Russia Ukraine War: Cyberspace Operations
Papadakis Konstantinos, Cyber- Information Warfare Analyst & Cyber Defense/Security Consultant
Russia Ukraine War
Cyberspace Operations
In general
In the ongoing Russian-Ukrainian war, Russia, in parallel with conventional operations,
conducts a set of information operations which include psychological operations, cyber
warfare operations and disinformation operations. In this type of operations, Social Media,
telecommunications, mass media, and Internet providers play an important role in both
disseminating information about the war and shaping public opinion.
As far as the digital perspective of the conflict is concerned, it can tentatively be characterized as a
high-intensity¹ hybrid conflict² in cyberspace, or better in the wider unified informational
environment of which both cyberspace and the electromagnetic field are considered a part.
Analysis
1 The so-called high-intensity conflicts are symmetrical conflicts involving armed forces that use modern, large-scale technological
means. Practical examples that differentiate these conflicts from low-intensity conflicts are the absence or very limited use of
organized guerrilla warfare, the use of nuclear or non-nuclear ballistic attacks, the deployment of unusually large forces
(quantitatively and qualitatively) by sea, air and land (tanks, destroyers, bombers, etc.) and the declaration of war from one country
to another.
2 Hybrid conflict is a type of conflict that combines many unconventional methods of warfare, such as disinformation,
manipulation of public opinion, economic warfare, sabotage, terrorism, cyber attack, and guerrilla warfare. Actors involved in a
hybrid conflict may include states, terrorist groups, militias, private companies and individuals. Hybrid conflicts are often of
increased complexity, as the actors involved may have different objectives and different methods of combat. It can be difficult to
determine who is responsible for actions in a hybrid conflict, as the actors involved may use plausible deniability tactics to hide
their involvement.
Russian strategy in the broader information environment has been influenced by
General Gerasimov's vision³, as it was shaped by the evolution of the mode of conflict in the
early 2000s toward hybrid conflicts and a blurred line between war and peace.
The new conflict perspective accepts that:
• The form of wars is changing, and the new trend requires the strengthening of the
influence on public opinion and civilian levers of pressure.
• The knowledge of information environment and cyberspace, from a technical and
tactical point of view, and its use as a lever of influence is now fundamental and imperative.
Russia
Russia does not talk about cyber security but about information warfare.
As indicated by the evolution of the Russian vision of the conflict and the blurring of
spatiotemporal boundaries between peace and war, as well as the evolution of modern conflicts towards
a hybridization between conventional and unconventional levers of power, Russian elites see cyberspace
as part of the wider information environment within which information superiority should be acquired
and maintained.
Therefore, they have created their own concept of what Westerners call "cyber security" under
the name "information security". Apparently, the same logic carries over from the defensive side to the
offensive side, where they refer to "information warfare" instead of cyber conflict. The Russian definition
includes, in addition to the vision of classical cyber security, a psychological and a cognitive dimension
which, with the help of technical means, can make it possible to control the information environment.
The information environment is not a transit space but a space that must be controlled with a
long-term perspective as it is a flexible space that allows influence in times of peace and dominance in
times of war. This fundamental understanding of information warfare has expanded beyond the
traditional Western approach to cyber security and is presented as follows by the Russian Ministry of
Defense:
"...Information warfare is a confrontation between two or more states in the information environment
aimed at causing damage to information systems, processes and resources, critical and other structures,
undermining political, economic and social systems, mass psychological manipulation of population to
destabilize society and the state, as well as forcing states to make decisions in the interests of the
opposing side...".
Considering the above new understanding, Russia proceeded with the following basic steps:
• Reorganized (quantitatively, qualitatively, institutionally) its cyber units into information
operations forces capable of supporting a set of information activities through cyberspace.
• Incorporated into its operational planning, private groups (hacktivist groups), to
upgrade technical capabilities in the field of cyberspace and to address problems such as assigning
responsibility for attacks on political targets or other countries outside of Ukraine.
A typical example is the KillNet network, which consists of several hacktivist cyber
groups of the same orientation and aims at:
o Publicity, which allows them to wage a war of influence aimed at hurting the
morale of the European population.
o Strengthening the image that Russia could intervene even where it
does not have troops.
3 This vision was confirmed by General Gerasimov in 2019 at the conference of the Academy of Military Sciences, where he
emphasized the importance of hybrid tactics and knowledge of asymmetric warfare:
“In modern conditions, the principle of waging war has been developed based on the coordinated use of military and non-military
measures [...] our Armed Forces must be ready to conduct wars and armed conflicts of a new type using classical and asymmetric
methods of action. Therefore, the search for rational strategies for waging war with various adversaries is of prime importance to the
development of the theory and practice of military strategy.”
o Strengthening the belief that European governments are not capable of
protecting their infrastructure and citizens on all fronts and fields.
o Concealing, through publicity, the actions of infiltration groups that constitute long-
term threats (Advanced Persistent Threats, APT).
• Enriched its arsenal with new types of cutting-edge cyberweapons (deletion software,
ransomware, etc.), which are undetectable and capable of creating serious problems for opponents.
Modus Operandi
Russia plans, conducts, and coordinates the following operations, as part of an upgraded cyber-
based information operations plan aimed at gaining information advantage in the broader information
environment:
• Initial contact operations on targets inside and outside Ukraine, with the aim of covertly
penetrating information systems and the purpose of their subsequent attack and destruction or
prolonged espionage and intelligence gathering.
• Targeted attacks (mainly within Ukraine) using malicious data deletion software (wiper-type
destruction malware), with the aim of destroying the targeted information systems and creating feelings
of confusion and disorientation for decision makers.
• Distributed Denial of Service (DDoS) attacks, with the direct effect of interrupting (for a certain
time) the offered website services and indirectly creating appropriate psychological effects (fear,
mistrust, etc.) in selected audiences. Attacks of this type aim for morale impact, attempting to create
and maintain a sense of insecurity about systems and infrastructure among targeted populations by
allowing sustained socio-political pressure to be maintained at low cost alongside a political or military
conflict. It also gives a political advantage (“leverage advantage” system)⁴, conducting aggressive
retaliatory operations without diplomatically or militarily involving the state organizing the attackers.
• Attempts to alter the content of websites (defacement), with the direct effect of altering their
content and indirectly disorienting and misinforming their audiences.
• Disinformation campaigns targeting different kinds of audiences:
o The Russian population, aiming to maintain support for the war.
o The Ukrainian population to undermine their confidence in Ukraine's ability to resist
Russian aggression.
o The European and American public to cast doubt on Western unity against Russia and
the importance of supporting Ukraine and dealing with domestic issues.
• Collecting intelligence through infiltrating networks and targeting governments outside of
Ukraine that are part of the coalition of countries supporting it. The main target is government agencies,
followed by NGOs (either humanitarian groups involved in aiding the civilian population or think tanks
providing foreign policy advice). Subsequently, several companies in critical sectors such as energy,
defense or IT have been affected by Russian cyber-espionage aimed at supporting its war effort.
4 The "leverage" system refers to the use of some resource or mechanism in order to achieve better results and with greater
impact than would be possible using only basic resources.
In finance and business, the concept of "leverage" often refers to the use of financial instruments, such as loans, in order to increase
the financial impact of an investment or business decision. In other words, using leverage allows a person or company to use a
little money to make a lot more money by taking advantage of the ability to borrow.
Leveraged advantage in cyber business refers to how a business can use technology and digital platforms to strengthen its
competitive position and create benefits. In cyber, the concept of leverage refers to how businesses can use technology, data and
digital platforms to enhance their operations, improve performance and create new opportunities. This may include the
development of new technological solutions, the effective use of data for decision-making, and the integration of digital platforms
to upgrade services and processes. By using leverage properly, cyber businesses can achieve a competitive advantage and enhance
their ability to provide effective services and products.
• Influence operations, many of which are conducted via the Internet and social media (SMS),
and which have regularly been enhanced through the links gained between cyber and hacktivist groups in
the wider information environment. The new tactics are implemented in specific steps:
o First, Russian influence groups are trying to weaponize the fact checking process to be
able to spread the Kremlin's narratives.
o Second, pro-Russian groups are constantly spreading information purportedly from
leaks online targeting politicians and governments that support Ukraine.
o Third, the Russian government and its associated entities often organize press tours
throughout the occupied Ukraine in order to have international communication coverage from friendly
media and to facilitate the achievement of communication goals.
o Fourth, in addition to the operations targeting Moldova, Russia continues its influence
operations in the Ukrainian region and across Europe to widen the audience divide,
discredit pro-Ukrainian leaderships, and promote pro-Russian networks in these regions.
The targets of Russian cyberattacks inside and outside Ukraine are:
• Government Websites.
• Media websites.
• Banking system and financial institutions.
• Military infrastructure.
• Critical infrastructure: Energy, water supply, transport.
• Satellite communications.
UKRAINE
Although Ukraine has limited counterattack capabilities in the cyberspace domain, it has
attempted to strengthen its cyber defenses through the following actions:
• Reorganization and upgrade of state cyber security services.
• Formation of an IT "army" with the participation of international volunteers.
• Involvement of the entire Ukrainian cyber community in the country's cyber defense.
• Public and Private Sector Partnerships.
• External assistance which includes:
o The exchange of cyber threat information.
o The dispatch by the EU and friendly countries of teams to deal with cyber-incidents.
o Participation of external hybrid actors (hacktivists) in cyber operations against Russia.
In retaliation for the Russian attacks, Ukraine has launched a large number of denial of service
(DDoS) attacks as well as data deletion attacks. Targets include Russian government targets, information
systems of large Russian media companies, financial institutions, defense installations, power grids and
railways.
As part of the cyber counterattacks, independent hackers from around the world have
intercepted and exposed Russian government and financial data, such as emails, information related to
banking activities, energy production and propaganda activities as well as classified details regarding
the Russian ED and the action of agents of the Federal Security Service (FSB). This sensitive information
is then shared with global activists as a way of punishing Russia for its crimes in Ukraine.
A side effect of the hackers' recent activities is their success in wreaking havoc on Russian cyber
systems and shattering the perception of Russia's impregnable cyber defenses.
European Union
In its resolution of 1 March 2022, the European Parliament called for the immediate and full
implementation of all decisions that would improve the EU's contribution to strengthening Ukraine's
defense capabilities, including cyber security. In addition, the Parliament urged the EU, NATO and other
like-minded partners to step up their assistance to Ukraine in the cyber field, while calling for the full
activation of the EU cyber sanctions regime against individuals, entities and bodies responsible for or
involved in cyber-attacks against Ukraine.
EU actions can be summarized as follows:
• Enhancing the resilience of the communications infrastructure.
Keeping Ukraine's telecommunications services operational is critical to ensuring the normal
functioning of the Ukrainian government, as well as alleviating the humanitarian crisis.
• Ban Russian propaganda in its war against Ukraine.
Combating war propaganda and disinformation is a particularly pressing issue in Russia's war
• Strengthening the EU toolbox against disinformation.
There are already proposals to increase the funding of Task Force East StratCom and to expand
the EU's early warning system on disinformation to cover Ukraine and other interested parties.
• Support Ukraine's fight against cyber threats.
A cyber rapid response team of EU experts has been deployed for this purpose.
• Strengthening the EU's cybersecurity capabilities.
Further initiatives to ensure the resilience of Europe's electronic communications
infrastructure and networks have been announced, including more cooperation at operational level, a
future cyber resilience act and the creation of a contingency fund for cyber security.
• Limit Russia's access to dual-use technologies.
The EU sanctions adopted on February 25, 2022 are primarily intended to limit Russia's access
to critical advanced technology. Dual-use technologies – specifically those that can be used for both
peaceful and military purposes – such as semiconductors or cutting-edge technologies, radio
communication technology and crypto-assets, must not be sold or otherwise provided for use in Russia
or a Russian entity.
CHINA
It is now known that Chinese hackers are carrying out cyber attacks against Ukraine, although
we can only speculate as to whether these (attacks) had any kind of state support. It is also known that
Chinese hackers taking advantage of the current conflict are carrying out cyber operations against
Russia as well.
The two-way relationship between China and Russia in the wider information environment and
especially in the field of cyberspace is implemented in two operational axes:
• Conducting cyber operations (attacks) before and during the Russian-Ukrainian conflict.
• Redoubling targeting and penetration efforts on both Ukrainian and Russian targets.
Key Points-Conclusions-Lessons
Lateralization and spreading risks.
The interconnectedness of information systems and the involvement in the cyber-operations of
independent hacktivist cyber-groups, with little or no state control, increases the risks of the spread of
cyber-attacks or their results beyond Ukraine.
The threat of cyber attacks on European soil has two aspects:
• First, attacks against Ukrainian networks could spread to European networks.
• Second, Russia could choose to launch direct attacks on European targets through its
intelligence services or cyber-criminal groups in order to disrupt Western actions in the Ukraine crisis.
Major Attacks and High Intensity Conflict
In the event of an escalation of the means applied and the radicalization of the conflict, the
intensity of operations in the wider information environment, and in particular in cyberspace, may also
increase. It is therefore important, first of all, to return to the characteristics that it possesses and that,
under certain conditions, allow it to propose solutions where conventional means may be limited.
The issue of pre-positioning
When setting credible scenarios, the issue of preemption is essential because it allows Russia to
define a precise location for an attack on an organization, thus maximizing tactical and strategic results.
To prevent effective pre-positioning of Russian actors on Ukrainian systems, the US is
conducting defensive strike actions to disable the offensive capabilities of the Russian threat that have
already compromised Ukrainian infrastructure.
Malware as a service (MAAS)
It should be noted that today cyberweapons do not have to go through all the production
phases, as almost everything is now available "as-a-service". In recent years, the possibility
of acquiring "malware as a service" (MaaS, Malware-as-a-Service) or "cybercrime as a service" (CaaS,
Cybercrime-as-a-Service) has emerged.
Malicious Network Control & Management as a Service
Command & Control as a service (C2aaS)
"Malicious Network Control" (C2aaS-C2 as a Service) services are becoming increasingly
available in the market. These services are designed to give technically inexperienced actors with few
resources the ability to launch primarily distributed denial of service (DDoS) cyberattacks. Such a service
offers a fleet of malicious computers (bots) to be used in attacks (DDoS). These capabilities suggest that
the number of cyber-actors in the Russian-Ukrainian conflict could increase along with the capabilities
of these low-cost services.
Hacker for hire
(Hacker for Hire or hacker-for-hire proxy or Hacker as a Service, HaaS)
Russia's choice to use hacker-for-hire proxies to pursue its tactical and strategic goals allows it
to maintain a high level of denial of responsibility for its actions.
Risk of conflict escalation in the space field
Satellite infrastructures are essential systems in wartime as they allow the coordination of
ground troops through imagery and telecommunications. In this light, disrupting the adversary's
satellite infrastructure during operations allows significant tactical advantages to be gained in the
military field. Russia has anti-space or anti-satellite (ASAT) capabilities, both kinetic (e.g. missiles, laser
systems, etc.) and non-kinetic (US, cyber weapons), capable of causing physical and virtual, reversible
and targeted damage, making attribution complex.
Russia's military leadership views cyber weapons as a substitute and/or complement to Electronic
Warfare weapons, implying their possible use together in an operation (a US operation could precede
a cyber-attack on a system based on space and vice versa).
Military sector
Key observations and conclusions
Cyber attacks are capable of disrupting command and control (C2C) systems, which are critical
to the coordination and conduct of military operations. Attackers have the ability to infiltrate such
systems and interfere with communications to disrupt the decision-making process. Cyber-attacks
against the military sector can lead to the exposure of coordinated forces, leakage of military traffic
and/or planned offensive/defensive action data, making the protection of the military sector critical to
protecting personnel, equipment and gaining/maintaining superiority against the enemy.
Ukraine's military cyberspace is a high-intensity battleground with ongoing threats and attacks,
originating from different actors and different countries, mostly aimed at stealing data, conducting
espionage, and destroying assets in an effort to create an immediate and indirect impact on Ukraine's
ability to fight.
Ukraine had to significantly accelerate the development and strengthening of its cyber
capabilities in the military sector with new capabilities that upgrade "traditional" cyber defense
solutions:
• A separate unit within the military structure responsible for cyber defense, capable of
conducting intelligence acquisition activities, cyber operations, cyber information operations.
• Establish a mechanism to attract the necessary number of experts to repel cyber aggression.
• Ability to quickly create new secure communication channels, software solutions.
• Rapidly investigate new threats, deliver research results to cybersecurity entities as well as
produce, review and edit incident response plans.
• Establishing constant communication with foreign partners from military and commercial
sectors.
• Adaptation of rapidly developing cyber-protection systems to existing legislation and
regulatory directives.
• Although not specific to cyber defense, rapid deployment of GSM/4G communication towers
is recommended in case of military conflict or natural disaster. These are self-propelled (generator)
vehicle-mounted communication towers that span locations suffering from power outages and provide
voice and data communication via satellite or line-of-sight link, and can cover a range of 3-6 km.
Digital services in support of the war effort
Traditional communication and information channels (television, radio, news, etc.) are still
important but do not allow rapid warnings of dangerous events, such as airstrikes or artillery strikes,
natural disasters and cyber threats.
There is also a significant need for different kinds of feedback from the population, such as information
about enemy military units in occupied territories, damaged critical infrastructure, etc. Mobile internet,
various messenger systems and special mobile applications are some of the modern digital services that can
best serve in this role.
On the other hand, the introduction of digital services increases the risk of cyber threats, both
to the services and to their users.
Here are several examples of digital services that have been created in Ukraine in support of
the war effort:
SERVICES

SERVICE: National roaming
DESCRIPTION: National roaming made it possible to connect to the network of other operators if the
connection was lost.

SERVICE: Emergency Population Warning System
DESCRIPTION: The new notification system works on the basis of Cell Broadcast technology, which
has significant advantages over SMS notification: faster receipt of notifications,
flexibility in choosing locations to be notified and the presence of an audio signal even
if the sound on the subscriber's smartphone is turned off. It is not necessary to install
anything specific on the phone; all Ukrainian users can receive the signals.

SERVICE: Telegram bot
DESCRIPTION: Owned by the Security Services of Ukraine, @stop_russian_war_bot was created by the SSU
at the beginning of Russia's large-scale invasion to allow people to send alerts
about enemy troops and vehicles, their locations, movements, war crimes,
collaborators, etc. On October 18, 2022, it was reported that the bot had received over
100,000 messages from Ukrainians. This helped destroy hundreds of units of enemy
military equipment and even eliminate several Russian generals.

SERVICE: Interactive map of the territory
DESCRIPTION: The State Emergency Service of Ukraine has developed an interactive map of areas
potentially contaminated with explosives. This map shows the locations where
explosive devices have already been found or are likely to be found and the level of
threat they pose, according to information available to the State Emergency Service
(detection error is up to 30 meters). There is also a corresponding app for mobile
phones (both Android and iOS) with an interactive map, as well as recommendations
on how to detect dangerous objects, safety instructions, etc. It also contains an alert
function with an instant signal if the person enters the red zone.

SERVICE: eVorog Bot
DESCRIPTION: Telegram bot developed by the Ministry of Digital Transformation of Ukraine, fully
integrated with Diia (Ukraine digital service), with advanced functionality to detect:
• Enemy equipment and troops.
• Activities of pro-Russian partners.
• Explosive or suspicious objects.
• Photos/videos of Russian military personnel in demilitarized settlements.

SERVICE: єППО
DESCRIPTION: An air raid prevention warning system.
Ukraine has created a mobile phone application that will help air defense units fill in
radar information about aerial targets for their subsequent destruction.
How the application works: if a person visually detects an aerial target, for example, a
missile or a kamikaze drone, they must open the єППО application on their smartphone,
select the type of aerial target, point the smartphone in the direction of the target, aim at
it and press the big red button. In this way, the data of the target (position, type,
etc.) end up directly in units of the Ukrainian Air Defense.

Ukraine has demonstrated expertise with the widespread use of digital technologies to ensure
stable communications between the population and state management bodies and vice versa during
the crisis period.
Communication methods demonstrate the importance of the population's sustainable access
to communication services and the internet, as well as informing all citizens of any potential threats,
thus allowing them to assist the armed forces in locating the enemy.
Each country or alliance should consider having a well-developed, tested and reliable public
communication and early warning system.
It is also worth noting that a stand-alone system is not sufficient in today's complex
communication landscape, and for this reason state security agencies and state government agencies
should maintain an online presence within such networks as Signal, Telegram, Twitter and others. The key
point is that accounts on such platforms must be verified and trusted. Trust and confidentiality in such
accounts must be at a high level to avoid impersonation or misinformation.
General Conclusions
The use of cyberspace as a field for conducting operations actually first started in 2007 with the
cyber attacks in Estonia and continued with the attacks in Georgia in 2008, where cyber attacks and cyber
influence operations were used alongside conventional operations.
The full integration of such operations into the entire military effort occurred during the war in
Ukraine, where cyber operations played, and continue to play, an important role even before the start
of conventional operations, crippling the offensive and defensive capabilities of the adversary, thereby
affecting his morale. Actions in cyberspace on the part of Russia had as their main objective the support
of conventional, mainly ground operations, but also the creation of appropriate psychological effects
on specific target audiences.
According to the statistical report of the State Cyber Protection Center of Ukraine, in 2022 there
were 2.8 times more cyber incidents than in 2021. The number of cyber incidents related to the spread
of malware and information recovery increased by 18.3 and 2.2 times respectively.
The number of detected incidents related to Russia increased by 26%. In 2022, 2194 cyber
attacks were detected and officially investigated (1655 as of February 2022).
Russia's aggressive cyber operations, along with electronic warfare, have failed to disrupt
Ukraine's command and control (C2) system and its critical private and public infrastructure for an
extended period of time. Ukraine, with the help of private companies and Western governments, has
managed not only to mitigate the majority of cyber-attacks against its infrastructure but also to develop
offensive cyber-capabilities of its own.
The biggest cyber threat to Ukraine is the hacker groups associated with the FSB, the GRU and
the SVR. To a lesser extent, financially motivated hacker groups and pro-Russian hacktivist groups also
pose a threat. The most active hacking groups are Sandworm, APT28, EmberBear, Turla, Gamaredon,
Calisto and APT29, while KillNet, NoName057, People's Cyber Army, Xaknet Team and RaHDit are the
most active pro-Russian hacktivist groups.
Findings in the Field (Cyberspace)
The two years of war in Ukraine have provided several conclusions regarding the use of cyber
capabilities during a conventional conflict:
• Russia developed and exhausted its initial cyber capabilities shortly before and during the
invasion on February 24, 2022. Russian cyber operations aimed to undermine Ukraine's military
operations and its economic and government sectors, to gain access to critical infrastructure, and to deny
the public access to information. Many attacks targeted Ukraine's critical infrastructure with the aim
of disrupting its operations.
• Russian cyberattacks have failed to create a serious long-term problem in Ukrainian critical
infrastructure.
• The Russians focus mainly on Distributed Denial of Service (DDoS) attacks, propaganda and
defamation operations, and phishing operations. As a result, Ukraine pays more attention to the specifics
of such attacks.
• Russia is trying to find new allies to help it in its cyber/military operations, which will potentially
create more damage as it tries to achieve its goals, possibly turning to China, which hopes to take an active
part in the geopolitical situation in Europe.
• It is almost certain that Russian state-sponsored cyber threat actors will continue their
activities in furtherance of the Russian military's strategic and tactical objectives in Ukraine.
• Although Russian cyber-activities are mainly focused on targets in Ukraine, there is a high
possibility that the attacks will be transferred-expanded (diffusion) to Europe and the countries that
support Ukraine.
• Given Russia's focus on destroying or creating a significant problem in Ukraine's critical
infrastructure, it is safe to assume that cyber operations are and will be used in the future within cross-
sectoral operations planning in support of conventional mobile warfare operations.
• Ukraine managed to limit the damage to its infrastructure by moving many of its services to
cloud infrastructure outside the country. After each cyberattack, Ukraine's infrastructure systems became
less vulnerable. Although defense was initially the main priority in infrastructure protection, over time
the strategy has changed to an offensive one.
• Cooperation between institutions, organizations and states is a critical factor in maintaining
infrastructure protection at a high level.
• Cyber security is no longer a matter for experts. In every country, people are the first line of
defense against cyber attacks.
• For most countries, defense against a military invasion requires the ability to export and
distribute their digital operations beyond their borders to other countries.
• From the beginning of the conflict, Russia targeted Ukraine's information infrastructure with
both conventional (missiles) and digital means (wipeware). However, Ukraine has managed to move a
large part of its civil and military digital infrastructure to cloud hosting, mainly outside the country,
and thereby protect it.
• Recent advances in cyber threat intelligence and end-point protection have helped Ukraine
counter a large percentage of Russia's devastating cyber attacks.
In today's conflict, Russian cyberattacks are different from those seen in 2017 with the case of
the NotPetya malware. In this particular attack (2017) destructive malware was used which had the ability
to spread uncontrollably across interconnected systems within and outside the country. Today's Russian
attacks have seen a reduction in the spread of malware outside of Ukraine while increasing the effort to
synchronize cyber-attacks with the corresponding conventional operations. Defenders' use of artificial
intelligence (AI) threat intelligence processes as well as endpoint protection solutions enabled the rapid
distribution of software/protection code to detect and counter attacks.
• As a coalition of countries has assembled to defend Ukraine, Russian intelligence services have
stepped up efforts to spy on and infiltrate information networks, targeting allied governments outside
Ukraine.
Infiltration actions have been detected in 128 organizations in 42 countries outside of Ukraine.
The main targets are countries that support Ukraine, such as the USA, Poland, the Baltic countries,
Denmark, Norway, Finland and Turkey, as well as other NATO countries. The list of targets in these countries
includes government infrastructure, think tanks, humanitarian organizations, IT companies, energy and
critical infrastructure and their support companies.
• In conjunction with existing cyber activities, Russian agencies are conducting corresponding
global cyber influence operations in support of their war effort.
These operations combine tactics developed decades ago by the KGB with new digital
technologies and the Internet to give influence operations greater geographic coverage, speed,
adaptability, more precise targeting, and greater power. With sufficient planning and know-how,
such operations can take advantage of the immediacy and breadth of democratic societies.
The Russians focused their influence operations on four target audiences:
o Russian population: Continued support of the war effort.
o Ukrainian population: Undermining confidence in the country's will and ability to resist
Russian attacks.
o American and European audiences: Undermining Western unity and deflecting criticism of
Russian war crimes.
o Non-allied audience: To maintain support for Russia in the UN and other organizations.
Russian cyber influence operations are directly linked to tactics created for other types of cyber
operations, such as the Advanced Persistent Threat (APT) tactics of the Russian intelligence services
and the Advanced Persistent Manipulation (APM) teams that are associated with government agencies
and operate through social media and digital platforms.
These cyber influence operations planted narratives in much the same way that other cyber
operations planted malware on information systems. They then launched broad and simultaneous
"reporting" of the specific narratives from websites that were under the control of the Russian
government, amplified through social media exploitation tools. Recent
examples include narratives surrounding biolabs and multiple attempts to cover up military attacks
against Ukrainian civilians. Russian cyber influence operations are estimated to have successfully
increased the spread of Russian propaganda since the start of the war by 216% in Ukraine and 82% in
the United States.
• Lessons from Ukraine require a comprehensive and coordinated strategy to strengthen
defenses against the full range of cyber operations whether they manifest in the form of destructive
cyber attacks, cyber espionage or influence operations.
While there are key differences between the above operations, the Russian government views
them as part of a broader information operation which, while having its own objectives and goals, is in
full sync with conventional operations. This new reality requires a completely different approach to
dealing with and preventing such threats.
The prevention of such threats should in principle be based on the following assumptions:
o Russian cyber threats are promoted by a common set of actors (groups, agencies, etc.) inside
and outside the Russian government who use similar digital tactics. As a result, advances in digital
technology, artificial intelligence and data management will be needed to address them.
o Unlike the traditional threats of the past, responses to these types of cyber attacks must be
based on greater public and private collaboration.
o There is a need for close and joint multilateral cooperation between governments to protect
open and democratic societies.
o Defense doctrine should support free expression and avoid censorship in democratic
societies, even as new steps are needed to address the full range of cyber threats that include cyber
influence operations.
The Future
Given the growing close cooperation between Russia and China and the latter's effort to
upgrade its geopolitical position, an increase can be expected in the espionage activities of Chinese
cyber groups, such as APT27, APT30, APT31, Ke3chang, Gallium and Mustang Panda, against EU and NATO
member states, alongside ongoing threats from politically motivated Russian cyber groups.
Given the significant experience and capabilities of Russian special services, it is also important
to protect data storage and transmission infrastructure and network equipment from unauthorized
access and software that could allow attackers to gain remote access to target systems.
The future will see an ever-increasing investment in both defensive and offensive cyber
capabilities, which is necessary to mitigate security risks. Organizations can significantly reduce their
vulnerability to cyber attacks by implementing strong cyber security measures such as firewalls, intrusion
detection systems and employee training programs. Additionally, having a comprehensive cyber
defense strategy can help minimize the impact of a successful attack. Investing in cyber defense is
essential self-defense for businesses and governments against the growing threat of cyber attacks. The
cost of a successful attack can be devastating, and the risks are growing as our world becomes more
digital.
The technology revolution has reached even the most everyday people around the world, and
cyber threats have followed. Cyber security is no longer just for professionals. People are the first line of
defense against cyber attacks in any country. They are often the first point of contact with potential
threats, and their actions can either increase or decrease the likelihood of a successful attack. Educating
people about the risks and using best practices can help prevent attacks and minimize damage if an
attack is successful. From providing information through state and private media such as television and
radio, to education and training in schools and universities, cyber awareness and defense must be taught
and trained.
The recent explosion of artificial intelligence (AI) technology has the potential to be a game
changer in cyber warfare. Artificial intelligence is already being used in cyber defense to identify and
respond to threats more quickly and effectively, but it may well be used by attackers to conduct
sophisticated cyber attacks.
One way in which artificial intelligence can be deployed in cyberwarfare is through the use of
machine learning (ML) algorithms to detect patterns and anomalies in network traffic. This could ensure
real-time detection of and response to threats and improve the speed and accuracy of cyber defense.
Another potential use of artificial intelligence in cyberwarfare is the development of
autonomous malware that can adapt and evolve in response to changing conditions. Such malware could
conduct cyber attacks that would be harder for defenders to detect and counter. Overall, while AI has
the potential to be a powerful tool for cyber defense, it also poses significant challenges for those
working in the field. As such, it will be important for cybersecurity professionals to develop new
strategies and tools to address the threats posed by artificial intelligence in cyberwarfare.

Russia Ukraine war Cyberspace operations (2022-2024)

  • 1. Russia Ukraine War: Cyberspace Operations Papadakis Konstantinos, Cyber- Information Warfare Analyst & Cyber Defense/Security Consultant Russia Ukraine War Cyberspace Operations In general In the ongoing Russian-Ukrainian war, Russia, in parallel with conventional operations, conducts a set of information operations which include psychological operations, cyber warfare operations and disinformation operations. In this type of operations, Social Media, telecommunications, mass media, and Internet providers play an important role in both disseminating information about the war and shaping public opinion. As far as the digital perspective of the conflict, it is tentative to characterize it as a high- intensity1 hybrid conflict2 in cyberspace, or better in the wider unified informational environment of which both cyberspace and the electromagnetic field are considered a part. Analysis 1 The so-called high-intensity conflicts are symmetrical conflicts involving armed forces that use modern, large-scale technological means. Practical examples that differentiate these conflicts from low-intensity conflicts are the absence or very limited use of organized guerrilla warfare, the use of nuclear or non-nuclear ballistic attacks, the deployment of unusually large forces (quantitatively and qualitatively) by sea, air and land (tanks, destroyers , bombers, etc.) and the declaration of war from one country to another. 2 Hybrid conflict is a type of conflict that combines many unconventional methods of warfare, such as disinformation, manipulation of public opinion, economic warfare, sabotage, terrorism, cyber attack, and guerrilla warfare. Actors involved in a hybrid conflict may include states, terrorist groups, militias, private companies and individuals. In hybrid conflict as the actors involved, often from increased complexity, may have different objectives and different methods of combat. 
It can be difficult to determine who is responsible for actions in a hybrid conflict, as the actors involved may use plausible deniability tactics to hide their involvement.
  • 2. Russia Ukraine War: Cyberspace Operations Papadakis Konstantinos, Cyber- Information Warfare Analyst & Cyber Defense/Security Consultant Russian strategy in the broader information environment has been influenced by General Gerasimov's vision3 , as it was shaped by the evolution of the mode of conflict in the early 2000s between hybrid conflicts and a blurred fine line between war and peace. The new conflict perspective accepts that: • The form of wars is changing, and the new trend requires the strengthening of the influence on public opinion and civilian levers of pressure. • The knowledge of information environment and cyberspace, from a technical and tactical point of view, and its use as a lever of influence is now fundamental and imperative. Russia Russia is not talking about cyber security but for information warfare. As indicated by the evolution of the Russian vision of the conflict and the blurring of spatiotemporal boundaries between peace and war, as well as the evolution of modern conflicts towards a hybridization between conventional and unconventional levers of power, Russian elites see cyberspace as part of the wider information environment within which information superiority should be acquired and maintained. Therefore, they have created their own concept of what Westerners call "cyber security" under the name "information security". Apparently, the same logic carries over from the defensive side to the offensive side, where they refer to "information warfare" instead of cyber conflict. The Russian definition includes, in addition to the vision of classical cyber security, a psychological and a cognitive dimension which, with the help of technical means, can make it possible to control the information environment. The information environment is not a transit space but a space that must be controlled with a long-term perspective as it is a flexible space that allows influence in times of peace and dominance in times of war. 
This fundamental understanding of information warfare has expanded beyond the traditional Western approach to cyber security and is presented as follows by the Russian Ministry of Defense:

"...Information warfare is a confrontation between two or more states in the information environment aimed at causing damage to information systems, processes and resources, critical and other structures, undermining political, economic and social systems, mass psychological manipulation of population to destabilize society and the state, as well as forcing states to make decisions in the interests of the opposing side...".

Considering the above new understanding, Russia proceeded with the following basic steps:
• Reorganized (quantitatively, qualitatively, institutionally) its cyber units into information operations forces capable of supporting a set of information activities through cyberspace.
• Incorporated private groups (hacktivist groups) into its operational planning, to upgrade technical capabilities in the field of cyberspace and to address problems such as assigning responsibility for attacks on political targets or other countries outside of Ukraine. A typical example is the KillNet network, which consists of several hacktivist cyber groups of the same orientation and aims at:
  o Publicity, which allows them to wage a war of influence aimed at hurting the morale of the European population.
  o Strengthening the image that Russia could intervene even where it does not have troops.

3 This vision was confirmed by General Gerasimov in 2019 at the conference of the Academy of Military Sciences, where he emphasized the importance of hybrid tactics and knowledge of asymmetric warfare: “In modern conditions, the principle of waging war has been developed based on the coordinated use of military and non-military measures [...] our Armed Forces must be ready to conduct wars and armed conflicts of a new type using classical and asymmetric methods of action. Therefore, the search for rational strategies for waging war with various adversaries is of prime importance to the development of the theory and practice of military strategy.”
  o Strengthening the belief that European governments are not capable of protecting their infrastructure and citizens on all fronts and fields.
  o Concealing, through publicity, the actions of infiltration groups that constitute long-term threats (Advanced Persistent Threats, APT).
• Enriched its arsenal with new types of cutting-edge cyberweapons (deletion software, ransomware, etc.), which are undetectable and capable of creating serious problems for opponents.

Modus Operandi

Russia plans, conducts, and coordinates the following operations, as part of an upgraded cyber-based information operations plan aimed at gaining information advantage in the broader information environment:
• Initial contact operations on targets inside and outside Ukraine, with the aim of covertly penetrating information systems for their subsequent attack and destruction or for prolonged espionage and intelligence gathering.
• Targeted attacks (mainly within Ukraine) using malicious data deletion software (wiper-type destruction malware), with the aim of destroying the targeted information systems and creating feelings of confusion and disorientation for decision makers.
• Distributed Denial of Service (DDoS) attacks, with the direct effect of interrupting (for a certain time) the offered website services and indirectly creating appropriate psychological effects (fear, mistrust, etc.) in selected audiences. Attacks of this type aim for morale impact, attempting to create and maintain a sense of insecurity about systems and infrastructure among targeted populations, allowing sustained socio-political pressure to be maintained at low cost alongside a political or military conflict.
  It also gives a political advantage (“leverage advantage” system)4, conducting aggressive retaliatory operations without diplomatically or militarily involving the state organizing the attackers.
• Attempts to alter the content of websites (defacement), with the direct effect of altering their content and indirectly disorienting and misinforming their audiences.
• Disinformation campaigns targeting different kinds of audiences:
  o The Russian population, aiming to maintain support for the war.
  o The Ukrainian population, to undermine their confidence in Ukraine's ability to resist Russian aggression.
  o The European and American public, to cast doubt on Western unity against Russia and the importance of supporting Ukraine and dealing with domestic issues.
• Collecting intelligence through infiltrating networks and targeting governments outside of Ukraine that are part of the coalition of countries supporting it. The main target is government agencies, followed by NGOs (either humanitarian groups involved in aiding the civilian population or think tanks providing foreign policy advice). Subsequently, several companies in critical sectors such as energy, defense or IT have been affected by Russian cyber-espionage aimed at supporting its war effort.

4 The "leverage" system refers to the use of some resource or mechanism in order to achieve better results and with greater impact than would be possible using only basic resources. In finance and business, the concept of "leverage" often refers to the use of financial instruments, such as loans, in order to increase the financial impact of an investment or business decision. In other words, using leverage allows a person or company to use a little money to make a lot more money by taking advantage of the ability to borrow. Leveraged advantage in cyber business refers to how a business can use technology and digital platforms to strengthen its competitive position and create benefits. In cyber, the concept of leverage refers to how businesses can use technology, data and digital platforms to enhance their operations, improve performance and create new opportunities. This may include the development of new technological solutions, the effective use of data for decision-making, and the integration of digital platforms to upgrade services and processes. By using leverage properly, cyber businesses can achieve a competitive advantage and enhance their ability to provide effective services and products.
• Influence operations, many of which are conducted via the Internet and social media (SMS), and which have regularly been enhanced through the links gained between cyber and hacktivist groups in the wider information environment. The new tactics are implemented in specific steps:
  o First, Russian influence groups are trying to weaponize the fact checking process to be able to spread the Kremlin's narratives.
  o Second, pro-Russian groups are constantly spreading information purportedly from leaks online, targeting politicians and governments that support Ukraine.
  o Third, the Russian government and its associated entities often organize press tours throughout occupied Ukraine in order to have international communication coverage from friendly media and to facilitate the achievement of communication goals.
  o Fourth, in addition to the operations targeting Moldova, Russia continues its influence operations in the Ukrainian region and across Europe to widen the audience divide, discredit pro-Ukrainian leaderships, and promote pro-Russian networks in these regions.

Targets of Russian cyberattacks inside and outside Ukraine are:
• Government websites.
• Media websites.
• Banking system and financial institutions.
• Military infrastructure.
• Critical infrastructure: energy, water supply, transport.
• Satellite communications.

UKRAINE

Although Ukraine has limited counterattack capabilities in the cyberspace domain, it has attempted to strengthen its cyber defenses through the following actions:
• Reorganization and upgrade of state cyber security services.
• Formation of an IT "army" with the participation of international volunteers.
• Involvement of the entire Ukrainian cyber community in the country's cyber defense.
• Public and Private Sector Partnerships.
• External assistance which includes:
  o The exchange of cyber threat information.
  o The dispatch by the EU and friendly countries of teams to deal with cyber-incidents.
  o Participation of external hybrid actors (hacktivists) in cyber operations against Russia.

In retaliation for the Russian attacks, Ukraine has launched a large number of denial of service (DDoS) attacks as well as data deletion attacks. Targets include Russian government targets, information systems of large Russian media companies, financial institutions, defense installations, power grids and railways.

As part of the cyber counterattacks, independent hackers from around the world have intercepted and exposed Russian government and financial data, such as emails, information related to banking activities, energy production and propaganda activities as well as classified details regarding the Russian ED and the action of agents of the Federal Security Service (FSB). This sensitive information is then shared with global activists as a way of punishing Russia for its crimes in Ukraine. A side effect of the hackers' recent activities is their success in wreaking havoc on Russian cyber systems and shattering the perception of Russia's impregnable cyber defenses.

European Union
In its resolution of 1 March 2022, the European Parliament called for the immediate and full implementation of all decisions that would improve the EU's contribution to strengthening Ukraine's defense capabilities, including cyber security. In addition, the Parliament urged the EU, NATO and other like-minded partners to step up their assistance to Ukraine in the cyber field, while calling for the full activation of the EU cyber sanctions regime against individuals, entities and bodies responsible for or involved in cyber-attacks against Ukraine.

EU actions can be summarized as follows:
• Enhancing the resilience of the communications infrastructure. Keeping Ukraine's telecommunications services operational is critical to ensuring the normal functioning of the Ukrainian government, as well as alleviating the humanitarian crisis.
• Ban Russian propaganda in its war against Ukraine. Combating war propaganda and disinformation is a particularly pressing issue in Russia's war.
• Strengthening the EU toolbox against disinformation. There are already proposals to increase the funding of Task Force East StratCom and to expand the EU's early warning system on disinformation to cover Ukraine and other interested parties.
• Support Ukraine's fight against cyber threats. A cyber rapid response team of EU experts has been deployed for this purpose.
• Strengthening the EU's cybersecurity capabilities. Further initiatives to ensure the resilience of Europe's electronic communications infrastructure and networks have been announced, including more cooperation at operational level, a future cyber resilience act and the creation of a contingency fund for cyber security.
• Limit Russia's access to dual-use technologies.
  The EU sanctions adopted on February 25, 2022 are primarily intended to limit Russia's access to critical advanced technology. Dual-use technologies – specifically those that can be used for both peaceful and military purposes – such as semiconductors or cutting-edge technologies, radio communication technology and crypto-assets, must not be sold or otherwise provided for use in Russia or a Russian entity.

CHINA

It is now known that Chinese hackers are carrying out cyber attacks against Ukraine, although we can only speculate as to whether these (attacks) had any kind of state support. It is also known that Chinese hackers, taking advantage of the current conflict, are carrying out cyber operations against Russia as well.

The two-way relationship between China and Russia in the wider information environment, and especially in the field of cyberspace, is implemented in two operational axes:
• Conducting cyber operations (attacks) before and during the Russian-Ukrainian conflict.
• Redoubling targeting and penetration efforts on both Ukrainian and Russian targets.

Key Points-Conclusions-Lessons

Lateralization and spreading risks.
The interconnectedness of information systems and the involvement in the cyber-operations of independent hacktivist cyber-groups, with little or no state control, increases the risks of the spread of cyber-attacks or their results beyond Ukraine. The threat of cyber attacks on European soil has two aspects:
• First, attacks against Ukrainian networks could spread to European networks.
• Second, Russia could choose to launch direct attacks on European targets through its intelligence services or cyber-criminal groups in order to disrupt Western actions in the Ukraine crisis.

Major Attacks and High Intensity Conflict

In the event of an escalation of the means applied and the radicalization of the conflict, the intensity of operations in the wider information environment, and in particular in cyberspace, may also increase. It is therefore important, first of all, to return to the characteristics that cyberspace possesses and that allow, under certain conditions, solutions to be proposed where conventional means may be limited.

The issue of pre-positioning

When setting credible scenarios, the issue of preemption is essential because it allows Russia to define a precise location for an attack on an organization, thus maximizing tactical and strategic results. To prevent effective pre-positioning of Russian actors on Ukrainian systems, the US is conducting defensive strike actions to disable the offensive capabilities of the Russian threat that have already compromised Ukrainian infrastructure.

Malware as a service (MAAS)

It should be noted that today cyberweapons do not have to go through all the production phases, as in recent years almost everything is available "as-a-service".
In recent years, the possibility of acquiring "malware as a service" (MaaS, Malware-as-a-Service) or "cybercrime-as-a-Service" (CaaS, Cybercrime-as-a-Service) has emerged.

Malicious Network Control & Management as a Service / Command & Control as a service (C2aaS)

"Malicious Network Control" (C2aaS, C2 as a Service) services are becoming increasingly available in the market. These services are designed to give technically inexperienced actors with few resources the ability to launch primarily distributed denial of service (DDoS) cyberattacks. Such a service offers a fleet of malicious computers (bots) to be used in attacks (DDoS). These capabilities suggest that the number of cyber-actors in the Russian-Ukrainian conflict could increase along with the capabilities of these low-cost services.

Hacker for hire (Hacker for Hire or hacker-for-hire proxy or Hacker as a Service-Haas)

Russia's choice to use hacker-for-hire proxies to pursue its tactical and strategic goals allows it to maintain a high level of denial of responsibility for its actions.

Risk of conflict escalation in the space field

Satellite infrastructures are essential systems in wartime as they allow the coordination of ground troops through imagery and telecommunications. In this light, disrupting the adversary's satellite infrastructure during operations allows significant tactical advantages to be gained in the military field.

Russia has anti-space or anti-satellite (ASAT) capabilities, both kinetic (e.g. missiles, laser systems, etc.) and non-kinetic (US, cyber weapons), capable of causing physical and virtual, reversible and targeted damages, making attribution complex. Russia's military leadership views cyber weapons as a substitute and/or complement to Electronic Warfare weapons, implying their possible use together in an operation (a US operation could precede a cyber-attack on a system based on space and vice versa).

Military sector

Key observations and conclusions

Cyber attacks are capable of disrupting command and control (C2C) systems, which are critical to the coordination and conduct of military operations. Attackers have the ability to infiltrate such systems and interfere with communications to disrupt the decision-making process.

Cyber-attacks against the military sector can lead to the exposure of coordinated forces, leakage of military traffic and/or planned offensive/defensive action data, making the protection of the military sector critical to protecting personnel, equipment and gaining/maintaining superiority against the enemy.

Ukraine's military cyberspace is a high-intensity battleground with ongoing threats and attacks, originating from different actors and different countries, mostly aimed at stealing data, conducting espionage, and destroying assets in an effort to create an immediate and indirect impact on Ukraine's ability to fight.
Ukraine had to significantly accelerate the development and strengthening of its cyber capabilities in the military sector with new capabilities that upgrade "traditional" cyber defense solutions:
• A separate unit within the military structure responsible for cyber defense, capable of conducting intelligence acquisition activities, cyber operations, cyber information operations.
• Establish a mechanism to attract the necessary number of experts to repel cyber aggression.
• Ability to quickly create new secure communication channels, software solutions.
• Rapidly investigate new threats, deliver research results to cybersecurity entities as well as produce, review and edit incident response plans.
• Establishing constant communication with foreign partners from military and commercial sectors.
• Adaptation of rapidly developing cyber-protection systems to existing legislation and regulatory directives.
• Although not specific to cyber defense, rapid deployment of GSM/4G communication towers is recommended in case of military conflict or natural disaster. These are self-propelled (generator) vehicle-mounted communication towers that span locations suffering from power outages and provide voice and data communication via satellite or line-of-sight link, and can cover a range of 3-6 km.

Digital services in support of the war effort

Traditional communication and information channels (television, radio, news, etc.) are still important but do not allow rapid warnings of dangerous events, such as airstrikes or artillery strikes, natural disasters and cyber threats. There is also a significant need for different kinds of feedback from the population, such as information about enemy military units in occupied territories, damaged critical infrastructure, etc. Mobile internet, various messenger systems and special mobile applications are some of the modern digital services that can best serve in this role.
On the other hand, the introduction of digital services increases the risk of cyber threats, both to the services and to their users. Here are several examples of digital services that have been created in Ukraine in support of the war effort:
SERVICE: SERVICE DESCRIPTION

• National roaming: National roaming made it possible to connect to the network of other operators if the connection was lost.

• Emergency Population Warning System: The new notification system works on the basis of Cell Broadcast technology, which has significant advantages over SMS notification: faster receipt of notifications, flexibility in choosing locations to be notified and the presence of an audio signal even if the sound on the subscriber's smartphone is turned off. It is not necessary to install anything specific on the phone; all Ukrainian users can receive the signals.

• Telegram bot owned by the Security Services of Ukraine: @stop_russian_war_bot, created by the SSU at the beginning of the large-scale invasion of Russia to allow people to send alerts about enemy troops and vehicles, their locations, movements, war crimes, collaborators, etc. On October 18, 2022, it was reported that the bot had received over 100,000 messages from Ukrainians. This helped destroy hundreds of units of enemy military equipment and even eliminate several Russian generals.

• Interactive map of the territory: The State Emergency Service of Ukraine has developed an interactive map of areas potentially contaminated with explosives. This map shows the locations where explosive devices have already been found or are likely to be found and the level of threat they pose, according to information available to the State Emergency Service (detection error is up to 30 meters). There is also a corresponding app for mobile phones (both Android and iOS) with an interactive map, as well as recommendations on how to detect dangerous objects, safety instructions, etc. It also contains an alert function with an instant signal if the person enters the red zone.
• eVorog Bot: Telegram bot developed by the Ministry of Digital Transformation of Ukraine, fully integrated with Diia (Ukraine digital service) and with advanced functionality to detect:
  o Enemy equipment and troops.
  o Activities of pro-Russian partners.
  o Explosive or suspicious objects.
  o Photos/videos of Russian military personnel in demilitarized settlements.

• єППО: An air raid prevention warning system. Ukraine has created a mobile phone application that will help air defense units fill in radar information about aerial targets for their subsequent destruction. How the application works: if a person visually detects an aerial target, for example, a missile or a kamikaze drone, they must open the єППО application on their smartphone, select the type of aerial target, point the smartphone in its direction, aim at it and press the big red button. In this way, the data of the target (position, type, etc.) end up directly in units of the Ukrainian Air Defense.

Ukraine has demonstrated expertise with the widespread use of digital technologies to ensure stable communications between the population and state management bodies and vice versa during the crisis period. Communication methods demonstrate the importance of the population's sustainable access to communication services and the internet, as well as informing all citizens of any potential threats, thus allowing them to assist the armed forces in locating the enemy.

Each country or alliance should consider having a well-developed, tested and reliable public communication and early warning system. It is also worth noting that a stand-alone system is not sufficient in today's complex communication landscape, and for this reason state security agencies and state government agencies should maintain an online presence within such networks as Signal, Telegram, Twitter and others. The key point is that accounts on such platforms must be verified and trusted.
Trust and confidentiality in such accounts must be at a high level to avoid impersonation or misinformation.

General Conclusions
The use of cyberspace as a field for conducting operations actually first started in 2007 with the cyber attacks in Estonia, and continued with the attacks in Georgia in 2008, where cyber attacks and cyber influence operations were used alongside conventional operations. The full integration of such operations into the entire military effort occurred during the war in Ukraine, where cyber operations played, and continue to play, an important role even before the start of conventional operations, crippling the offensive and defensive capabilities of the adversary, thereby affecting his morale.

Actions in cyberspace on the part of Russia had as their main objective the support of conventional, mainly ground operations, but also the creation of appropriate psychological effects on specific target audiences.

According to the statistical report of the State Cyber Protection Center of Ukraine, in 2022 there were 2.8 times more cyber incidents than in 2021. The number of cyber incidents related to the spread of malware and information recovery increased by 18.3 and 2.2 times respectively. The number of detected incidents related to Russia increased by 26%. In 2022, 2194 cyber attacks were detected and officially investigated (1655 as of February 2022).

Russia's aggressive cyber operations, along with electronic warfare, have failed to disrupt Ukraine's command and control (C2) system and its critical private and public infrastructure for an extended period of time. Ukraine, with the help of private companies and Western governments, has managed not only to mitigate the majority of cyber-attacks against its infrastructure but also to develop offensive cyber-capabilities of its own.

The biggest cyber threat to Ukraine is the hacker groups associated with the FSB, the GRU and the SVR.
To a lesser extent, financially motivated hacker groups and pro-Russian hacktivist groups also pose a threat. The most active hacking groups are Sandworm, APT28, EmberBear, Turla, Gamaredon, Calisto and APT29, while KillNet, NoName057, People's Cyber Army, Xaknet Team and RaHDit are the most active pro-Russian hacktivist groups.

Findings in the Field (Cyberspace)

The two years of war in Ukraine have provided several conclusions regarding the use of cyber capabilities during a conventional conflict:
• Russia developed and exhausted its initial cyber capabilities shortly before and during the invasion on February 24, 2022. Russian cyber operations aimed to undermine Ukraine's military operations, economic and government sectors, gain access to critical infrastructure and deny the public access to information. Many attacks targeted Ukraine's critical infrastructure with the aim of disrupting its operations.
• Russian cyberattacks have failed to create a serious long-term problem in Ukrainian critical infrastructure.
• The Russians focus mainly on Distributed Denial of Service (DDoS) attacks, propaganda and defamation operations, and phishing operations. As a result, Ukraine pays more attention to the specifics of such attacks.
• Russia is trying to find new allies to help it in its cyber/military operations, which will potentially create more damage as it tries to achieve its goals, possibly turning to China, which hopes to take an active part in the geopolitical situation in Europe.
• It is almost certain that Russian state-sponsored cyber threat actors will continue their activities in furtherance of the Russian military's strategic and tactical objectives in Ukraine.
• Although Russian cyber-activities are mainly focused on targets in Ukraine, there is a high possibility that the attacks will be transferred or expanded (diffusion) to Europe and the countries that support Ukraine.
• Given Russia's focus on destroying or creating a significant problem in Ukraine's critical infrastructure, it is safe to assume that cyber operations are and will be used in the future within cross-sectoral operations planning in support of conventional mobile warfare operations.
• Ukraine managed to limit the damage to its infrastructure by moving many of its services to cloud infrastructure outside the country. After each cyberattack, Ukraine's infrastructure systems became less vulnerable. Initially, although defense was the main priority in infrastructure protection, over time it has changed to an offensive strategy.
• Cooperation between institutions, organizations and states is a critical factor in maintaining infrastructure protection at a high level.
• Cyber security is no longer a matter for experts. In every country, people are the first line of defense against cyber attacks.
• Defense against a military invasion requires for most countries the ability to export and distribute their digital operations beyond their borders to other countries.
• Russia from the beginning of the conflict targeted Ukraine's information infrastructure with both conventional (missiles) and digital means (wipeware). However, Ukraine has managed to move a large part of its civil and military digital infrastructure to cloud hosting, mainly outside the country, and thereby protect it.
• Recent advances in cyber threat intelligence and end-point protection have helped Ukraine counter a large percentage of Russia's devastating cyber attacks.
  In today's conflict, Russian cyberattacks are different from those seen in 2017 with the case of the NotPetya malware. In this particular attack (2017) destructive malware was used which had the ability to spread uncontrollably across interconnected systems within and outside the country. Today's Russian attacks have seen a reduction in the spread of malware outside of Ukraine while increasing the effort to synchronize cyber-attacks with the corresponding conventional operations. Defenders' use of artificial intelligence (AI) threat intelligence processes as well as endpoint protection solutions enabled the rapid distribution of software/protection code to detect and counter attacks.
• As a coalition of countries has assembled to defend Ukraine, Russian intelligence services have stepped up efforts to spy and infiltrate information networks targeting allied governments outside Ukraine. Infiltration actions have been detected in 128 organizations in 42 countries outside of Ukraine. The main targets are countries that support Ukraine such as: the USA, Poland, the Baltic countries, Denmark, Norway, Finland, Turkey as well as other NATO countries. The list of targets in these countries includes government infrastructure, think tanks, humanitarian organizations, IT companies, energy and critical infrastructure and their support companies.
• In conjunction with existing cyber activities, Russian agencies are conducting corresponding global cyber influence operations in support of its war effort.
  These operations combine tactics developed decades ago by the KGB with new digital technologies and the Internet to give influence operations greater geographic coverage, speed, adaptability, more precise targeting, and greater power. Such operations, with sufficient planning and know-how, can take advantage of the immediacy and breadth of democratic societies. The Russians focused their influence operations on four target audiences:
  o Russian population: Continued support of the war effort.
  o Ukrainian population: Undermining confidence in the country's will and ability to resist Russian attacks.
  o American and European audiences: Undermining Western unity and deflecting criticism of Russian war crimes.
  o Non-allied audience: To maintain support for Russia in the UN and other organizations.

  Russian cyber influence operations are directly linked to tactics created for other types of cyber operations, such as the Advanced Persistent Threat (APT) tactics of the Russian intelligence services and the Advanced Persistent Manipulation (APM) teams that are associated with government agencies and operate through Social Media and digital platforms.

  These cyber influence operations planted narratives in much the same way that other cyber operations planted malware on information systems. They then launched a broad and simultaneous "reporting" of the specific narratives from websites that were under the control of the Russian government while being magnified through Social Media exploitation tool technologies. Recent examples include narratives surrounding biolabs and multiple attempts to cover up military attacks against Ukrainian civilians.
Russian cyber influence operations are estimated to have successfully increased the spread of Russian propaganda since the start of the war by 216% in Ukraine and 82% in the United States.
• Lessons from Ukraine require a comprehensive and coordinated strategy to strengthen defenses against the full range of cyber operations, whether they manifest as destructive cyber attacks, cyber espionage or influence operations. While there are key differences between these operations, the Russian government views them as part of a broader information operation which, while having its own objectives and goals, is in full sync with conventional operations. This new reality requires a completely different approach to dealing with and preventing such threats. The prevention of such threats should in principle be based on the following assumptions:
o Russian cyber threats are promoted by a common set of actors (groups, agencies, etc.) inside and outside the Russian government who use similar digital tactics. As a result, advances in digital technology, artificial intelligence and data management will be needed to address them.
o Unlike the traditional threats of the past, responses to these types of cyber attacks must be based on greater public and private collaboration.
o There is a need for close and joint multilateral cooperation between governments to protect open and democratic societies.
o Defense doctrine should support free expression and avoid censorship in democratic societies, even as new steps are needed to address the full range of cyber threats that include cyber influence operations.
The Future
Given the growing close cooperation between Russia and China and the latter's effort to upgrade its geopolitical position, an increase is to be expected in the espionage activities of Chinese cyber groups, such as APT27, APT30, APT31, Ke3chang, Gallium and Mustang Panda, against EU and NATO member states, alongside ongoing threats from politically motivated Russian cyber groups.
Given the significant experience and capabilities of Russian special services, it is also important to protect data storage and transmission infrastructure and network equipment from unauthorized access and from software that could allow attackers to gain remote access to target systems.
The future will see an ever-increasing investment in both defensive and offensive cyber capabilities, which is necessary to mitigate security risks. Organizations can significantly reduce their vulnerability to cyber attacks by implementing strong cyber security measures such as firewalls, intrusion detection systems and employee training programs. Additionally, having a comprehensive cyber defense strategy can help minimize the impact of a successful attack.
Investing in cyber defense is essential self-defense for businesses and governments against the growing threat of cyber attacks. The cost of a successful attack can be devastating, and the risks are growing as our world becomes more digital.
The technology revolution has reached even the most ordinary people around the world, and cyber threats have followed. Cyber security is no longer just for professionals. People are the first line of defense against cyber attacks in any country. They are often the first point of contact with potential threats, and their actions can either increase or decrease the likelihood of a successful attack. Educating people about the risks and using best practices can help prevent attacks and minimize damage if an attack is successful. From providing information through state and private media such as television and radio, to education and training in schools and universities, cyber awareness and defense must be taught and trained.
The recent explosion of artificial intelligence (AI) technology has the potential to be a game changer in cyber warfare. Artificial intelligence is already being used in cyber defense to identify and respond to threats more quickly and effectively, but it may well be used by attackers to conduct sophisticated cyber attacks. One way in which artificial intelligence can be deployed in cyberwarfare is through the use of Machine Learning (ML) algorithms to detect patterns and anomalies in network traffic. This could ensure real-time detection and response to threats and improve the speed and accuracy of cyber defense. Another potential use of artificial intelligence in cyberwarfare is the development of autonomous malware that can adapt and evolve in response to changing conditions. Such malware could conduct cyber attacks that would be harder for defenders to detect and counter.
Overall, while AI has the potential to be a powerful tool for cyber defense, it also poses significant challenges for those working in the field. As such, it will be important for cybersecurity professionals to develop new strategies and tools to address the threats posed by artificial intelligence in cyberwarfare.