War on the cyber front

“And now I decide to say goodbye to you. I advise you to lay down your arms and return to your families,” said Ukrainian President Volodymyr Zelensky to his countrymen. “You should not die in this war. I advise you to live. And I will do the same.”

Ukraine’s political and military leader was dressed in his trademark olive green combat uniform, sitting in an official governmental briefing room. He stared directly at the camera, his eyes looking dull and glazed. Ordinarily stoic and unyielding, the Ukrainian leader appeared to acquiesce to the reality of Russian President Vladimir Putin’s invasion of his country. In simple, slightly hollow sounding terms, he stated that he will lay down arms and return to his family. The Ukrainian people, Zelensky said, should do the same.

Of course Zelensky never said such a thing – rather, he was spoofed. This deepfake video was broadcast on a Ukrainian news website, Ukraine 24, in March 2022. The clip was also posted to Telegram and Russian social network, VKontakte, according to the Atlantic Council. It sent shockwaves around the world but it was swiftly denounced as a fake by experts and Zelensky himself – Ukraine 24 said hackers defaced its website with a still from the video and inserted a summary of the fake news into a broadcast.

A relentless barrage

The video may have been too clunky to fool everyone, but it demonstrated the lengths Russian or Russian-affiliated hacktivist groups will go to in order to frighten and destabilise Ukraine and its allies. Since the conflict began at the tail end of February 2022, Russian hackers have been striving to infiltrate and undermine the Ukrainian government and critical infrastructure.

According to a European Parliament briefing document, CaddyWiper malware infiltrated the systems of several Ukrainian organisations in the governmental and the financial sectors in March 2022. Later that month, cyberattacks targeted Ukrtelecom and WordPress sites, causing connectivity collapse and restricting access to financial and government websites. Other successful infiltrations followed, but there is a consensus among cybersecurity experts and military intelligence analysts that Russia’s hacking operation has been more inconvenient than invasive, and not as devastating as many feared it could be. In the words of Lindy Cameron, CEO at the UK’s National Cyber Security Centre, we have not seen a “cyber armageddon”.

Of course, that does not mean that Russia and its allies have not been hard at work trying to execute nefarious schemes in cyberspace. As any military or intelligence operative knows, it is only when a subsequent breach occurs that the public finds out. “In the public domain, we tend to only read about the attacks that are successful,” says Ian West, chief of Nato’s Cyber Security Centre. “The reality of operating with today’s technology is that you see so many of these attacks every single day.”

As head of the centre – which is part of Nato’s Communications and Information Agency – West is responsible for “the entire lifecycle of the cybersecurity mission”. Together with a team of 250 experts, West spends his days defending Nato’s enterprise networks, whether in static headquarters, or on exercises or operations. The role encompasses a broad remit of responsibilities: from defining and designing cybersecurity solutions, through to their implementation and operating those cyber defences on Nato’s networks. Nato’s cybersecurity chief does not divulge how many threats have been uncovered on the Nato network since the start of the Russia-Ukraine conflict, but one can guess that Putin’s decision to invade his western neighbour has only exacerbated the level and frequency of attacks. “Against Nato networks, we see the entire spectrum of cyberattacks,” West says. “Every day, we see attempts to attack Nato systems, whether it’s from malicious software like a ransomware wiper, or other types of viruses and worms that are pretty indiscriminate and would attack your home computer. Then we also get more specific and targeted attacks from hostile nation states.”

“Sometimes we see website defacements,” West adds. “An opponent will [attempt to] put a message on your website, which can be particularly damaging depending on what type of operation we’re in.”

Bad actors on the world stage

From a western perspective, Russia and its hacktivist allies have been sharpening their skills for some time. In 2007, after a diplomatic row over a Soviet war memorial with Russia, Estonia endured a series of cyberattacks on its parliament, banks, ministries, newspapers and broadcasters. Online banking services were temporarily defunct and government employees were unable to send emails.

In 2015 and 2016, Russia was almost certainly behind wide-ranging destructive hacks of Ukrainian electricity infrastructure. The US government concluded that a cyberattack caused a power outage in Ukraine which left 230,000 people temporarily without power. Then came NotPetya, a set of devastating malware attacks against the Ukrainian government and other commercial targets unleashed in 2017. Ukrainian ATMs froze, railway and postal systems were paralysed, and hospitals blacked out due to lack of power. As West explains, “the NotPetya cyberattacks were variations on ransomware” – the kind of malicious software that criminals use to worm into computer systems asking users to click a link or open an attachment. “The ransomware will encrypt every single bit of data with very high-grade encryption, so that the user can no longer get access to that data,” West says. “Then a message will pop up, which tells the user that their data has been encrypted.”

Generally, the software will tell users to pay a certain amount of Bitcoin or fiat currency to get the key to decrypt their data. Ordinarily, that might be a couple of hundred dollars, but in the case of NotPetya, the damage was far more catastrophic. The malware shifted across the globe at light speed, inflicting $10bn in damage, making it the most wide-reaching and destructive cyberattack in history.

Widely attributed to the infamous Sandworm hacking group – a cyber military unit within Russian military intelligence – NotPetya is the kind of widespread shutdown military and intelligence analysts have feared since Putin’s war began. So far, however, Ukraine (and Nato) seem to have been resilient against this kind of cyber armageddon.

Reasons behind resilience

The question of why Ukraine has been so adept at warding off the worst of these attacks probably has a few answers. It has received an outpouring of support from industry partners and collaboration between the UK, US, EU, Nato and others. In November 2022, it was revealed that the UK had spent £6.35m helping Ukraine defend its networks from cyberattacks in the weeks after the invasion began. These attacks had already been happening for some time, however, coming in waves in the second half of 2021 as Moscow prepared to invade. Once the war began, Russia’s strikes only intensified.

“We’ve seen, on a daily basis now, the terrible images of the way that the electrical grid in Ukraine has been battered by ballistic strikes and drone strikes from the Russians – they face the same threat and same challenge in the cyber domain,” Leo Docherty, Europe minister at the Foreign, Commonwealth and Development Office (FCDO), told the BBC at the start of November 2022.

Christopher Bronk, Gabriel Collins and Dan Wallach at Rice University’s Baker Institute for Public Policy, cite previous conflicts in Ukraine and Syria, arguing that “lessons learned” have been applied since February, “blunting the impact of the cyberattacks now”. In a keynote speech at Chatham House’s security and defence conference this year, Cameron suggested that Russia has made Ukraine “match fit over the last ten years by consistently attacking them”.

Does West agree with Cameron’s assertion that persistent hacks from Russia have bolstered Ukraine’s cyber defences long term? “I would concur”, West says. “At Nato, we’re under attack every day. That keeps us match fit. Every organisation will exercise their defences [...] and, in the current situation, Ukraine has been under significant attack and has been able to put up a seriously good defence on its own, but also with the help from others – particularly from its allies.”

West and his team will continue to work day and night to keep Nato and its networks safe from nefarious entities. To stand the best chance of doing that, he advocates a collaborative transnational approach to cyber defence that is open to sharing information with other European nations.

“The moniker of collective defence has never been more true than in the cyber domain,” West says. “We’re all using the same sort of technology. We’re all faced with the same sort of threats. We work in an incredibly collaborative way, sharing information and best practices, not just within Nato, but with our allies and partners as well.

“It’s [about] being ready when an attack happens. It’s not just about Ukraine, it is the same for many organisations,” he adds. “From a defender’s perspective, being ready and being secure is just critically important.”

No matter the form or frequency in which these operations occur, there is no doubt that cyber warfare will continue to influence the conflict in Ukraine. These attacks might not make the headlines, but they are an integral part of a shadowy conflict being played out behind closed doors that can have far reaching consequences for Russia, Ukraine and the European continent.

“Vladimir Putin has backed himself into a corner,” West concludes. “He’s going to use anything he has to change the tide of the war – and cyber capabilities are part of his weaponry.”