Cyberwar Lessons from the War in Ukraine

The Aspen Institute has published a good analysis of the successes, failures, and absences of cyberattacks as part of the current war in Ukraine: “The Cyber Defense Assistance Imperative - Lessons from Ukraine.”

Its conclusion:

Cyber defense assistance in Ukraine is working. The Ukrainian government and Ukrainian critical infrastructure organizations have better defended themselves and achieved higher levels of resiliency due to the efforts of CDAC and many others. But this is not the end of the road—the ability to provide cyber defense assistance will be important in the future. As a result, it is timely to assess how to provide organized, effective cyber defense assistance to safeguard the post-war order from potential aggressors.

The conflict in Ukraine is resetting the table across the globe for geopolitics and international security. The US and its allies have an imperative to strengthen the capabilities necessary to deter and respond to aggression that is ever more present in cyberspace. Lessons learned from the ad hoc conduct of cyber defense assistance in Ukraine can be institutionalized and scaled to provide new approaches and tools for preventing and managing cyber conflicts going forward.

I am often asked why there weren’t more successful cyberattacks by Russia against Ukraine. I generally give four reasons: (1) Cyberattacks are more effective in the “grey zone” between peace and war, and there are better alternatives once the shooting and bombing starts. (2) Setting these attacks up takes time, and Putin was secretive about his plans. (3) Putin was concerned about attacks spilling outside the war zone and affecting other countries. (4) Ukrainian defenses were good, aided by other countries and companies. This paper gives a fifth reason: they were technically successful, but keeping them out of the news made them operationally unsuccessful.

Posted on February 23, 2023 at 7:27 AM • 22 Comments

Comments

Winter February 23, 2023 8:48 AM

(4) Ukrainian defenses were good, aided by other countries and companies

I think eight years of Russian cyber-warfare have forced the Ukrainian defenses, and infrastructure, to be very resilient.

Key lessons from Ukraine’s eight-year struggle against russian cyber warfare
What can the Ukrainian experience teach others about building cyber resilience?
https://kpmg.com/ua/en/home/media/press-releases/2022/11/key-lessons-from-ukraines-eight-year-struggle-against-russian-cyber-warfare.html

Many experts correctly predicted that kinetic military actions in Ukraine would be synchronized with extensive cyber operations. The russian invasion of Ukraine proves that we live in a world where businesses and governments must consider simultaneous threats as inherently intertwined: both nation-backed cyber-attacks on local IT systems and infrastructure, and traditional military threats directly resulting from war. Since the beginning of russia’s full-scale war in February 2022, Ukraine has been the target of numerous cyber-attacks that have impacted public institutions, private organizations, and individual citizens. This includes attacks on energy, telecommunications, media, and financial entities considered part of Ukraine’s critical infrastructure.

What can the Ukrainian experience of successfully defending infrastructure teach other countries about building cyber resilience? And how can other countries best implement these lessons?

Russia’s war on Ukraine: Timeline of cyber-attacks
https://www.europarl.europa.eu/RegData/etudes/BRIE/2022/733549/EPRS_BRI(2022)733549_EN.pdf

Steve February 23, 2023 1:19 PM

In relation to this story, according to a report in The Register, it appears that hackers, purported to be of Ukrainian origin (if you take the propaganda at face value, which you probably shouldn’t), are faking “missile attack” alerts in Russia.

Rather horrifying if these are actually taking place, since they potentially push us to a disastrous nuclear exchange with Russia, which nobody will win.

Winter February 23, 2023 1:39 PM

@Steve

are faking “missile attack” alerts in Russia.

(if you take the propaganda at face value, which you probably shouldn’t),

I see basically two types of actors who would try such a thing:

    1. Ukrainians or allies want to show Russians how the Ukrainians feel
    2. Russian propagandists want to create a war spirit against Ukraine/USA/NATO

Ted February 23, 2023 2:42 PM

The Record provides some additional background on the development of the Cyber Defense Assistance Collaborative (CDAC).

It also links to a Click Here episode (and transcript) featuring a personal account from CDAC’s founder Greg Rattray and others.

https://therecord.media/exclusive-rounding-up-a-cyber-posse-for-ukraine/

TEMPLE-RASTON: It was the Ukrainian version of one of those old Brooklyn deals: He knew a guy who knew a guy who might know some other people who might lend a hand. It turns out that around the same time Vol began looking for extra help protecting Naftogaz and other critical infrastructure in Ukraine, Greg Rattray was looking for ways he could help.

GREG RATTRAY: I think the invasion was on a Thursday. On the Monday following, I started to call people.

Clive Robinson February 23, 2023 3:38 PM

@ Bruce, ALL,

Re : Lessons that should be learned.

These cyber-attacks as we now call them have a long history of institutional failure for profit behind them going back oh four decades or so to my certain knowledge.

This is a little long, but hopefully worth the read by most people as it has important lessons from repeated failings in it.

Long term readers will know that I think using the Internet to carry critical infrastructure “command and control” to save a few pennies is not at all wise because it makes attacking that much easier thus cranks up, or should crank up the costs of defence (but usually does not… due to short term thinking for profit).

In essence the “no free lunch” maxim applies.

I’ve been saying this since before the Oil Industry unwisely started connecting SCADA systems via the Internet over three decades ago, before most readers here even knew what “Supervisory Control and Data Acquisition” (SCADA)[1] meant, let alone how they functioned and could be so easily attacked[2] due to the way they were designed so “openly”[3]. Worse, what that means for the personal security of private citizens now and in the near future[4].

ICS-SCADA can be found both as little RTU-MTU and plant or country/state wide systems (think Colonial Pipeline disaster).

But worse, further cutting back of manpower costs in the Utility Infrastructure Industry in an aim to improve shareholder dividends meant it was not just “up stream supplier” ICS that got ridiculous cut backs; it’s now down stream individual customers like you, me and everyone else that leads a grid connected life, and generally has no choice to do otherwise.

As I’ve mentioned before, the utility infrastructure industry has implemented “Drive-by Control” of consumer end systems that control valves and plant in people’s roads. Many of these use PMR and plaintext protocols with near zero security of any kind. Some even use 2G SMS messaging from inside consumers’ homes.

The industry, having failed to learn any lessons, is pushing such insecure systems into “Smart-Meters” with the ultimate aim of “Smart-Grids” where they control your home heating, air conditioning, hot water, food storage and preparation by controlling freezers and cookers. Which is obviously wonderful news for attackers at the communications level, as modern “Software Defined Radio” (SDR) and extremely low cost VHF/UHF radio equipment are now at “Pocket Change Pricing”, and “Single Board Computers” (SBC) to control them sub 100USD and in some cases sub 5USD.

Worse for privacy, the current crop of Smart-Meters can do “power envelope analysis” that has two significant consumer disadvantages,

1, They can freely control “power factor” control charging so you pay oh anything above ten times the price per unit for real energy usage.

2, All electrical and nearly all electronic equipment, especially the more energy efficient types, have “power signatures” that enable anyone with control of your Smart-Meter to know what you have powered up. But worse, they can tell when you have a shower, open your fridge door, or what you watch or listen to on your entertainment systems[4].

[1] A “Supervisory Control And Data Acquisition” (SCADA) system is comprised of software, hardware, and importantly communications elements that form part of an “Industrial Control System” (ICS) that organizations can use to control industrial processes both at local and/or remote locations of any size and value. It does this by monitoring / gathering instrument and physical control data, and in real-time processing and displaying the data so that supervisory control can be carried out by just one or two people in control centers often well away from the actual physical process. Part of this is predicting when operating states are heading out of the green operating zone, such that remedial action can be taken in a timely fashion.

[2] The desire of attackers is to get into the ICS communications from the physical plant such that they can hi-jack control without operators or the alert systems becoming aware of their activities, then push the plant systems out of the green zone so that actual physical harm to the plant or plant products happens (think dumping excess lye into drinking water that happened not long ago).

[3] Contrary to what many think, actually getting into the ICS SCADA communications has historically always been near trivial and still is, though slightly more technical sophistication is needed than four decades ago. As they are engineered to be easy to diagnose and interface to, almost at an RS232 terminal level (which is how many ICS developments started in the late 1970’s early 1980’s). The hard part for an attacker back then was “getting physical access” to the communications nodes or cables to “croc-clip in”. As the push to “Private Mobile Radio” (PMR) systems started in the 1980’s to reduce cabling costs and allow remote control at greater distances (think platforms in mid UK North Sea back to land then on to London), the physical access over alarmed fences etc ceased to be an issue. All that apparently happened was 4wire modems were introduced, that worked as well over radio links as their predecessors had over leased-lines. Of course there was no corresponding increase in security (remember WEP in local area networks? that happened in part because of these early failings). This carried on into the early 1990’s when the cost of radio licences quickly rose above the then falling cost of the nascent Internet. So ICS-SCADA operators’ accountants and management shifted it over. More importantly for them it enabled them to shift from expensive “shift operators” to much lower cost “on call operators” who could access from any Internet connected point. Security was thus at the lowest and several people, myself included, started really agitating for an increase in security. Seeing the level of push back resistance by “managers” supposedly driven by share holders, that included destroying people’s careers, “I got the heck out of dodge” in the 1990’s before it happened to me.
Since then there have been a lot of incidents that were “sat on” but a few made it sufficiently public that the UK Government were forced into taking “regulatory action” around “critical infrastructure”, especially nuclear power plants that had more than a couple of illicit “no-knock”, “no-alarm” entries around their physically well armed doors and alarmed fences… (Terry Pratchett had one or two “hair-whitening” stories from his time working Press-Office in the industry).

[4] In the UK we have “Television Licencing” which has a history of using top of the line type “Signals Intelligence” techniques to discover those watching but not paying. As people have moved from “Broadcast” to “Cable” and now “Internet”, catching non payers has got harder. The ability to connect into a “radio enabled” smart meter now allows such information to be all too easily ascertained. The company behind the collecting of non-payment fines has not long ago announced the use of “new technology” that uses hi-tech “secret methods” to catch non-payers. Now it may just be a “Scare them silly” stunt to make the very thuggish collectors’ lives easier, but the technology is definitely there if they want to use it, and the power utilities allow them access. Now, as readers here know, keeping a secret gets almost impossible after a few low paid, low ethic workers get access to it. By definition those thuggish collectors are both low paid and completely morally and ethically untrustworthy, as are their managers all the way up to “Director” and “Board Member” level, as they have all either condoned or participated in false applications to courts for “Warrants of Entry”. Which they might “tut-tut” about but grossly profit by (so won’t stop their behaviours).

Steve February 23, 2023 4:02 PM

@Winter: I agree with your comment. That’s why I added the parenthetical about propaganda.

While it is fairly clear who is the aggressor in the conflict, I don’t necessarily believe anything coming from either side.

As some anonymous person put it, truth is the first casualty of war.

Clive Robinson February 23, 2023 5:38 PM

@ Steve, ALL,

Re : First casualty.

“As some anonymous person put it, truth is the first casualty of war.”

Whilst it is a nice sound bite, the anonymous person got it wrong…

In reality the first casualty is always “humanity” and “respect” for others.

Wars are generally not started by what many would consider “ordinary people”, though they might end up being blamed.

Wars are started by those who suffer from incurable aberrant personality disorders / mental disease. Known in psychology, since a 2015 paper by Chabrol, et al[1], as the “Dark Tetrad”. It comprises the aberrant personality traits of

1, Narcissism.
2, Sadism.
3, Psychopathy.
4, Machiavellianism.

In some measure or combination of measures. It once would have contained Sociopathy after Psychopathy, but the view has changed that although the symptoms and diagnosis are different they are effectively the same.

The order indicates overlapping movement from vanity through vicious oppression, wielding of power, through to puppeteer and chess master control of others and entire societies.

But in all cases people with these aberrant personality traits have no actual humanity or respect for others as the rest of us would consider it. When a person says of their boss “He’s an untrustworthy 13astard just out for himself” they are very probably correct. Such aberrant people tend to gravitate, by their lack of humanity and respect of others, up the management or political hierarchies,

“To their point of maximum harms.”

With the more “Machiavellian” being somewhat more intelligent / smarter, using those with “narcissism” and “sadism” as their “front men”. So they can slip away behind them when the inevitable happens and people get hung from lamp posts etc. Which allows them to wait a little, then they can start back again with their “just your humble servant” routine.

[1] “The Dark Tetrad: Identifying personality profiles in high-school students.”

https://www.sciencedirect.com/science/article/abs/pii/S0191886915002366

Henri Chabrol, Tiffany Melioli, Nikki Van Leeuwen, Rachel Rodgers, and Nelly Goutaudier.

From “Personality and Individual Differences” Vol 83, Sept 2015 pages 97-101

JonKnowsNothing February 23, 2023 7:27 PM

@Clive, @Steve, All

re: The first casualty is always “humanity” and “respect” for others.

It’s not just a factor in wars but in a good number of social settings.

RL tl;dr

During a chat with a very politically conservative neighbor, I was surprised when they offered the opinion that people should embrace our differences instead of rejecting them. It was not a statement I expected.

I told him about a fiction story set in Afrika and how that story had altered my views too. In the story there is a woman who has nothing but the clothes she is wearing. In the story she finally earns enough funds to buy an old emug and acquires a small shelf-cupboard to set it on. This is her entire sum of worldly wealth.

He thought about that a moment.

I told him one of our differences is that we do not recognize other peoples wealth or what they have as wealth. If it does not meet our own interpretation, then they have none.

I pointed out that homeless-houseless people have wealth but it is not recognized by society. They manage to get tents, sleeping bags, warm jackets when they have nothing. Our cities do not recognize this as wealth so they feel free to destroy it whenever and however they want. The police have often taken to wholesale permanent destruction of this wealth and feel compelled to destroy anything that’s left which the person cannot carry away.

People living in cars, vans, converted buses, RVs also have wealth and this wealth is not recognized either. The city officials consider sleeping in your car to be a marker of non-wealth so they arrange to tow the vehicle and set such egregious fines and fees for recovery that a person living in poverty cannot hope to reclaim it.

Of course, the dichotomy is that these very same items in the possession of someone with recognized wealth is not subject to wanton destruction, seizure or forfeiture.

He thought very carefully about this.

===

Alexander McCall Smith

The No. 1 Ladies’ Detective Agency (novel & series)

Winter February 24, 2023 1:05 AM

@JonKnowsNothing

The No. 1 Ladies’ Detective Agency

That is one great series of books. From those that have been there, I hear that Botswana is a great country. If you can, watch A United Kingdom about their first president.

Winter February 24, 2023 2:19 AM

@Steve

I don’t necessarily believe anything coming from either side.

Neither do I.

But the Ukrainians tend to be more tight lipped than the Russians. Where the Ukrainians tend to say as little as possible (and then might refrain from telling the truth), the Russians simply deny everything and blame it on the Ukrainians.

As a result, I am willing to ponder the truth of what the Ukrainian side tells us, and I simply ignore what the Russians say. [1]

[1] If you always deny, the information content of your statements is simply the same as white noise: 0 bits.

Clive Robinson February 24, 2023 3:15 AM

@ Winter, Steve, ALL,

“I am willing to ponder the truth of what the Ukrainian side tells us, and I simply ignore what the Russians say”

Whilst I agree that what the Russians currently under Putin’s command say is basically propaganda for “Domestic Consumption”, thus near worthless,

I regard the Ukrainian comments as likely to be true.

The reason is simple: Ukrainian troops need foreign equipment / ammunition support or aid. Which, unlike Russia with China / Iran support or aid, comes from nations where the views of the public can strongly affect the giving of aid Ukrainians need to defend themselves.

Thus as we know, and Ukraine’s leadership know, “lies get out” and that they are being 100% watched around the clock by satellites etc of those giving the aid / support, as well as Russia and its allies. And importantly independent commercial organisations.

With anything Ukrainians say being subject to such scrutiny, they know that most forms of lying by them would be detected rapidly and potentially turn public opinion against them in the nations giving them aid and support…

Thus whilst Ukrainians can say little as an option, that won’t get them the sympathy they need. Whilst what they choose to say has to be fairly honest and correct (there will always be some “fog of war” issues).

So yes, I tend to regard what Ukrainian leadership and spokespersons say as probably being accurate within the limits of what can be known at the time it’s said.

Winter February 24, 2023 3:35 AM

@Clive

So yes, I tend to regard what Ukrainian leadership and spokespersons say as probably being accurate within the limits of what can be known at the time it’s said.

Indeed, but there are cases where the Ukrainians need to avoid the truth anyway. Like the number of Ukrainian casualties.

Also, I do find it very likely that it was Ukrainian operatives that murdered Daria Dugina. That was probably by accident as the likely real target would be her father. But the Ukrainian government initially kept insisting that it was not them.

Gert-Jan February 24, 2023 7:52 AM

It might be a bit early to draw conclusions.

I’m sure Ukraine has many learnings. And of course it’s good to assess them and if deemed useful, adopt them.

While Russia and Ukraine are still at war, it is unlikely that either side will admit to any cyber attack they suffered from. They might not even admit to a successful cyber attack they performed, as to not give away any future advantage.

I expect more information when the war is over. Right now, all you can expect from those countries and close allies is propaganda. And obviously the propaganda of both sides is that they never experienced any successful cyber attack and are not worried about it either.

Winter February 24, 2023 9:32 AM

@Gert-Jan

While Russia and Ukraine are still at war, it is unlikely that either side will admit to any cyber attack they suffered from.

Right now, all you can expect from those countries and close allies is propaganda.

Many allies help Ukraine with their defense. It is, therefore, unlikely that much can be kept secret in their camp. We do get quite a lot of information about cyber attacks and defenses from Ukraine. Much less so from Russia, indeed.

So I think you are too pessimistic.

But we will, indeed, only know the full story, or at least a lot of it, after the war is over.

I am afraid I can’t do that Dave February 25, 2023 1:14 AM

One thing I can’t really understand is why we always seem to be surprised by what despicable acts people can do to each other?

ResearcherZero March 2, 2023 1:16 AM

“secure by default” and “secure by design”
https://security.googleblog.com/2023/02/the-us-government-says-companies-should.html

Prepare to defend against destructive and disruptive attacks

Russian information operations have regularly been deployed in tandem with destructive cyber operations in Ukraine.

Telegram channels of XakNet Team, Infoccentr, and CyberArmyofRussia are coordinating their operations with GRU-sponsored FROZENLAKE/APT28.
https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf

Peter March 2, 2023 9:39 AM

Sixth reason: Russia doesn’t have effective cyber warfare units; this type of work requires very high levels of motivation and creativity, but most of the talented and educated young Russians became very demoralized as soon as the bullets started to fly, many of them even escaping the country. Those who remained are usually not the brightest, not particularly motivated to attack, underpaid and unappreciated.
Meanwhile Ukraine has all the resources the entire NATO could offer, from money to zero days, and being on the defense, they are better motivated.

Clive Robinson March 2, 2023 1:15 PM

@ Peter, ALL,

Re : Russia & skilled CompSec individuals.

“Those who remained are usually not the brightest, not particularly motivated to attack, underpaid and unappreciated.”

You forgot to add,

“But motivated by a Jack boot on the neck”.

As I’ve mentioned one of my neighbours is Russian, nice enough bloke in his late twenties working in the ICT sector and was sending money back to his family.

Apparently not only has the money been taken by Putin’s cronies, his brother has been arrested and his parents have been told that unless he returns to Russia his brother will be tried for what sounds like “sedition” and put in prison indefinitely…

As you can imagine this has put a lot of stress on him and his family, with his father insisting he come back to do his duty etc.

My neighbour has to make a choice. I’ve indicated that, based on the previous history of Putin’s cronies, going back will not get his brother freed; all it will do is make his brother a hostage to blackmail so that my neighbour will do as he is told.

I’ve told him it’s not a game he can win, or even draw at, only lose, so the best strategy is not to play at all.

Speaking to a couple of other Russians I know this afternoon, apparently this is becoming normal… And it almost sounds like Putin’s cronies are trying to set up a “fifth Column” in the West… But rather more than being a faux-news organisation.

Winter March 2, 2023 1:30 PM

@Clive

Speaking to a couple of other Russians I know this afternoon, apparently this is becoming normal…

At the start of the war, the word was that Russia was becoming like North Korea. And it has.

It is also a sign of desperation.

Clive Robinson March 3, 2023 12:19 AM

@ Winter, ALL,

“It is also a sign of desperation.”

But it needs to be emphasized: not on its own. It also requires a lack of morals and ethics.

For instance there are many who have starved to death rather than eat human flesh.

Likewise many have withstood torture and oppression because of their morals and ethics, as well as gone to their deaths to protect others.

There is an old English saying of,

“Manners maketh the man.”

As “manners” is not just the mores, ethics and morals of society but the behaviours towards others and things that arise from them, we can draw certain conclusions about those who really are not in any extremis or existential threat, that effectively have no manners or drop them on the slightest of pretexts.

As Shakespeare had Mark Antony note, in the “Friends, Romans, Countrymen” speech in the play “Julius Caesar”,

“The evil that men do lives after them, the good is oft interred with their bones, so let it be with Caesar. The noble Brutus Hath told you Caesar was ambitious, if it were so, it was a grievous fault, and grievously hath Caesar answered it.”

So let it be with all despots, dictators, and tyrants as well as their supporters. Let their names be remembered if at all only in infamy as a vile but abject lesson in wrongs against mankind.

Winter March 3, 2023 1:25 AM

@Clive

But it needs to be emphasized: not on its own. It also requires a lack of morals and ethics.

and

“Manners maketh the man.”

If Russia looks in every way like a country ruled by psychopaths, that is because it is. And it has a long tradition of psychopath rulers.

Clive Robinson March 3, 2023 2:27 AM

@ Winter,

Re : Russian for “Et tu brute?”.

Maybe I should have left in,

“I come to bury Caesar, not to praise him”

I suspect there are a lot who wish for that sentiment to be a reality and soon, very soon.

And to be honest, who can blame them…

P.S. Russia is one of the few places in the last century where cannibalism was a norm as a result of “State Policy”, 1921, 1930’s and during WWII, with easily recognisable body parts on sale in the street. A search on the Internet gives multiple independent references going up and into this century with photographs. Plus there is the latest, suspected cases of Russian soldiers castrating etc Ukrainian soldiers, that caused Ukrainian presidential adviser Mykhailo Podolyak to tweet,

“All the world needs to understand: Russia is a country of cannibals who enjoy torture and murder. But the fog of war will not help to avoid the punishment of the executioners. We identify everyone. We will get everyone.”
