested it on the same type of centrifuge to optimize effectiveness (of destruction). It not only increased the RPM of the centrifuge above normal duty speeds but caused the majority of the damage by adjusting the speed slightly up and down so that it would "sweep" back and forth in the harmonic/resonant range. Like a car or appliance that will buzz or shake at a particular speed, harmonics are the speed that matches the natural harmonic frequency of a machine or assembly in motion. There were also brief pulses in the drive, so the drivetrain of the high speed centrifuge would buck back and forth , which along with operating in the worst possible speed range for reliability (at resonance, where the vibrations reinforce each other) the systems began to fail. Supposedly the machines sounded "normal" to the operators, and the speed counters had also been hacked and were showing the speed they would normally expect to see. It wasn't until multiple centrifuges had gone offline with similar failure modes that Iran FINALLY figured out there were shenanigans afoot. Bearing assemblies were wearing loose, and if allowed to continue would turn the centrifuge into a
radioactive shrapnel dispenser.