12:15 PM
John Bumgarner

A Cyber History Of The Ukraine Conflict

The CTO for the US Cyber Consequences Unit offers a brief lesson in Russian geopolitics and related cyber flare-ups, and explains why we should be concerned.

For the second time in recent history, Russia has flexed both its military and cyber muscles. The latest incident is playing out in the Autonomous Republic of Crimea (Ukraine). The previous incident occurred in South Ossetia (Georgia) in 2008. Both countries were once integral pieces of the vast Soviet empire, which crumbled more than two decades ago. Russia has also flexed its cyber power in the former Soviet states of Estonia (2007) and Kyrgyzstan (2009).

Over the years, the international community has closely monitored each of these worrisome incidents. The Georgian incident was especially troublesome, because it was the first time cyber attacks were used in concert with traditional military operations, which included tanks storming across the border of a sovereign nation. 

My post-analysis of this incident concluded that 11 Georgian websites were knocked offline prior to the Russian military invasion. The official website of the President of the Republic of Georgia and several media outlets (e.g., www.news.ge) were among those impacted by the initial cyber barrage. The attack method used to disrupt these key sites was a distributed denial-of-service (DDoS) attack, launched from botnets controlled by Russian cyber criminals -- most likely cooperating with the Russian government. The attacks did not let up against their targets for the entire duration of the Russian military campaign against Georgia; they stopped immediately after Russia and Georgia signed a preliminary ceasefire agreement.

Flash forward to today and the situation in Ukraine. While the current state of affairs there is complicated, it's clear that Russia isn't running the same cyber playbook it used in Georgia. For instance, when Russian forces invaded Crimea, they didn't blind the Ukrainian government with massive cyber attacks. Such attacks were not launched because the strategic and operational environments in Ukraine and Crimea were much different from those in Georgia.

In the current crisis, Russian forces severed the Internet and other communication channels that connect the Crimean peninsula with the rest of Ukraine. Some cyberwar experts have referred to this incident as a cyber attack, although the information surrounding it points to physical sabotage by a military force: for example, cutting cables and destroying equipment. What this means is that the recent incident wasn't a cyber attack in and of itself, even though it interfered with communication services delivered by cyber technology.

Jamming or cyber attacks? 
There have also been numerous reports that the mobile phones belonging to key Ukrainian government officials are being targeted. The Russian military has the capability to employ sophisticated electronic warfare techniques (e.g., jamming), which would disrupt cellular communications within Ukraine. This type of jamming normally hits a wide range of frequencies over a large geographic area. Based on open-source reporting, it's unlikely that the mobile phones in question were victims of military jamming. It's more likely that Russian intelligence or pro-Russian sympathizers targeted these specific mobile phones through a Ukrainian cellular provider.

There is some historical precedent that supports this argument. For instance, in January protestors in Ukraine received an ominous text message, which read: "Dear subscriber, you are registered as a participant in a mass disturbance."

This text message was only sent to individuals located in a specific geographical location in Kiev. Ukrainian cellular providers have denied providing subscriber metadata to the government. Based on the January incident, it's highly probable that someone -- Russia -- targeted the mobile phones of Ukrainian government officials via subscriber information, such as the telephone number or the international mobile equipment identity (IMEI) number. But without additional details about these isolated incidents, it's difficult to confirm that the mobile phones of these government officials were impacted by a cyber attack.

Over the last few months, Ukrainian websites (within the TLD .ua) have seen their fair share of defacements. Evidence indicates that Muslim hacking groups with pro-Syrian or anti-Israeli agendas conducted the majority of the defacements. A recent round by a group named Cyber Berkut is particularly troubling. Based on the targets attacked and the symbolism used, it's very clear that Cyber Berkut is pro-Russian. Some of the group's tactics, techniques, and procedures (TTPs) are similar to those used in cyber operations in 2007 and 2008 by the Kremlin against Estonia and Georgia.

While these attacks are truly unsettling, they provide only a small window into the cyber capabilities of the nations embroiled in this conflict. Tomorrow’s attacks may paint a sharper picture of those cyber capabilities and how they are wielded on the battlefield. What is clear is that "cyber" will continue to play an important role in future military operations. 

John Bumgarner is Chief Technology Officer for the U.S. Cyber Consequences Unit, an independent, non-profit research organization that investigates the strategic and economic consequences of possible cyber attacks. He has work experience in information security, intelligence, ...

Marilyn Cohodas
User Rank: Strategist
4/1/2014 | 7:21:05 AM
Re: Fascinating history lesson
That's quite a comprehensive and enlightening post, Pierluigi. Thank you for sharing it. I encourage readers to read the article in its entirety, but I'm reposting your conclusion, which is worth keeping in mind as the situation continues to unfold:

What to expect in the future? It's difficult to say. While diplomacy will continue to work, deep in cyber space the attacks will increase. It is premature to define the tensions in cyber space as a cyber war between Russia and Ukraine. On one side hackers who are pro-Ukraine will intensify their activities against Russian entities, while Russian cyber units and patriotic hackers will increase their offensives against Ukrainian opposites. I made a rapid tour on principal social media, and I noted that on both sides there has started a misinformation campaign. On the one hand, Putin's supporters are publishing disconcerting stories and images about atrocities committed by Ukrainian forces in Crimea, and on the other side of Putin it is possible to read everything.

And also:

With the escalation of tensions in Crimea, the number of cyber attacks will sensibly increase, and there is the concrete risk that other critical infrastructure in the country will be impacted.

User Rank: Ninja
4/1/2014 | 4:06:14 AM
Re: Fascinating history lesson
Hi John,

Excellent post. Let me share with you an analysis I made a few days before the Russian escalation.


The situation is very active in cyberspace, especially for the hacktivism underground. Unfortunately, many groups, in my opinion, have already been infiltrated. Attacking a foreign state system while hiding the operation behind the name of a new group of hacktivists could be an excellent military option.

No doubts ... the number of attacks will increase in the next weeks.


Marilyn Cohodas
User Rank: Strategist
3/31/2014 | 2:44:03 PM
Re: Fascinating history lesson
Thanks, John. I hope you will keep us posted on this thread! 

User Rank: Apprentice
3/28/2014 | 5:03:22 PM
Re: Fascinating history lesson

In this post I was trying to highlight a few incidents (e.g., cyber attacks) that were most likely not conducted by hacktivists. I also thought that it was important to briefly mention the Estonian and Georgian cyber incidents. From a historical perspective, those incidents and the current one in Ukraine have some interesting similarities, beyond Russian involvement.

Concerning the distributed denial-of-service (DDoS) attacks against Russian government websites: these DDoS attacks were most likely launched by pro-Ukrainian hacktivists and not by the government of Ukraine. It's worth noting that the websites of NATO and the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) were also disrupted by DDoS attacks. There's evidence that suggests that these latter cyber attacks were orchestrated by the Russian government.

We should expect to see more cyber attacks if the situation in Ukraine deteriorates.

Cheers, John

Marilyn Cohodas
User Rank: Strategist
3/27/2014 | 2:50:04 PM
Fascinating history lesson
Very interesting blog, John. Thanks for enlightening us! Are the cyberattacks mostly one way -- from Russia to Ukraine -- or is there a back and forth between both nations? The Christian Science Monitor has reported that Russian government sites were also hit with a powerful wave of denial-of-service attacks, which they said was "apparently in response to their cyberattacks on Ukrainian."