
Russia Is Not Following Its Own Blueprint for Success in Cyberspace Against Ukraine

More than a week into its invasion of Ukraine, by many accounts the Russian military effort is not going as well as expected. Some advances have stalled, straining Russian force supplies and prompting the deployment of a 40-mile convoy to address these shortcomings. There is a general consensus that Moscow miscalculated its ability to win the conflict quickly, which has strengthened Ukraine's resolve against its belligerence and allowed the global community to unite against its malfeasance and provide financial and material aid to Ukraine. Moscow has had to rethink its initial campaign strategy.

Based on Russia's previous incursions against Georgia in 2008 and Crimea in 2014, many expected Russia to unleash cyber attacks that would immediately and severely impact Ukraine's critical infrastructure. As early as late January 2022, the Department of Homeland Security (DHS) recognized the potential for Russian cyber attacks to go beyond the region, alerting U.S. critical infrastructure operators to this possibility, a warning that DHS updated in late February. Indeed, Russia has since executed a variety of disruptive and destructive cyber attacks on Ukraine's public and private organizations. It conducted DDoS attacks and deployed the WhisperGate wiper malware prior to its invasion, and deployed HermeticWiper and IsaacWiper before and during the attack.

However, despite the deployment of these wipers, some are surprised that there have not been cyber attacks incorporating more destructive malware than what has been seen thus far. There has been some speculation that Russia might not have more sophisticated cyber weaponry to deploy, the result of Russian neglect in developing more advanced options. Regardless of whether Russia has advanced cyber weaponry and has chosen not to use it yet, or simply lacks that capability, what is clear is that Russia is not adhering to the cyber/information blueprint that was successful in Crimea in 2014.

When it invaded Georgia in 2008, Russian cyber attacks built on what it had learned from the 2007 DDoS attacks against Estonia. The Georgia incursion was a watershed moment, signaling the first time cyber attacks coincided with conventional military operations. Disruptive cyber attacks took the form of web page defacements and DDoS attacks against government, media, and financial institutions. However, Russia's softer information war (e.g., propaganda, information control, and disinformation campaigns) was markedly less effective against Georgia, which executed its own information campaign that countered Russian efforts and ended up influencing public opinion more successfully.

Russia did a better job in Crimea in 2014, vastly improving its information-enabled campaigns as well as its selection of targets for disruptive cyber attacks. In Crimea, the digital activity was tightly synchronized with Russian forces crossing the border. Perhaps more importantly, Russian cyber attacks focused on the communications space: they shut down Crimea's telecommunications infrastructure, disabled major Ukrainian websites, and jammed the mobile phones of key Ukrainian officials. Russia also did not "invade" so much as infiltrate, using troops to secure the contested area of Crimea. This required Moscow to employ a robust information-enabled strategy, which rewarded Russia with Crimea's annexation without having to rely on the military to "take" it forcibly.

Fast forward to today, and Moscow has abandoned that strategy in favor of relying on military might, rather than soft power, to achieve its objectives in Ukraine. Cyber attacks have not had the type of impact that Russian leaders perhaps anticipated, and as a result they have, at least temporarily, focused on conventional military strikes to win the engagement. According to one source, while there have been as many as 150 cyber attacks directed against Ukraine, the effects have been more psychological than physical. Instead of turning to cyber attacks to impact critical infrastructure (like the one it executed against the power grid in western Ukraine in December 2015, which resulted in power outages in the region), Russia has relied on missile strikes to leave some Ukrainians without heat, water, and electricity. Moscow may have preferred to deploy kinetic weapons whose damage could be quantified with reasonable accuracy, and which were therefore more reliable for achieving the desired outcome.

Moscow is even finding it difficult in the information space, something it did not experience in 2014. The global community has largely come to Ukraine's support, flooding social media and traditional news sources with pro-Ukraine stories and countering Moscow's messaging. Large numbers of international journalists are in Ukraine reporting on events, further undercutting Russian narratives. Internally, despite banning social media platforms in the country, Moscow has faced anti-war protests by its own citizens, suggesting that internally focused propaganda campaigns are not succeeding. Even the hacktivist collective Anonymous has gotten into the fight, targeting Russian websites and disrupting Russian TV channels.

It appears that rather than capitalizing on its past success in Crimea, Moscow has taken a step backward. Its reliance on military force with only a minor cyber component, combined with an overwhelmingly pro-Ukrainian global sentiment, has undermined its ability to control the information space. As a result, its information-enabled activities have lost their power to influence target audiences. There are simply too many checks and balances that have united to expose propaganda and disinformation operations. This realization has left Moscow to rely on a globally unpopular military conflict.

Recently, unconfirmed reports have intimated that Russia will soon disconnect itself from the global Internet and relocate digital assets to local domains and servers in order to protect itself from cyber warfare. Moscow practiced such a disconnection in June/July 2021, perhaps foreshadowing its current situation in Ukraine and anticipating digital reprisal should Russia engage in cyber attacks against Western states. Should Moscow successfully take over Ukraine, it may have surrendered its information operations prowess as a consequence. And if it chooses this drastic course of action, Russia will find itself an isolated country economically, politically, and digitally.

Additional Reporting of Interest

A No Hype Assessment on Starlink Security: Starlink is a great system, but it was not designed for combat and has limitations when used in this role. Many mitigation measures are in place that can make it harder for adversaries to exploit these limitations. This post provides insights into these mitigation measures.

The OODA C-Suite Report: Operational Intelligence for Decision-Makers: What is the value of an informed decision? At OODA Loop, we seek to surface decision intelligence that provides meaningful perspective for leaders and analysts looking to make the most informed decisions possible. The topics examined in this assessment represent developments that fit the category of operating in a VUCA world, identifying and responding to Gray Rhino risks, or opportunities from advancements in emerging technology domains. These are issues we think our members should be tracking and map to collection requirements for our team to keep you as informed as possible.

John Boyd on Patterns of Conflict and the OODA Loop: John Boyd studied. He studied fighter pilot tactics, studied aeronautical engineering, studied bureaucrats and how to avoid their traps, studied evolution and biology, and studied history. And Boyd synthesized in a way that only a real practitioner of war could to produce a briefing called Patterns of Conflict that is still having a big impact on the world today. This post summarizes some key points worth reflecting on as the world views and reacts to the Russian invasion of Ukraine.

Thinking Strategically About What Comes Next and How To Mitigate Risk: As we have previously mentioned, the Russian aggression against Ukraine will have impacts far beyond the region. All companies and all government organizations (including those at local and state levels) should evaluate the potential impact of these hostilities on operations. We are a nation interconnected with the world by complex supply chains and a global high speed internet and must be ready to deal with impacts.

Twitter List For Tactical Information: This Twitter list of vetted resources that have reported accurately on tactical moves in the Ukrainian theater can be used to quickly capture the gist of a dynamic military situation.

C-Suite Guide: Improving Cybersecurity Posture Before Russia Invades Ukraine: The capabilities of Russia to conduct cyber espionage and cyber attack have been battle tested and are hard to thwart even during daily "peacetime" operations. They include well resourced capabilities of the military and intelligence services and also deep technical expertise in the Russian business ecosystem and in organized crime, which operates as part of Russian national power. Proof points of Russian capabilities include the massive and sophisticated SolarWinds attacks, which leveraged low and slow, well thought out plans to achieve access to multiple well-protected targets. Ransomware successes by Russian based criminal networks are also instructive as to the capability of Russian cyber threat actors. The use of malicious self replicating code (worms/viruses/trojans) to spread malicious code into infrastructure is also well proven with decades of practice, including fielding software that replicates from unclassified to classified systems in the military and spreads throughout critical infrastructure. This post goes beyond an articulation of the threat into recommendations for leaders seeking to mitigate cyber threats from Russia, including threats before, during and after a Ukraine invasion.

What The C-Suite Needs To Know About The Threat To Space Based Systems (and what to do about it): OODA recently updated the analysis below on threats to space based assets (with a focus on what the C-Suite needs to know) because of tensions with Russia and continued testing of satellite destruction capabilities, the most recent of which (Nov 2021) caused significant increases in dangerous space debris. We recommend this be read in conjunction with our report on what the C-Suite needs to know about the cybersecurity threats due to the coming Russian invasion of Ukraine; see links in the document for more.

Will China Replicate Russia's Cyber Offensives in a Taiwan Reunification?: The current situation in Ukraine has garnered the world's attention, with stakeholders watching attentively as the crisis unfolds. Such regional hotspots have the potential of spilling over into neighboring countries and pulling in governments from all over the world in some capacity. The threat of armed conflict escalating into a major global engagement is always a possibility. China and Taiwan are eagerly watching the crisis as well, but largely for different reasons. While Taiwan is interested to see how friendly governments come to Ukraine's aid, China is observing how Russia may go about reclaiming territory of the former Soviet Union, in an attempt to gain insight into how such an act can be accomplished successfully, should Moscow do just that.

A Warning for the U.S. Chip Industry: Russian Retaliation Could Hit Supply of Key Materials: Russia may retaliate against the U.S. threat of trade sanctions and export curbs by blocking access to key materials like neon and palladium. Ukraine supplies over 90% of U.S. semiconductor-grade neon. This type of supply chain-based retaliation has become a priority concern for the White House, which is encouraging a broad diversification of the supply chain in the event Russia limits access to these key materials.

In 2022, the Strategic Impact of Global Intermodal Supply Chain Gridlock on IT Supply Chain Remains High: The OODA Loop Research Team has been tracking the impact on supply chains from the onset of the pandemic.

Russia’s Long Game, Leadership Lessons, and Learning from Failure: In February of 2021, Matt Devost spoke to Rob Richer, a highly regarded advisor to international executives and global government leaders including several heads of state. Rob has a well-informed perspective on international risks and opportunities and an ability to analyze and distill observations in a way that is meaningful for your decision-making process. In light of the conditions in Europe, this portion of their initial OODAcast conversation is timely and includes a discussion of Richer’s time as the head of CIA Russian Operations, his perspective on U.S./Russian relations (especially the role of cyber), leadership, the role of failure, and decision-making.

Charity Wright on China’s Digital Colonialism: Charity Wright is a Cyber Threat Intelligence Analyst with over 15 years of experience at the US Army and the National Security Agency, where she translated Mandarin Chinese. Charity now specializes in dark web cyber threat intelligence, counter-disinformation, and strategic intelligence at Recorded Future. Her analysis has provided deep insights into a variety of incidents, activities and strategic moves by well resourced adversaries, primarily actors operating in China.

The January 2022 OODA Network Member Meeting: Putin, Russia, Gray Zone Conflict Capabilities and The Future of Europe: To help members optimize opportunities and reduce risk, OODA hosts a monthly video call to discuss items of common interest to our membership. These highly collaborative sessions are always a great way for our members to meet and interact with each other while talking about topics like global risks, emerging technologies, cybersecurity, and current or future events impacting their organizations. We also use these sessions to help better focus our research and better understand member needs.

CISA Insights Bulletin Urges U.S. Preparation for Data Wiping Attacks: In what felt like coordinated attacks last Friday, data-wiping malware (masquerading as ransomware) hit Ukrainian government organizations and was quickly followed by an aggressive unattributed cyber attack on Ukrainian government sites. The attacks prompted the release of a CISA Insights Bulletin urging U.S. organizations to strengthen their cybersecurity defenses.

Additional Context on OODA Reporting on Russia's Military-Technical Maneuvers in Europe: We are conscious of our need to keep our usual variety of News Brief and OODA Analysis, but for obvious reasons, this week is top-heavy with Russian, NATO, and Ukrainian coverage. We intend to keep our focus on providing the context you need rather than the blow by blow of major moves. As in other domains, we endeavor to provide the "So What?" and "What's Next?" you need to help drive your decisions.

OODA Research Report- The Russian Threat: This special report captures insights into the capabilities and intent of the Russian Threat, with a special focus on the cyber domain. Our objective: provide insights that are actionable for business and government leaders seeking to mitigate risks through informed decisions.

Emilio Iasiello

Emilio Iasiello has nearly 20 years of experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.