Foghorn: Signals Through the Fog of War
Some Lessons Learned, So Far
Ukraine Survives and Thrives
Russia’s first wave of destructive cyber effects operations against Ukraine were effective. They targeted and disabled Ukrainian air defense systems, government ministries, and the national command and control infrastructure built over VIASAT. These successful operations were accomplished even though Russia’s military intelligence, the GRU, had very little time to prepare. Lessons to take from this are (1) that the GRU had years of access operations with many prestaged backdoors they could use; (2) they had prepared many wipers and, the VIASAT operation beforehand; and, (3) the often repeated mantra that “cyber operations require long lead times” has important caveats. Russia was able to operate effectively on short notice and achieve tangible effects that were instrumental in some of their early successes during those initial three days.
So why didn't Ukraine's systems collapse? How was Ukraine able to resist this cyber juggernaut that could exploit years of preexisting compromises, years of tool development, years of active operations, and so on?
Adaptation and Acclimation
The secret behind Ukraine’s resilience is their ability to adapt and fallback to alternative systems. For over eight years Russian security services have attacked Ukraine’s computers and other cyber infrastructure. Frequent cyberattacks created the conditions for adversarial evolution, forcing the Ukrainians to learn how to live with that reality. Now Ukrainians take cyberattacks in stride, they no longer fear them. A government website gets defaced with some threatening message? Must be a Tuesday.
Constant Russian cyber has built up Ukrainian resilience. The population as a whole, and the defenders in particular, lived with a barrage of highly visible cyber effects operations, influence operations, and near constant reports of successful cyber espionage campaigns.
Ukrainians have learned many Russian tricks. Android apps offered online for sideloading are not safe, so they use official channels. Websites get hacked, but they get restored. Sometimes Russian propaganda messages get sent to mobile phones, but they're not important. And many more Russian attacks became just part of life, not an exceptional event. This is one pillar of Ukrainian resilience – acclimation to cyberattacks. No fear.
Rapid Adoption
Besides losing their fear of cyber, Ukrainians became adept at switching to alternate systems. Many of these systems are provided by international providers, rather than local domestic companies, placing them beyond the reach of normal Russian offensive cyber operations. Facebook, Signal, Gmail, and so on are generally reliable and secure against Russian attacks. Even Telegram is generally fine to use as a public broadcast and messaging platform.
Of course, it is not only international systems that provide security against Russian attacks. Since the start of the war Ukrainians have adopted a number of completely new technologies for which Russia was not prepared. For example, using DJI drones as combat and reconnaissance platforms. As mentioned earlier, the VIASAT operation was almost certainly prepared well beforehand and taken off the shelf ready for use. Since then Ukraine has switched over to Starlink, against which Russia has not developed any operations. At least, nothing that has been successfully used so far (at time of writing, May 31 2022).
This is the other pillar of Ukraine’s resilience – the rapid adoption of alternative solutions. Satellite comms are down? Switch to another provider – over the weekend. Train system’s network vulnerable to cyber surveillance? Switch to the old analog Soviet system. Despite the success of Russian cyber effects operations, the Ukrainians have been able to work around the problems created. Helped by repeated exposure to cyber attacks they don’t panic, rather they adopt an alternative and keep going.
Sources of Immunity
After the better part of a decade on the receiving end of Russian cyber, Ukraine has had years to learn how to deal with Russian cyber capacity. They’ve deployed (some) secure systems. More importantly they’ve learned to mitigate Russian advantages by limiting their dependence on cyber. For example Ukrainian organizations rapidly adapt to new replacement systems, including many commercial off the shelf solutions.
Using common public solutions can bring significant benefits. Often these international solutions aren't as exposed to Russian attacks as domestic systems. An additional aid to cyber security is that many of these off the shelf solutions are new since the war. Russia hasn't had time to develop countermeasures and capabilities yet. Plus, some are just tough problems, even the US has struggled against DJI drones.
Spring Flowers
Ukraine also has a home field advantage that has helped against the invasion. As has been documented extensively, the Russian army suffers from communications difficulties. Their technology doesn’t work that well, their troops aren’t familiar with its use, and they’re not used to working with its limitations. The result is many Russians have fallen back to using their mobile phones. On Ukraine’s mobile phone network. Controlled by Ukrainian companies. Ukrainians call these mobile phones “spring flowers,” because they suddenly appear on the network. Spring flowers bring artillery showers.
Russia’s Cyber Strategy
Russia’s invasion plan was a retread of Storm-333. A very fast, very deep military strike that neutralizes the country’s leadership and immediately replaces them with a new regime.
Russia’s cyber capability was used to enable this operation. The backbone communications fabric of the Ukrainian military and civilian government was running over VIASAT. The GRU targeted VIASAT as a tier one priority and deployed wipers to destroy satellite modems connected to the network. Their targeting was a bit sloppy with some spillover into Germany and other European countries. (Note: this spillover is possibly the only reason we even know about the attack.)
This was a virtual decapitation strike, taking out major C2 infrastructure critical to managing the military and the country during wartime. A major coup for the GRU.
“The attack caused a major loss in communications in Ukraine in the early hours of Russia’s invasion,” [said] top Ukrainian cybersecurity official Victor Zhora
Government services and capacity were further compromised by wiper attacks at multiple ministries. [ThreatPost]
The GRU provided direct military assistance with destructive cyber attacks that disrupted or destroyed Ukrainian air defense system command and control infrastructure. Cyber effects operations against the C2 were combined with kinetic attacks against installations. However, poor Russian intelligence collection caused them to destroy many disused and abandoned locations.
The combined effects of these early cyber strikes was a severely reduced air defense capacity, and an isolated leadership. Against an extremely hierarchical top down military, such as Russia’s, this might have been decisive. Ukraine’s military, however, has a more Western style command structure, following the “centralized decision, decentralized execution” model favored by NATO militaries.
What does it all mean?
The cyber conflict was far from non-existent. It was probably the only part of the invasion that went according to plan. Russia’s cyber offense must be understood within the context of their broader strategy, which collapsed. Currently, whatever the new strategy is, cyber appears to play a smaller role. Understandably, because there really isn’t all that much cyber can do to assist an artillery duel, or help with crossing a river. And, of course, some elements of the war are simply immune to cyber, for example: Javelins and Stingers.
Despite the success of the Russian cyber offensive, including the severing of Ukraine’s communication fabric in the hours before the invasion, the actual benefits have been less than impressive. The credit for this goes to the Ukrainians. They have had a lot of practice dealing with Russian cyber effects operations. They moved to less vulnerable systems, deployed new solutions, and fell back to less vulnerable alternatives. The story of Russia’s unimpressive results from their cyber offensive is as much a story of Ukraine resilience as any limitations of cyber power.
Believing CW can change the outcome of a conflict is like thinking cutting off railways tracks could have changed the outcome of WW2