The digital side of the war in Ukraine

Due to ongoing digitization and the sheer amount of available information, many people are much closer to what is happening in Ukraine than in previous wars. In addition to masses of posts on social media, there are many sites that collect and analyze this information as comprehensively as possible, e.g., MapHub and Ukraine Live Map. Collecting and evaluating publicly available information in this way is known as Open Source Intelligence (OSINT). As everywhere, one should question all of it, since a lot of fake news and propaganda is being spread as well [1].

Digital Attacks on Ukraine in Advance

For months, and especially shortly before Russian troops invaded Ukraine, there had been numerous digital attacks on Ukrainian infrastructure (HermeticWiper, operations by Sandworm/VoodooBear, etc.), cf. Ukraine-Cyber-Operations. In addition to espionage, attacks on critical infrastructure can also serve to destabilize the population from within, see Sun Tzu and Cyber War by Kenneth Geers.

For example, the day before the invasion, wiper malware spread to numerous Ukrainian systems, particularly at companies contracted by the Ukrainian government. A wiper is malware that deliberately destroys data in order to render individual computers, up to entire systems, unrecoverable. The malware was probably under development from November 2021 and is currently attributed to Russia.

However, Ukraine has been a playground for digital attacks since 2014. It started with a large-scale attack on the systems of the largest media company, Starlight Media, and an attempt to influence the election. The Snake toolkit used for this, however, had begun infiltrating computer networks as early as 2010. In 2015 and 2016 there were attacks on the Ukrainian power grid, which resulted in power outages lasting several hours. The NotPetya attacks in summer 2017 caused great damage in the country and also hit many Western companies. The malware posed as ransomware (pay a ransom to decrypt the data) but was in fact a wiper that permanently destroyed the data. It spread via an update to Ukrainian tax software, affecting many organizations that had business connections with Ukraine. It is possible that attackers still have backdoors in some Ukrainian systems.

Years of attacks have built up expertise in Ukraine. However, judging by the EaPEC talks in 2018 (in line with an EAP report), the institutional response up to that point was less pronounced than in Estonia (2007) and Georgia (2008) after the Russian attacks there: NATO established its Cooperative Cyber Defence Centre of Excellence in Tallinn a year after the attack on Estonia, and Georgia’s CERT.GOV.GE started operations in 2011. The documentary “Russia’s New Soldiers”, though, shows that this has been changing.

Because conventional attacks were accompanied by cyber operations in the previous conflicts, many IT security experts (see, e.g., [2]) expected a similar approach this time: DDoS, attacks on military command posts, disinformation, attacks on critical infrastructure. It is likely that fewer of these have materialized than is widely assumed [3]. Presumably this can only be evaluated afterwards, since the information is scattered like pieces of a puzzle, and not all of the pieces may have been laid yet.

Digital Attacks on Russia by Anonymous and Individuals

There is (so far) no cyberwar in the strict sense, but there is support from this environment. An attack can be anything that is carried out over the Internet and aimed at an IT system, from fake news to phishing to unauthorized encryption of systems or extraction of data.

The collective Anonymous (a loose network of various groups and actors) has declared cyberwar on Putin and has received some applause for its hacktivism. On February 24th, 2022, many Russian websites (sites of the Russian administration and government, the Kremlin’s website, the RT news portal) were overloaded by floods of repeated requests during DDoS attacks and thus taken offline (the digital equivalent of a sit-in blockade). Shortly thereafter, Russia restricted access to its Internet services by geolocation, which means that many sites can only be reached from Russian IP ranges (i.e., from within Russia or via a VPN). Soon, Russia plans to cut off access entirely.

Other claims, such as the leak of data from the Russian Ministry of Defense, appear questionable to implausible [4][5]. A relatively recent example is the alleged Gazprom database hack. The compressed file Gazprom.7z is 380 KB in size and consists mainly of Python and JavaScript files, plus YAML and Docker files. There is some data in the JavaScript files, but at first glance the leaked material is not a database but a website. Such claims may sound plausible at first, but not everyone can easily verify them, which makes it difficult for the general public to judge their truthfulness. In principle, anyone can use the name Anonymous, and not everyone who does will follow its code. Many free riders and wannabe hackers have also jumped on the bandwagon.
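As an added example (not from the original post, and not the Gazprom.7z material itself), here is one way to do the kind of first-glance check described above: inventory an archive’s contents by file type and size without extracting anything to disk, and ask whether it looks like a database dump or a source tree. Python’s standard library has no 7z reader, so the example works on a zip archive built from constructed sample data; the extension tables, the file names treated as source, and the 50 % threshold are assumptions for this example.

```python
import io
import zipfile
from collections import defaultdict

# Extension-based heuristics (assumed for this example, not from the post).
DUMP_EXT = {".sql", ".csv", ".tsv", ".db", ".sqlite", ".sqlite3", ".dump", ".bak", ".xlsx"}
SOURCE_EXT = {".py", ".js", ".ts", ".yml", ".yaml", ".json", ".html", ".css", ".sh", ".md"}
SOURCE_NAMES = {"dockerfile", "docker-compose.yml", "requirements.txt", "package.json", ".gitignore"}


def categorize(path):
    """Map an archive entry path to 'dump', 'source' or 'other'."""
    name = path.rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name[1:] else ""
    if name in SOURCE_NAMES or ext in SOURCE_EXT:
        return "source"
    if ext in DUMP_EXT:
        return "dump"
    return "other"


def inventory(archive_bytes):
    """Summarize a zip archive from its central directory only: per category
    (file count, uncompressed bytes), the five largest entries, and the total.
    Nothing is extracted, so a suspicious archive can be triaged safely."""
    per_cat = defaultdict(lambda: [0, 0])
    entries = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            cat = categorize(info.filename)
            per_cat[cat][0] += 1
            per_cat[cat][1] += info.file_size
            entries.append((info.file_size, info.filename, cat))
    entries.sort(reverse=True)
    return {
        "by_category": {k: tuple(v) for k, v in per_cat.items()},
        "largest": entries[:5],
        "total_bytes": sum(v[1] for v in per_cat.values()),
    }


def verdict(inv):
    """Heuristic verdict by share of uncompressed bytes (threshold assumed)."""
    total = inv["total_bytes"] or 1
    dump = inv["by_category"].get("dump", (0, 0))[1] / total
    source = inv["by_category"].get("source", (0, 0))[1] / total
    if dump >= 0.5:
        return "database dump"
    if source >= 0.5:
        return "website/application source"
    return "unclear"


def build_zip(files):
    """Build an in-memory zip from {path: bytes}. Used for constructed samples only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed stand-in for a "leak" that is really a web application checkout.
WEBSITE_LEAK = build_zip({
    "site/app.py": b"from flask import Flask\napp = Flask(__name__)\n" * 40,
    "site/static/main.js": b"const users = [{id: 1, name: 'demo'}];\n" * 30,
    "site/docker-compose.yml": b"services:\n  web:\n    build: .\n",
    "site/Dockerfile": b"FROM python:3.11\nCOPY . /app\n",
    "site/README.md": b"# internal portal\n",
})

# Constructed stand-in for an archive that actually is a database export.
DB_LEAK = build_zip({
    "export/customers.sql": b"INSERT INTO customers VALUES (1,'x');\n" * 500,
    "export/readme.txt": b"dumped 2022-03-01\n",
})

if __name__ == "__main__":
    for label, blob in (("website", WEBSITE_LEAK), ("db", DB_LEAK)):
        inv = inventory(blob)
        print(label, "->", verdict(inv), inv["by_category"])
        for size, name, cat in inv["largest"]:
            print(f"  {size:8d}  {cat:6s}  {name}")
```

The verdict is deliberately crude: a real dump can hide inside a JSON or JavaScript file, which is exactly why the largest entries are listed alongside the category totals, so the reviewer can open the few files that actually carry the bytes.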

Critical infrastructure is always (or should be) operated separately from public networks. In theory, critical infrastructure can be permanently damaged by hacker attacks, but this is quite complicated, requires detailed knowledge and does not necessarily succeed (cf. the attack on the Ukrainian power supply at the end of 2015) [6]. In the military, too, some devices are digital or at least partially digital, such as radar and radios. Attacking them is anything but trivial and takes time. So while hacktivism can make a difference and encourage people, it is unlikely to affect Russia’s critical infrastructure. The war will not be decided online.

The Tallinn Manual provides rules that states can use as a guide in the event of digital attacks. However, it does not apply when private individuals or collectives like Anonymous become active. According to Prof. Dr. Dennis-Kenji Kipker, such world-rescue actions are therefore risky and legally problematic [7]. Section 202c of the German Criminal Code (StGB, the so-called hacker paragraph), which was highly controversial when it was introduced in 2007, punishes the production, procurement, and distribution of computer programs whose purpose is to commit an offense under Sections 202a and 202b StGB. A passive scan (see below) is not covered by it; it would rather have to be assessed under Section 202a StGB. A network scan takes place before any access protection is overcome and is therefore usually not covered, whereas exploiting the vulnerabilities it finds clearly falls under Section 202a StGB unless there is a suitable framework (e.g., a contract for a penetration test). Manuel Atug aka HonkHase: “I see the danger that a lot of destruction and vandalism will happen under the guise of supposed legitimacy, which will not affect Putin, but the population.” [8]

Activism can be good depending on how it is carried out, and not all hacktivists should be lumped together, but it is important to classify the actions. In my view, unrealistic facts and actions that harm private individuals or animals miss their target. Likewise, these actions can be viewed as involvement in the war, especially since it is unknown how Putin and hackers will react to the many attacks and sanctions (cf. also [9]). I personally think the latter is more likely. Such reactions could be directed against individuals, but could also take the form of a massive digital attack on NATO countries. The asymmetry favors the attacker (see Sun Tzu and Cyber War, among others), and this also applies to a potential counterattack. In addition, some malware operators are using the current situation as a lure for their malware (see, e.g., Mustang Panda).

Conclusion

So far, there have been digital activities on both sides, each with a different intensity. While breaking something in the right context (e.g., in your own test environment) can be fun, it has very different consequences in real life, and even more so in a war. You can put your knowledge to better use, for example, by finding and reporting vulnerabilities. Based on previous experience, improving the defense against attacks is what matters in order to guarantee the necessary supply from critical infrastructure. This is part of cyber resilience, i.e., maintaining and improving the resilience of critical infrastructure in particular. Vulnerabilities in Ukrainian systems can be reported to the Ukrainian CERT, for example, so that supply is maintained (cf. [9]).

Vulnerabilities can also be found in critical infrastructure [10] in Germany and should be reported immediately to the system operators and to government agencies such as the BSI or the CIRBw (possibly via intermediaries). The extent to which the compromised Orion network management software from SolarWinds [11] plays a role in this context is still unknown.

Of course, anyone can take part in the many relief efforts that have been started and help unmask fake news. Information on the Internet helps as long as it is factual and friendly, especially since it is important for all parties to read as many different sources as possible in order to form their own picture of the situation.

What I personally take away from this (unfortunately) is a wealth of practical examples for my lectures, e.g., the use and exploitation of default credentials [12]. Finally, I would like to point to information suitable for children, e.g., by the Mouse (in German).