Cyber Warfare? Or Russian conceptions of Information Confrontation? – A Timeline of Russian Use of Cyber/Information Capabilities
6 Months of Conflict
The 24th of August 2022 marked half a year since Russia started its invasion of Ukraine, an event that has shifted the world’s economic landscape and the attitude of the globe towards national defence.
Cyber warfare has been a quintessential doctrine of the Russian war machine before and throughout the conflict. Russian cyber capabilities have been used to gather intelligence, to carry out denial-of-service attacks against infrastructure or services, and to disturb the political sphere of nation states.
Cyber Incidents Before the War
In April 2007, following a diplomatic row with Russia caused by the removal of a Soviet war memorial, Estonia was hit by a series of cyberattacks targeting the financial and media sectors, as well as government websites. The attack consisted of denial-of-service operations caused by high traffic emerging from a Russian-controlled botnet.
On 20 July 2008, the website of Georgian president Mikheil Saakashvili was taken down by a series of denial-of-service attacks lasting for twenty-four hours. The websites of the National Bank of Georgia and the Parliament of Georgia were compromised by hackers who displayed images of the Georgian president alongside Adolf Hitler. Less than a month later, on the 1st of August 2008, the Russo-Georgian War erupted, in which Russia attempted to annex the Russian-backed self-proclaimed republics of South Ossetia and Abkhazia. The war followed a period of deteriorating political relations between the two former Soviet nations, sparked by Vladimir Putin’s election in 2000 and a pro-Western change in power on the Georgian side in 2003. The Georgian War of 2008 was the first war in history in which cyber warfare coincided with military actions.
In January 2009, the two primary ISPs of Kyrgyzstan, domain.kg and ns.kg, were targeted by a sustained DDoS attack, similar to the one recorded in Georgia in the previous year. The attack had colossal consequences for the small nation, effectively taking the whole country offline. It is believed that the attack was part of a Russian campaign to pressure Kyrgyz President Kurmanbek Bakiyev to close US access to an airbase that was key to supplying the ongoing war in Afghanistan.
In March 2014, three days before the referendum on Crimea’s status, Russia launched an eight-minute-long DDoS cyber-attack aimed at destabilising Ukrainian computer networks and communications, likely as a means of diverting public attention from the presence of Russian troops in Crimea. A few months later, in May 2014, prior to the Ukrainian presidential elections, a pro-Russian hacktivist group conducted a series of cyber-attacks to manipulate the result of the democratic process. The hacking group compromised the network used by the election system and deleted files in an attempt to change the election result. The attack delayed the election vote count; however, it failed to achieve its aim, as the malware was discovered and neutralised 40 minutes before the election start.
On December 23rd 2015, a cyber attack was carried out targeting Ukraine’s power grid, which resulted in power outages for approximately 230,000 consumers in Ukraine, lasting between one and six hours. The attack is attributed to the Russian advanced persistent threat group known as “Sandworm”. This incident marked the first time that a cyber attack was effectively utilised to deprive a nation of electricity.
Between 2016 and 2021, cyberattacks from Russia against Ukraine intensified, with the most notable event being the NotPetya malware, considered history’s most destructive cyber-attack to date. The NotPetya attack rendered 13,000 public institution devices unusable by encrypting their hard drives and disabling data restoration. European and US companies were caught in the collateral damage caused by the attack, with around 50,000 systems rendered unusable, causing an estimated loss of over US $10 billion. Petya and NotPetya malware are ransomware, and formed the basis of the WannaCry cyber-attack in May 2017 that targeted victims throughout the world, including the UK’s National Health Service. Additionally, two major attempted cyber-attacks occurred in 2018 and 2021. The former targeted the Auly chlorine distillation station that supplies 23 Ukrainian provinces, while the latter targeted the websites of the Ukrainian security service.
In May 2017, on the eve of the French presidential election, the presidential candidate Emmanuel Macron was targeted by a “massive and coordinated” cyberattack, hours before voters made their way to the polls. Tens of thousands of internal emails and other documents were released overnight, as the midnight deadline to halt campaigning passed. According to Emmanuel Macron’s election team En Marche!, “many false documents” were inserted in the leak alongside genuine stolen documents in an attempt to destabilise the democratic process. In 2020, three years after the incident, US and UK authorities charged Russian state-backed actors with having carried out the May 2017 French presidential election hack.
In 2018, The Washington Post reported on an information disclosure provided by US intelligence. The report shed light on the cyber-attack against the 2018 Winter Olympics hosted in South Korea. What made this attack special was that there were no evident benefits for Russia in carrying it out, apart from as a rebuttal to the Russian team’s ban over doping violations. However, it was discovered that the attackers used malware signatures matching those of malware used by North Korean hacking groups to make it appear as if North Korea initiated the attack, likely to incite geopolitical tensions between the two Korean nations.
In early 2019, a three-year pro-Russian disinformation campaign was uncovered by global activism company Avaaz and Polish investigative journalism website OKO.press. The campaign published fabricated material in support of three Polish pro-Russian politicians: Adam Andruszkiewicz, leader of the All-Polish Youth ultranationalist party; Janusz Korwin-Mikke, far-right politician and leader of the Congress of the New Right (KNP); and Leszek Miller, at the time affiliated with the Self-Defence of the Republic of Poland party. Facebook agreed with the analysis provided and proceeded with the removal of the misinformative content. Additionally, the Polish government has released statements regarding Russian disinformation campaigns targeting Poland throughout 2020 and 2022. Reportedly, the purpose of these campaigns has been to destabilise the relationships between NATO and Poland and to portray Poland as having plans to attack Ukraine.
The 2022 War with Ukraine
70 Ukrainian governmental websites compromised by hackers, including the Ministry of Defence, Foreign Affairs, Education and Science, and the Cabinet of Ministers
Microsoft reports a surge in malware attacks targeting the Ukrainian government, as well as numerous Ukrainian non-profit and IT organisations
Ahead of the brewing conflict, last-minute precautions are taken by allies, including $200 million in security aid provided to Ukraine by the US
Russia carries out exercises involving 6,000 troops and 60 jets near the Russian border with Ukraine’s Crimean Peninsula
UK’s National Cyber Security Centre (NCSC) asks UK organisations to bolster their cyber defences ahead of the upcoming conflict
A Distributed Denial-of-Service attack impacts two large Ukrainian banks, PrivatBank and Oschadbank, as well as The Ministry of Defence of Ukraine. The UK’s NCSC later released a statement attributing the DDoS attack to the Russian Main Intelligence Directorate (GRU). The statement also mentions the decision to publicly attribute this incident, which underlines that the UK and its allies will not tolerate malicious cyber activity from Russia
Hours before the full-scale invasion of Ukraine, a denial-of-service attack is launched against the Ukrainian branch of the commercial communications company Viasat. The “cyber event” causes outages for several thousand Ukrainians, and impacts wind farms and internet users in other European countries. NCSC later assesses that Russia “was almost certainly responsible for the attack”
Russian president Vladimir Putin announces a “special military operation” in eastern Ukraine, an effective declaration of war
On the 16th of March 2022, television station Ukraine 24 was hacked by Russian actors. The hacked television station was used to broadcast reports claiming that president Volodymyr Zelensky had called on the Ukrainian population to surrender. President Zelensky responded to the allegations via YouTube, referring to the false announcement as a “childish provocation” and reiterating that Ukraine would not give up arms until victory. The television station Ukraine 24 utilised social media to confirm the occurrence of the hack and to remark that Ukraine was unlikely to surrender, “especially in conditions when the Russian army is defeated in battles with the Ukrainian army”.
Throughout late April and early May 2022, amid the 2022 Russian invasion of Ukraine, Romanian military, governmental, bank and mass media websites were taken down as part of a series of denial-of-service attacks. The cyber-attacks were orchestrated by Killnet, a pro-Russian hacking group, as a response to a statement made by the President of the Senate, Florin Cîțu, that Romania would provide military aid to Ukraine.
On May 7th 2022, Russian actors carried out cyber attacks targeting the city of Odesa in parallel with Odesa being the target of an on-going missile strike campaign. Ukraine’s Special Communications and Information Protection Service released the following statement: “Odesa was attacked by Russian invaders, again. According to Operational Command South, the enemy deployed strategic warplanes to launch cruise missiles. At about the same time, calls were posted on hostile platforms for a cyber attack on the Odesa City Council’s website.”
In late June 2022, Lithuania faced multiple cyber attacks originating from Russia as a result of the recent dispute over the Russian-owned Kaliningrad region, sandwiched between Poland and Lithuania. The Kaliningrad region is dependent on the rest of Russia for support, as, being a territory of Russia, it is also under the effect of the economic sanctions. Lithuanian state and private institutions were hit by a denial-of-service cyberattack on Monday the 27th of June. Killnet claimed responsibility for the DoS attack, referencing the Lithuanian blockade of Russian goods to Kaliningrad as the direct reason for the attacks.
In August 2022, Estonia was hit by a series of cyber attacks following the removal of a Soviet tank monument. Killnet continued targeting former Soviet countries that were showing defiance against Russia. This series of attacks proved largely ineffective, as government services continued to operate with some “brief and minor exceptions”. A week earlier, Killnet also targeted Latvia as a response to the country voting to declare Russia a “state sponsor of terrorism”.
Even after the conflict between Russia and Ukraine concludes, assuming the severe economic sanctions still apply, it can be expected that Russia would resort to retributory cyber warfare against Ukraine and the West. Precedent for this can be observed in other pariah states, such as Iran and North Korea, which have resorted to cyber warfare to damage adversaries and steal monetary resources.
Russia will amplify and expand its Information Confrontation to undermine Western alliances and gain strategic advantage alongside China in undermining the West. Whilst this paper does not seek to predict that future, the greater the dependence on a small number of key technologies managed by Western technology multinationals (Microsoft, AWS, Google, etc.), the greater the gain from disrupting confidence in those systems and services.