ArchiveOODA Original

OODA Special Report: The Kinetic Potential of Russian Cyber War

Introduction to the Kinetic Potential of Cyber Operations

The proliferation of cyber physical systems (CPS) has increasingly enabled cyber actions to have direct kinetic effects on tangible infrastructure, even as cyberspace itself depends on tangible infrastructure vulnerable to kinetic damage. In a report titled “The Dawn of Kinetic Cyber” by Scott Applegate of the Center for Secure Information Systems at George Mason University, the phrase Kinetic Cyber is used to refer to a class of cyber attacks that can cause direct or indirect physical damage, injury or death solely though the exploitation of vulnerable information systems and processes”. This is a real and growing threat that OODA members should track closely due to its potential impact to business and governments. In discussing the kinetic potential of cyber conflict, both nation’s and businesses need to understand and address the vulnerability of cyber infrastructure to both cyber and to purely kinetic attacks.

Cyber attacks with kinetic effects debuted almost 20 years ago, not as a result of great power rivalry, but rather as a result of petty grudges. The first case came from Queensland, Australia, where a utility worker hacked into the supervisory control and data systems for Maroochy Water Systems, his former employer, in order to release a total of approximately 70,000 gallons of raw sewage in Maroochy over the course of several months in early 2000. A more dangerous stunt, with even more petty motivations, emerged 8 years later, when a 14 year old Polish citizen used a modified tv remote to reroute trams in the city of Lodz for his own amusement, causing more than a dozen injuries in the process, and demonstrating for the first time the potential for cyber actions to kinetically harm human beings directly. In an even greater escalation, the 2010 Stuxnet cyber attack—widely believed to be the work of American and Israeli state actors—represented the first known instance of such kinetic action being undertaken in an operational context in order to influence geopolitics. Recent history has also included costly attacks against infrastructure by Iran and, as will be discussed further below, the most costly cyber attacks to date, which were launched by Russia.

This report focuses on Russia, a particularly important threat actor to track given their track record of brazen infrastructure attacks. It is almost certain that we will see further attacks from Russia against the infrastructure of other nations.  The only uncertainty remaining pertains to what sort of attacks they might be motivated to initiate under what circumstances, and whether we would even know if they had already been accomplished.

Major sections of the report include:

  • Threats to Air and Space Infrastructure
  • Threats to Underwater Infrastructure
  • Threats to Land Infrastructure
  • Kinetic Cyber Threats to Non-combatants
  • Autonomous Threats To Combat Forces
  • The Bottom Line for Business


Threats To Air and Space Infrastructure

Russian cyberattacks against Aircraft are proven capabilities that have evolved from years of investment in anti-air military systems. Some may also be used against commercial air. The attacks most recently in the news have been fuzzing of GPS location data, probably from high powered ground based jammers. This can have an impact on the increasingly modernizing commercial air traffic control systems. More on threats to transportation will be discussed below.

Regarding space, given that satellites are increasingly vital to providing internet access, traditional kinetic ASAT weapons may serve as part of a cyberwar strategy. The high value Russia places on counterspace technology was noted in the DIA’s 2019 space threat document, which was itself summarized in a previous OODA report. According to the DIA report “Russia likely is developing a ground-based, mobile missile system capable of destroying space targets in LEO” and since 2010 Russia appears to have been developing a more novel system of laser weapons capable of interfering with and damaging satellites. Besides kinetic energy ASAT, space to space “Orbital threats” might be used to kinetically destroy the satellite infrastructure enabling a rival nations cyber capabilities.  Russia’s longstanding interest in kinetic orbital weapons is perhaps epitomized by the Soviet’s Almaz space station, which in the 1970s was equipped with a modified aircraft cannon. In an approach less blatantly incongruous with Russian rhetoric urging the avoidance of weaponized space, the immediate Russian threat to satellites largely comprises dual use maintenance satellites capable of disabling other satellites at close range. In particular the Rendezvous and Proximity Operations (RPO) of the mysterious Luchs spacecraft around Intelstat communications satellites serving state actors, have raised concerns regarding Russia dabbling in such acts of sabotage. Finally, as a nuclear power, Russia is also capable of detonating a nuclear weapon in space. The 1962 American “Starfish Prime” test inadvertently demonstrated just how devastating such a detonation may prove to satellites, and even ground electronics, for that matter.

But such traditionally kinetic weapons are not the only counter-space tools available to Russia. Cyberattacks may pose a significant threat to satellites and the supporting infrastructure back on the ground support, even as cyber capabilities have become a major part of Russian attempts to develop their information warfare capabilities. Satellites have also been exploited by Russian cyber attackers in order to defend themselves. Cybersecurity firm Kaspersky—itself eliciting some cybersecurity concerns, reminiscent of those surrounding Huawei—has reported extensively on Turla group. Despite finding that the prolific cyberespionage cell has engaged in “satlink hijacking” in order to seize information while protecting its Command and Control servers anonymity, Oleg Gorobets, Kasperky’s Head of Technology Positioning, describes  this clearly politically motivated and well equipped group as “Russian speaking”, while the Center for Strategic and International Studies (CSIS), goes further, stating that Turla is “likely linked to the Russian government”.

As suggested in OODA’s Russian Threat Webinar , which provided a broader overview of the threat posed by Russia, the significance of the distinction between state forces and non-state forces with probable connections to the Russian state remain largely uncertain, and may vary significantly between actors.

Threats To Underwater Infrastructure

Foundational context on Russian threats to underwater infrastructure is provided in a National Interest article titled:  “Russian Spy Submarines Are tampering with Undersea Cables That Make the Internet Work“. The report describes how undersea fiber optic cables represent a key provider of the internet access enabling cyber operations  (American and European access to websites from the opposite side of the Atlantic depend on these cables) and how Russian operations threaten them.

Undersea fiber-optic cables are more widely used than satellites, with over 97 percent of intercontinental communications going via these cables. This makes them a particularly tantalizing target for Russia, with its emphasis on information warfare. Furthermore, targeting these cables may also be financially destabilizing, given that “Over 15 million financial transactions worth $10 trillion are facilitated by undersea fiber-optic cables daily.” (For more see Undersea Fiber-Optic Cable Security). And because fiber optic cables are highly vulnerable to accidental damage, for example from anchors and fishing equipment, state actor sabotage might be accomplished while maintaining deniability. Though accidental physical destruction of fiber optic cables remains the primary concern, current trends indicate that cyberattacks are beginning to emerge as the greatest threat.

High rates of accidental damage have also necessitated the presence of a multitude of redundant backup cables. Consequently, disabling Trans-Atlantic cable connections on a meaningful scale would seem to present an impossible challenge for Russian submarines, yet that did not stop Russian submarines from increasing their activity around the cables last year. The intention may therefore be to tap into cables rather than disable them. While it was relatively easy to splice into copper undersea cables, the glass casing of fiber optic cables are relatively difficult to tap into unnoticed. Still, it is not impossible for submarines to tap into these cables. This may well have been the mission of the submarine which recently suffered a deadly fire in Russia’s northern fleet (for more see our report on What The Most Recent Russian Submarine Incident May Mean For Business).

Alternatively, the undersea connections to less developed and more isolated regions—which may host American military installations–may be more vulnerable to kinetic assault, and if the Russian subs could identify “the Pentagon’s secret DoDIN cable network” or NATO’s “Sound Surveillance System”—itself a tool used to observe Russia’s submarine movements—they might be disabled independent of the more expansive network of civilian cables.

In December of 2017, Air Chief Marshal Sir Stuart Peach delivered a lecture sponsored by the Royal United Services Institute (RUSI), in which he stressed the importance for of protecting transatlantic cables enabling communication for Britain and its NATO allies, particularly in the wake of Russian naval modernization, occurring in a context of broader military reform with an emphasis on “unconventional capabilities and information warfare”.  General Valery Gerasimov was appointed to direct the reforms in 2012, and as a result is credited with modernizing Russia’s hybrid war capabilities, focusing in particular on developing mobility and deception as part of its military reforms.

In an article featured in the in the Institute for the Study of War’s September 2015 Russia Report, Maria Snegovaya noted that Russia lacks wealth, so the cost effectiveness of information warfare has long seemed appealing.  But Snegovaya describes the use of hackers, bots, and trolls to spread propaganda and disinformation over the internet as the most original tactic Russia’s demonstrated in the Ukrainian conflict. Donghui Park, Julia Summers, and Michael Walstrom of the University of Washington, similarly commented that cyberwarfare is the most novel aspect of the reformed Russian approach to hybrid warfare.

Threats to Land Infrastructure

Russia first demonstrated its potential conduct a Stuxnet like cyber-attack with kinetic effects in late 2015. Ukrainian authorities were quick to identify the power outages experienced on December 23, 2015 as the result of a Russian cyber attack. The Electricity Information Sharing and Analysis Center (E-ISAC) and SANS Industrial Control Systems (ICS) released an open source analysis document on March 18, 2016, containing this summary of how the cyberattack was conducted:

  • Spear phishing to gain access to the business networks of the oblenergos
  • Identification of BlackEnergy 3 at each of the impacted oblenergos
  • Theft of credentials from the business networks
  • The use of virtual private networks (VPNs) to enter the ICS network
  • The use of existing remote access tools within the environment or issuing commands directly from a remote station similar to an operator HMI
  • Serial‐to‐ethernet communications devices impacted at a firmware level16
  • The use of a modified KillDisk to erase the master boot record of impacted organization systems as well as the targeted deletion of some logs17
  • Utilizing UPS systems to impact connected load with a scheduled service outage
  • Telephone denial‐of‐service attack on the call center

The Russian cyberattack infiltrated Kyivoblenergo’s system control and data acquisition (SCADA) systems, just as a lone wolf had done in Maroochy, though in this case the effect was to disable “seven 110 kv and 23 55 kv substations … for three hours”, depriving the Ivano-Frankivsk region of electricity. According to the U.S. Department of Homeland Security, three oblenergos—Ukrainian distribution companies—were targeted, depriving 225,000 people of power, for a few hours.

The particular Russian actors involved in the attack provided the Russian government with a degree of deniability, just as in the larger conflict in Ukraine. However, hackers are particularly difficult to conclusively connect to governments.  By February of 2016, American and Ukrainian government officials could agree that the 2015 cyberattack had originated from Russia, but the specific Russian organization responsible was harder to pinpoint. Ukraine’s own investigation initially pointed to APT28, aka Fancy Bear, a Russian hacker group whose previous attacks on foreign military and political organizations had suggested that its orders come from the Kremlin. The blame ultimately fell on the Sandworm Team, another Russian hacking group with a similar history, albeit more focused on stirring up trouble for NATO, in large part due to the inclusion of the “Black Energy3” malware in the 2015 cyberattack.

Though spatially and temporally limited in scope, the 2015 cyberattack should not be viewed as an isolated incident. The December 17, 2016 power outage at a “transmission station in northern Kiev” was similarly traced back to Sandworm, though by this point they had upgraded from using “Black Energy3” to their “Industroyer” malware, which was custom designed for dealing with “industrial control systems” specifically.

These cyber attacks may have had a dual benefit for the Russian government, simultaneously destabilizing a Ukraine already struggling to remain unified, and also serving as a test for cyberwarfare capabilities while avoiding substantial cyber reprisals.  In March of 2018, Homeland Security and FBI analysis was compiled into a “Technical Alert” regarding similar Russian cyber actions brazenly targeting the United States directly. These attacks began two years earlier, in March of 2016, just a few months after the first cyber attack on Ukraine. Russian cyber actors—which the DHS and FBI link to the government in no uncertain terms— “staged malware, conducted spear phishing, and gained remote access into energy sector networks”, though in this case the cyber attackers limited themselves to collecting information rather than conducting outright sabotage.

Kinetic Cyber Threats To Noncombatants

Russian kinetic cyber may go beyond merely exploiting the human element of cybersecurity in order to take control of technical systems. Indeed, targeting human beings might represent an end in and of itself, as cyber methods of assassination become increasingly reliable. Russia appears uniquely prone to assassinations, as demonstrated by the below infographic (Good & Column Five) showing the geographic distribution of assassinations in the first decade of the 21st century.


This graphic was just a high level overview, there are many other known and suspected Russian assassinations, this is a serious issue that has yet to be addressed in any meaningful way by western nations.

The brazen attempted assassination of Sergei Skirpal on British soil further demonstrates both Russian governmental complicity in assassination and that the threat extends far beyond Russia’s own borders, or even those of the Soviet Union. Simultaneously, CPS developments in transportation and medical technologies arguably offer great potential for cyber assassinations.

The potential of hacked transportation technologies to directly cause physical harm was established in the previously mentioned Polish 2008 tram cyberattack, but in 2010, a group of American scholars developed “CarShark” as a tool to assess the extent of an automobile’s vulnerabilities to cyberattacks. With CarShark they were able to lock and unlock doors, stop the engine, and control brakes to individual wheels or even disable the brakes outright, as the vehicle was moving at speed. As Scott Applegate notes, these remote controlling capabilities would enable a hacker to cause an “accident” with a high probability of killing or maiming the target, while maintaining deniability, particularly if the malware used was designed to delete itself after the accident. Similar effects might be achieved by hacking into the infrastructure designed to manage traffic, such as traffic lights, and indeed these are already a popular target for hackers.

Even if a cyberattack targeting transportation technology failed to kill its target outright, a subsequent kinetic cyber initiative might finish off the victim at the hospital. Medical professionals could be duped into killing their patients if the hospital records were altered to prompt a procedure lethal for the patient, and if the hackers restored the records after the deed was done, the doctor would be unable to prove he had been duped. However, the more direct kinetic threat lies in medical devices already implanted in the patient before the assassin’s strike. In particular, CPS technologies designed to have a kinetic impact, like pacemakers.

After receiving a pacemaker in 2001, Vice President Dick Cheney had the wireless features disabled, in an early demonstration of concern regarding cyber assassination. In 2008, research out of Harvard Medical School conclusively demonstrated that pacemakers could be remotely reprogrammed to shock a heart beating normally or neglect to shock one beating rapidly. Perhaps because pacemakers must by necessity be quickly accessible, the only cybersecurity mechanism in place to defend against such as thing was an unencrypted username and password, which was frequently the pacemaker’s own serial number. This vulnerability is compounded by the human element of rampant inattention to the security of information on computers in a hectic medical environment.

Four years later, another researcher, Barnaby Jack demonstrated the continued vulnerability of such devices by hacking into a pacemaker and remotely delivering a lethal 830 volts. He further stated that state actors were capable, if they so chose, of creating a worm that would spread from a single pacemaker to any other pacemakers of the same type within the vicinity.

Little seems to have changed. 10 years after the threat was raised by Harvard medical research, Laurie Pycroft and Tipu Aziz noted in their editorial for the Expert Review Of Medical Devices, that not only were pacemakers still vulnerable to cyber weaponization, but that insulin pumps and neurological implants could be manipulated to similarly lethal effect.

Autonomous Threats to Combat Forces

No discussion of the kinetic potential of cyber technologies would seem complete without addressing the revolutionary emergence of increasingly autonomous weapons and artificial intelligence (AI), which might one day render the human component of cybersecurity redundant.

Through much of this analysis, the ability to hack into systems remotely has been stressed as a core capability. However, as suggested in early 2018 by Jamie Condliffe of MIT’s Technology Review, computer systems mounted on unmanned aerial vehicles (UAVs) may be able to approach and hack into systems otherwise protected from cyberattack by their lack of connectivity, all while maintaining anonymity. Drones themselves are also vulnerable to being disabled by cyberattacks, resulting in kinetic destruction when they fall from the sky.  This would seem to indicate there is potential for cyber dogfights between UAVs in the future.

In an interview with C4ISRNET in late 2018, Samuel Bendett of the Center for Naval Analyses and American Foreign Policy Council went so far as to predict that as of this year Russian military UAVs would threaten American supremacy in the industry for the first time. Yet Russia’s experimental stealth drone, the Skat, has yet to progress beyond the development stage, and can only be launched from land bases, while its American corollary, the X-47B is already operational and can be launched from U.S. aircraft carriers.

Still, the AI revolution might upset the status quo. Given the risk jamming poses to remotely operated drones, drones may become increasingly autonomous in the future, with AI taking over from remote human pilots. While fully automating drones is a controversial concept, and norms may well be established demanding human involvement, proving that a strike was conducted by a machine instead of a human decisionmaker may prove unfeasible. This represents exactly the sort of deniability Russia has exploited when violating international norms in the past. Indeed, Russia is increasingly developing its autonomous weapon programs without the imposing the same weapons constraints limiting the United States, for example. Russia lacks the sort of autonomous weapons policies instituted by the United States and United Kingdom, even as the closed nature of Russian society prevents any details of policy discussions from being made known.  Additionally, if Putin believes that AI capabilities will determine military supremacy in the future, but understands that Russia is disadvantaged in this new arms race, the AI technological revolution may increasingly drive Russian cyber espionage.

Russia might also attempt to gain an edge in the autonomous arms race by pursuing capabilities left relatively unpursued by its advantaged competitors. In his 2018 book Army of N0ne, Paul Scharre provides an in depth analysis of Russia’s program to develop “ground combat robots”. By contrast, the United States only briefly dabbled in arming robots on the ground, during the Iraq war. In 2013, a year after he was appointed to overseer massive reform of the Russian military, General Gerasimov wrote that the future of warfare would be characterized by autonomous “’fully robotized’” units, but Scharre indicates that this future may still be a long way off.

Russia’s semiautonomous ground weapons currently comprise armored combat vehicles like the Uran-9, Vikhr, and Armata, in addition to smaller antipersonnel vehicles like the Platform-M, Wolf-2, and the amphibious Argo.  The Platform-M has already been used in combat exercises with Russian troops. While its makers’ comments suggest that the Platform-M possesses a fully autonomous targeting capability, Scharre expresses skepticism, noting that there is footage showing Russian soldiers selecting targets on a screen. The slightly larger Wolf-2 operates by a similar system, enabling its human operator to select 10 targets at a time. The Uran-9 and Vikhr appear likewise incapable of independently selecting their targets. But Russia’s autonomous counter-tank aspirations may be more feasible than its anti-personnel aspirations. Using AI to target easily recognizable military vehicles is far less challenging than targeting individual combatants, which cannot be easily discriminated from innocents, especially in the urban combat theatres Russia’s autonomous weapons are intended for. The Uran-9 and Vikhr can be operated remotely from a nearby vehicle, and appear to be intended as ambush weapons, eliminating more powerful enemy tanks without risking as much in terms of human and economic costs. By contrast, the T-14 Armata represents the first ever “main battle tank to sport an uninhabited turret”. Russia will likely to attempt to develop a fully robotic, uninhabited version in the near future.

Despite constituting his primary focus with respect to Russia, Scharre indicates that ground capabilities hardly represent the breadth of military technologies Russia has sought to automate. For example, Kalashnikov’s “’combat module’”, designed to “’identify targets and make decisions’”, and the Russian Area System, an example of autonomous systems designed to ensure the survivability of ground vehicles in the face of bombardment by precision guided munitions. The Kubrickian “Perimeter” system went so far as to partially automate Soviet decision-making regarding nuclear retaliation. This system may have alleviated time pressures rushing decisionmaking, but it also made it possible for computer errors to ignite nuclear Armageddon, and it is possible the Perimeter system is still being used by the Russian Federation.

The Bottom Line For Business

The most important point this overview brings out is that Russia will continue to attack via cyberspace, and, when it meets their interests, they will attack the infrastructure of cyberspace itself. Therefore, businesses should factor this threat into risk planning. Consider your organization’s dependencies on infrastructure which Russia could hold at risk and means to mitigate the impact of attack. The following resources can help you do that:

Tyler Robinson

Tyler Robinson

Tyler Robinson is an OODA analyst currently based in Colorado Springs, Colorado. He holds an undergraduate degree in International Relations and a Master of Letters in International Security Studies from the University of St Andrews. His research interests include political psychology, deniable actors, gray area phenomena, and privatized security.