HomeWild Blue YonderArticlesArticle Display


The views and opinions expressed or implied in WBY are those of the authors and should not be construed as carrying the official sanction of the Department of Defense, Air Force, Air Education and Training Command, Air University, or other agencies or departments of the US government or their international equivalents.

Assessing Russian Cyber Effects

  • Published
  • By Captain Patrick Meissner
Wild Blue Yonder --  

In the context of the National Security Strategy’s conception of “great power competition” (Trump 2017), perhaps no nation-state has been as aggressive within the cyberspace domain as the Russian Federation. Furthermore, following two Russian campaigns to seize portions of Ukraine and Georgia’s sovereign territory, the question may not be if, but when will Vladimir Putin choose to annex another neighbor’s land. The Baltic states, for example, have received much of the same pre-crisis attention from Russia that Ukraine and Georgia did, and their annexation would further Putin’s apparent strategic goal to re-establish buffer states between Russia and NATO (Galeotti 2019). An escalatory crisis scenario in the Baltics will most likely follow the pattern exhibited in both Georgia and Ukraine. Building on pre-existing divisions within a region, such as between Russian-speaking minorities and the central government, Russia will utilize both real and imagined incidents to further increase tension. As the tensions escalate and inevitably erupt in violence, Russia will seize the opportunity to maneuver ground forces onto key terrain. These maneuvers will be simultaneously denied, misattributed to local ‘patriots’ and claimed as mere ‘peacekeeping’ forces meant to protect Russian speaking minority groups. Then, with their strategic end state all but achieved, Russian leadership will call for peace and diplomacy. This sequence of operations appears to be Vladimir Putin’s playbook to rebuild the Soviet era buffer states and ‘Sphere of Influence’ in eastern Europe (Cunningham 2020). Given that Russian cyber capabilities have demonstrably created strategic advantage via the information domain, tactical advantage by exploiting network-centric nature of adversaries, and operational advantage by creating asymmetric opportunities for conventional force maneuvers, US commanders and planners must be prepared to contest the information domain, fight in a degraded information environment, and train both with and against realistic, meaningful cyber effects to prevail in future conflicts.

In both Georgia and Ukraine, the United States and NATO did not intervene in any meaningful way to thwart Russia, in part due to the unprecedented level of information warfare. As Russian forces moved to secure South Ossetia, Georgian government websites, media outlets, and public facing infrastructure were targeted repeatedly with Distributed Denial of Service (DDoS) attacks, rendering them inaccessible for periods ranging from minutes to hours (Deibert, Rohozinski and Crete-Nishihata 2012). In conjunction with a robust strategic messaging campaign, these cyber-attacks enabled Russia to control the information narrative of the flow. Expanding on this success, the mobile devices of Ukrainian parliamentary members were specifically targeted with both an internet protocol and telephony-based denial while Russian forces moved to seize telecommunications infrastructure within Crimea (Geers 2015). While technologically simplistic, Russia’s cyber-attacks sowed uncertainty and created decision disadvantage for Georgian and Ukrainian leadership at a pivotal moment. In any future conflict, it is almost certain that Russia will employ the same blend of DDoS attacks, government website defacements, and targeted information leaks in order to delay civilian leadership decisions and influence public opinion (Korns and Kastenberg Winter 2008-2009). During the conflicts with Georgia and Ukraine, Russia was able to leverage the cyber domain to further their strategic objective of preventing the United States and NATO from deploying forces.

Outside of these strategic effects, however, Russian cyber effects did little to support tactical commanders in South Ossetia. It would not be until 2014, with the invasion of Crimea, that Russia would demonstrate the integration of cyber warfare at the tactical level (Sprang 2018). In one case, Russian military intelligence ‘Trojan-ized’ an Android app indigenously developed by a Ukrainian officer to improve the rate of fire for a specific artillery piece, the 122 mm D-30. By inserting malicious code into the legitimate app, the locational data from compromised devices could be passed to Russian forces to enable targeting of Ukrainian artillery units. According to open-source assessments in 2016, over 80 percent of Ukrainian D-30 Order of Battle had been attritted, compared to only 50 percent attrition for other types of Ukrainian artillery (Meyers 2016). While this represents a niche case, it is clear that by integrating cyber capabilities with conventional military forces, Russia has leveraged the cyber domain to create tactical advantages by exploiting the ubiquity of devices and applications in modern militaries.

Tactical effects like these are unquestionably relevant on the modern battlefield, but fundamentally are just a new mechanism to gain information advantage over the adversary. However, the cyber-attacks on the Ukrainian power system in 2015 represents a new attack vector for non-kinetic effects. In this attack, a malware known as ‘Black Energy’ was able to gain a foothold within the networks that supported Ukrainian regional power distribution centers (Ackerman 2017). Utilizing this foothold, the attackers were able to gain legitimate credentials and pivot to the industrial control systems (ICS) that directly controlled the power distribution grid for large portions of Ukraine (SANS 2016). Subsequently, the attackers were able to manipulate breakers directly in at least 27 sub-stations across three disparate locations, effectively denying power to any customers reliant on those nodes (SANS 2016). Simultaneously, the attackers layered telephonic denial of service on the customer call center, significantly delaying the mitigation response until the power interruption was observed. In addition, malicious firmware was also uploaded to network gateway devices, denying the ability to send remote commands to the affected breakers and necessitating physical maintenance (SANS 2016). Subsequent analysis of the Black Energy malware has led to attribution to Russian threat actors (FBI 2016). The tempo and timing of this three-pronged attack demonstrates a robust ability to plan and execute cyber operations across a large force, against multiple independent targets, to achieve a complex, synchronized end state. Furthermore, although this particular cyber-attack occurred independent to conventional force maneuvers, such an attack against a power grid supporting adversary command and control nodes represents an asymmetric operational advantage for Russia if executed at a pivotal moment in time.

In the last decade alone, Russia has demonstrated a wide range of cyber capability, from technologically unsophisticated DDoS attacks to deface government websites, to extremely advanced supply chain compromises such as the 2020 SolarWinds compromise, which gained a foothold across hundreds of US federal government systems in 2020 (Mehrotra and Sebenius 2021). These capabilities offer a wide range of advantages at every level of warfare, and US forces must base their planning assumptions potential effects to be successful. In particular, both commanders and warfighters must regularly train in contested or denied environments to develop tactics and techniques to overcome disruptions. Currently, the majority of training in the Air Force is focused around conducting the core mission of the unit. F-16’s train to conduct suppression of enemy air defenses, F-15C’s train to conduct air superiority, and offensive cyber operators train to conduct offensive cyberspace operation. Even in the exercises nominally predicated on the integration of these dissimilar capabilities, such as Red Flag and weapons school integration, cyber effects are often disconnected from the actual operational mission. This stove-piping leads to a poor understanding of the nuance of cyber warfare by non-cyber personnel, and a poor understanding of conventional force employment within the cyber community. Even within the intelligence career field, which typically serves as the bridge between disparate operational communities, the cyber domain is often regarded as too technical to understand without years of specialized training. In reality, the fundamentals of cyber are no more complicated than the fundamentals of electronic warfare that intelligence Airmen are required to master to support flying squadrons. Intelligence Airmen must understand how networks are structured, how they are defended, and how they are attacked if they are to provide cyber domain threat intelligence to the base commander in a crisis. Moreover, given that the preponderance of cyber-attacks are predicated not on network security flaws, but on compromises through the human element such as spear phishing, cyber literacy for all personnel must move beyond the dated cyber awareness computer based training.

Captain Patrick ‘HOWLER’ Meissner

Captain Patrick 'HOWLER' Meissner is an Intelligence Weapons Officer assigned to the 19th Weapons SQ, United States Air Force Weapon School, Nellis AFB, Nevada. At the time of writing, Captain Meissner was assigned to the 659th Intelligence, Surveillance, and Reconnaissance Group at Fort George G. Meade, Maryland, which directs focused cyberspace ISR operations and digital network exploitation analysis in support of 16th Air Force, US Cyber Command, and the National Security Agency missions.

Bibliography

Ackerman, Robert K, "Girding the Grid for Cyber Attacks," Signal 30-33, 2017.

Bryant, William D., "Cyberspace Superiority: A Conceptual Model," Air & Space Power Journal, 25-44, 2013

Cunningham, Conor, A Russian Federation Information Warfare Primer, (Research Report, Seattle: University of Washington, 2020).

Department of Defense, Cyber Defense Strategy, (Official Publication, Washington DC: DOD, 2018). https://media.defense.gov/.

DOD, Joint Publication 3-12 Cyberspace Operations, (Joint Doctrine Document, Washington DC: DOD, 2018).

Duffy, Ryan, The US military combined cyber and kinetic operations to hunt down ISIS last year, general says. 29 May 2018. https://www.cyberscoop.com/.

FBI, GRIZZLY STEPPE - Russian Malicious Cyber Activity, Joint Analysis Report, JAR-16-20296A: National Cybersecurity and Communications Integration Center.

Galeotti, Mark, The Baltic States as Targets and Levers: The Role of the Region in Russian Strategy, 1 April 2019, https://www.marshallcenter.org/.

Korns, Stephen, and Joshua Kastenberg, "Georgia's Cyber Left Hook," Parameters, Winter 2008-2009, 60-76.

Meyers, Adam, "Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units," Crowdstrike, 22 December 2016, https://www.crowdstrike.com/.

Mueller, Robert S, Report on the Investigation Into Russian Interference In the 2016 Presidential Election, (Department of Justice Report, Washington DC: Department of Justice, 2019).

SANS, Analysis of the Cyber Attack on the Ukrainian Power Grid, (ICS Case Study, Washington DC: Electricity Information Sharing and Analysis Center, 2016).

Sprang, Ryan, "Russia in Ukraine 2013-2016: The Application of New Type Warfare Maximizing the Exploitation of Cyber, IO and Media," Small Wars Journal, 2018.

Tucker, Patrick, A Big 2020 Election Hack Never Came. Here's Why, 4 November 2020, https://www.defenseone.com/.

Weisgerber, Marcus, As Russia Improves Its Surface-to-Air Missiles, US Looks to Counter, 8 April 2015, https://www.defenseone.com/.

Williams, Brett T, "The Joint Force Commander's Guide to Cyberspace Operations," Joint Force Quarterly, 12-19, 2014

Wild Blue Yonder Home