In February 2015, The Daily Beast published an insightful article about cyber war activity between Russia and Ukraine. The article profiled Eugene Dokunin, a Ukrainian web security consultant who gave up his day job to launch cyber-attacks against Russian targets. He works with a team of volunteers and performs countless combative actions, from financial account takeovers to hacking into CCTV systems in order to report on troop activity.
The article was somewhat vague about who he works with and whether or not he receives direct support from (or directly supports) either the Ukrainian government or anti-Russian irregular forces. This ambiguity was likely intentional for personal security reasons, as Dokunin does little to conceal his goals and objectives, and so must keep some secrets for his own safety.
It’s difficult to find reputable examples of cyber war using a rigorous standard definition, but the Daily Beast profile and other media reports indicate that we are witnessing one right now.
The concept of “cyber war” is often used — and misused — in the media, by both politicians and the public at large. A “cyber war,” as an actual event, has a clear and concise definition, and the bar is set high as to what actually constitutes one. There must be deliberate and apparent actions taken in cyberspace and approved by a military commander to further battlefield objectives, while also allowing friendly forces to maneuver.
Stuxnet, Operation Aurora, and the Sony Pictures Entertainment incidents are all examples of cyber-attacks that, at one point, were declared maneuvers of cyber war. Despite the gravity of these episodes, the definitive terminology regarding what constitutes “war,” cyber or otherwise, leaves very few cyber-attacks (including those just mentioned) able to fit the proper characterization.
We do, however, have one example out of a handful of candidates, and it’s continuing to unfold daily. The ongoing War in Ukraine, also known as the War in Donbass, meets the standard of cyber warfare. The mainly kinetic (military speak for physical, lethal action) conflict also includes persistent cyber-attacks from both sides of the conflict, and meets the generally accepted standard for the following reasons:
- The cyber warfare component is overt, meaning the perpetrators make little effort to hide either their identities or their allegiances.
- The two countries are in open, hostile and declared conflict with each other.
- Both sides have stated military and political objectives.
- Cyber-attacks are launched to deny the enemy from achieving their objectives, while allowing friendly forces to reach theirs.
“Map of the war in Donbass” by Marktaff, ZomBear (CC BY-SA 4.0)
This conflict is a complex political situation that has tensions dating back several hundred years, but the current crisis began in March 2014 when Russia annexed the Ukrainian territory of Crimea. This took place during a period of civic unrest within Ukraine, during which pro-Russian demonstrations had been turning up across the country for several months. Pro-Russian forces, with the help of Russian military intervention, escalated the situation to an armed conflict in the Donbass region that continues to this day. Involved in the rivalry are Russian regular forces, pro-Russian militants in Ukraine, paramilitary forces, and volunteer militia on both sides, among many others.
In the opening days of the conflict, pro-Russian hackers disrupted Ukrainian media and telecommunications networks. This hindered the ability of Ukrainian government officials to get the word out to their constituents about what was going on, and presumably hampered the ability to mobilize counter-forces.
In response, pro-Ukrainian forces have used the same tactics and have fought back with DDoS (distributed denial-of-service) attacks, website defacements, hacks of government computers, and cyber espionage.
On their own, these cyber-attacks would not be considered cyber warfare. However, since they occur in conjunction with military attacks and operations, and are used to provide intelligence to military forces, these attacks meet the standard definition. For both security professionals and business leaders, this is an important story to follow, as it may provide clues and a backdrop for how cyber conflict and cyber warfare might play out in a worldwide arena as part of a larger rivalry.
The cyber battle between Russia and Ukraine also shows how effectively insurgent forces can fight an asymmetric war against larger forces. This dynamic can be found in nearly every modern conflict, from partisan forces fighting the Nazis in WWII to insurgents fighting the Americans in Iraq; asymmetric warfare is very effective and should be considered in any firm’s risk modeling if it provides critical services or infrastructure support. The Russia-Ukraine case offers several lessons:
- On both sides, the actors are mostly overt, meaning they do little to hide who they are or what their objectives may be. Contrast this with the perpetrators of the Sony Pictures hack; attribution is suspected but not fully disclosed.
- In the opening days of a kinetic military operation, cyber-attacks are launched on telecommunications infrastructures. Collateral damage occurs within civilian infrastructure, with the primary targets being government and military communications.
- A highly motivated, moderately skilled small insurgent hacking group can significantly hamper the military objectives of the opposing force.
- DDoS attacks are the cheapest and easiest way to attack a marked target, but effects are temporary and generally do not contribute to larger military objectives. They can also be useful for propaganda or disinformation purposes.
- Doxing opposition commanders, financial account takeovers, and espionage can be remarkably effective, especially if coordinated with the actions of friendly forces.
Not every cyber-attack listed below fits the standard of “cyber warfare,” but taken together as a whole, they help build a more complete picture of the political and economic uncertainty in the Ukrainian region.
- February 2014: Armed men broke into a Ukrainian telecommunications facility and tampered with fiber optic cabling.
- March 2014: Pro-Russian hackers launched a prolonged DDoS attack against Ukrainian and NATO media outlets.
- March 2014: During and directly after the annexation of Crimea, pro-Russian hackers disrupted the mobile phones of members of the Ukrainian parliament.
- October 2014: During Ukrainian elections, pro-Russian hackers launched DDoS attacks against election commission websites, effectively eroding public trust in the voting mechanisms and impartiality of the voting officials.
- Pro-Ukrainian hackers identified and obtained access to the PayPal accounts of more than 170 pro-Russian separatists, which amounted to more than $3 million in frozen funds.
- Pro-Ukrainian hackers have infiltrated the CCTV systems of more than 200 surveillance cameras and use this data to report on Russian troop movements.
- Multiple DDoS and other cyber-attacks have been carried out against pro-Russian media and supporter websites on a near-weekly basis; the claims on Twitter and Facebook are too numerous to keep up with.
Although this particular bout of Russian-Ukrainian contention is fairly young, it is still an interesting case study in how cyber-attacks can be used in a prolonged conflict or insurgency situation. Whether viewing this situation from the perspective of a military or a private business, one can study and learn from these ongoing virtual barrages how to defend against (and perpetrate) hacks from oppositional forces. Further study and retrospection may aid in gauging the effectiveness of cyber-attacks and understanding how they contribute to the overall objectives of both the military and private security firms.
Originally published at www.csoonline.com on April 24, 2015.