Ukraine’s Battle against Russian Cyber Aggression

By Carlos G. Sháněl, Director, Center for Cybersecurity Studies, Casla Institute

In the first week of January 2024, hackers allegedly linked to the Ukrainian secret services (SBU) attacked the systems of M9 Telecom, a Moscow-based internet and TV provider. According to available sources, the hackers deleted a staggering 20 terabytes of data from the Russian company, causing internet outages for some Moscow neighborhoods.

A few days later, the same group (known as “Blackjack”) successfully breached a Russian state enterprise handling a series of military construction projects. According to Newsweek, they gained access to and subsequently deleted over 1.2 terabytes of classified information, including maps of more than 500 Russian military bases, air-defense installations, and weapons arsenals.

Referring to a source close to the operation, London-based journalist James Pearson, cybersecurity correspondent for Reuters, wrote that this appears to be a calibrated retaliation for a significant Russian cyberattack on Ukraine.

In December 2023, Kyivstar, Ukraine’s largest mobile network operator, faced a sophisticated cyberattack orchestrated by Russian hackers. The invasive attack was one of the most significant cyber incidents since Vladimir Putin’s military invasion of Ukraine in February 2022, paralyzing the mobile company and revealing a disturbing fact: The hackers had covertly infiltrated the company’s systems months before unleashing their destructive assault.

In an interview with Reuters, Illia Vitiuk, the head of the cybersecurity department at SBU, said, “The hackers attempted penetration in March 2023, gained entry by May, and likely had full network access by November.” The extended infiltration period allowed them to gather sensitive information, learn vulnerabilities, and strategically position themselves for a devastating strike.

This stealthy cyber operation aligns with the concept of Advanced Persistent Threats (APTs), a sustained and covert form of cyberattack. APTs involve targeted efforts by adversaries to infiltrate and remain within a network undetected, often to extract sensitive information or inflict significant damage. In this case, the attack was not intended to merely steal data; it was a full-scale assault aimed at paralyzing critical systems and causing widespread disruptions across Ukraine.

Contrary to the expectation that Russia would target electric infrastructure as it did the previous winter, its focus shifted to mobile operators, leaving over 24 million people without a connection for a protracted period. The consequences extended beyond digital borders, affecting businesses, education, and, more critically, the psychological well-being of individuals who could no longer connect with their families and friends. The situation was even more dire for those on the frontlines, yearning to hear their loved ones’ voices.

A disruption like this has consequences beyond communication breakdowns. For instance, mobile operators play a vital role in GPS services, and many people depend on these services for travel, volunteer support, and various activities typical for a country at war. A connection loss like this one significantly complicates navigation and coordination. A less-discussed but still-critical factor is the failure of mobile phone air raid alert applications. Millions of Ukrainians without this alert system become more vulnerable to potential air attacks.

Russia’s Default Mode: The Strategy of Constant Intimidation

Despite Ukraine’s technological advancement, it faced significant challenges post-cyberattack. The attack’s sophistication and scale at least partially overwhelmed the country’s advanced digital infrastructure, exposing vulnerabilities and disrupting critical systems beyond initial expectations.

The impact is felt across various sectors, with individuals unable to utilize two-factor authentication, verify their email identities, or conduct online transactions. This situation poses a risk to vitally important services like Diia, a mobile application that seamlessly connects over 19 million Ukrainians to more than 120 government services and numerous digital documents.

Pennsylvania-based tech professional Iurii Fedorenko closely monitors the developments in his native country. Explaining the application’s significance, he states, “In Diia, you can store your digital IDs, passports, and driver’s licenses. You can file taxes, open a business, request financial aid, change your car’s registration, and much more—all without the hassle of repeatedly proving your identity and uploading documents.” The reliance on connectivity becomes evident when it fails, leaving users vulnerable.

While reports so far suggest no damage to the Ukrainian banking system, government, and other mobile operators, the extent of the information the Russian hackers accessed remains uncertain. Given the intricate link between mobile phones, bank accounts, and personal information, future consequences are unpredictable, raising worries about deception, fraud, or potential bank account failures.

Fedorenko reinforces this concern with a global warning, stressing that Russia is a severe, state-sponsored threat actor. “Russian cyberattacks can target any country on the planet,” he cautions.

The current situation in Ukraine is a stark reminder of cyber warfare’s widespread impact and highlights the interconnected nature of cyber conflicts, where actions in the digital space have tangible consequences in the physical world. The implications expand beyond Ukraine, prompting global awareness of the urgent need to address the new cyber threats.

The Evolution of Russian Cyber Aggression

The historical footprint of Russian cyber aggression goes beyond the headlines capturing media attention today. Its roots reach back to 2007, when the Kremlin orchestrated a significant cyberattack against Estonia, targeting key government institutions, banks, and media outlets. A dispute over the relocation of a Soviet-era monument in the Estonian capital of Tallinn catalyzed this assault.

The attack, featuring distributed denial-of-service (DDoS) tactics, overwhelmed the country’s digital infrastructure. DDoS attacks involve multiple compromised computers flooding a target system with traffic, making it inaccessible to users. This event marked a watershed moment, signaling one of the earliest instances of one nation-state employing cyber warfare against another. It exposed modern society’s vulnerability to digital aggression.

Since the 2007 cyberattack on Estonia, Russia has been implicated in various significant cyber incidents against other nations.

For instance, shortly after the annexation of Crimea and the conflict outbreak in the Donbas in 2014, Russia was accused of engaging in cyber operations against Ukraine. One notable incident involved the use of malicious software known as “BlackEnergy” to remotely manipulate and disable key components of Ukraine’s power grid, causing massive outages affecting around 230,000 people for between one and six hours in several regions.

The following year, a cyber espionage group, suspected to be linked to Russian intelligence, targeted the German Parliament’s information system and affected its operations for several days. “A significant amount of data was stolen, and email accounts of several MPs as well as of (then) Chancellor Angela Merkel were affected,” EUR-Lex, the official information web portal of the European Union, published years later.

During the 2016 U.S. presidential election, Russian interference involved hacking into political figures’ and organizations’ email accounts, including the Democratic National Committee (DNC). The stolen data was subsequently leaked, impacting the election narrative. Additionally, Russia deployed a sophisticated disinformation campaign on social media platforms to influence public opinion by spreading misleading or divisive content. These combined cyber and information warfare tactics sought to undermine trust in the democratic process and sow discord among the American electorate.

The list goes on. In the U.S., National Public Radio (NPR) recently published a report that sheds light on the latest display of Russian cyber aggression, revealing a disturbing pattern of state-backed hackers infiltrating Microsoft’s corporate email system. This breach not only targeted the company’s leadership team accounts; it also extended to individuals within its cybersecurity and legal teams.

These incidents highlight Russia’s strategic deployment of cyber weapons for geopolitical goals, raising fears about the worldwide ramifications of state-sponsored cyber aggression. Members of military and academic communities, as well as cybersecurity experts, advocate for robust international measures to counteract Moscow’s evolving threats.

State-Sponsored Threat Actors and Information Warfare

In the fluid realm of cyber warfare, tracing attack origins has become daunting. The use of cyber proxies and advanced attribution evasion techniques has created a multifaceted and elusive digital battlefield, intensifying the challenges for those tasked with unveiling the perpetrators of an attack. Adding to the complexity, Russia categorically denies any involvement in the cases with which it is linked.

“Cyber operations are just another phase in the evolution of conflicts—another weapon. Whether initiated by a state or a non-state actor aiming to disrupt and polarize society, it’s a cost-effective alternative to invading with tanks and troops,” says Tomáš Řepa, a professor at the University of Defense in the Czech Republic.

These cyber operations have evolved into a formidable tool, serving not only as an instrument of technological warfare but also as a means to orchestrate information warfare. Manipulating public opinion via disinformation campaigns is one of the architects’ key objectives, aligning narratives with their strategic goals.

As a gateway to vast knowledge, the Internet exposes individuals to diverse perspectives. However, the downside emerges as the algorithm-driven social media platforms create filter bubbles, isolating users within echo chambers that reinforce existing beliefs. This personalized content, coupled with human susceptibility to manipulation and disinformation, further influences thought patterns.

So, according to Řepa, reshaping thinking has become relatively simple in today’s landscape. “Factors such as critical thinking, personal frustrations, and fears all play crucial roles. Brainwashing and influencing public opinion have occurred throughout history. Now, it just has taken a new form, orchestrated by state-sponsored threat actors,” he states.

Cyber Warfare Escalation?

Examining Ukraine’s potential vulnerabilities to the recent Russia-orchestrated cyberattacks makes evident the need for Western support beyond conventional weaponry. Merely painting a bleak picture is insufficient; the picture should instead serve as a stark reminder of the urgency to confront the harsh reality and take proactive measures. Acknowledging the vulnerabilities Ukraine faces prompts us to contemplate the importance of collective security, international cooperation, and fortified cyber defense as integral components of national resilience.

Cybersecurity’s significance has evolved, transforming from a secondary concern to a crucial aspect of national security. Western support can play a pivotal role in enhancing Ukraine’s capacity to withstand and counter cyber threats. This support should extend beyond reactive measures to encompass proactive strategies, including expertise sharing, technological resources, capacity-building programs, and the development of robust cybersecurity frameworks.

The urgency for Western support gains further significance in the context of a potential broader confrontation between the West and Russia at the regional level.

Considering Russia’s technological capabilities and virtually unlimited resources, the consequences of a large-scale cyber assault are unimaginable. The digital world’s interconnected nature means that an attack on one can have cascading effects, potentially disrupting critical infrastructures and economies and compromising the security of entire nations. Therefore, assisting Ukraine in cyber defense serves not only the immediate objective of safeguarding its sovereignty but also becomes a crucial proactive measure to mitigate the broader risks of cyber aggression coming from Moscow.

Initiatives like Cyber Coalition, NATO’s flagship annual collective cyber defense exercise, provide essential forums where nations can collectively enhance their cyber capabilities. Ukraine’s participation in such initiatives, including joining the NATO Cooperative Cyber Defense Centre of Excellence (CCDCOE), reflects its commitment to collaborative efforts in strengthening cyber defenses.

In the ongoing cyberwar between Russia and Ukraine, motivations are clear when examined in the context of their broader war. But understanding the covert operations behind it proves complex, as they often escape the mainstream spotlight. Unraveling these cyber battles demands a closer look at motives, strategies, and covert maneuvers than the surface narratives presented in the media usually offer.

As the conflict escalates, both nations delve deeper into cyber espionage, infiltrating military and defense institutions to glean insights into each other’s capabilities, strategies, and vulnerabilities. Demonstrating cyber capabilities through disruptive attacks sends a clear message of potential consequences, adding further complexity to an already intricate web of geopolitical maneuvers.

The “Blackjack” hacking incident against M9 Telecom and the Russian military in January 2024 sent a clear message: Ukraine will not remain passive in the face of cyber aggression. But neither will Russia.

During the time I’ve been writing this piece, I’ve been following CNN correspondent Sean Lyngaas’s latest reports from the cyber frontline. Immediately after I completed this article, he reported that Naftogaz, Ukraine’s largest oil and gas company, is under a ‘large-scale cyberattack’ targeting one of its data centers. Seeking further information, I turned to online sources.

Almost simultaneously, Ukraine’s Ministry of Defense’s Intelligence Directorate announced that ‘hacktivists,’ identified as the ‘BO Team,’ have successfully infiltrated the Russian Center for Space Hydrometeorology, also known as ‘Planeta,’ executing a cyberattack that wiped a staggering two petabytes of data.

These new developments clearly show that all is not quiet on the digital front. This is not the culmination, but rather another episode in an ongoing cyberwar between the two countries. The war has expanded beyond physical borders into the vast and often mysterious world of cyberspace. The battlefield may be virtual, but the stakes are real.

Author: Carlos G. Sháněl is a journalist and cybersecurity professional based in Philadelphia. He has spent ten years at the Casla Institute, with previous experience as a foreign correspondent in Europe and the United States. He is the author of ‘Ceasefire Zone: Diary of Ukraine’s Forgotten War’ and serves as a reserve officer in the Army of the Czech Republic.