The Russian military strategy is often described as a strategy of “active defense.” This means that their strategy includes both the preventative measures taken before a conflict breaks out and the tenets for conducting the war.
Russian military strategy is comprised of operational concepts that represent defensive and offensive constructs without clear distinction. Active defense devalues strategic ground offensives, privileging the aerospace domain, maneuver defense, and forms of noncontact warfare.
Center for Naval Analyses: Russian Military Strategy: Core Tenets and Operational Concepts
Cyber warfare plays a significant role in the military Russian doctrine. Over the past several years, Russia has shifted how it conceptualizes warfare to include non-military means in parallel with armed violence. This change is exemplified by how much more relevant information warfare is in the Russian doctrine. Information warfare includes both cyber and information operations and is integrated into how modern conflicts are conducted. The Russian approach to information warfare and those groups executing these types of operations are almost certainly driving current and future cyber policy and strategy in Russia.
This is why, whenever Russia is involved in a conflict, one could expect to see force being applied on the cyber domain as well, bringing global cybersecurity impacts. Indeed, Russia itself has significant offensive cybersecurity capabilities, including nation-state and criminal elements, which is why we have already seen significant cyberattacks against Ukraine. In the past few days, a Ukraine border control station has been struck by a data wiper cyberattack, slowing the process of allowing refugees to cross into Romania. These attacks thrust Ukraine into the past as they continue to struggle to process the necessary information for border passage using only pencil and paper.
Well-known Russian threat groups, such as Dragonfly, are able to persist undetected, collecting data for lengthy periods of time, from months to years. In the spring of 2021, massive ransomware attacks on Colonial Pipeline and the meat processor JBS were traced back to Russian cybercriminals, causing additional disruption and confusion amid the supply chain issues related to the COVID-19 pandemic. In December 2020, the National Security Agency issued a cybersecurity advisory that Russian state-sponsored malicious cyber actors were exploiting vulnerabilities in a system used broadly in the federal government. These types of attacks have been recorded for decades, and we should expect to see more attacks in the context of the Russian invasion of Ukraine as well.
Why is cyber an appealing tool for warfare?
The world is increasingly dependent on the Internet, much of it reliant on cloud services. We look to the Internet for news and services — banking, communicating, listening to music and podcasts, watching television, and the Internet of Things, which encompasses our lights, home security, garage door openers, watches, and so much more. Critical infrastructure is also vulnerable to cyberattacks, further increasing the impact that cyberattacks may have on a country or region. Regardless of whether it’s a denial-of-service attack, malware, a wiper virus, or something else, it’s possible to significantly disrupt a country and its inhabitants through cyber warfare.
Cyber also offers an appealing level of deniability — it’s much harder to determine definitively who carried out the attack while still exerting considerable power during a conflict. Even when researchers can attribute an event to a specific attacker, the attacker can easily deny it. It’s hard to make a direct attribution and doing so can take months or even years of effort. Even then, the attackers can claim it’s a false flag, and still deny responsibility for the activities.
Casus Belli: an event or action that justifies or allegedly justifies a war or conflict
Another reason cyber warfare appeals to nation states, such as Russia, is because they can be considered a non-lethal weapon, below the casus belli threshold. It may not be lethal, but it certainly causes harm. In addition, you can cause considerable disruption and distress through cyberattacks without being a particularly powerful adversary. Building a powerful cyber force doesn’t require the country to be a global superpower, which gives smaller countries an advantage they don’t have in traditional warfare. Unlike other weapons, which take considerably more time to order, receive, and deploy, the weapons in cyberwarfare can be applied all over the world at the speed of light... or however fast your internet connection may be.
Cyber warfare touches on the sensitive points of the Western democratic countries, creating deterrence. These countries anticipate attacks on their critical infrastructure, healthcare, media, and government agencies, impacting physical, financial, and data assets. Because cyberattacks impact not only government entities but also organizations, impacts can be broad and felt across these democratic countries, impacting individuals in many ways, and increasing reluctance for other countries to join the conflict.
Cyber attackers invested years in preparation
Armies and nations that use cyber as a weapon for war invested years in preparing these tools. Cyber teams spend considerable time finding zero-day vulnerabilities, getting access to networks, leaving backdoors behind, and checking them regularly to ensure that they still have the access they need when they are ready to apply force. You won’t know they are in your environment because they have silently been preparing the access needed. Then they can choose which one to activate and when, deleting or encrypting data, conducting a distributed denial of service attack, or carrying out another type of attack. When they need to apply force, they already have a set of options to pick from. There is a misperception that attacks are happening now, when in fact the attackers are just waiting for the right time to use their assets.
So why aren’t we seeing more attacks?
We’ve seen only part of the Russian cyber warfare capabilities so far. There is probably a list of targets ready to be deployed, with potential impacts ranging from light to heavy. When using the tools in your cyber arsenal, you need to consider whether this is the right time or if you want to keep a tool for later. While using the tools provides value, it also poses risks. For example, you may lose capabilities: once applied, these tools cannot be used again easily; there is potential for collateral damage; or you may lose access to an asset for intelligence purposes.
We are also not aware of every attack that has already occurred. Part of the game may be to hide the attacks fully or partially, or even to confirm the attack to change the impact. Sometimes, making an attack public is an amplification of the attack.
While both sides have almost certainly been preparing with cyber tools for attack, they have also probably been working on defensive measures, possibly with the help of other nations or private companies. Some of the capabilities prepared may also not be possible to deploy easily.
Another reason the Russian cyber campaign is limited now is that the conflict has shifted to a new, kinetic phase. To paraphrase Ecclesiastes, there is a time to use bombs and a time to use cyber. Cyber is highly effective in a conflict before active warfare occurs. While preparing for the invasion, it makes sense that most of the force applied is on the cyber domain. When bombs, tanks, and airplanes can be used, cyber takes second place.
What can cybersecurity defenders do now?
Deploying new defensive cybersecurity capabilities now will probably not protect organizations fully or quickly. There is only so much you can do to prevent a cyberattack related to the Russian attack on Ukraine in the immediate future, because the cyber warfare has already been underway for months or years. Therefore, companies should be ready to increase their ability to detect, patch, and remediate against an increase in zero-day vulnerabilities. Increasing this capability isn’t going to happen overnight, and it won’t be easy. Many companies are still handling patching from Log4Shell, the critical zero-day vulnerability disclosed in December 2021. Attackers need just one way in, and they may already be there, so defenders should try to make infiltration as difficult as possible.
You should also focus on response. Keys steps to take include:
- Proactively look for new indicators of compromise (IOCs) and run them against your environment to see if you are under attack
- Stay on top of threat intelligence in the region
- Run drills and exercises, and include cloud and hybrid environments
- Make sure you have the right partnerships in place with Cybersecurity & Infrastructure Security Agency (CISA) or the Federal Bureau of Investigation (FBI)
- Have data recovery and incident response plans in place
These activities will help you increase your resilience, but it’s important not to do your drills and exercises once and move on. You need to keep doing them to ensure that your plans meet your requirements as they change. Cyber warfare has a global impact, highlighting the importance of focusing on cyber resilience. Make sure that your organization is ready, prepared to recover rapidly, and resilient if you get caught up in a wave of cyberattacks.