
To war or not to war? Russia’s cyber strategies in Ukraine 2014-22

Had Moscow used cyber operations to substitute kinetic operations in February 2022, we would have seen a full-blown cyber war instead of a conventional invasion. In fact, the consequences of the pre-war period were modest and most of the actions taken seemed to be rushed or poorly planned. Russia failed to achieve its strategic objectives using cyber operations and the Kremlin concluded that its only option was to launch a military campaign.

At the 2013 meeting of senior Russian and American defence officials, General Nikolai Makarov ridiculed the lack of information warfare in the US Cyber Command’s (USCYBERCOM) mission. In his provocative speech he told his counterparts, “one uses information to destroy nations, not networks” and taunted that the omission of information warfare proves the Americans’ ignorance. That was also a clear message about Russian priorities for cyberspace, which were later reflected in Russian strategic documents and also applied in Ukraine in 2022.

February 15, 2023 - Błażej Sajduk, Dominika Dziwisz - Issue 1-2 2023, Lessons of cybersecurity, Magazine

Illustration by Andrzej Zaręba

Although the war is far from over, until now, “cyber fire” has yet to generate spectacular breakthroughs on the battlefield. At the same time, very few of the dynamics between cyber and military operations have developed as expected. In addition to the attempts to coordinate cyber and kinetic forces at the beginning of the war, we now see the use of these two Russian capabilities independently of each other. This might be caused by different goals set for the Russian cyber and kinetic invasion, where cyber is for information warfare and kinetic is for seizing territory. Therefore, it can be assumed that the widely predicted “cyber Pearl Harbour” is not coming, yet also that Russia is not as bad at cyberwarfare as expected. This is mainly because cyber weapons were not suitable for the situation in Ukraine. Following the trials of various cyberspace strategies tested by the Russians in Ukraine from 2014 till today, the Russians adapted their plans and ways of implementing cyber-weapons in Ukraine. This can tell us much about the future of cyberwarfare.

War and non-war in cyberspace

The 2010 Stuxnet worm attack, which was allegedly the result of US-Israeli cooperation, is the best example of using cyber conflict as a substitute for war. It destroyed centrifuges at Iran’s Natanz nuclear facility, thus delaying the country’s progress towards building a nuclear weapon. The attackers did not need to use military force since the cyber-attacks achieved similar goals. At least since 2014 Russia has been modelling its own activities on this master pattern. It tried implementing a grey zone conflict strategy, including activities in cyberspace, to pressure Kyiv to make concessions. Cyber-tools from the grey zone, including ongoing misinformation and disinformation, informational propaganda, election interference in 2014, cyber-attacks on critical infrastructure in 2015, and a cyber-attack that targeted Ukraine’s ministries and banks in February 2022, were a form of limited military competition that persisted beyond peace but remained short of full-scale war. The aim of all these activities was to avoid open conflict and serious clashes and, at the same time, achieve strategic goals. Therefore, we may conclude that the Russia-Ukraine conflict before February 24th 2022 was a perfect example of “salami tactics”, offering an attractive option for an expansionist power on the cusp of a major war.

Despite some spectacular successes, for example releasing a piece of devastating malware called NotPetya in 2017 or the unprecedented hacking of Ukraine’s power grid in 2016, the Kremlin decided that the grey zone strategy was insufficient to satisfy its great power aspirations and consequently decided to engage in a military invasion of Ukraine. Assuming that Moscow had used cyber operations to substitute kinetic operations, we should have seen a full-blown cyber war instead of a conventional invasion. In fact, the consequences of the pre-war period were modest, and most of the actions taken seemed to be rushed or poorly planned. Russia failed to achieve its strategic objectives using cyber operations and the Kremlin concluded that its only option was to launch a military campaign.

Using cyber-tools directly

Offensive actions in cyberspace can be divided into two categories: those that directly complement the war effort on the frontline and those that indirectly affect the outcome of an armed conflict. To be relevant for conventional forces, the first one must be synchronised in time and place with what is happening in the real world on the ground. A report published by Microsoft in April 2022 pointed to Russian attempts to coordinate activities in cyberspace with kinetic ones. A series of what seems to be hastily compiled Wipers, a class of malicious software that deletes files on infected computers, were the main tool of the attack, but their effectiveness was not confirmed. Up until now, the only publicly known serious cyber incident that took place simultaneously with the launch of the Russian ground invasion was against Viasat, the company that provides satellite internet for Ukraine and Europe. As a result, the communications of the Ukrainian military forces were severely limited, but only until Starlink agreed to provide its communication services to Ukraine.

Activities in cyberspace aimed at disrupting or damaging enemy communications systems are a result of long preparations for such an attack. First, the attacker needs to find access to the system and this process is time consuming. The attacker also needs appropriate tools, especially access to vulnerabilities which will allow one to launch an attack. Moreover, once a cyber-attack is detected, the vulnerabilities that enabled it are quickly patched and reusing them becomes ineffective. This fact distinguishes conventional weapons, which are generally reusable, from cyber weapons, whose effectiveness in future attacks is reduced each time they are used. A firearm may serve as an example. If one wants to use it, all he or she needs to do is to aim and pull the trigger. The weapon will then fire, and the effect will be seen immediately. As a result, due to the very different nature of the two types of weapons, coordinating their actions on a battlefield is extremely difficult. This may hint at why the role of offensive actions in cyberspace during the Russian invasion of Ukraine was limited.

To achieve its goals in Ukraine, Russia chose conventional strikes on critical infrastructure over cyber-attacks. The explanation as to why indiscriminate bombing remains the Kremlin’s preferred tactic can be found in cost-effect reasoning. It is beneficial for the Russian army to use proven methods of hitting targets, including cruise missiles or cheap Iranian drones, rather than investing time and resources in uncertain cyber-attacks on critical infrastructure. From the course of the war, it can be concluded that so far Russian hackers have not deployed any new cyber-weapon and probably regret that at present they cannot repeat cyber-attacks on Ukrainian power plants like those from 2015 and 2016, or the NotPetya attack from 2017. Yet as mentioned earlier, once a cyber-weapon is used and detected, it is no longer effective.

Using cyber-tools indirectly

To support the war effort, the cyber domain can also be used indirectly, and two roles are important here: cyberespionage (“cyberint”) and information operations aimed at influencing the society of another country. Intelligence activities in cyberspace are the key elements of the daily activities of each state’s secret services. The goal is to steal secret information from enemy systems. However, the desire to remain undetected causes cyberint operations to stretch over time.

During the war in Ukraine, cyberspace is used by both parties for intelligence purposes. The Russian secret services have documented instances of successful operations in the past, including the notorious SolarWinds cyber-attack in December 2020, when at least 200 of the largest global companies and several US federal agencies were infiltrated. Intelligence activities also take place during the operation in Ukraine. In April, Microsoft noted the extensive activity of Russian hackers who tried to obtain secret information and credentials from Ukrainian institutions. However, it can be concluded that like the ground offensive, Russian services have not yet achieved any spectacular success in the field of cyber espionage, or at least none that would have had an impact on the course of the conflict.

Information and psychological operations are the second field in which cyberspace activities can indirectly support the war effort; however, they seem to be the first option for Russia. Currently, more than five billion people have access to the internet, or 63 per cent of the world’s population. This makes the internet a perfect place for propaganda activities and the longer a society is exposed to cyber influence, the more effective it becomes. It is estimated that English-language websites with pro-Kremlin propaganda are visited 60 to 80 million times a month in the US, which is as often as the Wall Street Journal. Russia has long pursued this type of action, but in this field, too, it is difficult to point to unequivocal successes that would have an impact on the strategic dimension of the so-called “special operation”. Although they are not as spectacular as offensive actions, it seems that psychological operations will be the dominant way of using cyberspace to support Russian military operations in Ukraine.

What we have learned

The Ukraine invasion is a year in, yet the answer to the question on how the Russians have used their cyber potential is neither simple nor easy. However, some conclusions can be drawn already. Firstly, coordination across domains is demanding even for the most advanced militaries. Cyber-attacks are both more time consuming and planning intensive than traditional ones. They require sophisticated reconnaissance to find vulnerabilities to be exploited. After using a vulnerability once, the attacker must search for a new one and start the process all over again. Considering that the Russians hoped for a quick victory in Ukraine, they were unprepared for sophisticated cyber operations that would complement the tasks in the field. Frankly speaking, Russian military actions in Ukraine show the problem of coordinating actions in one single domain, let alone coordinating two domains.

Secondly, the Russians are aware that cyberspace is most useful in pursuing informational goals, such as gathering intelligence to get better insights about the conduct of war, creating and delivering disinformation, promoting chaos or winning diplomatic debates. In Russian thinking, cyber-tools are not sufficient to capture the nation but are best to use to compete in the information sphere, through which one can attempt to win political goals and capture the hearts and minds of people. When the goal is to seize territory, the kinetic forces are more efficient. Therefore, there are different goals for the Russian cyber and kinetic invasion of Ukraine.

Thirdly, it is very likely that, under pressure from western countries, the Russian Federation will look for an adequate response. In this situation, the cyber domain is perhaps the best-suited option for retaliatory actions against foreign sanctions. In addition to information warfare, Russia may also use all kinds of ransomware attacks to improve its finances. 

Finally, the problems related to coordinating cyber and kinetic activities might stem from the fact that the Russian army is centrally managed, and it gives no room for greater autonomy for lower-ranking commanders. Consequently, communication problems appear between specific commands. Apparently, the Russians did not learn from the Iraqi experience of General Stanley McChrystal, who transformed the US Joint Special Operations Command from a pyramid hierarchy to a web of teams with him at the centre. Furthermore, adopting a model of “radical transparency” has made communications crystal clear from the top to the bottom of the command and across it to develop a shared awareness of the situation.

Taking everything into account, (as of now) cyber is not going to replace traditional forms of combat, but according to the recent reports, cyber-attacks in Ukraine are more sophisticated and widespread than many recognise. Therefore, in the future, different patterns of behaviour may appear.

Dominika Dziwisz is an assistant professor at the Institute of Political Science and International Relations of the Jagiellonian University in Kraków, Poland. Her research focuses on US cybersecurity policies, critical infrastructure protection and the relationship between big data and human rights.

Błażej Sajduk is an assistant professor at the Institute of Political Science and International Relations of the Jagiellonian University in Kraków, Poland. His research interests focus on the role of new technologies and international security (practically 5G and Artificial Intelligence).
