More than eight months into the Russia-Ukraine war, Europe is sailing at full speed towards a dangerous iceberg that is now showing only its tip: the increasing concerns regarding energy supplies. A deeper dive into European affairs reveals a challenging crisis encompassing different dimensions that are as complex as they are interrelated.
While some of them were triggered by the ongoing Russia-Ukraine war, others were pre-existing, and the evolution of recent events has only served to amplify them. Such is the case for cyber warfare in the Eastern European context – a threat that reached a completely different level in 2022, teaching us valuable lessons about the battlefield of the future.
Lt. Gen. Maria Gervais, USA, deputy commanding general and chief of staff, US Army Training and Doctrine Command (TRADOC), a keynote speaker at AFCEA’s TechNet Augusta Conference that took place in Augusta, Georgia, back in August this year, emphasised in her speech that if one is interested in seeing how a modern battlefield is impacted by EW and cyber warfare, the events developing in Eastern Europe are a perfect example: “Everything that we are seeing in Ukraine has implications for a unified network, and almost certainly represents the type of threats we will see.” Bearing in mind that the invasion started by President Vladimir Putin on 24 February 2022 has been backed by a diverse arsenal of cyberattacks and an expanding information war throughout Eastern Europe, the War in Ukraine proved to be the first full-scale cyberwar. While we think that we are only witnessing it in real time, we are just starting to notice and understand its heaviest consequences.
Growing Cyber Problem
The Eastern European states are no strangers to the threats of cyber warfare, and they have already faced the effects of digital technologies’ dual potential as tools for societal advance and as weapons for international aggression. Leaving aside all that has been experienced so far, the current context, marked by the War in Ukraine, changes the traditional understanding of cyber security in Eastern Europe, the first line on the battleground, and beyond it. Ever since the first cyber-attack by one state against another, Russia’s 2007 cyber-attack on Estonia, the threat of a future battlefield that is no longer limited to the physical space has pushed for the development of competing defensive and offensive strategies adapted to the complex digital capabilities that are no longer a matter of the future. Nine years later, in 2016, NATO officially recognized cyberspace as a field of military operations alongside the more traditional domains of land, sea and air.
Google’s Threat Analysis Group (TAG) has been closely monitoring cybersecurity activity in Eastern Europe with regard to the war in Ukraine, and it has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. In line with several reports from both private and public sector institutions, TAG has underlined that threat actors increasingly target critical infrastructure entities including oil and gas, telecommunications, and manufacturing. According to the reports, government-backed actors from China, Iran, North Korea, and Russia, as well as various unattributed groups, have used various Ukraine war-related themes to get targets to open malicious emails or click malicious links. Financially motivated and criminal actors are also using current events as a means for targeting users.
The War in Ukraine is taking place both within the physical borders of Ukrainian land and in a completely different environment: the digital space, which is not confined to Ukraine or Eastern Europe. Today, the main drivers of modern international security are being redrafted, and old cards are thrown on the table backed by new rules and new strategies, in a complex game of intersecting variables that target the fundamental elements of our societies. As our governments are struggling to adapt and learn to ride the new tides, we need to understand the track of the new currents: the main changes, their reasons and the consequences of a cyber warfare that has been developing in Eastern Europe since long before the 24th of February.
New Generation Warfare
Nine years before the 2022 Russian invasion of Ukraine, back in February 2013, Russia’s Chief of the General Staff, General Valery Gerasimov, published an article in the weekly Russian trade paper Military-Industrial Courier. The short piece was drafted intentionally to provide a glimpse into the Russian perspective regarding the evolution of warfare. Under the title “The Value of Science is in the Foresight”, Gerasimov suggested that the “very ‘rules of war’ have changed,” and that in many cases, nonmilitary means have exceeded the power and force of weapons in their ability to effect change on the international stage. Arguing that new technologies have reduced gaps between traditional forces and their command and control, Gerasimov underlined the fact that “frontal engagements of large formations of forces at the strategic and operational level are gradually becoming a thing of the past.” Moreover, Gerasimov predicted that the future lay in “contactless actions” — cyber or other electronic means — being used as the main means of attaining military or intelligence goals.
The short article reflected in broad lines Russia’s thoughts on the evolving battlefield, adapted to the newest technological transformation, and proposed an evolved type of warfare, conducted in both physical and digital spaces, adopting a guerrilla approach on all fronts, with a wide spectrum of actors and tools used as conventional and asymmetric military tactics. The problem set identified by Gerasimov eventually crystallised into a set of ideas referred to as ‘New Generation Warfare’ in the Russian military community, or ‘Cross-Domain Coercion’ in the West. In part, this held that traditional military hard power interactions could be either less necessary or much more effective when supplemented by newer and subjectively more effective indirect interactions in the digital sphere. This provided a framework for non-military measures to become a vital part of warfare, as important as the use of force, and, in the Russian perspective, the lower-cost way to win. Gerasimov underlined that the objective is to achieve an environment of permanent unrest and conflict within an enemy state. Nothing related to Gerasimov’s article was random or without a specific strategic target. Even the date chosen for the publication proved to be a warning before Russia’s 2014 invasion of Ukraine, which was the result of both physical and digital tools, a technique practiced for longer than a decade in various forms and contexts such as Estonia in 2007 and Georgia in 2008.
Early Signs
Russia’s 2007 cyber attack on Estonia was initially targeted to prevent the relocation of a Soviet-era monument commemorating the Red Army’s “liberation” of Estonia. A few weeks after Estonia decided to relocate the Soviet-era statue from the centre of Tallinn to a military cemetery, unidentified hackers launched a series of distributed denial-of-service (DDoS) attacks. While for many Estonians the monument represented the Soviet Union’s decades-long subjugation of the country during the Cold War, for Russia it was a symbol of Soviet sacrifice in defeating the Nazis in World War II. The series of cyber attacks directed towards the Estonian government and information systems lasted for 22 days, and was backed by protests from Russian-speaking Estonians and intense disinformation campaigns. However, Russia’s first practical attempt at this practice did not include any military intervention.
Further on, the cyber-attacks targeting Georgia back in 2008 reflected a more complex plan: pre-formed botnets conducting a larger-scale DDoS attack, but now paired with an incursion of troops and tanks and a traditional military movement into South Ossetia.
In 2014, the first Russian invasion of Ukraine was perhaps the most complete example of ‘New Generation Warfare’ in practice: cyber-attacks conducted in parallel with military incursion and occupation. In the aftermath of the events, several international reports made a detailed assessment of Russia’s strategy, emphasising the main elements such as simultaneous attacks on media firms, an attack on the Central Election Commission’s website that triggered the announcement of an ultra-right-wing candidate as winner of the election, and a takeover of networks controlling local power grids. Chaos was achieved, and the Russian ‘New Generation Warfare’ passed its first major trial.
Eastern Europe’s Cyber Warfare Experience
The attacks that have targeted Eastern Europe reflect three different ways in which Russia plays its ‘cyber card’: as preparation for military conflict, as part of a ‘hybrid war’, or as an isolated threat signal and complement to diplomatic warnings. During the second invasion of Ukraine, in February 2022, the Russian attacks on critical infrastructure such as government websites, IT servers, banks, media outlets, and power plants provided the opportunity to further advance the military campaign.
The cyber attacks against Romania and Bulgaria reflect attempts at achieving lower-order effects, as small-scale cyber-attacks, combined with disinformation campaigns and civil actions, aim to create chaos and confusion among the population, making national coordination more difficult. Last, but not least, cyberattacks like the one that targeted Estonia back in 2007 are an example of the ‘cyber card’ used as a diplomatic warning. A recent example was the cyber attacks on Moldova, following the country’s submission of its request for EU membership candidate status in May 2022.
All three ways of using cyber attacks reflect the Kremlin’s interest in using current technology to disrupt societies and organisations. During wartime, Russia deploys cyberattacks with greater frequency, targeting critical infrastructure and conducting military action simultaneously. In the context of political or hybrid war situations, cyberattacks are backed by disinformation and civil actions and seek to substitute for military action by achieving some goals with lower risk. At other times, cyberattacks accompany diplomatic warnings to other countries and international organisations.
On April 27, 2022, Microsoft’s Digital Security Unit issued a report of all known Russian cyberattacks on Ukraine in the first months of the war. The report concluded that the Russian military intelligence service (GRU), foreign intelligence service (SVR), and federal security service (FSB) “have conducted destructive attacks, espionage operations, or both, while Russian military forces attack the country by land, air, and sea.” The objective, the company added, was “to disrupt or degrade Ukrainian government and military functions and undermine the public’s trust in those same institutions.” The same report emphasised the increase in the number of cyberattacks at the end of 2021 and the start of 2022, which could have represented a warning about the war that was about to start. The number of Russian cyberattacks against Ukraine identified by Microsoft rose from 15 in December (2021) to 125 in March (2022). According to Microsoft’s assessment, Russia began preparing for cyberattacks against Ukraine in March 2021, at around the same time as Russia began to deploy troops along their shared border. Therefore, the purpose of ‘preparatory’ cyberattacks was to collect military and foreign policy intelligence and gain access to critical infrastructure, such as energy and IT service providers.
Moreover, Microsoft concluded that “destructive attacks signal imminent invasion.” It noted that Russia unleashed the destructive WhisperGate wiper (which deletes the contents of hard drives and renders computers unbootable) on a limited number of Ukrainian “government and IT sector systems” when diplomatic talks between Russia, Ukraine, NATO, and EU nations failed on January 13, 2022. Russia followed with DDoS attacks on Ukrainian government websites. On the eve of war on February 23, 2022, Russia’s GRU threat group, ‘Iridium’, unleashed another destructive wiper, FoxBlade, on hundreds of Ukrainian military and government networks simultaneously. Microsoft also observed connections between specific military actions and cyberattacks. For instance, cyberattacks were geographically concentrated around Kyiv and in Donbas, and targeted Ukraine’s nuclear power supplier at around the same time that Russia occupied Ukraine’s largest nuclear power plant in Zaporizhzhia. During wartime, Microsoft concluded, cyberattacks are more frequent, more destructive, and coordinated with military action.
Lessons Learned and EU Progress
Although the EU has made long-term changes that will improve its cybersecurity, especially through its most recent Strategic Compass, there is still a long way to go in making the necessary short-term changes that will have the power to guard member states against potential Russian cyberattacks. Whatever change is to be made, it must be based on the lessons drawn from the 2022 invasion of Ukraine, as the most recent example of Russia’s ‘New Generation Warfare’. While the ongoing war can be regarded as the world’s first large-scale conflict featuring heavy use of cyber attacks, it will likely not be the last of its kind. Instead, the current times mark the beginning of a transformative change in the global understanding of traditional and modern warfare. From now on, it is hard to imagine future conflicts without taking into consideration the cyber component. Therefore, cyber security has become almost as important as a conventional military.
While emphasising the relevance of international cooperation for developing strong cyber capacities, we must also stress the importance of individual responsibility in the form of civil, national, and organisational strategies against cyber attacks. In this regard, access to verified information and the development of a high level of digital literacy should be highly prioritised by our governments. Moreover, the EU should continue updating and revising the Network and Information Security (NIS) Directive to further strengthen the security of supply chains, streamline incident reporting obligations, and introduce more stringent supervisory measures for many operators of essential services and enterprises across its political and economic space. Taking into consideration the obstacles faced so far, implementation of future strategies should aim toward commonality and harmonisation, instead of separate cybersecurity regulations. In addition to the struggle for unification of policies and rules, another goal for the EU should be discouraging and deterring cyber attacks by demonstrating the willingness to act and impose costs on perpetrators through coordinated attribution of cyber attacks at the EU level. Further on, obstacles to intelligence sharing faced by member states will continue to provide opportunities for future attacks, so a solution here is vital. Equally important is the creation of a convergent cooperation mechanism for military security alerts, a goal that was part of the 2014 EU Cyber Defence Policy Framework. Despite its urgency in the current context, the cooperation mechanism is still not complete.
As the states in Eastern Europe continue to represent a direct target and the first line in the digital battle, one of the main lessons that both the EU and the international community need to learn is that cyber operations should not be treated as an independent warfare tool. Instead, the current strategy should be adapted to fully integrate the cyber dimension into modern combat. In Eastern Europe, Ukraine has been regarded as the main cyber attack testing ground for Russia. At present there is little common agreement about Russia’s cyber potential, with opinions varying from one European country to the other, mostly based on their own experiences. For instance, Lithuania’s head of cybersecurity, Colonel Romualdas Petkevicius, believes that the Russian ability to wage coordinated cyber and kinetic war is still limited. In agreement with Colonel Petkevicius, General Didier Tisseyre, head of France’s cyber defense force, made a similar observation about a disconnect between computer attacks and Russia’s military offensive on the ground. Bearing in mind the multitude of actors that become involved in a cyber attack, any kind of analysis or assessment needs to be taken with a grain of salt. Still, the current Eastern European cyber warfare experience represents our chance to understand and adapt to modern cyber operations, adding an important dimension to our understanding of war.
Andreea Stoian Karadeli