Russia’s feared state-sponsored hackers were caught off guard: Putin kept his own people out of the loop
When Russian President Vladimir Putin's army crossed Ukraine's borders on 24 February last year, it came as a surprise to most world leaders.
Only the American and British intelligence services had warned that "Russia is coming".
Much suggests that even the Russian intelligence services did not expect the invasion to become a reality, says Stefan Soesanto, researcher at the Center for Security Studies at ETH Zurich, who has followed the digital side of the war closely since the invasion.
"Putin kept everyone out of the loop, even his own people. This meant that the Russians suffered heavy losses in the initial phase of the invasion, and that neither his cyber experts nor the armed forces had prepared their respective battle positions," he says.
Heavy losses and a silent cyber front
So Vladimir Putin not only sent his best troops, in ceremonial uniforms, to war on what would turn out to be a deadly and hopeless mission to take Kyiv.
Russia's feared state-sponsored hackers also got no chance to prepare for the war in cyberspace, where they could have supported the Russian combat units from a safe distance in Moscow and St. Petersburg.
Indeed, the public knows of only one Russian attack from the beginning of the war that will go down in history as an example of effective, modern cyber warfare: the hacking of satellite operator Viasat's vital infrastructure, which wiped satellite modems on the company's KA-SAT network on the morning of the invasion.
The attack crippled satellite modems across Europe and forced Ukraine to ask the West for alternatives to traditional satellite communications, including the relatively new American Starlink satellites in low Earth orbit.
The attack on Viasat was the first salvo of the cyber war, and its effects could be both seen and felt. But since then, as far as is publicly known, Russia's cyber army has been in retreat along with the rest of the Russian forces.
Slow warfare
A contributing factor is that compared to traditional warfare, cyberattacks require a relatively long preparation time, Stefan Soesanto explains.
"First you have to identify which systems it would be advantageous to hit, and then you have to compromise either them or the people who operate them. When you are in retreat, as the Russians are now, it's almost impossible to prepare meaningful attacks."
At the same time, Stefan Soesanto and several of his professional peers from the Royal Danish Defence College, with whom Ingeniøren's IT media site Version2 has spoken, emphasize that there may have been cyberattacks that the public is not aware of.
The many attempted intrusions that Ukraine is currently reporting thus represent only a lower bound on the total pressure that Russia can exert in cyberspace.
Infrastructure in Microsoft’s cloud
"One must also not underestimate the efforts of the Ukrainians and their allies to protect their infrastructure," the Swiss researcher says, referring among other things to the fact that Ukraine has moved large parts of its digital infrastructure to cloud services provided by Microsoft.
The American company has thus assumed a decisive and somewhat atypical role in an armed conflict. A large part of what Danish and foreign researchers know about Russian cyber war efforts comes from the reports that Microsoft regularly publishes about the conflict.
"One thing that stuck with me is that Microsoft uses two-thirds of the space in its reports to describe the information war that is currently raging between Russia and Ukraine in particular," says Jeppe Teglskov, who as an assistant professor at the Royal Danish Defence College researches state-sponsored acts in cyberspace and has continuously analysed Microsoft's reports.
"It tells me that this is where a large part of the pressure is placed. And that we have to see the war over the narrative as part of the cyber war," he says. He is supported by Stefan Soesanto, who believes that the war over the truth has made cyber war more relevant than ever before.
“According to both the Russian and the Ukrainian way of thinking about cyberwar, a large part of it is winning the battle for the narrative. And when it comes to that, Ukraine is currently in the lead—at least in terms of securing support from the West for Ukraine,” the Swiss researcher says.
“This means more political support, more money, and more weapons for Ukraine, so even if we haven’t seen any spectacular hacks, the cyber war means a lot to both Ukraine and Russia.”
Preaching to the choir
Ukraine now has the upper hand both on land and in cyberspace, but there is still a long way to go.
“Ukraine’s propaganda war is particularly directed against the West, and it’s kind of like preaching to the choir. It is important for support in the West, but there are still many across the world who do not see the war as Ukraine and the West do. Including especially in Russia,” Jeppe Teglskov says.
However, a shift is taking place in the way Russian state media itself refers to the war. Where before there was talk of "a special military operation", it is now acknowledged that this is a war. The absence of Russian success stories is also beginning to be noticed in Russia, but according to Jeppe Teglskov it is difficult to determine how much can be attributed to the Ukrainians' digital pressure compared to the indisputable victories Ukraine has won on the battlefield over the past months.
“It can be incredibly difficult to measure the concrete effect, but it has become an important domain that we in the political and military world have become more aware of,” Jeppe Teglskov says.
Help from abroad
In addition to the massive arms aid and Microsoft's atypical responsibility for large parts of a state's infrastructure, Ukraine has invited IT experts from all over the world to join the so-called IT Army of Ukraine.
Over the past several months, the IT Army has been trying to get people from all over the world to put pressure on Russian sites and services with simple overload attacks, that is, distributed denial-of-service (DDoS) attacks. They are easy to set up and create a lot of noise, just as was the case when pro-Russian hacktivists fired back with the same weapon at the European Parliament's website at the end of November.
Stefan Soesanto has written an academic paper about the atypical organization, which consists of very different people from all over the world. They mainly communicate with each other in an open channel on the messaging platform Telegram. (Telegram markets itself as encrypted, but its public channels are not end-to-end encrypted, so what is posted there is visible to anyone, Russian services included.)
“They started with an idea to block everything with congestion attacks—now it’s a bit more targeted at, for example, the banking sector, authorities, and most recently Christmas shopping. They try to be as disruptive as possible for ordinary Russians,” Stefan Soesanto says.
“While it may seem somewhat futile, the resonating effect of this kind of simple attack is significant, and it’s one of the ways in which one can remind ordinary Russians that their nation is at war,” Stefan Soesanto explains but at the same time says that the IT Army is largely falling apart.
"The number of active members has fallen from 320,000 to 20,000, and they are currently losing up to 100 members a day. If it continues like this, it won't be many months before there are none left," the Swiss researcher says.
“I feel like it doesn’t make a difference”
A little more than half a year ago, Version2 was in contact with one of the many thousands of Ukrainian members of the IT Army. He is among those who are no longer an active part of the group.
“I feel like it doesn’t make any difference. This is why I’ve stopped following the instructions from the group,” says the anonymous Ukrainian, whose identity is known to Version2. He has fled through Europe with his family and wants to instead focus on getting a job so he can send money to the war effort and to people he knows in Ukraine.
Stefan Soesanto also says that the Ukrainian intelligence service and the other actors behind the IT Army are currently doing everything they can to keep people engaged. Members who run the IT Army's automated attack tools receive, among other things, logs showing the effect and size of their attacks.
In addition, many of the attacks have been automated, so taking part requires even less technical effort and time.
A persistent threat actor?
One thing Stefan Soesanto has noticed as part of his research into the IT Army is that it is maturing—despite shrinking.
"It seems that smaller parts of the IT Army are developing into a so-called advanced persistent threat (APT) actor," Stefan Soesanto says, referring to the Russian counterparts that have existed for decades. These include Fancy Bear, also tracked as APT28 and attributed to Russia's military intelligence service GRU, which is believed to have been behind the compromise of email accounts belonging to Hillary Clinton's campaign and the Democratic National Committee during the 2016 US presidential election.
“The development is evident from the fact that skilled foreigners run increasingly sophisticated things in separate and more secret channels than the IT Army’s Telegram channel, where most of it has otherwise taken place out in the open until now,” Stefan Soesanto says.
According to the cybersecurity researcher, this means that skilled people from all over the world receive instructions from the Ukrainian intelligence services. Ukraine itself does not have the necessary capabilities, and it has therefore chosen to try using foreign hackers, which is atypical according to the Swiss researcher.
“The big question now is whether this way of running things will survive after the war. I think that the Ukrainians will try to hold on to these capacities. It will be really fascinating to follow, because it will be the first time a sophisticated threat actor has emerged in this way,” Stefan Soesanto says.
However, Jeppe Teglskov is a bit more sceptical:
"The IT Army is not insanely skilled, and we know that there are others who pretend to be them. And that muddies the picture," Jeppe Teglskov says, but he completely agrees with Stefan Soesanto's closing conclusion:
"We will probably only find out exactly what it looks like when the war is over, and the curtain hopefully falls."
