Russia’s full-scale war on Ukraine since February 2022 has led to many previous assessments of Russian military power being revised. This research paper examines Russia’s campaigns and Ukraine’s responses in the cyber and information aspects of the conflict.
This research paper surveys cyber and information activities observed in the context of Russia’s war on Ukraine in the period after February 2022. Its aim is to understand the nature of those activities, the principles informing them, and to determine whether lessons can be drawn that will assist in preparing for the information element of future confrontations with Russia, up to and including major conflict involving the United States or other NATO nations.
With that in mind, this paper refers to a number of specific instances of cyber and information operations against Ukraine or its backers, but the objective is not to dissect these operations in detail. This is not a technical report on cyber activities; instead, the aim is to observe patterns of behaviour and effects, and determine whether they provide useful pointers for the future.
Scope and definitions
This paper considers both cyber activities – those affecting technical systems and networks – and information operations – those seeking to bring about a cognitive effect on humans. Despite recent evolution in doctrinal approaches in a number of Western nations, these two areas of warfighting have not always sat comfortably together in defence and security thinking in much of the Euro-Atlantic area. Yet Russian concepts treat these two lines of effort – ‘information-technical’ and ‘information-psychological’ activities – as implicitly integrated. And since this is a war waged by Russia, any framing of operations other than the Russian one risks being misleading.
It follows that it is important to ground our understanding of Russian actions in Russia’s own concept of ‘information confrontation’. A current Russian definition for information confrontation describes it as ‘a form of conflict between parties… each of which attempts to cause the other defeat or damage by means of informational impact… [it has become] a form of combat in which information is both the tool, the environment, and the target’. Crucially, the ‘environment’ includes not only computers, other endpoints, and digital and cyber-physical networks. Its definition is much broader – encompassing, for example, public opinion in a target state and the thought processes of individual decision-makers. The reason for adopting this framing will become clear throughout this paper, given the multiple instances it documents of overlapping and interdependent effects between these domains – for example, between Russia’s attacks on Ukrainian technical capabilities or infrastructure and its use of disinformation or other tactics to attempt to manipulate opinion. An important factor here is the dependence of Russian cyber and information warfare on both the physical environment and human factors for its effectiveness. The paper thus includes a chapter on information effects designed to influence Ukrainian or Western policy primarily through non-technical means, as well as considering strictly defined ‘cyber’ operations and the relationship between the two.
Significantly, Ukraine also conceptualizes information security and cybersecurity as two complementary but interlinked areas of national security. This reflects both its partially shared tradition of defence and security thinking with Russia dating from Soviet times, and Ukraine’s practical experience of persistent hostile cyber and information operations carried out by Russia since 1991.
Notes on this paper
This survey of Russian cyber and information warfare is based on reporting to the end of June 2023. It relies on open, publicly available sources. Additional context and background for the information gathered from open sources were provided by members of a multinational and multidisciplinary study group, who reviewed an early draft of the paper in April 2023 and contributed important corrections and clarifications.
Reliance on open sources places a clear caveat on the findings of this paper; not least because it is impossible to arrive at a complete and confident picture of cyber operations without access to telemetry, much of which is classified or confidential. A further caveat arises from the fact that there is a disparity between the effectiveness of operational security (OPSEC) practised by Ukraine and Russia respectively. The more effective nature of Ukraine’s efforts to control information flows is evidenced in battlefield successes such as its launch of the Kharkiv counteroffensive in September 2022, to the apparent surprise of Russian forces as well as the world media. This also makes it difficult in many instances to determine the actual nature of cyber and information operations taking place in Ukraine, and close to impossible for outside observers to do so at the time they are taking place.
Although the author did not have access to specialized databases and repositories of information on cyber activities maintained by cybersecurity companies, the primary sources of information on cyber activity in the Ukraine theatre nevertheless remain public reporting by information and communications technology companies, rather than the Ukrainian state. The limits on what can be determined from open sources are illustrated by the way coverage of cyber activity in the early days of the invasion mirrored coverage of the air war in conveying the impression that nothing much was happening. Because cyber and air operations were not visible to outside observers and did not play out in front of the world’s media in the same manner as land operations did, it took time for the detail of what happened to emerge, leading to early descriptions of the conflict as a ‘cyberwar that never was’. In the case of air fighting, the true picture became clear in retrospective analysis and reconstructions by leading experts at defence think-tanks. In the case of cyber operations, subsequent surveys and reports by entities such as Microsoft eventually described and explained what had taken place months before.
Perceptions of impact can also be skewed by the fact that cyber operations in particular can remain effectively invisible to the public. As with espionage, some cyber operations are designed to remain undetected, but even those designed for palpable impact may remain unknown unless and until they succeed and damage or disruption is caused. Comprehensive reviews of operations in the first few months after February 2022 concluded that ‘the modest scale of Russia’s cyberattacks has fallen far short of … predictions’ and consequently that ‘cyber has not been a consequential front in Russia’s invasion of Ukraine’. However, as later explained by Sir Jeremy Fleming, the outgoing chief of the UK’s Government Communications Headquarters (GCHQ) signals intelligence agency, ‘There’s been plenty of cyber in this conflict. The thing that’s different is … that Ukraine has been very effective in defending itself.’ It has thus taken time for a clearer picture of the cyber and information aspects of the war to emerge.
By the time this paper was substantively complete in August 2023, however, despite gaps in visibility into specific technical aspects of cyber operations there was sufficient verifiable reporting on incidents across the entirety of information confrontation to arrive at a number of confident findings on how this conflict had confirmed, or run counter to, prior expectations.
The nature of the conflict
Ahead of 24 February 2022, there was a widespread expectation of a swift and devastating campaign by crushingly superior Russian forces. This did not take place, either in conventional or in cyber and information operations. This came as a considerable surprise to many commentators around the world who had not observed the way in which Ukraine’s military and information capacity had developed during the preceding eight years since Russia’s seizure of Crimea and initial invasion of eastern Ukraine. Fortunately for Ukraine, developments in the early stages of the full-scale 2022 invasion also came as a considerable surprise to Russia’s own armed forces and planners. This influenced the evolution of Russia’s cyber and information campaign over the subsequent months of war.
While Russia’s conventional military performance in Ukraine has been studied extensively, there are also lessons on capability and future conflict with Russia to be drawn from Russia’s cyber and information warfare campaigns. Just as in conventional warfare, events in Ukraine have triggered a substantial rethink of Russia’s real, as opposed to claimed, capabilities. Earlier analysis on this theme by respected colleagues and institutions working in this field is referenced throughout this paper.
Crucially, in information space, unlike in other domains, Russia’s lack of early success in Ukraine appeared not to have resulted from failures to implement doctrine and planning. Russia attempted precisely the types of cyber and information attack that it had been practising and developing over the preceding years, as described in multiple specialist publications both within Russia and beyond. These types of attack included information interdiction, personalized targeted deception delivered to connected devices, selective destruction of civilian telecommunications infrastructure, and attempts at integration of kinetic and cyber/information activity.
However, many of these activities did not succeed, and other anticipated campaigns did not materialize. For example, large-scale and successful destructive cyberattacks on critical infrastructure were widely anticipated as a key element of swift Russian victory. Instead, Ukraine has largely prevailed against such attacks to date, and many of the apparent aims of Russian cyber and information activity have not been met. How and why this happened, and what this can tell us for planning of defence against Russia’s next war, is a major theme throughout this paper.
After consideration of the initial phase of Russia’s full-scale invasion of Ukraine in February 2022 and the underlying principles of successful Ukrainian resistance to information confrontation that this revealed, the paper has four main chapters. First, it considers those features of information confrontation that appear to be new and distinctive in this conflict. Second, it surveys the specific aspect of cognitive warfare – the battle for perceptions in pursuit of tactical, operational or strategic aims – as demonstrated in Ukraine itself, in and against Russia, and across the rest of the world. Third, the paper presents a summary of lessons observed that are pertinent to Western nations’ planning for future conflict. The paper concludes with a set of specific policy recommendations for Western governments and coalitions that might seek to defend themselves against Russian information confrontation methods and capabilities in the future.