Cyberwar creates chaos, 'it won't win the war'

Russia's invasion of Ukraine has been a hybrid war from the start, a mix of conventional military strategy — traditional "boots on the ground" — and a slightly more unconventional, digital or cyberwar.

The global technology company Microsoft has said its Threat Intelligence Center (MSTIC) detected "destructive cyberattacks directed against Ukraine's digital infrastructure" hours before the first launch of missiles or movement of tanks on February 24.

Those attacks, which Microsoft dubbed FoxBlade, included so-called wipers — malicious software or malware — that make their way inside computer networks and literally wipe the data from all connected devices.

Cybersecurity experts in Germany have said there have been over a hundred cyberattacks, in various forms, since then. But their effect has mainly been psychological.

The fog of cyberwar

"There is the fog of war, so we can't see everything," Matthias Schulze, a cybersecurity expert at the German Institute for International and Security Affairs (SWP), told a virtual press briefing on March 2.

"So far we have collected details on 150 cyber incidents, including information or propaganda events, and we're starting to make our observations," said Schulze. "The first is that we have yet to see the kind of thing that people fear most in a cyberwar."

He said the attacks have largely focused on espionage and disinformation. There have been at least three wiper attacks that have deleted data on networks run by Ukraine's authorities. But they have not seen any widespread power cuts or cyberattacks on critical infrastructure, he said. 

The situation could get worse, said Schulze, "but these are the limitations of cyber warfare in a conventional conflict. There is no indication that any of these attacks have helped Russia strategically on the battlefield."

Three main types of cyberwar

Experts have detected three main types of cyber tactics utilized so far in the Russia-Ukraine conflict: wipers, DDoS attacks (distributed denial of service) and defacement.

All three essentially do the same thing: They stop people from accessing information — but in different ways.

• Wipers

Wipers delete information on a network, stopping people on that network from being able to access their own data. They have a potentially long-term destructive effect.

Thorsten Holz, another expert at the briefing, said the use of wipers in this war indicates that Russia had been preparing some of its cyberattacks for months.

That implies that these wiper attacks are firmly rooted in Russia's war strategy. Schulze, who sees Russia's progress as less well-organized, disputes that assessment. But the fact is that the attacks are happening.

Wiper strategy includes the use of ransomware attacks, where a target's data is blocked until a ransom is paid.

Ransomware attacks imply — but do not confirm — a criminal element, which may or may not be associated with the Russian government, in the war. Determining who is responsible for any attack is one of the hardest parts of cyberwar, the experts said.

"Hacktivists" like the group Anonymous also appear to be involved in the conflict, but the extent of their involvement has yet to be verified.

• DDoS attacks

DDoS attacks take down websites. That means people on the outside are unable to access information or advice from, for instance, a government website in times of emergency.

This form of attack involves overwhelming a system via an excessive number of "requests" — people trying to access a website — in a short space of time. If that number of requests surpasses a maximum that the system can handle, the system stops responding altogether. So, to the outside world, it shuts down.

"Technically, it's a simple attack," said Holz, a faculty head at the CISPA Helmholtz Center for Information Security in Germany.

• Defacement attacks and fake news

Defacement attacks delete information on a website or change the information that appears there — it's a basic misinformation tactic that can mislead the general public into thinking fake information is reliable. And that fake information can spread fast.

It's one of the oldest war tactics and it's called obfuscation, when actors in a war flood a civilian population with misleading information. Its effect is largely psychological, but very effective.

Other types of cyberwar are more open and official. Meta, the company that owns the social media platform Facebook, has blocked some Russian media on its platforms. In a counter maneuver, Russia has limited access to Facebook.

"It's becoming difficult to tell what's real and what's fake news," said Holz. "It's happening on both sides."

Ukraine has the upper hand

Schulze said Ukraine is dominating the information war at the moment. Its president, Volodymyr Zelenskyy, is "very skillful with strategic information," he said.

"We tend to see the Ukrainian version of events before the Russian version in the West: Stories shaming Russian troops, stories about prisoners of war and hero or martyr stories aimed at mobilizing Western support," he said.

And it seems to be working, he added.

That, however, leads to the question of the risk of this war spilling over into other countries. What would it take for that "Western support" to make allied countries targets in their own right?

When Microsoft detected the first of the wiper attacks in February, a report by The New York Times suggested that United States government officials were immediately worried that the computer virus would spread to the Baltic states, Poland and other European countries.

There is a recent precedent for this fear: In June 2017, a malware attack called NotPetya was apparently launched by Russia directly at Ukraine but quickly spread globally, causing an estimated $10 billion (€9 billion) in various forms of damage. 

Schulze said the risk of Russia launching a direct cyberattack on another country's critical infrastructure exists. They could attempt to knock out energy networks or bank ATMs, for instance. But he said it's unlikely at this time, because that would be a significant escalation that would draw NATO into the conflict.

Does cyberwarfare kill people?

Misinformation campaigns have in previous conflicts led to people dying. If, for instance, one side intentionally leaks "intelligence" to suggest that its target is one place and everyone flees to safety in the next best, obvious location, they become vulnerable targets. 

But Schulze said "people are dying through conventional acts of aggression in Ukraine. These cyber tactics will not determine the war."

He said that's because Russia appears technically incapable of combining its conventional war with its cyber tactics — they remain separate.

"The biggest impact we've seen so far is psychological," he said.

The bottom line is that everything and anything that is online can be hacked and exploited in a cyberwar. But "we're not seeing a full cyberwar," said Holz. "The cyberattacks create chaos, but we really should not overestimate the threat at this time."

Edited by: Clare Roth