2022

Russia, Ukraine, and The Impending Cyberwar: What does it mean for us? Part 1

As soldiers are facing off in the streets, tanks are rolling through fields, and missile strikes are leveling buildings, a silent war is also being waged, and its consequences may be even more deadly without firing a single shot.

While there is debate over the definition, simply put, the term “cyberwarfare” usually refers to hacking, the gaining of unauthorized access to data or computers, when it is carried out by a state rather than an individual or cybercrime group. Hacking, or cyberattacks, can come in many different forms and are frequently categorized as “hard” or “soft” threats, but even these broad characterizations are often blurry. A hard threat would include forcing satellites to crash or otherwise disabling critical infrastructure, while a soft threat would include espionage or propaganda.

Soft threats occur on a daily basis and many of us have probably unknowingly experienced them, specifically cyber propaganda. Several states, notably Russia, employ vast numbers of fake social media accounts called social bots. As the name suggests, these accounts run mostly autonomously and engage in limited interactions with other users on social media platforms like Instagram, Twitter, and Reddit. These bots are used to spread misinformation, bias public opinion, influence morale, and produce artificial support or dissent. Most relevant today, social bots were used to generate phony approval for the Russian invasion of Ukraine.

While this is a somewhat harmless example of social bots being used to sway public perception, much more nefarious use cases also exist. A wartime example might be false information about a “safe zone” being propagated to draw fleeing citizens into a trap, or bogus reports of soldiers being overrun to demoralize defending troops.

Other soft threats include general espionage, such as the sustained, three-year-long breach of the Coreu communications network used by diplomats of the European Union that occurred in 2015-2018. Riding the line between soft and hard threats are Denial of Service (DoS) attacks, which aim to make a network resource unavailable. Typically, this is done by overloading the target's systems with excessive requests, or, more rarely, by physically disconnecting the target from the internet. These attacks can be as benign as taking down a single website, or as powerful as my new personal favorite example: in February this year, a single man knocked North Korea's internet offline with a few well-placed DoS attacks.

While soft threats can certainly have detrimental effects, hard threats are generally what people fear when they think of cyberwarfare, and rightfully so. These types of attacks can be used on their own or in combination with military actions, and can deliver devastating results in both cases.

Today, nearly every electronic device more complex than a light bulb includes at least a primitive computer; importantly, “computer” refers not only to appliances like laptops or smartphones, but also to less sophisticated microcontrollers that might accomplish functions like monitoring a temperature sensor. While your thermostat is unlikely to be the target of a cyberattack (although it has happened), a nuclear power plant would be a high-profile, strategic target for a belligerent nation or terrorist group, and both are theoretically susceptible to cyberattacks because of their integrated computers.

One of the most obvious, terrifying applications of a hard cyberattack would be seizing control of nuclear power plants, which could then be forced into a meltdown. While that is literally the “nuclear option”, less drastic actions would include simply depriving an area of electricity, which would still have devastating results. Cyber superpowers like Iran, China, and Russia all at least claim to currently have these capabilities, and an Iranian hacker group, likely supported by the government, even demonstrated this by depriving over 40 million Turkish citizens of electricity in 2015. Russia and China were both reported to have gained access to the US power grid in 2009, and when the current Secretary of Energy, a former Governor of Michigan, was asked in an October 2021 interview whether hackers had the capability to disable our electrical grid, she somberly stated, “Yeah, they do.” Other, more military-oriented uses of hard threats would likely focus on disabling missile defense and critical logistics systems to pave the way for a conventional assault and disrupt the opposing forces.

Combined arms theory is the idea of coordinating different types of combat units to act simultaneously and achieve an objective. This could be as simple as archers firing at the enemy until sword-bearing soldiers reach hostile lines, or as complex as the Germans in WWII developing modern doctrine to integrate infantry, armor, artillery, and air support. Why am I talking about combined arms? Because cyberwarfare is the newest component of combined arms warfare, and Russia is at its vanguard. We can think of cyberwarfare the way we think of other weapon systems, such as bombs, tanks, and soldiers: each is powerful on its own, but they amplify each other's effects when used together.

Most experts expected the Russian assault on Ukraine to open with calamitous cyberattacks to wreak havoc before a single tank crossed the border, but this didn't really happen. There is a lot of speculation about why, and of course, I have my own hypothesis. However, we likely won't know with certainty for years. While the strategic analysis of the Russian invasion is not the topic of this article, it is important to share that I believe the lack of cyberwarfare so far was a deliberate decision by the Russians, and I expect to see much more of it materialize in the future. Agreeing with me is former National Coordinator for Security, Infrastructure Protection, and Counterterrorism Richard Clarke, who says, “We still believe retaliation, including cyberattacks, is coming.”

My hypothesis for the lack of cyberattacks is based on a few variables, but largely centers on the idea of a “zero-day exploit”: the use of a vulnerability that the target is unaware of, or has only recently been alerted to and has not yet patched. The key limitation of a zero-day is that it is a perishable capability. Using it, especially for something as loud as wiping machines, tends to reveal the vulnerability to the target, who then patches it and closes that route for good; the same access can therefore be used only briefly or once. This was summarized by Jake Williams, a former National Security Agency hacker and faculty member at IANS, when he was asked why Russia had not engaged in more cyberwarfare: “If I wipe a bunch of their computers today, I can’t do that tomorrow. A big question is: When do you pull the trigger?” To put it more plainly, think of a personal cell phone with a password. You assume that nobody else knows the password, but unbeknownst to you, a friend (a bad one) has secretly obtained it. They occasionally go through your phone but never do anything else, until eventually they delete and install some apps. The next time you use your phone, you notice these apps, conclude that somebody has discovered your password, and change it. Now the password your strange friend memorized no longer works, and they lose access to the phone.

In the context of the current conflict, I believe Russia is all too aware of the limitations of zero-day exploits and of US-Ukrainian cyber collaboration. Accordingly, they do not yet wish to play their potentially powerful hand. As an act of both support and self-interest, the US has offered continuous cyber aid to Ukraine, and while this is certainly helpful for Ukraine, it also gives US teams the chance to interact with and investigate Russian cyberattacks. I hypothesize that Russia is first going to attempt to improve its strategic position by encircling major cities, controlling major transportation corridors, and seizing or destroying other objectives, specifically Internet Exchange Points and Internet Service Provider facilities (the Ukrainian counterparts of Comcast, Cox, etc.).

Without diving too deep into the architecture of the internet, it’s important to understand a few key concepts. The internet is composed of tens of thousands of networks called Autonomous Systems (ASes), many of which are Internet Service Providers (ISPs). No single AS has direct connections to every device on the internet; it connects only the devices on its own network. This means that multiple ASes must interconnect at physical locations so that computers on different networks can communicate. The shared locations are called Internet Exchange Points (IXPs), and they also frequently provide the place where consumer ISPs connect to trunk lines, or the internet backbone: high-capacity subterranean or submarine fiber-optic cables used to carry data long distances, often internationally. ASes also interconnect privately and through paid transit outside of IXPs, which is part of why a full cable map looks far messier than a backbone diagram.

Figure 1 depicts the RETN internet backbone and its data centers. The RETN backbone appears to be the single most used path for web traffic in Ukraine. Map provided by RETN.

Physically controlling these important internet nexus points would yield an enormous amount of power over the internet in the region, and this technique is exactly how countries like China and Russia conduct their digital censorship. Up until 2015, the Chinese government only allowed three points to be connected to the global internet: Beijing, Shanghai, and Guangzhou. This made it relatively easy to control international internet traffic through the Great Firewall, the program that facilitates most Chinese internet censorship. Both China and Russia also impose strict rules on their respective ISPs to control access to content through various methods. Within their own borders, these governments enforce those policies through legal means.

In Ukraine, Russia could simply destroy all of these nexus points to disable the internet for the majority of the country, but I suspect they have other goals in mind. Some points will likely be targeted for annihilation, but many will be left in place. While they may not be able to impose their internet policies on Ukrainian ISPs through legal means, a few well-placed soldiers and tanks outside of data centers are likely to make Ukrainian ISPs more amenable. In fact, we have already seen exactly this behavior in Crimea in 2014, when armed guards forced the staff of Ukrtelecom, a major Ukrainian ISP, to abandon their office and allowed Russian-backed Krymtelekom to commandeer operations. Once Russia gains control of key data centers, it will be able to locally implement internet traffic control through ISPs, route traffic through Russia, and threaten to disconnect the internet almost entirely. Rerouting traffic through Russia would also subject it to the Runet, Russia’s internet, which employs control technology jointly developed with China.

Once the Ukrainian internet is placed in a stranglehold, Russia may begin to conduct cyberattacks with impunity, and allies like the US would struggle to deliver cyber aid through the new Digital Iron Curtain. Russian propaganda would dominate the internet, encircled cities would have their utilities disabled to enhance siege effects, and air-defense systems could be rendered useless, finally delivering air supremacy to Russia. Importantly, the global audience would no longer be able to bear witness to these events, as Ukrainian social media access would be revoked. During the chaos, corporate and government cybersecurity operatives will likely be focused on their survival rather than going to the office, if it’s even still standing, and Russian cyberwarfare teams could use this opportunity to attack unguarded systems. Long term, this could be used to hold the Ukrainian economy and population hostage, as corporations that refuse to cooperate with their new leaders are threatened with the dismantling of their digital systems and the loss of their data. In January this year, as a prelude to the invasion, similar attacks compromised government computers and displayed a message stating that the computers would be wiped, rendering them unusable, and that sensitive information would be released to the internet for exploitation. It appears the data was neither wiped nor released, but that is clearly within the attacker’s capabilities.

So, how achievable is this for the Russians? The answer is somewhere between “easier than you would think” and “very difficult”. The subterranean internet backbone of Ukraine is supplied by a single provider, RETN, and runs through a few major cities like Kiev, Odessa, Lviv, and Kharkiv, as seen in Figure 1. Internet Exchange Points, displayed in Figure 2, are also found in just seven Ukrainian cities. Russia has already secured or is seriously threatening five of these cities. With the seizure of Kiev and Odessa, the latter of which also lands the ITUR and BSFOCS submarine fiber-optic cables, most cities east of that line would be forced to route internet traffic through Russia. Acquiring five out of seven major data center locations would also profoundly aid in governing the internet: even if the westbound RETN trunk line is not under Russian control, local traffic passing through those centers can still be rerouted through the Runet and censored by newly implemented rules. We have already seen this tactic employed by both states in the Donbas region before the invasion, as each country fought to have packets travel through its own jurisdiction.

Figure 2 depicts the locations of the Internet Exchange Points (IXPs). All of Ukraine's IXPs are located within seven cities: Kiev, Kharkiv, Donetsk, Mariupol, Odessa, Lviv, and Ivano-Frankivsk. Map provided by TeleGeography.

Of course, this description is an oversimplification of the situation, and it is within these very complexities that Ukraine may be able to mount a formidable defense. First, Figure 1 is a seemingly simple depiction of a fiber-optic network that is actually very complex. By comparison, Figure 3 shows that the infrastructure is vastly more interconnected than “every connection runs to seven data centers and converges on the RETN backbone”, and even that cable map is incomplete. Tier 2 ISP Ukrtelecom, the company forced out of Crimea, alone has sixteen international exits to bordering countries. Atrakom, a major fiber-optic cable company, also has several exit points, as seen in Figure 4. In total, I was able to identify 32 international exit points. This means that Russia may not be able to assert complete command over every corner of Ukraine’s internet, let alone disable the internet completely, thus keeping a portal open for foreign cyber aid. With those intricacies in mind, controlling the vast majority of Ukraine’s internet, with a few leaks, seems entirely possible, and I would argue probable.
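The chokepoint argument running through the last few sections (ASes that reach each other only through a handful of IXPs, five of seven of which Russia could hold, versus the 32 international exits that may keep leaks open) can be checked on a toy topology. What follows is an added example written for this page, not code from the original post or from any operator named in it; the network names and links are constructed for illustration and are not a real Ukrainian topology. It separates two outcomes the discussion blurs together: an IXP that is destroyed (removed from the graph) cuts networks off, while an IXP that is seized but kept running (the Crimea pattern) lets the occupier observe or reroute every path that transits it, unless a network has an alternative exit of its own.

```python
"""Toy chokepoint analysis: which networks lose their foreign exits when
IXPs are destroyed, and which ones can be made to transit a seized IXP.

All node names and links are constructed for illustration (hypothetical,
not a real topology). "as-*" are networks, "ixp-*" are exchange points,
"exit-*" are border crossings to foreign networks.
"""
from collections import deque

TOPOLOGY = {
    "as-east":    {"ixp-A", "ixp-B"},
    "as-south":   {"ixp-B", "ixp-C"},
    "as-central": {"ixp-A", "ixp-C", "ixp-D"},
    "as-west":    {"ixp-D", "exit-W2"},        # a private exit of its own
    "ixp-A":      {"as-east", "as-central", "exit-E1"},
    "ixp-B":      {"as-east", "as-south"},
    "ixp-C":      {"as-south", "as-central", "exit-S1"},
    "ixp-D":      {"as-central", "as-west", "exit-W1"},
    "exit-E1":    {"ixp-A"},
    "exit-S1":    {"ixp-C"},
    "exit-W1":    {"ixp-D"},
    "exit-W2":    {"as-west"},
}


def reachable_exits(topology, start, blocked=frozenset()):
    """Exits reachable from `start` without passing through any node in
    `blocked`. Breadth-first search over the undirected graph."""
    if start in blocked:
        return set()
    seen, queue, found = {start}, deque([start]), set()
    while queue:
        node = queue.popleft()
        if node.startswith("exit-"):
            found.add(node)
        for nxt in topology.get(node, ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return found


def cut_off_networks(topology, destroyed):
    """Networks left with no path to any exit once `destroyed` IXPs are gone."""
    return sorted(n for n in topology
                  if n.startswith("as-")
                  and not reachable_exits(topology, n, destroyed))


def must_transit(topology, start, controlled):
    """True if every path from `start` to a foreign exit passes through a
    node in `controlled` (seized but still running): the occupier can then
    observe, censor or reroute all of that network's foreign-bound traffic."""
    return (bool(reachable_exits(topology, start))
            and not reachable_exits(topology, start, blocked=controlled))


if __name__ == "__main__":
    seized = {"ixp-A", "ixp-B", "ixp-C"}      # three of four IXPs held
    print("cut off if destroyed:", cut_off_networks(TOPOLOGY, seized))
    for net in ("as-east", "as-south", "as-central", "as-west"):
        print(net, "fully transits seized IXPs:", must_transit(TOPOLOGY, net, seized))
```

In this constructed topology, holding three of four IXPs is enough to capture all of as-east's and as-south's foreign traffic, but as-central and as-west keep an independent route out through ixp-D and the private exit-W2, which is the "few leaks" situation described above. Running the same two functions over a real AS-level graph, with each of the 32 exits as an "exit-" node, is how one would test the hypothesis rather than eyeball it from Figures 1 through 4.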

Figure 3 shows a more comprehensive map of major fiber-optic data cables. Map provided by ITU.INT.

We have yet to see how much of this, and what else, will actually unfold, but developments with potentially even greater global impact are already occurring. As hacktivist groups around the world align themselves with the West or with Russia, the cyberwar is escalating. Already, Western-aligned, non-government cyber groups have reportedly taken control of railway systems in Belarus and are allegedly targeting Russian nuclear power plants. Many hacktivist groups probably feel they are fighting the good fight, and perhaps they are, but with that comes enormous potential for spillover.

Please revisit our page soon to read Part II where the global implications of the cyberwar will be discussed.

Figure 4 is a map of Atracom's fiber-optic cables in Ukraine. Red circles containing an M signify locations where the fiber-optic cable crosses into another country. Map provided by Atracom.