The intensive cyber bombardment of Ukraine by Russia in previous years has generated the expectation that the current military conflict will intensify the firing of virtual howitzers. However, this has not yet happened to a greater extent. But what has not may yet come, writes cybersecurity guru Ales Špidla in his analysis.

First, let's go back in history for a moment. Perhaps the most famous attack on the Ukrainian-Russian theatre of war was Black Energy. In December 2015, Russian hackers managed to take control of 30 electricity substations belonging to three Ukrainian distribution companies. According to forensic analysts who analyzed the attack in retrospect, the attack was highly sophisticated and essentially unstoppable. The techniques used were such that it was highly unlikely that it was carried out by a small group of hackers. The analysts' conclusion was that the attack must have been perpetrated by the state or state-sponsored actors.

Picture: The intense cyber bombardment of Ukraine by Russia in previous years has generated the expectation that the current war conflict will intensify the firing of virtual howitzers. (illustration photo) | Shutterstock

Penetration of information systems was not that complicated, but spear-phishing was used, where a selected target - usually a VIP employee (also in terms of access permissions to information systems) of the institution that is planned to be attacked, receives a credible email that has been "tailored" to him. The victim opens the attachment and the attack code spreads and does damage. In this case, it allowed the systems that control the substation technology to be taken over. Of the 30, 23 were unmanned, remotely controlled, making them all the easier to control. The malicious code was also able to cover its tracks.

Subverted mobile phone networks that locate soldiers

Cyber warfare on the frontline between separatists and the Ukrainian Army was also interesting. This front was covered by a number of spoofed mobile networks and also spoofed wi-fi networks. All one had to do was move around the front line with a smart mobile phone and these networks offered themselves one after another. The Russian hackers managed to identify the operators of the Ukrainian howitzers this way and, more importantly, to locate their position. They also used the technique of spoofed "like" text messages from mom or partner with the content "Go home, run away. Mom (or Masha)". The moment the soldier responds, he is located, targeted, and the rest you can probably imagine.

In the context of contemporary warfare, the term hybrid warfare has often been invoked with an emphasis on one of its major elements, namely cyber attacks. It has often been said, both in the media and among the professional community, that Russia will launch massive cyber-attacks on Ukraine's critical infrastructure, thereby withdrawing the capacity to deal with the problems that have arisen.

It is a fact that a well-executed cyber attack can lead to the physical destruction of the attacked entity. These are mainly attacks conducted against information systems and technologies that control technological processes. Such an attack on a chemical plant, for example, can have fatal consequences for the wider environment. The question is why this has not happened yet. I am not an expert on war strategy, but the explanation offered is that Russia assumed a quick victory by brute force. It is also an undeniable fact that Ukraine has made significant strides in the quality of its cyber defense provision since 2015. It was simply the attacks of 2015 that taught them lessons: Black Energy was not the only one; NotPetya, which spread around the world, is also worth mentioning. Russian activity in the cybersecurity field has essentially trained Ukrainian specialists. And apparently there was also concern about virtual alliances and the resulting support for cyber defense and possible counterattacks. Such alliances can be made very quickly. And they probably already exist.

But it cannot be said that activity on the cyber battlefield has died down. Techniques for locating the enemy similar to those used previously continue to be employed. Certainly there is an ongoing battle in the field of cyber espionage. The purpose of all espionage is to gain an advantage in understanding the adversary, his intentions, mindset, capabilities, communications and equipment. And cyber spies are working hard to do this, using all sources of information to do so. Often they fall into what is called OSINT (Open Source Intelligence), which is open, publicly available information.

Individual information obtained in this way is often of little news value, but the combination of more information from more sources can have news value. The key is to be able to combine this information with that obtained through traditional intelligence activities.

Information operations are then an important component of hybrid warfare. Information operations are not only used in wars, they also work in times of peace. They aim to disseminate information that will arouse emotions in the target group, which will cause a change or confirmation of moods, attitudes, opinions, etc. They rely on the fact that many people approach information on the basis of 'I agree with it, so it must be true'.

Robotrolling as part of information operations

In the age of the Internet and social networking, the implementation of information operations is greatly simplified. Just imagine the impact of such an operation using leaflets thrown from an aeroplane compared to the impact through social networks. One of the weapons of information operations is disinformation. Especially on social networks, it spreads very quickly and just as quickly finds its consumers and disseminators. Advanced technologies are also being used in this area. Information operations using robots, i.e. systems with artificial intelligence elements, are documented. The documented example of robotrolling dates from 2017. Two of the three Twitter accounts that wrote in Russian about NATO's presence in Eastern Europe were artificially created. A full 84% of such messages were artificially created. Robotrolls can react to tweets, change their tone, etc., which is a very powerful weapon of information operations.

The use of systems with artificial intelligence elements is part of virtually all social networks and not only them. Information operations are used by all sides of conflicts, there is no doubt about that. Equally, all parties are trying to counter their effects. Disinformation is often difficult to spot and the most dangerous are those that pretend to have a rational core - "there is something to it". However, it is a dangerous weapon and we must defend against it. 

In the Czech Republic, some disinformation websites have been blocked on the basis of intelligence information. Today's world is technology-driven, and it is often possible to verify a lot of information by combining information from several sources. CCTV footage, satellite images and communications records are available, which makes it difficult for disinformation to get through. Unless, of course, the consumer of disinformation is a victim of his own self-confidence according to the principle mentioned above. 

However, cyber-warriors outside the official structures are also involved in the current conflict. Ukraine has been convening "cyber reservists", i.e. hackers who are willing and able to fight on the cyber warfield. They are forming an "IT army". It is not that simple, as these people have to be vetted to see if they are on the right side of the front. 

Much publicised is the involvement of Anonymous (a hacktivist movement of hackers - activists), which has publicly sided with Ukraine. I am afraid that this current movement has little in common with the original Anonymous movement. In my opinion, Anonymous has become a kind of franchise. But that doesn't matter at all, their activity consists, among other things, in showing what they are capable of. From DDoS attacks on Russian institutions, publishing their sensitive information, etc. Anonymous has been joined by a number of other hacker groups. It should be noted that hackers on the Russian side of the front are likewise being activated.

Hybrid warfare, and the one in Ukraine undoubtedly is, has many forms and layers. Cyberspace is one of the battlefields, because by the time the soldier's foot enters the conquered territory, the hacker's foot is already there (virtually).

So why isn't this conflict taking place in the force that was originally envisioned? According to experts, there are several possible reasons. Russia may consider cyberattacks insufficient in terms of impact. As I mentioned, Russia may also fear massive retaliation, which is not entirely easy to determine where it came from. Thus, it is difficult to say "NATO attacked Russia". Another possibility is that Russia is saving its cyberspace for later. This would be suggested by the increased activity observed in cyberspace scanning, which is the search for vulnerabilities or, if you like, holes in the information systems of various institutions, especially in the west of Ukraine. Experts also mention the possibility that the strength of Russian cyber forces has been overestimated, even in Russia itself.

It is not difficult to be a soothsayer in what is happening in cyberspace. Just say "It will get worse" and it will come true.

Picture: Ing. Aleš Špidla | Aleš Špidla’s archive

Ing. Aleš Špidla 

Ales Špidla works as a cybersecurity manager at the Centre for Cardiovascular and Transplant Surgery and as a cybersecurity manager at the Prague 5 Municipal Office and collaborates on a number of cybersecurity projects.

He is the president of the Czech Institute of Information Security Managers, guarantor and teacher of the MBA study programme "Management and Cyber Security" and co-supervisor and teacher of the LL.M programme "Information Protection" at the CEVRO Institute. He is a zealous evangelizer of cyber and information security issues in all its aspects.