Behind the veil: Information warfare in Ukraine paves a shadowy path to war

by Olivia Savage & Anika Torruella

Ukraine experiences major information warfare campaign in February. (MoD Crown Copyright 2015)

Tensions have been rising in eastern Europe since late 2021 when Russia started amassing troops on the border of Ukraine, a former member of the Soviet Union. Michael Carpenter, the US ambassador to the Organization for Security Co-operation in Europe, detailed on 18 February that 169,000–190,000 Russian personnel had moved to the border, up from previous estimates of 150,000 Russian personnel.

On 21 February Russian President Vladimir Putin recognised the so-called Donetsk and Luhansk People's Republics in the Donbas region as independent states and directed the Russian defence ministry to deploy troops in the regions to carry out supposed “peacekeeping” functions. Putin announced a military invasion of Ukraine on 24 February, although the first explosions were heard outside the capital, Kyiv, early 23 February.

In the days leading up to the invasion, Ukraine has experienced a series of critical cyber attacks on its national infrastructure and has been the target of a disinformation campaign. Such tactics are commonly described as ‘hybrid warfare' – where non-traditional force multipliers such as cyber and social media intelligence attacks are employed – and use network infiltration, denial of information, denial of internet services, and other advanced persistent threats (APTs) to achieve strategic political and military effects.

Warfare in the cyber domain

According to the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), cyber aggression in the form of distributed-denial-of-service (DDoS) attacks have been ongoing since 15 February, but intensified on 23 February.

Cyber attacks on Ukraine's infrastructure have been prevalent recently, so much so that on 14 February, NATO Secretary General Jens Stoltenberg stated that the alliance would sign an agreement with Ukraine to help improve cyber co-operation between the two entities, and allow the country to access NATO's malware information sharing platform.

On 15 February Ukraine experienced the largest DDoS attack in its history, where multiple devices attempted to overload and disrupt its systems. The attacks targeted government websites including the Ministry of Defence, armed forces, and the financial sector, rendering them temporarily inoperable.

A joint briefing of leading Ukrainian ministers and representatives commented on the attacks. The country's First Vice Prime Minister and Minister of Digital Transformation, Mykhailo Fedorov, said that the attacks would have cost millions of dollars and was intended to sow panic among Ukrainians. Natalia Tkachuk, head of the Information Security and Cyber Security Service of the National Security and Defence Council of Ukraine, stressed at the joint briefing that there was a significant change in the purpose and mechanisms of the most recent cyber attacks since there was a clear pivot away from obtaining intelligence information and personal data, to attempting to destabilise, discredit, and manipulate the country.

Tkachuk attributed the attacks to the so-called ‘aggressor country', noting that the cyber attacks had become a tool of the special information operations country. In conjunction with this, Head of the Cybersecurity Department of the Security Service (SBU) of Ukraine, Ilya Vityuk, added at the briefing that they were investigating suspects, and had detected traces of foreign intelligence services activity. They have determined, based on this and current realities, that Russia is the likely culprit. The UK's National Cyber Security Centre (NCSC) similarly determined, based on technical information from the DDoS attacks on 15 and 16 February, that the Russian Main Intelligence Directorate (GRU) was behind the attacks on the financial sector.

Victor Zhora, deputy head of the State Service for Special Communication and Information Protection (SSSCIP) of Ukraine, explained that the extent of the disruption was limited, as they were able to reduce the level of malicious traffic on its servers by restricting access control lists and configuring policies to combat DDoS-type attacks. Ukraine was able to avoid serious damage, with little losses and interruption, Deputy Secretary of the National Security and Defense Council of Ukraine, Serhiy Demedyuk, added.

The Computer Emergency Response Team of Ukraine (CERT-UA) – a team that handles cyber attacks in Ukraine – issued a warning on 21 February about possible attacks on more web browsers. This was followed by an announcement on 23 February by the SSSCIP that the country was experiencing another wave of DDoS attacks, targeting the websites of the Cabinet of Ministers of Ukraine, the Verkhovna Rada, the Ministry of Foreign Affairs, the Security Service of Ukraine, and other authorities. At the same time, the SSSCIP stated that “phishing attacks on public authorities and critical infrastructure, the spread of malicious software, as well as attempts to penetrate private and public sector networks and further destructive actions have intensified”.

Slovak Republic-based ESET and California-based Broadcom's Symantec cyber-security companies noted a new type of malware that wipes data, was used against Ukraine in the 23 February attacks. The malware was novel because it attacks the master boot record (MBR) of computers. Additionally, the malware may also have been active in Latvia and Lithuania, which could indicate intentional or unintentional regional spread. Pierluigi Paganini, a cyber-security expert, researcher, and instructor with the Infosec Institute, noted that the executable compilation timestamp of one of the samples was “2021-12-28”, “suggesting that the cyber attack might have been in preparation for almost two months”. ESET also stated that “temporal evidence points to potentially related malicious activity beginning as early as November 2021”. According to ESET, it was tracking the disk-wiping malware (Trojan.Killdisk) as ‘HermeticaWiper' in its analysis and noted it was targeted against “financial, defence, aviation, and IT services sectors”. HermeticaWiper appears as an executable file, which is signed by a certificate issued to Hermetica Digital Ltd. “The wiper abuses legitimate drivers from the EaseUS Partition Master software for corrupt data,” ESET stated on its blog.

The Ukrainian SSSCIP attributed the 23 February attacks to the Russian Secret Service, based on the use of specific bot networks. Critically, the DDoS attacks on 23 February occurred some 12 hours before Putin ordered a full-scale invasion of Ukraine. This evokes similarities with Russia's incursion of South Ossetia in Georgia, which US Army Colonel Bob Killebrew (retd) noted in his report ‘Russia-Georgia: Early Take' in Small Wars Journal , that Russian cyber attacks were used prior to and in sync with conventional attacks on the country. Similarly, while Russia commenced its invasion of Crimea in 2014, a major cyber offensive targeting Ukrainian officials and news agencies occurred. Given the timing of these attacks, it is likely that the attacks were co-ordinated by the GRU.

Social engineering, propaganda, and disinformation

Unconfirmed sources on Twitter have revealed specific propaganda and social engineering attacks, sent via SMS messages, to the personal devices of Ukrainian troops. These encourage abandoning posts, putting down arms, and other – more grisly – threats. Basically, using mobile platforms as the digital age equivalent to dropping propaganda leaflets.

Before it's invasion of Crimea in 2014, Russia employed cyber-warfare activities, including, but not limited to, intelligence collection, increasing message visibility, psychological warfare, distributing misinformation, and identifying scattered mobile targets. A noticeable difference is that Ukrainian media sites do not seem to be affected to the extent of similar websites and services in Crimea – perhaps because part of Moscow's strategy is to have a live, broadly distributed account of the invasion.

Ukraine has also repeatedly stated that it has been a victim of disinformation, with misleading or false narratives being spread about its forces and actions in the Donbas region. NATO's Digital Forensic Research Lab (DFRLab) has discovered 10 false and misleading accounts from Kremlin-controlled and pro-Kremlin media outlets in Russia regarding Ukrainian aggression over the past few months. This method of warfare has intensified since the beginning of February. DFRLab highlighted notable accounts of alleged disinformation, including the so-called Donetsk Peoples Republic's (DNR) defence ministry reporting that security services had managed to prevent a bombing of the Donetsk administrative building on 1 February by the Ukrainian special forces. However, the separatists did not provide any evidence that a bomb had been found or that Ukraine had been behind it.

Additionally, DFRLab documented that the Russian Defence Minister, Sergei Shoigu, claimed that US private military firms were preparing biochemical components to provoke fighting in eastern Ukraine, while the leader of the DNR, Denis Pushilin, added that Donetsk's water supply was planned to be poisoned. In direct response to this, Pentagon Press Secretary, John F Kirby, denied the allegations made against Ukraine. Similarly, the Ukrainian Ministry of Foreign Affairs spokesperson, Oleg Nikolenko, refuted the accusations stating that the messages were part of a Russian disinformation campaign.

The Commander-in-Chief of the Ukrainian Armed Forces, Lieutenant General Valery Zaluzhny, claimed on 21 February, that Moscow was continuing to spread disinformation about Ukraine forces. Lt Gen Zaluzhny alleged that Russia falsely claimed that Ukraine had started shelling areas in the Rostov region of Russia. According to Lt Gen Zaluzhny, these attacks were a deliberate attempt at provocation and were entirely false, especially considering that Ukraine's artillery units were 21 km away from the line of contact, exceeding the maximum firing range of Ukrainian rocket launchers.

Since the invasion, the Ukrainian Adviser to the Head of the President's Office, Mykhailo Podoliak, said on 24 February that its media and citizens had to be wary of any information, as disinformation was currently one of the greatest threats.

The use of information warfare – through information, disinformation, propaganda, and psychological warfare techniques, as well as the degradation of an enemy's information networks and output – is a common technique used by certain states. The intention is often to sow chaos, destabilise, discredit, and stoke fear and anxiety in a country. NATO Strategic Communications Centre of Excellence stated that “both states and non-state actors use hybrid approaches to pursue their political and military aims ... combining military operations with cyber attacks, diplomatic and/or economic pressure, and information (propaganda) campaigns”.

It should be noted that a report published by the Chief of the General Staff of the Russian Federation Armed Forces, Valery Gerasimov – as far back as 2013 – detailed that the very rules of war have changed, the role of adopting non-military means of achieving political and strategic goals have grown, and future warfare takes place not just in physical dimension but also in the information space.

Tensions have been rising in eastern Europe since late 2021 when Russia started amassing troops on t...

Request Consultation

Request a free consultation to discover how Janes can provide you with assured, interconnected open-source intelligence.