A Cyber History Of The Ukraine Conflict

The CTO for the US Cyber Consequences Unit offers a brief lesson in Russian geopolitics and related cyber flare-ups, and explains why we should be concerned.

John Bumgarner, Chief Technology Officer for the U.S. Cyber Consequences Unit

March 27, 2014

4 Min Read

For the second time in recent history Russia has flexed both its military and cyber muscles. The latest incident is playing out in The Autonomous Republic of Crimea (Ukraine). The previous incident occurred in South Ossetia (Georgia) in 2008. Both countries were once integral pieces of the vast Soviet empire, which crumbed more than two decades ago. Russia has also flexed its cyber power in the former Soviet states of Estonia (2007) and Kyrgyzstan (2009).

Over the years, the international community has closely monitored each of these worrisome incidents. The Georgian incident was especially troublesome, because it was the first time cyber attacks were used in concert with traditional military operations, which included tanks storming across the border of a sovereign nation. 

My post-analysis of this incident concluded that 11 Georgian websites were knocked offline prior to the Russian military invasion. The official website of the President of the Republic of Georgia and several media outlets (e.g., www.news.ge) were among those impacted by the initial cyber barrage. The attack method used to disrupt these key sites was a distributed denial-of-service (DDoS) attack, launched from botnets controlled by Russian cyber criminals -- most likely cooperating with the Russian government. The attacks didn’t wane from their targets for the entire duration of the Russian military campaign against Georgia; they stopped immediately after Russia and Georgia signed a preliminary ceasefire agreement.

Flash forward to today and the situation in Ukraine. While the current state of affairs there is complicated, it’s clear that Russia isn’t running the same cyber playbook it used in Georgia. For instance, when Russian forces invaded Crimea they didn’t blind the Ukrainian government with massive cyber attacks. Such attacks were not launched, because the strategic and operational environments in Ukraine and Crimea were much different from those in Georgia. 

In the current crisis, Russian forces severed the Internet and other communication channels that connect the Crimean peninsula with the rest of Ukraine. Some cyberwar experts have referred to this incident as a cyber attack, although information surrounding it points to physical sabotage by a military force, for example, cutting cables and destroying equipment. What this means is that the recent incident wasn’t a cyber attack in and of itself, even though it interfered with communication services delivered by cyber technology.    

Jamming or cyber attacks? 
There have also been numerous reports that the mobile phones belonging to key Ukrainian government officials are being targeted. The Russian military has the capability to employ sophisticated electronic warfare techniques (e.g., jamming), which would disrupt cellular communications within Ukraine. This type of jamming normally hits a wide range of frequencies over a large geographic area. Based on open-source reporting it’s unlikely that the mobile phones in question were victims of military jamming. It’s more likely that Russian intelligence or pro-Russian sympathizers targeted these specific mobile phones through a Ukrainian cellular provider.  

There is some historical precedent that supports this argument. For instance, in January protestors in Ukraine received an ominous text message, which read: "Dear subscriber, you are registered as a participant in a mass disturbance."

This text message was only sent to individuals located in a specific geographical location in Kiev. Ukrainian cellular providers have denied providing subscriber metadata to the government. Based on the January incident it’s highly-probable that someone -- Russia -- targeted the mobile phones of Ukrainian government officials via subscriber information, such as telephone number, or the international mobile equipment identity (IMEI) number. But without additional details about these isolated incidents, it’s difficult to confirm that the mobile phones of these government officials were impacted by cyber attack.  

Over the last few months Ukrainian websites (within the TLD .ua) have seen their fair share of defacements. Evidence indicates that Muslim hacking groups with pro-Syrian or anti-Israeli agendas conducted the majority of the defacements. A recent round by a group named Cyber Berkut is particularly troubling. Based on the targets attacked and symbolism used it’s very clear that the Cyber Berkut is pro-Russian. Some of the group’s tactics, techniques, and procedures (TTPs) are similar to those used in cyber operations in 2007 and 2008 by the Kremlin against Estonia and Georgia.  

While these attacks are truly unsettling, they provide only a small window into the cyber capabilities of the nations embroiled in this conflict. Tomorrow’s attacks may paint a sharper picture of those cyber capabilities and how they are wielded on the battlefield. What is clear is that "cyber" will continue to play an important role in future military operations. 

About the Author(s)

John Bumgarner

Chief Technology Officer for the U.S. Cyber Consequences Unit

John Bumgarner is Chief Technology Officer for the U.S. Cyber Consequences Unit, an independent, non-profit research organization that investigates the strategic and economic consequences of possible cyber attacks. He has work experience in information security, intelligence, psychological operations and special operations. During his career he has done work for various organizations in the U.S. government This work has taken him to more than 50 countries on 6 continents. He has been an expert security source for national and international news organizations, including Business Week, CNN, The Wall Street Journal and The Guardian in London. He has published articles in several leading security publications, including the journal of the Information System Security Association, the Homeland Security Journal and the Counter Terrorist magazine. He has spoken at various events, including the Cyber Conflict Policy and Legal conference in Estonia, the Information Assurance and Security in Defense conference in Brussels, the National Defense Industrial Association Cyber Security Symposium in the United States and at institutions such as the Center on Terrorism and Irregular Warfare, Naval Postgraduate School, Monterey, California. John is the author of the U.S. Cyber Consequences Unit's much-acclaimed definitive analysis of the August 2008 cyber campaign against Georgia. He is also the co-author with Scott Borg of the US-CCU Cyber Security Check List, which is currently being used by cyber security professions in over eighty countries. . John is featured in the International Spy Museum's "Weapons of Mass Disruption" cyber warfare exhibit in Washington, D.C. He has been a guest lecturer at the Fletcher School and the Naval Postgraduate School.Specialties:Certified Information Systems Security Professional (CISSP),GIAC Certified Advance Incident Handling Analyst (GCIH),NSA InfoSec Assessment Methodology (IAM) Certified, NSA InfoSec Evaluation Methodology (IEM) Certified,System Security Certified Practitioner (SSCP)

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights