The online attacks against infrastructure and information operations used by both sides in the conflict between Russia and Ukraine fulfill the definition of cyberwar and hold lessons for governments and companies, two researchers plan to say this week at the Black Hat USA conference in Las Vegas.
Cyberattacks preceding Russia's invasion of Ukraine on Feb. 24, 2022 — and ongoing operations since the initial push into eastern Ukraine — qualify as cyberwar because they involve state-sponsored actors, use tactics designed to support Russia's objectives, and focus on specific targets and motivations, says Tom Hegel, a senior threat researcher at threat intelligence firm SentinelOne, who will present the research at the conference. The threat actors aimed to support the overall war effort, in the case of Russia-linked actors, or the support for Ukraine's defense, in the case of Ukraine-linked actors, he says.
In their Wednesday, Aug. 10, presentation, "Real 'Cyber War': Espionage, DDoS, Leaks, and Wipers in the Russian Invasion of Ukraine," Hegel and colleague Juan Andres Guerrero-Saade plan to outline how attackers have used seven different families of malware and denial-of-service (DoS) attacks to attack everything from telecommunications infrastructure to oil and gas firms.
"We want to challenge the idea that cyberwar has not occurred, but also lay out a road map of what we have seen over the past few months in terms of actors and the types of activities," Hegel says. "The Russian threat actors, while there is not a clear line that they have crossed that makes it cyberwar, we have seen the initial wave of wipers, then community-focused hacktivism that took off, and finally a long tail of destructive attacks."
The presentation is the latest research attempting to define what constitutes cyberwar and cyber conflict.
The most formal definition comes from the second version of the Tallinn Manual on the International Law Applicable to Cyber Warfare, published in 2017, which defines cyberwar as "a cyberattack, in either an offensive or defensive cyber operation, that is reasonably expected to cause death to persons, damage, or cause destruction to objects." The manual, however, often uses the words cyberattack and cyberwar interchangeably and excludes cyber operations that could be supportive of war efforts, such as information operations and attacks on financial systems, neither of which aim to cause physical damage or death, two professors stated in a review of the manual in 2017.
In the current conflict, cyber operations have similarly supported the aims of either Russia or Ukraine rather than attempting to necessarily inflict physical damage or death.
"The connection to war is focused on destruction or disruption of infrastructure, or gaining an upper hand during an armed conflict, even if the coordination of the kinetic attacks with cyber operations is not there," Hegel says.
The playbook used by Russia in the early days of — and even prior to — the invasion of Ukraine included initial waves of damaging attacks focused on infrastructure, especially telecommunications systems. During Russia's buildup of forces on Ukraine's border, threat actors used a variety of attacks, such as WhisperGate and HermeticWiper, to target organizations in Ukraine with destructive wipers.
"In many conflicts, there is an aspect that has been modernized on the cyber side, but this is the first time that we have a really clear example of cyberwar," Hegel says.
The Rise of Influence Campaigns
While not traditionally considered a facet of cyberwar, the most enduring strategy of the current conflict may be information operations, he says. Russia has pursued a disinformation strategy to change worldwide opinions and gain support for its claims of Ukrainian territory, while Ukraine has pursued information operations to undermine Russian support for its invasion and bolster support for supplying the country with weapons.
"The disinformation side is a big piece of this war, but even more so, the weaponization of public information that is already out there," Hegel says. "A good example is the Amnesty International report, for example, and social media accounts supportive of Russia amplifying pieces of the message critical of Ukraine."
The researchers also had a message for corporate information-security teams. Companies should take note of the activities used by each side in a cyberwar, because the conflict can quickly impact participants who otherwise would be distant from the war. Organizations that take side or a stand in a conflict will often be targeted, but collateral damage is also a problem. The cyber-physical Stuxnet attack on Iran's nuclear processing capability, for example, spread to non-Iranian systems, although the payload did not affect those systems in the same way. Two even worse attacks, WannaCry and NotPetya, are both thought to have been cyber operations and both spread far beyond the original targeted group of organizations, causing billions in damages.
"A lot of what we have seen is not just government attacking government, but businesses in the middle being impacted," Hegel says. "It is not just because of their function being impacted, such as a telecommunications company's infrastructure, but also because their messaging made them a target. So even though you are not taking a step in a conflict, you will likely get pulled in, if your business operates in those regions at all."