Cyber and information operations in Ukraine have displayed a number of novel features alongside tried and familiar Russian tactics. Notably, private industry and individuals have been directly engaged in combat support for Ukraine, raising questions over their legal status.
State and commercial support for Ukraine
State support
At a state level, formal cybersecurity cooperation arrangements are in place between Ukraine and the US, and direct support in cyber operations by Western governments has been confirmed, although its nature remains understandably opaque. Canada is providing direct cybersecurity support to Ukraine as well as to Latvia, where Canada is the framework nation for NATO’s ‘Enhanced Forward Presence’ deployment. Designating both Ukrainian and Latvian networks as ‘systems of importance’ to the Canadian government mandates the provision of ongoing state assistance. Canada is also supporting satellite communications services in Ukraine to help maintain continuity of critical cyber systems. Paul Chichester, director of operations at the UK’s National Cyber Security Centre (NCSC), has described defending Ukraine’s networks as the ‘primary mission’ for both global private sector companies and British government cybersecurity agencies. The head of US Cyber Command, General Paul Nakasone, has confirmed that the US has ‘conducted a series of operations across the full spectrum; offensive, defensive, [and] information operations’ – although ‘offensive cyber operations’ were left undefined and thus potentially referred to activities ranging widely in nature, scale and impact. This support and the essential mutual trust it requires appeared to recover swiftly from the abrupt withdrawal from Ukraine of embedded foreign cyber support personnel, along with other military trainers from the US, UK and Canada, ahead of the invasion in February 2022.
Not all foreign support is the result of new measures following February 2022; some international support programmes were in place years beforehand. US Cyber Command deployed its largest ‘hunt forward’ package – an operation to examine and strengthen a partner nation’s networks – to date to Kyiv in early December 2021. According to Anne Neuberger, deputy national security adviser for cyber and emerging technology in the US National Security Council: ‘We shared a whole list of targets that the Russians had compromised to enable the Ukrainians to rapidly address them; we put a real focus on their energy systems, and the Cyber Command team focused on military and transportation networks.’ Other direct support measures date back much further. NATO’s ‘Cyber Defence Trust Fund’, established after the NATO summit in Wales in 2014, was designed to develop Ukrainian capabilities to counter cyberthreats. ‘EU4Digital: Cybersecurity East’ was an analogous project run by the EU since 2019. A US assistance package delivered through the USAID agency since 2020 has focused on the cybersecurity of critical infrastructure. As ever, the precise extent and practical effect of each of these programmes are unquantifiable without detailed insider knowledge, but their cumulative impact is widely credited with having transformed Ukraine’s defensive capabilities and resilience to cyber campaigns.
Private industry support
In addition to support provided at a national level, a wide spectrum of technology companies is providing an equally wide range of essential services in support of Ukraine. Imagery from commercial satellites has been a critical enabler for the Ukrainian war effort, not only contributing to situational awareness but shaping the narratives of the war. In response, Russia has reportedly adopted temporary and reversible countermeasures, such as jamming and non-destructive cyberattacks against satellite services. Support from Amazon and its cloud services was crucial in evacuating Ukrainian government data from fixed premises. This was a last-minute measure carried out shortly before the February 2022 invasion, but one with a clear precedent in other countries that consider themselves at risk of being overrun by Russian forces, as in the case of Estonia setting up overseas ‘data embassies’ in the previous decade. Microsoft and ESET, a digital security company, have been identified as particularly useful in facilitating cyber defence due to their pervasive presence on Ukrainian networks. This assists with situational awareness and the collection of telemetry which is then passed to Ukrainian authorities, complementing direct responses in the form of building protections against detected threat activity into software products so that not only Ukrainian customers but others worldwide can benefit. Google is providing support services for Ukrainian government functions as well as DDoS protection for government websites and embassies worldwide. The Cyber Defense Assistance Collaborative (CDAC), a coalition of service providers, is delivering assistance pro bono or funded by non-governmental philanthropic grants. 
Meanwhile, companies such as Microsoft, Google and Amazon have provided services either at their own cost, or funded by Western governments backing Ukraine – albeit while issuing occasional reminders of the cumulative financial value of the support they have provided to date.
Appreciation of the role and power that major technology companies have in modern conflict may vary between organizations. But there are constraints that are largely common to many of them, connected with the need to meet obligations to shareholders and boards and comply with regulatory regimes, both locally and at their global headquarters. While corporations routinely show greater agility than governments do, legal and organizational constraints on corporate action still inform decisions. Most corporations will also need to justify policy decisions such as taking sides in a conflict to their own workforces, in order to prevent internal disruption.
The issue of cost does not appear yet to have stopped any technology company from providing necessary support to Ukraine, but the question remains of how long this is sustainable. While the major players are large enough to write off the costs of support without significant financial impact, this does not apply across the industry, especially if support turns into a multi-year commitment. Eventually, shareholder discontent could have a significant impact on critical service provision for Ukraine.
Companies the size of Microsoft, for example, have dedicated disaster response divisions set aside for emergency or humanitarian contingencies. These departments could be considered the natural sources of corporate action in support of a victim of aggression. But with or without specific disaster response capabilities, companies will have learned from the experience of Ukraine that they need strategies and pre-agreed policies to cover the possibility that commitments turn out to be far more prolonged and costlier than anticipated. This is particularly the case because it would most likely be reputationally challenging for a company to withdraw critical support in mid-war. Support for a combatant also exposes corporations to the legal implications of being a party to the conflict, discussed further below.
In fact, rather than conforming to notions of warfare that takes place between states using national resources, the cyber and information aspects of the current conflict are heavily dependent on private commercial organizations. Providers of cybersecurity services, network components, software, cloud services and much more are all directly involved. And the embedding of the private sector in Ukraine’s information systems provides a warfighting advantage unique to this domain: when the enemy deploys a new weapon system (the cyber equivalent being, for instance, malware), that system can on occasion be identified and mitigated or neutralized at far greater speed than in conventional operations, and by organizations other than the state. A by-product of this arrangement is that private industry may have better situational awareness than governments, especially those governments that – unlike industry – are not directly party to the conflict. While no individual entity has overall visibility of what is happening in Ukraine or any other cyber conflict, the combined effect of industry insights into overlapping segments of networks or industries provides clarity that may not be directly available to state actors.
Overall, a transformative effect of the situation in Ukraine has been to improve the exchange of information and foster apparent deconfliction between notional competitors in the cyber and information technology industries. While competitiveness between major technology companies prevents full strategic cooperation, a shared sense of purpose sees them to some extent working together against a common threat in the same way that the coalition of states backing Ukraine cooperates to pool and share resources for best effect. Here, too, the distinction in behaviour between large corporations and states appears to be eroding. According to Microsoft’s president, Brad Smith, the process of getting involved in geopolitics was ‘unusual and even uncomfortable, but became indispensable for the protection of our customers’. The net result is that, to an unprecedented degree, ‘the conduct of war and other responsibilities in the realm of statehood are reliant on private actors’.
At present, those organizations have largely decided which side they are on; but in a future, more ambiguous conflict, their loyalties could span borders and they could find themselves offering services to both sides. Their own commercial exposure could be an additional determining factor. In a future conflict involving China, for example, consideration of potential loss of business as a result of backing the other side could be decisive. This has direct implications for future conflict. The capabilities of private sector security firms are an integral part of the cyber defence capability of Western states. The digital security of critical infrastructure, in particular, has largely been entrusted to private industry. This leaves open the questions of who is going to pay for the services of private technology companies when they are called on, and how to ensure that companies are going to be on the ‘right’ side – as opposed to neutral or even hostile.
Lessons from Starlink’s involvement in Ukraine
Of all the forms of foreign support provided to Ukraine, few have had such a visibly transformative effect as the Starlink satellite communications service, offered to Ukraine shortly after the full-scale invasion. A Ukrainian deputy prime minister, Olga Stefanishyna, has called the provision of Starlink services ‘a turning point in our survival’. However, the evolution of the Ukrainian Armed Forces’ relationship with Starlink also illustrates core problems of dependence on the private sector for defence capability – problems that go far beyond the context of Ukraine. In fact, given the nature and ownership of Starlink’s parent company, SpaceX, this crucial capability was dependent not just on a single company but on one man; and in this case, a man renowned for his mercurial nature.
Public frictions between Elon Musk and the Ukrainian government first arose over the issue of cost. A sudden realization in late 2022 that Starlink services could be abruptly withdrawn was deeply alarming for Ukraine, given the country’s already well-established dependence on them; the dispute was then exacerbated by Andriy Melnyk, then serving as Ukrainian ambassador to Germany, responding to a ‘peace proposal’ by Musk with public profanity. The fact that a fighting force could come to rely on a service which, it appeared, could simply be withdrawn by its owner at zero notice provides warnings for Western defence forces considering their future relationships with the private sector.
Starlink, although not designed as a military system, has features that were favourable for its adoption for military purposes. These include the phased array that reduces the need for physical alignment of the terminal and focuses signals in a tight beam, thus making the terminals harder to locate using EW means; the very high number of satellites in orbit, which renders jamming more challenging; and Starlink’s combination of high bandwidth, low latency, small size and mobility.
But the fact that this is a commercial service also carries drawbacks. ‘Geofencing’ – the limitation of service provision within virtual perimeters – meant that in October 2022, when advancing Ukrainian forces entered newly liberated areas, Starlink abruptly ceased to function, depriving those forces of critical communications capability at a vulnerable moment. In the absence of definitive comment from Starlink, it remains unclear whether this was a deliberate limitation on Ukrainian use or a measure specifically designed to prevent the use of captured terminals by Russian forces. In addition, more recent reporting suggests that Russian forces have developed means of targeting Starlink terminals, greatly increasing the vulnerability of users.
In February 2023, Starlink placed further restrictions on usage, saying the system should not be used for offensive purposes such as providing communications for controlling drones carrying out attacks on Russian troops. Rather than an attempt specifically to hobble or constrain Ukrainian operations and favour Russia, as suspected by some of the more hawkish of Ukraine’s public backers, the restrictions were presented by Starlink as a response to an unanticipated expansion of its uses, from communications in general to specifically enabling offensive operations. It is possible that an unspoken consideration was Starlink’s unwillingness to expose itself to greater risk through becoming a direct party to attacks on Russian forces and assets, following Russian threats of countermeasures against private entities that did so – threats that, while so far empty, unusually had an arguable basis in international law. The lessons for private sector engagement elsewhere were again clear: a vital warfighting capability can be made unavailable on the basis of a terms-of-service violation. This is a critically important issue: given the extent of Ukrainian reliance on support from the commercial sector, the withdrawal of support by a major private sector entity could potentially be just as damaging as a major national government leaving the coalition supporting Ukraine. The dangers of reliance on a private sector system, and the way in which lives can be saved or lost as a result of corporate decisions, were highlighted when a Ukrainian naval operation against Russian naval vessels launching missiles against Ukrainian cities was prevented from being carried out because of a personal decision by Musk not to allow the maritime drones involved to use Starlink navigation systems. Musk’s rationale for not enabling Starlink service to Sevastopol was that ‘then SpaceX would be explicitly complicit in a major act of war and conflict escalation’.
It should be noted that the Starlink example is an extreme one, both because of the Starlink network’s unique prominence in Ukraine’s publicly visible warfighting effort and because of its distinctive ownership and decision-making structure. But the issues it illustrates need to be addressed across the board. The balance of interests between a nation engaged in war and a corporation subject to legal and regulatory obligations, contractual obligations to customers worldwide, and obligations to a board and shareholders argues for the establishment of norms regarding clear roles, responsibilities and rules for private sector engagement in times of conflict in the distinctive operating environment created by contemporary information warfare. This would not only assist in setting expectations on both sides, but also aid corporations in their crucial decisions on whether to involve themselves in conflict, as well as informing their attitudes to possibly taking on the status of a combatant (discussed further below). At present, corporations have independently jumped in to help Ukraine, largely because they felt it was the right thing to do. The lack of any obligation to do so in future other than a moral one now suggests that governments and international organizations should do more to make it easy for those companies to decide to jump in on the right side in future conflicts too. Guidance, policy and legal cover to assist in ways that complement or supplement government action would make this decision more straightforward.
Information interdiction
In the years between 2014 and 2022, Russia devoted considerable resources to probing the vulnerabilities of civilian telecommunications infrastructure across the West, with the apparent aim of being able to disconnect this infrastructure when required and isolate target populations from outside information. However, as implemented in Ukraine, with the exception of the initial Viasat attack discussed above, Russia’s efforts at information interdiction were more localized and disjointed.
For Ukraine’s military, the combined effect of the Viasat attack and other early information interdiction measures such as those delivered through EW has been disputed, but reporting at the tactical level suggests that Ukrainian communications were indeed suppressed, forcing reliance on civilian mobile phones. This contributed to what a Ukrainian cyber official described as the later ‘total domination’ of the Starlink system in military communications, edging out other satellite communication systems. Meanwhile, attacks were also observed targeting Ukraine’s communications infrastructure in order to reduce Ukrainian citizens’ access to reliable news and information. These attacks included missile strikes on data centres and television broadcasting towers, in a clear case of kinetic operations designed for information effects. In late March 2022, attempts to target connectivity by cyber means achieved a severe but temporary impact on the operations of Ukrtelecom. Information interdiction is one area in which Microsoft has pointed to apparently coordinated Russian cyber and kinetic attacks, as on 1 March 2022 when a missile strike against a television tower in Kyiv coincided with the launch of the DesertBlade malware attack against a broadcasting company and a statement by the Russian military that it would be targeting ‘disinformation’ centres. ‘Attempts to compromise and or stage destructive malware on media companies is a trend that has continued throughout this conflict,’ Microsoft stated.
But these attacks also conflicted with a need to take over the same networks (and other infrastructure) undamaged; both sides had incentives to preserve the communications networks they were using rather than destroy them. In fact, the battle for access to Ukraine’s mobile phone network infrastructure provides an important case study of the interdependencies between cyber, information and physical capabilities, which can sometimes give rise to conflicting priorities.
In the initial stages of the invasion, with isolated exceptions, Russian forces preserved mobile phone infrastructure largely intact – a logical outcome of the original intent to seize Ukraine rather than destroy it, despite conflicting with the aim of information interdiction. But the fact that telecommunications infrastructure – including not just mobile phone sites but also internet exchange points and data centres – has largely not been subjected to systematic attack even once it became clear that it was not available for use by Russian forces has led to suspicion that Russia too exploits these facilities for access, including to government and military communications carried via encrypted channels on civilian networks. Ukrainian information practitioners point to the historical ownership by Russian business interests of telecommunications companies and subcontractors in Ukraine with access to critical data, citing this ownership as further grounds for concern that Russia’s intelligence services may have mechanisms for continuing access to Ukrainian digital networks and thus the information they carry.
Meanwhile, the start of the full-scale invasion saw thousands of new mobile phones with Russian SIM cards appearing on Ukrainian networks as the Russian soldiers carrying them – despite years of efforts by the Russian army to improve OPSEC by dissuading soldiers from indiscreet use of connected devices – moved into the country. This presented the Ukrainian defenders with their own dilemma: to block these phones and render them useless, or to allow them to continue to function so that Ukraine could intercept their communications. The choice was made to block all inbound roaming subscribers from Russia and Belarus, which at a stroke made them unable to communicate and also wiped out a back-up communications system for the Russian invasion forces. The result of this move, combined with Russia’s own communications failures, was multiple instances of Russian forces stealing mobile phones from Ukrainian civilians, often with lethal force, to acquire communications capabilities and regain some degree of situational awareness. This in turn facilitated Ukraine’s interception of calls from Russian forces to Russia, which were subsequently exploited including through public release of audio of Russian soldiers phoning home to openly discuss and at times boast of their participation in war crimes.
Other emergency measures introduced by Ukrainian telecoms operators were designed to ensure uninterrupted connectivity for Ukraine’s own citizens. These measures included blanket national roaming, so that subscribers to any Ukrainian mobile network could use the other two main providers; and a coordinated decision between operators not to suspend any account for running out of credit – as users in Russian-controlled areas, for instance, would be unable to top up their accounts with Ukrainian networks.
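The two operator measures just described – refusing inbound roamers whose home network is Russian or Belarusian, and admitting any Ukrainian subscriber on any Ukrainian network regardless of credit – both turn on the mobile country code (MCC) carried in the first three digits of a subscriber’s IMSI. The following is an added illustration, not code from the report or from any Ukrainian operator, of how a visited network’s attach policy could express those rules. The IMSI layout follows ITU-T E.212 (3-digit MCC, then a 2- or 3-digit MNC); the country codes 250 (Russia), 257 (Belarus) and 255 (Ukraine) are real, but the serving network’s MNC, the sample IMSIs and the balances are constructed for the example, and the rule that foreign roamers without credit are refused is an assumption standing in for an operator’s normal policy.

```python
"""Illustrative inbound-roaming attach policy for a visited mobile network.

Added example, not part of the original report. Models two emergency
measures: rejecting roamers whose home network is in Russia or Belarus,
and national roaming for Ukrainian subscribers with no suspension for
zero credit. Sample IMSIs and balances are constructed; the serving
MNC "03" is an assumed value.
"""
from dataclasses import dataclass

MCC_RUSSIA, MCC_BELARUS, MCC_UKRAINE = "250", "257", "255"
BLOCKED_HOME_MCCS = {MCC_RUSSIA, MCC_BELARUS}


@dataclass(frozen=True)
class Imsi:
    mcc: str   # mobile country code, 3 digits
    mnc: str   # mobile network code, 2 or 3 digits depending on country
    msin: str  # subscriber identification number, the remaining digits


def parse_imsi(imsi: str, mnc_digits: int = 2) -> Imsi:
    """Split a 15-digit IMSI per E.212. All MCCs in this example use 2-digit MNCs;
    pass mnc_digits=3 for countries (e.g. North America) that use three."""
    if not imsi.isdigit() or len(imsi) != 15:
        raise ValueError("IMSI must be exactly 15 decimal digits")
    if mnc_digits not in (2, 3):
        raise ValueError("MNC length must be 2 or 3 digits")
    return Imsi(imsi[:3], imsi[3:3 + mnc_digits], imsi[3 + mnc_digits:])


@dataclass(frozen=True)
class Subscriber:
    imsi: str
    balance: float  # prepaid credit reported by the home network; may be <= 0


def attach_decision(sub: Subscriber,
                    serving_mcc: str = MCC_UKRAINE,
                    serving_mnc: str = "03") -> tuple[bool, str]:
    """Decide whether the serving network admits this subscriber.

    Order matters: the MCC block is evaluated first so that a blocked roamer
    is refused even if it has credit; the national-roaming rule ignores
    balance entirely, mirroring the operators' no-suspension decision.
    """
    ident = parse_imsi(sub.imsi)
    if ident.mcc in BLOCKED_HOME_MCCS:
        return False, f"reject: home MCC {ident.mcc} is blocked"
    if ident.mcc == serving_mcc:
        if ident.mnc == serving_mnc:
            return True, "accept: home-network subscriber"
        # Any other Ukrainian operator: national roaming, credit not checked.
        return True, f"accept: national roaming from MNC {ident.mnc}"
    # Assumed default for other international roamers: normal credit rules.
    if sub.balance <= 0:
        return False, "reject: international roamer without credit"
    return True, f"accept: international roamer from MCC {ident.mcc}"


def screen_attach_requests(subs: list[Subscriber]) -> dict[str, bool]:
    """Apply the policy to a batch of attach requests, keyed by IMSI."""
    return {s.imsi: attach_decision(s)[0] for s in subs}


# Constructed attach requests (not real subscribers).
SAMPLE_REQUESTS = [
    Subscriber("250011234567890", 10.0),  # Russian home network, has credit
    Subscriber("257021234567890", 10.0),  # Belarusian home network
    Subscriber("255031234567890", 0.0),   # serving network's own subscriber, no credit
    Subscriber("255011234567890", -3.0),  # other Ukrainian operator, negative balance
    Subscriber("260021234567890", 5.0),   # Polish roamer with credit
    Subscriber("260021234567891", 0.0),   # Polish roamer without credit
]

if __name__ == "__main__":
    for sub in SAMPLE_REQUESTS:
        admitted, reason = attach_decision(sub)
        print(f"{sub.imsi}: {'ADMIT' if admitted else 'REFUSE'} ({reason})")
```

The policy is deliberately evaluated in a fixed order: the home-country block comes first, so a Russian or Belarusian SIM is refused even when its home network reports credit, and the national-roaming branch never consults the balance, which is what a coordinated “no suspension for running out of credit” decision amounts to when users in occupied areas cannot top up.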
Severe challenges in maintaining communications were reported on both sides in the earliest stages of the conflict – although just as in the invasion of Georgia 14 years earlier, on the Russian side this commonly resulted from inadequacies of equipment and planning, rather than from any action by the adversary. It was widely reported that the Russian military’s Era secure communications system was dependent on 3G mobile phone coverage, and so when these networks were destroyed or unavailable, the system was inoperable. This reportedly led directly to losses among Russian commanders forced to communicate over insecure systems, revealing their locations and intentions. If this reporting is accurate, it provides another incentive to exploit rather than destroy connectivity infrastructure. According to one assessment: ‘[C]yber war is deemed by the Kremlin to impede rather than enhance battlefield conditions. Attacks over the internet that are designed to damage or destroy are not nearly as attractive as maintaining access in order to collect information, shape perceptions, and gauge the effects of one’s actions in other domains.’ In at least one instance, access by advancing Russian forces to telecommunications infrastructure was thwarted by the destruction of critical software – the digital equivalent of retreating troops blowing a bridge so that it cannot be used by the enemy.
Information interdiction as apparently planned by Russia beforehand has been most easily achieved in occupied territories, where routing internet and communications access through Russia has enabled Moscow to suppress access to outside media, especially Ukrainian news platforms and essential services. This has had the dual effect of enabling Russian monitoring of internet communications, through the SORM lawful-interception system that Russian internet service providers are legally required to install, and of leaving the population with no sources of information other than Russian propaganda. Each Russian combined-arms army is supposed to have a dedicated unit tasked with ‘informational isolation of the battlefield’. And documents leaked from Russia’s Vulkan corporation indicated that the ‘Amezit’ project was designed, among other functions, to apply ‘information restriction of the local area’ and create an ‘autonomous segment of the data transmission network’ – but that this required gaining physical access to communications infrastructure.
Even where Ukraine retains control of territory, Russia has achieved local success when isolated towns or communities close to the front line receive their information primarily from Russian television and radio broadcasts. This has had substantial impacts on those Ukrainian populations, to be discussed further below. For other states that are potential victims of Russian aggression, the implications are clear: resilience through diversification and redundancy is critical to maintaining communications between a government and its citizens in the face of attempts at information interdiction.
Coordination
Publicly released analysis has arrived at mixed conclusions on whether Russian forces have successfully coordinated or integrated cyber effects with kinetic effects.
The head of the UK’s NCSC has stated that ‘Russian cyber forces from their intelligence and military branches have been busy launching a huge number of attacks in support of immediate military objectives’, but it is hard to identify supporting evidence from open sources. In April 2022, Microsoft concluded that ‘it is unclear whether computer network operators and physical forces are just independently pursuing a common set of priorities or actively coordinating’, even though ‘threat activity groups often targeted the same sectors or geographic locations around the same time as kinetic military events… high concentrations of malicious network activity frequently overlapped with high-intensity fighting during the first six plus weeks of the invasion’.
A subsequent Microsoft report in June 2022 included much more definitive language:
But Microsoft’s references to coordination between cyber and kinetic warfare were called into question by members of the expert community, and later surveys struggled to find clear examples of successful cyber–kinetic coordination. Instead, there is sporadic evidence not only of lack of coordination but even, potentially, lack of communication between Russian cyber and conventional units. The UK’s GCHQ points to ‘red-on-red’ incidents in which ‘Russian military strikes took down the same networks that Russian cyber-forces were attempting to infect – ironically forcing the Ukrainians to revert to more secure means of communication’.
In those limited instances where information on apparent coordination between Russian cyber and conventional units is available, it comes with caveats. It is claimed that a facility for US information warfare support for Ukraine in the Kyiv region was among the first targets for long-range precision strike missiles at the outset of the February 2022 invasion. But, if true, this would be reflective of target lists drawn up long in advance rather than evidence of ongoing integrated planning. An example of coordinated action identified by cybersecurity company Mandiant, a subsidiary of Google, can be found in the attacks on the Ukraine 24 website and in a TV broadcast timed to promote and validate the contemporaneous release of a deepfake video of President Volodymyr Zelenskyy appearing to call for surrender. Yet this does not provide an example of coordination across domains, since all the effects delivered were in the information space and no kinetic operation was involved, either as enabler or enabled. And even in examples like this, it is impossible to be certain that coordinated action was the intent rather than an accidental outcome. Assuming that congruence in time and location is evidence of prior planning rather than coincidence may be influenced by a common tendency to ascribe better coordination to the adversary than may be the case in real life.
Similarly, there has been sporadic reporting of Russian cyber forces trying to use captured Ukrainian military information technology such as tablets to gain access to Ukrainian networks; but without knowledge of how this access was to have been exploited, it is not possible to tell whether this should be considered an espionage campaign, an attempt to facilitate conventional operations, neither, or both.
Gavin Wilde, an expert on Russian information warfare, suggests that an apparent paucity of evident integration with kinetic operations may result from the operating ethos of Russia’s cyber forces, since ‘Russia’s premier offensive cyber capacities are housed within agencies focused on intelligence and subversion – the key tool kits used against Ukraine since 2014 – rather than combined-arms warfare’. Consequently, Wilde continues, ‘even the most brazen and destructive cyberattacks historically unleashed in Ukraine appear to be part of a sociopolitical pressure campaign, not particularly intended to achieve any discrete, time-bound, or geographic objectives’. While this observation relates primarily to the period before 2022 and the arrival of full-scale open conflict, even with the caveat that there is little public knowledge of incidents targeting Ukraine’s military it is notable that the majority of observed Russian cyber activity since that point still represents ‘countervalue’, rather than ‘counterforce’, targeting. This includes attempts at exploitation of successful (or even unsuccessful) cyber operations to demoralize the Ukrainian civilian population. This in turn indicates how, in keeping with Russia’s holistic concept of information operations, ‘Cyber operations are a form of modern political warfare, rather than decisive battles. These operations don’t win wars, but instead support espionage, deception, subversion and propaganda efforts.’
This highlights the limitations of considering Russian cyber fires as a direct alternative, or substitute, for kinetic activities to achieve a given effect. Cyber operations instead provide a supplementary capability with a different range of effects to the physical destruction of the target. Accordingly, Russia’s integration of cyber effects into its military campaign appears to have evolved in parallel with the distinct phases of the war itself. The initial wave of attacks before and during the February 2022 invasion aimed to produce disruptions to shape the battlespace and create a more permissive environment for the follow-on conventional activities. As the war developed, access operations to gain situational awareness became more prominent, targeting Ukrainian military applications such as Delta and Bachu, or webcams and CCTV services both in the area of operations and on Ukraine’s western border to try to identify the delivery of Western aid. The Russian campaign against Ukrainian energy infrastructure in the autumn of 2022 indicated operational-level coordination of different disruptive cyber capabilities with kinetic strikes to maximize both physical and psychological impact. This evolution points to an agility and adaptability on the part of Russia’s cyber forces that in turn suggest further increases in sophistication are likely as the war continues.
Overall, combined cyber and kinetic operations have been far less visible than might be assumed by Western audiences, especially if there is an assumption of cyber power being exercised primarily for kinetic or physical effect. As the war has moved on, the potential physical impacts of cyber operations have faded still further in relative significance. Wiper malware attack campaigns were noted against a wide range of targets both before and after February 2022, but during Russia’s campaign overall, any physical impact achieved through cyber means was entirely overshadowed by the direct effects of missile and drone strikes. In part, this is a simple function of the asymmetry of investment required in delivering destructive effects through cyber or kinetic means. One analysis makes the following argument about like-for-like comparisons:
Cyber effects beyond the theatre
Another unfulfilled expectation was that there would be widespread international spillover from cyber operations against Ukraine, with uncontained cyber weapons causing significant damage either deliberately against the West or accidentally against the world. Yet despite an intensive Russian campaign against overseas Ukrainian diplomatic missions, which on occasion presented softer targets than the Ministry of Foreign Affairs in Kyiv, the expected direct and intentional impacts on the US and other Western countries did not materialize in the early stages of the escalation. The pace and intensity of publicly reported Russian and Russian-backed cyber campaigns against Western targets appear to have remained largely comparable with the period before 2022, and Google ‘didn’t observe a surge of attacks against critical infrastructure outside… Ukraine’.
The period of intensified fighting in Ukraine has coincided with a rise in frequency and impact of cyber incidents globally, but analysis by SecDev, a digital resilience foundation, attributes this more to the rapidity of digital transformation than to interstate competition. According to Ciaran Martin, the former head of the UK’s NCSC, speaking in November 2022: ‘Despite all the hype, Putin has not seriously troubled the West at all in cyberspace since the invasion.’ Another, unnamed, British official concludes that Russia was keen to confine the impact of its attacks to Ukraine in order to avoid a confrontation with NATO nations.
The cyber incident that caused the most widely reported collateral damage outside Ukraine itself was the Viasat attack at the outset of the new invasion, which resulted in a partial interruption of KA-SAT’s satellite broadband service. The attack affected not only tens of thousands of broadband customers across Europe, but also the operations of 5,800 wind turbines in central Europe. More recently, Russia has shown itself willing to carry out cyber, but not kinetic, attacks on the logistics chains and organizations delivering aid to Ukraine through Poland. Notably, one attack on Poland used Prestige ransomware, providing a degree of deniability and disguise as criminal activity now seen less frequently in attacks within Ukraine itself. The same efforts to avoid detection were evident in Russia’s covert campaign to instigate sabotage of Poland’s rail network. This could indicate that Russia’s understanding of NATO’s Article 5 agreement on collective defence is shaping the boundaries of Russian actions – and that cyber activity is still considered less escalatory than direct kinetic attack.
This interpretation will have been confirmed, in Russian eyes, by Western reactions to the Viasat hack and the collateral damage it caused. Western governments confined themselves to ‘condemning the attack in the strongest possible terms’ – in other words, just as with warlike acts directed against Europe in the period 2014–22, they did not respond in any manner that would be meaningful to Moscow. This implies that if Russia wishes to escalate the conflict further as part of its deterrent strategy, direct and more damaging cyberattacks against Western interests would provide a more attractive option than the nuclear strike option that is far more prominent in Western public discussion.
Meanwhile, Russian cyber operations directed further afield since 2022 have received relatively scant publicity. In February 2023, a joint report by the Netherlands’ intelligence and security services listed a wide range of both cyber and physical ‘espionage and preparatory acts for disruption and sabotage’ – but this was an exception. In a distinctive break from the apparent pattern of openness and transparency that briefly marked the preceding period, Western security and intelligence agencies have relapsed into their previous habit of secrecy around specific threats to the societies they protect.
Similarly, limited information is available in the public domain to assess the success or impact of Russian cyberattacks against Ukrainian government or military forces, or indeed those of Ukraine against Russia. This is because Ukraine’s habitual reticence regarding cyber operations it has carried out against Russia is mirrored by a successful policy of not disclosing the impact of attacks against itself. The result is that reporting on successful offensive cyber operations by Ukraine is isolated, patchy and insufficient for forming overall conclusions as to the nature of the campaign Ukraine might be waging.
Incidents that have been attributed to Ukrainian cyber action include destructive attacks on Russia’s oil and gas infrastructure, sometimes allegedly repeated due to Russian inability to address vulnerabilities. One report quotes an alleged Ukrainian government cyber operative as commenting: ‘Same pipeline. Same exploit. Everything same as before. They did nothing at all to their security. Those *&@#* never learn.’ Russian defence industry installations have allegedly also been targeted by Ukraine. Operations may include false flag attacks designed to exploit internal divisions within Russia. One apparent example may have been an incident disrupting Russian military satellite communications, which in one account was attributed to a group aligned with the Wagner private military company in the wake of its abortive mutiny in June 2023.
Effects are delivered not only by Ukrainian state agencies, but also by civilians acting independently. According to one assessment, these individuals may choose from a wider target set than ‘official’ cyber forces. They may engage in vandalism to impose costs on the Russian economy – such as by targeting railway systems or the national food quality authentication system, or facilitating information operations by enabling broadcast of pro-Ukrainian messaging across Russian television and radio networks. This latter campaign has reportedly had a severe impact on domestic television channels broadcasting within Russia, with jamming or hacking becoming so effective that at one point the national transmitter operator, RTRS, sought to protect the main domestic channels by rebroadcasting their programming via a military satellite.
Legality and legitimacy
One of the fundamental distinctions between the parties to the conflict is that Ukraine is a democracy governed by the rule of law, while Russia has no such constraints. This has obliged Ukraine to adapt its legislative framework for information and cyber activities rapidly under the pressure of war.
For many countries, the demonstrated need for data evacuation ahead of a conventional conflict may clash with peacetime data security requirements that might specify that government data must be held on sovereign territory. In the case of Ukraine, this challenge was addressed by rapid amendments to data protection law, enacted by Ukraine’s parliament as late as 17 February 2022. Other legal initiatives have included attempts to regulate and regularize the status of Ukraine’s ‘IT Army’ of volunteer cyber activists, and the adoption of special legal measures authorizing remote access by Microsoft to computers across the country (this access was needed to turn on controlled folder access in Microsoft Defender security systems in order to mitigate the impact of Russian malware attacks). The rapid passage of legislation demonstrates an administrative agility and degree of national consensus that might be hard to achieve in other states. On a more academic and theoretical level, it also raises the question of what precisely constitutes adherence to the rule of law when the law itself can be so deftly adjusted to suit current circumstances.
Other legal considerations arise from the nature of the conflict as a war of national survival calling on all citizens to be involved in defence – specifically, from concerns over the erosion of the distinction between combatants and civilians.
The involvement of private citizens in cyber and information activities mirrors the efforts of other volunteer groups supporting all aspects of Ukraine’s war effort. Ukraine’s ‘Diia’ civilian government services app incorporates an ‘e-Enemy’ function to allow private citizens to report Russian troop locations and movements. Information from this function feeds into ‘Delta’, the Ukrainian military’s situational awareness platform. Thus civilians are encouraged to engage in combat support activities. The collection of open-source information also aids in establishing accountability for war crimes and atrocities. This, too, could be considered an operational impact – at least, Russia has indicated so through its previous actions targeting organizations such as the World Anti-Doping Agency and the Organisation for the Prohibition of Chemical Weapons because they held evidence that promised reputational damage for Russia. In Ukraine, being detected by Russian forces in the occupied territories or near the front line as having reported troop movements or holding compromising evidence of this kind invites inevitable swift, vicious and potentially fatal consequences. This is a particular hazard if apps route sensitive communications over messaging services such as Telegram. Ukrainian citizens who have returned from Russian captivity have reported that their FSB interrogators had copies of their Telegram messages, even though the former prisoners believed these to have been securely deleted months previously – one of many possible explanations being that the messages were intercepted through Russia’s SORM system described above.
There is a strong legal argument that smartphone users reporting military movements forfeit their protected status as civilians. This principle is said to have been applied, for example, by Western forces in theatres such as Afghanistan, where individuals engaging in this activity could be treated as enemy combatants. In the case of Russia’s war on Ukraine, the point is largely academic, since Russia does not observe principles of international humanitarian law (IHL), so the protections this provides are moot in practical terms. However, the widespread engagement of civilians in direct support of hostilities could potentially undermine their entitlement to protection in the view of the international community too. According to one analysis, such engagement implies not only that Ukrainian civilians can be lawfully killed or injured by Russian troops without any corresponding legal right to fight back, but also that, if detained, they have none of the notional protections of prisoners of war. Furthermore, one analysis notes that ‘widespread civilian participation in the targeting process can make it more difficult to prove Russian breaches of IHL and thus make it more difficult to prosecute members of the Russian armed forces for the war crime of intentionally directing attacks against civilians’.
The Delta system further potentially blurs the legal status of commercial entities. In February 2023 Ukraine announced plans to host the system on cloud servers outside Ukraine, for the same rationale of resilience that led government data to be evacuated from Ukraine and hosted by Amazon. Whose servers precisely were intended to host Delta remained, understandably, unspecified; but if a military system facilitating active combat operations is hosted on a civilian cloud service, there seems little doubt that Russia would consider that civilian commercial entity a valuable target for direct action of some sort designed to compromise or deter its operations.
Thus, while the risk to individuals within Ukraine is immediate, there is a further issue regarding the practical risk that civilian enablers of Ukrainian offensive or defensive operations further afield may be exposed to – for example, the staff of foreign cybersecurity and technology companies providing services and assistance to Ukraine. That risk is not, as yet, known to have been borne out by attacks on these civilian personnel by Russia, but Russia has shown itself able and eager to reach into Western countries to target individuals through active measures, so this remains a distinct possibility in the future, and one for which Western commercial entities should be fully prepared.
Conversely, there is also a strong argument that Russian cyberattacks on civilian infrastructure could be prosecuted as war crimes. However, this notion faces the same challenges as enforcement of accountability for Russia overall – up to and including the International Criminal Court warrant issued for President Vladimir Putin himself – so remains in the realm of theory and may not present any practical deterrent to continued illegal actions. The speed of events in open conflict is also prejudicial to investigation and accountability: the need for instant remediation of cyber incidents to keep systems running has at times to be prioritized over the long and labour-intensive process of collection and preservation of evidence for intelligence, prosecution or deep analysis use. Just as standalone cyber operations have the luxury of time for their developers to design, perfect and deploy them, while tactical cyber operations in wartime often do not, so defenders will often not have the time or resources to invest in the data collection required for subsequent detailed analysis of attacks for forensic or intelligence purposes.
Personalized identification of individuals for attack is in part a function of the huge expansion of potential targets available for exploitation, including personal phones and connected devices. The early stages of the war exposed the critical – and in fact lethal – nature of personal data in general. Russia had directed focused efforts at gaining access to public and private databases, including not only government information such as tax and residence records but also medical records and commercial data like details of insurance accounts. This information was then used to identify individuals to be detained, imprisoned or murdered in the occupied territories, with those with prior military service at particular risk. Meanwhile, an initial lack of awareness of these dangers meant that large amounts of personal information were being insecurely collected in the context of large population movements across the country and beyond it. Urgency led to the recording of personal information, identity documents and relationships in insecure spreadsheets at locations near Ukraine’s borders, which were then translated and/or transmitted using insecure systems and apps, all presenting a soft target for exploitation by hostile actors. The weaponization of information as apparently innocuous as health records provides another vital lesson for countries that may at some future point find themselves under attack by Russia or any other state that may be inclined to adopt similar methods.