Ukraine: Beyond Kinetics

Emma Raffray

Ukraine: Harm from cyberattacks and operations during an armed conflict

28 February
Computer Weekly
03 March
Deutsche Welle
09 March
The Guardian
20 March
Financial Times
 Ukraine cyber attacks seen spiking, but no destructive cyber war yetUkraine: Cyberwar creates chaos, ‘it won’t win the war’Catastrophic’ cyberwar between Ukraine and Russia hasn’t happened (yet), experts sayThe cyber warfare predicted in Ukraine may be yet to come

Russia has previously demonstrated its cyber capabilities by relentlessly attacking Ukraine’s critical infrastructure and information space through campaigns spanning several years. With this in mind cyber and legal experts predicted a more destructive and visible cyber offensive further to the military invasion by Russia in February. Through strategic reasoning and prediction these same experts have spent the past few weeks trying to explain why we have not yet seen more severe cyberattacks in Ukraine and why they believe these attacks are yet to come

These debates are important as they test the existing assumptions about the potential impact of cyber operations during an armed conflict and remind the world that in hostilities waged brutally by conventional weapons, the resort to subterfuge, and cyber operations with relatively limited impact, is not necessary.

The truth about harm lies in the data

The framing of harm from cyberattacks and operations during an armed conflict has focused on the expectation of death and destruction and significant material harm to infrastructure whilst paying little attention to physical and psychological harm to people. To fully understand societal and individual harm stemming from cyber operations, we need to focus on attacks beyond those that would deliver a decisive strategic blow in a conflict or cause headline-grabbing destruction. Behind the headline news, there is another story to be told. One in which cyberattacks are increasing, significantly, in Ukraine and have been for some time. The Record, reporting on statistics from Ukraine’s information security service, states that in “December, Ukraine registered 135 attacks. In January it was 262. The total number of cyberattacks in 2022 has increased sevenfold compared to the same period the previous year.”

Identifying and documenting cyberattacks is crucial. Whether they make the headlines or not, cyberattacks on the civilian population, and on infrastructure essential for its survival, cause differing degrees of harm, from undermining trust in institutions, disrupting core civilian and humanitarian services, spreading disinformation and preventing or impeding communication. 

In this blog the CyberPeace Institute aims to leverage the data collected on cyberattacks in Ukraine to raise awareness of the direct and indirect effects cyberattacks have on Ukrainian individuals, organizations and communities including their physical, psychological and social well being. 

The many faces of harm and the three Ds

Cyberattacks against Ukrainian civilian objects are numerous and varied, from wiper malware attacks to SMS spam campaigns, distributed denial of service (DDoS) attacks to website defacements. Many of the sectors targeted or impacted by these attacks fall into the category of infrastructure essential to the survival of the civilian population. Although we might not have, today, a full picture of the impact and harm of these attacks, older incidents can help shed light on how these cyberattacks lead to the destruction of systems, the disruption of services and the spread of disinformation ultimately impacting Ukraine’s civilian population.


15 February
SMS Spam Campaign Civilians

15-16 February
DDoS Attacks
Financial & Public Sectors

23-24 February
Wiper Malware Attacks
Financial, Private & Public Sector

24 February
Wiper Attack on
Satellite ISP
Communication Sector
“Some users of Privatbank received a message alerting them that the bank’s ATM machines were not working. Privatbank didn’t send those SMS messages.”
The Record

“Customers at Ukraine’s largest state-owned bank, Privatbank, and the state-owned Sberbank reported problems with online payments and the banks’ apps.”
PBS NewsHour

“We remain especially concerned about recent cyberattacks on Ukrainian civilian digital targets, including the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises.” 
Microsoft

“…satellite modems belonging to tens of thousands of customers in Europe were knocked offline…” Reuters
“a partial network outage—impacting internet service for fixed broadband customers in Ukraine and elsewhere on our European KA-SAT network.” The Stack
DisinformationDisruptDestroyDisrupt

Destruction

Destroying and encrypting data and systems

In 2022 six wiper malware attack campaigns have been documented as deployed against Ukrainian organizations with some in development for months before their release. Wipers are specific types of malware which aim to corrupt or destroy data on the systems they infect.

13 January
Whispergate
Private, NonProfit & Public Sectors
23 February
HermeticWiper
Financial, Private & Public Sectors
24 February
IsaacWiper
Public Sector
24 February
AcidRain
Communication Sector
14 March
CaddyWiper
Unknown Sector
17 March
DoubleZero
Unknown Sector
“ a destructive malware operation targeting multiple organizations in Ukraine” MicrosoftA number of organizations in Ukraine have been hit […] and impacted hundreds of computers on their networks.” ESET “evidence of wiper attacks against machines in Lithuania. BroadcomA second attack that affected a different Ukrainian organizationESET“while most users were unaffected by the incident, the cyber-attack did impact several thousand customers located in Ukraine and tens of thousands of other fixed broadband customers across Europe.”
Viasat
“[…] was spotted on several dozen systems in a limited number of organizations.ESET“Cyberattack on Ukrainian companies using the DoubleZero destructive malware” 
CERT-UA

What is evident when reading through the various publicly available reports relating to these attacks, is that there is a significant omission of details other than technical ones. Not only do we not know the actual number of organizations targeted / impacted by these attacks but even less the extent of destruction and impact that these attacks have had on the organizations infected and affected.

Throwback to destructive attack (2017)

An attack with the NotPetya wiper malware targeted public and private sector entities in Ukraine. The attack was highly disruptive in nature as it disabled computers by wiping hard drives and spread independently to companies that used a popular tax-filing software. The attack spread globally. 

Impact and Harm: The malware impacted around 49,000 systems across 65 countries and led to estimated global economic losses exceeding USD 10 billion. Ukrainian entities suffered significant economic losses as data was irreversibly encrypted as the malware infiltrated networks including systems of the National Bank of Ukraine, Kyiv Boryspil International Airport and the capi­tal’s metro. The radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline.

Disruption

Destructive cyberattacks may lead to the permanent destruction of data and systems but disruptive attacks have proven to have a particularly negative impact on the ability of targeted organizations to maintain critical services thus impacting the civilian population’s access to these. 

Obstructing access to telecommunications and internet services

Two significant attacks on the communications sector in 2022 have had a direct impact on the civilian population’s access to internet services in Ukraine as the armed conflict escalated. 

On 24th February, the day of Russia’s full scale invasion of Ukraine, a cyberattack disabled modems that communicate with Viasat Inc’s KA-SAT satellite network. On 31st March this attack was documented as a wiper attack using the AcidRain malware.  The impact was felt well beyond Ukraine as internet access went offline for some users for more than 2 weeks, nearly 9,000 subscribers of a satellite internet service provider were deprived of the internet in France, around a third of 40,000 subscribers of another satellite internet service provider in Europe (Germany, France, Hungary, Greece, Italy, Poland) were affected and a major German energy company lost remote monitoring access to over 5,800 wind turbines.

On 9th March Triolan, a Ukrainian telecommunications company, was targeted by a cyberattack that brought its network down across several regions in Ukraine for 12 hours.

Cyberattacks on telecommunications and internet service providers have a direct impact on civilians. Targeting these services on the day of the invasion and in the weeks that followed doesn’t only have an impact on military objects but also on civilian ones who depend on their services in order to contact loved ones, seek medical support, access online services, coordinate rescue efforts and much more. Targeting telecommunications networks adds to the confusion and fog of war and the impact for civilians is accentuated during hostilities.

Limiting access to money

DDoS attacks against financial institutions in Ukraine have been reported since before the invasion. Bank customers reported problems with online payments, banking apps and, in very limited cases, accessing ATMs, whilst one of the attacks was combined with fraudulent SMS messages sent to Ukrainian phones in an attempt to create panic. Limiting the civilian population’s access to money immediately during the invasion is particularly distressing as individuals seek to retrieve their financial assets in order to buy provisions, make logistical arrangements and seek to protect themselves and their communities from harm. 

Interrupting access to news

DDoS attacks on the Kyiv Post from the day of the invasion incapacitated their systems and they had to use alternative means to publish the news, including by posting shortened stories on Facebook, Twitter, and LinkedIn. This created logistical problems for personnel as systems weren’t functioning and it made it more difficult to communicate amongst employees. 

Access to news and information during an armed conflict is a vital public interest in that it is a means to broadcast official information from national or local authorities. News from media outlets can also help to inform the decision making of the population about the risks to safety, to flee or remain in an area, access to humanitarian aid, etc. 

Denying access to electricity, heating and water

Throwback (2015)

A cyberattack compromised systems of three energy distribution companies in Western Ukraine. Prior to the outage, the threat actors launched a telephone denial-of-service attack against customer call centers.

Impact and Harm: The attack impacted 16 substations, leaving them unresponsive to any remote commands from operators and led to power outages for approximately 230,000 consumers for 1-6 hours. Customer call center telephone lines were also taken down preventing customers from calling in to report the outage and seek information. The attack was viewed as an attempt to weaken the trust in Ukrainian power companies and / or the government.

Throwback (2016) 

A cyberattack hit a substation in Kyiv impacting the capital and its surrounding area. Researchers describe the malware used in this attack as only the second-ever known case of malicious code purpose-built to disrupt physical systems and that the malware could automate mass power outages and included swappable, plug-in components that allowed it to be adaptable to different electric utilities and could be launched simultaneously across multiple targets.Impact and Harm: the power cut resulting from the attack amounted to a loss of about one-fifth of Kyiv’s power consumption at that time of night and the blackout lasted just over an hour. Reports indicate the potential impact could have ranged from turning off power distribution, cascading failures and more serious damage to equipment.

Disinformation

Undermining trust in institutions through information manipulation

Ukraine has long been subject to disinformation campaigns spread by the Russian Federation . These attacks have played a role in trying to undermine trust and confidence in state institutions and trying to control the information space based on geopolitical objectives.

Cyberattacks with a focus on the spreading of disinformation have also found their way into the armed conflict. From SMS spam campaigns spreading false information about technical malfunctions of ATMs, to cyberattacks on TV stations in which information is falsely displayed on the news ticker or deepfake videos are streamed, through to threat actors compromising email accounts in order to gain access to the social media accounts of high-profile Ukrainians in order to post disinformation. As referenced in the IRRC, “disinformation in armed conflict may pose several distinctive forms of harm to civilians: exposure to retaliatory violence, distortion of information vital to securing human needs, and severe mental suffering.” Thus access to accurate, timely and reliable information is a civilian necessity during periods of armed conflict and measures are required in order to prevent the spread of, or counter, disinformation.

Throwback (2014)

A wave of cyberattacks to disrupt and manipulate the 2014 Ukrainian Presidential Elections, in which one arm of the three-pronged attack (Malware, Wiper Malware and DDoS), aimed to fake results and portray the far-right candidate as the winner. While the attack failed, Channel 1 Russia displayed these results. 

Impact and Harm: The attack attempted to spread false information and led to delays in the final election tally. It was reported to be an attempt to discredit the election system in the eyes of the public. 

Harm as a means to reaching accountability

Cyberattacks will continue to be used by states and non-state actors during the armed conflict in Ukraine to destroy data and systems, disrupt critical infrastructure and services and control the information space. The three dimensions of cyber harm – destruction, disruption, disinformation – require two things:

  1. a strong and coordinated defense to protect critical civilian objects,
  2. a solid accountability process that takes into account the harm inflicted on people.

Failing to do so will inevitably lead to physical and psychological harm to individuals and impede individuals’ rights to redress following a cyberattack. 

The CyberPeace Institute calls upon all actors to spare civilians and other protected persons, civilian objects and infrastructure which are ensuring the delivery of essential services in line with international humanitarian law. This is an obligation of all parties to the armed conflict. Respecting this law is important to save lives and reduce suffering.

Although we may not today have seen the high-impact destructive and disruptive attacks previously seen in Ukraine we ask ourselves how the attacks documented to date are not harmful to people? The civilian population is subject to attacks on all fronts as a result of a combination of kinetic and cyber attacks – a physical risk to life, the blocking of humanitarian aid from reaching a population and then the disabling or disruption of systems that people increasingly depend on through cyber means. We ought to ask ourselves if cyberattacks have perhaps, both contributed and caused in part, the fear and displacement of 10m+ people in a single month?


This blog was researched and written by Emma Raffray (Senior Cyber Data Analyst), with the support of the Analysis Team of the CyberPeace Institute.

© Copyright 2023: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.

Donation

Support the CyberPeace Institute

Individual lives can be changed dramatically by the acts of cyber criminals. We need your support to assist victims of cyberattacks in the NGO, humanitarian and healthcare sectors.

Newsletter

Subscribe to our newsletter

Receive monthly news on what’s happening at the Institute: our impact, publications, events and important milestones.