Much attention has been lavished on Russia’s strategic cyberwarfare waged against Ukraine’s critical national infrastructure. Russia’s use of cyberwarfare at tactical and operational levels, particularly in the land domain, receives less coverage, but has important implications for NATO and its Allies.
London’s Royal United Services Institute (RUSI) think tank recently published a paper by Daniel Black, manager of cyber espionage analysis at Google Cloud’s Mandiant cybersecurity subsidiary, entitled ‘Russia’s Cyber Campaign Shifts to Ukraine’s Frontlines’. The paper casts much-needed light on the operational and tactical aspects of the Russian military’s cyberwarfare battle against its Ukrainian opponents.
Russia’s initial invasion of Ukraine in February 2014 generated some analysis of Russian tactical/operational cyberwarfare. The use of X-Agent malware was uncovered by the CrowdStrike cybersecurity company in 2018. X-Agent was deployed by Fancy Bear, a cyber espionage group also known as Pawn Storm, Sofacy Group, Sednit, Tsar Team, and Strontium, close to Russia’s GRU military intelligence service. The malware infected the Correction D-30 battle management software providing fire control information for Ukrainian Army PJSC 2A18/D-30 122 mm howitzers. Correction D-30 was designed for use on smartphones and tablets using the Android operating system. X-Agent was believed to be transmitted by Russian Army RB-314V Leer-3 Electronic Warfare (EW) systems. Leer-3 is deployed with army EW brigades at the operational level. X-Agent will have overcome cybersecurity protocols protecting these devices; it is possible that the malware had several tasks. For example, it may have ascertained a device’s location, providing useful fire control coordinates for Russian counterbattery fire. The malware may have also been able to implant misleading or incorrect data into Correction D-30. Corrupting data could have potentially devastating consequences regarding Ukrainian call-for-fires if data were modified to target friendly troops.
As well as using malware to disrupt tactical/operational command and control (C2), Russian cyberwarriors appear to be using cyber effects to aid communications intelligence (COMINT) collection. Cyberwarfare is also increasingly supporting the Russian armed forces’ reconnaissance-strike complex. Russia’s practice of tactical/operational cyberwarfare has implications for NATO and its Allies as they embrace the multi-domain operations (MDO) philosophy.
As they were during the Donbas War, Ukrainian tactical/operational digitised battle management systems appear to be in the crosshairs of Russian cyberwarriors. In his report published by RUSI, Daniel Black wrote that “(m)ounting evidence, stretching back to the months preceding Ukraine’s counteroffensive in 2023, indicates that multiple Russian cyber units have shifted their sights away from strategic civilian targets toward soldiers’ computers and mobiles … to enable tactical military objectives on Ukraine’s frontlines.” He posits that the GRU and Russia’s FSB foreign intelligence service, long rivals, may have now coalesced their tactical/operational cyberwarfare approaches. This is not to say that Russian cyberattacks have moved away from Ukrainian strategic targets as critical national infrastructure remains a major Russian cyberattack priority. Nonetheless, “Moscow has rebalanced its overarching concept-of-operations to emphasise targets that can provide more direct and tangible battlefield advantages to its conventional forces.”
COMINT
Hacking into a Ukrainian soldier’s tablet or smartphone can yield useful intelligence. Despite the more attritional nature of the war following Ukraine’s 2023 summer offensive, data and technology remain central to the conflict. A July 2023 article by The Economist’s defence editor Shashank Joshi entitled ‘The war in Ukraine shows how technology is changing the battlefield’ underscored how homegrown Ukrainian digital technology is shaping the battlefield. Joshi discussed the Kropyva software application used by Ukrainian unmanned aerial vehicle (UAV) pilots to mark the position of Russian targets. Kropyva lets target coordinates and imagery be shared rapidly with Ukrainian artillery in the locale.
One of the most famous homegrown Ukrainian software applications, Delta, federates an eye-watering array of different intelligence feeds. As Joshi notes, these feeds can include imagery collected by UAVs or intelligence gleaned from Russian social media sites. These feeds are merged with commercially-available satellite imagery and/or signals intelligence (SIGINT). Merging a host of disparate feeds into one location deepens situational awareness while reducing information overload. The user does not need to waste time individually consulting disparate intelligence sources. Instead, all the information is in one place.
Tactics and targets
In his report on Russia’s cyber campaign in Ukraine, Black highlighted several tactics used by Russian cyberwarriors to deliver their attacks. One tactic involves building a rapport with the target via encrypted messaging applications (EMAs) such as Signal or Telegram. Chats help to build a relationship with the Ukrainian EMA user before the cyberattack is delivered. EMAs often link one, or several, specific devices to the messaging service. The service is then used as the gateway to gain access to these devices. Black says that analysis performed by Microsoft notes that files have been stolen from desktop computers using the Signal for Desktop software application. By hacking into this incarnation of the software, Centre 16 (the FSB’s main SIGINT unit) has accessed “the target’s private Signal conversations and attachments”.
Another approach is to exploit Ukrainian devices captured on the battlefield not only for intelligence, but also to devise methods by which similar devices can be hacked. Black and his colleagues wrote an interesting analysis of this tactic entitled ‘Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm’. Published in April 2024, the analysis discusses the activities of the GRU’s Main Centre for Special Technologies. Like Fancy Bear, the Main Centre for Special Technologies has other monikers, notably APT44 and Sandworm. This report says that the Main Centre provides infrastructure and technical guidance assistance to Russian troops when they capture Ukrainian digital devices. The Main Centre will assist the exploitation of Telegram and Signal traffic on these devices.
In one incident, the Main Centre was reportedly responsible for deploying the Infamous Chisel malware into Ukrainian military communications networks; the targeted devices were connected to SpaceX Starlink Satellite Communications (SATCOM) terminals, some of which were hit by a Russian cyberattack shortly after Moscow’s full-scale invasion in February 2022. These terminals began to arrive in Ukraine from 28 February and were used to support military and civilian communications. Starlink cyberattacks have been mitigated through the rapid deployment of software updates for the terminals. Black argues that Moscow is not only performing cyberwarfare against Ukrainian tactical/operational software applications to cause disruption; in some cases, the Russian military has been keen to develop exact replicas of these applications for their own use.
While Black’s analysis has focused on the efforts of Russian cyberwarriors vis-à-vis Ukrainian tactical/operational software applications, such applications have not been the Russian cyberwarriors’ sole focus. Operational intelligence has been gathered by attacking Ukrainian civilian devices. In some cases, webcams have been compromised by Russian cyberwarriors. Perhaps these webcams unwittingly show nearby potential targets outside a window, such as a surface-to-air missile? By determining the location of the webcam, the target’s location can be similarly ascertained, providing useful targeting information.
The reconnaissance-strike complex
Russian military doctrine places a high premium on what is termed the reconnaissance-strike complex, which is analogous to the US military’s kill chain, or kill web. In essence, mechanisms are used to initially detect, identify and locate targets. These mechanisms can include visual, imagery, human or signals intelligence collected by reconnaissance assets. Targets are then tasked for attack by land manoeuvre units, artillery, close air support/battlefield interdiction and/or electronic warfare. Battle damage assessment determines the effects of these attacks and whether the target needs to be struck again. Russian tactical/operational cyber efforts add another dimension to the reconnaissance-strike complex.
Directing cyber efforts towards the tactical/operational battle means that targets can also be detected, identified and located through this vector. Incorporating cyberwarfare into the reconnaissance-strike complex marks a departure from standard Russian land forces doctrine. A source familiar with Russia’s psychological and tactical/operational cyberwarfare disclosed that cyber effects, like Russian EW, are a component of Russian information warfare doctrine. Under that doctrine, cyber effects are intended to negatively shape the morale of the opposing force rather than to aid targeting. The doctrinal pivot towards using cyber effects to aid the reconnaissance-strike complex seems to have begun about one year after Russia’s full-scale invasion in 2022. The source said that the pivot may have occurred as a response to Ukraine’s summer offensive launched on 4 June 2023.
There are limitations to the tactical/operational use of cyberwarfare. Tactical battles move quickly. Hacking a Ukrainian soldier’s smartphone may reveal their whereabouts at that moment, but such information is perishable. By the time the phone is hacked and yields its secrets, the soldier may have already moved to another location. The tactical intelligence on that phone, such as the soldier’s objective at that moment, may have changed an hour later. Time lags are slightly longer at the operational level, but they exist. Unless Russian sensor-to-shooter times are as short as possible, there is the danger that intelligence collected by hacking may expire before exploitation. Russian sensor-to-shooter times can be quite variable depending on the distances, target, and the weaponry involved. For optimal effectiveness, they would need to be in the order of minutes if they are to be meaningfully supported by cyber efforts. Analysis performed by RUSI associate fellow Sam Cranny-Evans says that Russian targeting cycles can be as short as three minutes, but also sometimes as long as 30 minutes.
Daniel Black surmised that the growing importance of cyber operations in the reconnaissance-strike complex may have resulted in the deployment of Russian cyberwarfare experts to the front. Cyber effects themselves can move at the speed of light, yet these deployments should still shorten the time needed to bring them to bear in support of the tactical/operational battle: having cyber operatives some distance from the battlefield in St Petersburg or Moscow invariably slows down reaction times and hence battle rhythm. Embedding cyberwarriors in-theatre will improve synergies with other effects and with other Russian forces more broadly. However, deploying cyberwarriors in-theatre also creates vulnerabilities. Like all personnel, Russian cyberwarriors will face the same dangers of death, injury and capture. Lost Russian cyber operatives, and their acumen, may not be easy to replace. The chances of such personnel defecting to Ukrainian lines and potentially giving up their secrets also cannot be discounted. The source added that Russian cyberwarriors may have been deployed piecemeal to the front, having lesser immediate force weight than a larger deployment might have. Russian cyberwarfare efforts face a vexing challenge like that faced by EW cadres, the source continued. In electronic warfare, there is always an antagonism between those who want to exploit a target for intelligence and those who want to jam it. The latter invariably prevents the former. “Access is everything in cyberwarfare. Access is opportunity,” said the source. “If you implant a destructive capability like malware into a device or network, you might risk losing valuable intelligence, and also access if revamped cybersecurity protocols prevent access in the future.”
Implications
In his report, Black pointed out that data-dependent devices on the battlefield, be those smartphones, tablets or laptops, not to mention data-driven systems used by materiel, “have become a critical centre of gravity in Russia’s cyber campaign in Ukraine”. By implication, this means that similar devices in NATO hands during any future confrontation with Russia would have similar importance to Russian cyberwarriors. Allied militaries have an ever-growing demand for data to support C2 and situational awareness. A report by Deloitte published in September 2023 entitled ‘From open source to everything as a source: How militaries can use and protect themselves from information everywhere’ put matters into perspective. The report states that a US Air Force UAV can generate 70 TB (70,000 GB) of raw data every 14 hours. This quantity is seven times larger than the entire annual data output from the Hubble Space Telescope. As a comparison, the average internet user generates 146.8 gigabits (18.35 GB) of data daily, according to Edge Delta, a Seattle-based software company. Deloitte says that the entire US military currently only processes around 2% of the aggregate data it collects.
The United States Department of Defense (DOD), and the wider US military, is embracing the MDO mindset. Multi-domain operations emphasise the intra- and inter-force connectivity of all military assets (personnel, platforms, weapons, sensors, networks and capabilities) to facilitate synchronous operations at all levels of war. Such levels of interconnectivity should help militaries make better quality and quicker decisions than their adversary. Better quality decision-making prioritises the timely collection, interpretation and efficient dissemination of data. The goal of MDO is to ensure the blue force is continually moving around the OODA (Observe, Orient, Decide and Act) loop faster than their foe. The red force is thus forced to be continually reactive rather than proactive. Ukraine has shown that Russian forces have correctly identified data as a Clausewitzian centre of gravity. Using cyberwarfare together with kinetic means and EW to disrupt or deny the movement of data impairs the conduct of MDO.
What Russia’s actions in Ukraine, and the US and Allied embrace of MDO, illustrate is that militaries may already be embarked on a data-driven arms race. As one side relies increasingly on the rapid flow of relevant data around the battlefield, so the other side will seek to disrupt this, and vice versa. Both sides will also be doing their utmost to secure their own data and the networks that carry them. The advent of artificial intelligence (AI) use by the military, and AI’s machine learning (ML) subdiscipline, will only heighten this competition. AI and ML techniques will help sort the torrents of data, drawn from a host of assets and sources, on which militaries will rely. These sources will include the civilian domain, as Russia’s exploitation of Ukrainian civilian devices has shown. At the same time, AI and ML techniques may rapidly identify tactical/operational cyber vulnerabilities. Once vulnerabilities are identified, AI and ML may help draft malicious code.
NATO and the DOD are not sitting idly by as the danger increases; the Alliance’s Joint Advanced Technologies Centre for Cyber Defence is tackling such threats and the DOD is manifesting the MDO approach through its Joint All-Domain Command and Control (JADC2) architecture. JADC2 federates disparate tactical, operational and strategic DOD and US armed services communications networks. The architecture also introduces capabilities such as cloud computing. So-called Combat Clouds will serve as the clearing houses for the myriad of data networked military assets will collect. Combat Clouds will disseminate these data across secure and redundant communications links to those who need it. JADC2 is being implemented by the DOD through several Lines of Effort (LOEs); cybersecurity is a key element of LOE-1, which establishes data standardisation protocols, while LOE-3 ensures that the network’s layers needed to move data have required resilience and redundancy. Ultimately, every digital device deployed tactically and operationally on the battlefield is likely to become both an asset and a potential vulnerability. NATO and its Allies must learn the tactical and operational cyberwarfare lessons from Ukraine as they look to enhance their own digital survivability on tomorrow’s battlefields.
Thomas Withington