What the cyber war in Ukraine says

Many Western analysts are currently betting on the imminence of a military invasion of Ukraine by Russia. A disaster scenario in which a discreet analyst—a fine connoisseur of Ukraine who cannot be suspected of Russophilia—has little faith: “Moscow is probably capable of stopping the country’s progress without a fight when it wants to: there is such a historical and cultural proximity between the two countries that its cyber warriors have long ago equipped its infrastructure with digital time bombs or recruited accomplices ready to act.” The indications in this sense have been accumulating since the outbreak of civil war in 2014 in this ‘border country’ (the actual meaning of the word Ukraine) hostage to the geopolitical “great game.” The latest cyberattack, in mid-January, paralysed dozens of websites of ministries, private companies, and not-for-profit organisations. It has further contributed to “thickening the fog of hybrid war” that is raging at a key moment in the Ukrainian crisis, notes Christine Dugoin-Clément, an academic associated with the “Risks” chair of the IAE Paris 1 Panthéon-Sorbonne research laboratory.

“Ukrainians, be afraid and prepare for the worst. All your personal data has been uploaded to the web,” said the banner that blocked for a few hours the digital portals of the Ministry of Emergency Situations and the Ministry of National Education. The paralysis lasted only a few hours—nothing like the last two major cyberattacks. At Christmas 2015, when the country was freezing cold, a computer breakdown affecting three electricity networks within 30 minutes of each other deprived 225,000 households of electricity in the Kyiv region for several days. In the spring of 2017, payment terminals in the country’s banks, railways, and airports suddenly stopped working. Western experts have been studying the virus used in this latest attack—dubbed NotPetya—because it has spread rapidly across borders, infecting both major Russian corporations and French companies such as the Saint-Gobain group. Russian in origin, they now claim, this digital bomb was intended to block the country, and it partially missed its target.

At first glance, the digital offensive of mid-January appears technically simple—almost a job for amateurs. According to Microsoft, which sounded the alarm, “dozens of government systems, private companies, and not-for-profit organisations” were temporarily paralysed by “malware designed to look like ransomware but lacking a ransom recovery mechanism and to render targeted devices inoperable rather than to obtain a ransom.” However, this “defacing” operation was accompanied by a compromise of the Kitsoft software company, whose clients include many government sites. This is thus a second attack through the supply chain—an increasingly common way of bypassing cyber defences—with potentially much more serious impacts. The only certainty is that tens of thousands of personal details of Ukrainian citizens were published on the dark web. “Not enough to panic Ukrainians (who are used to being targeted), nor Western experts (who only communicate about leaks beyond much higher critical thresholds),” explains Christine Dugoin-Clément, “even if this enriches the net pirates who trade in all kinds of illicit traffic with false identities.”

But Western experts question: what if it was in fact a diversionary attack aimed at distracting attention from a much more complex and dangerous manoeuvre? Careful observers will have noted—like Christine Dugoin-Clément—that the Ministry of Emergency Situations is in charge of activating a certain number of means of transport and logistical facilities for military units. And the academic points outs: “If Russia had launched an invasion of the territory at that time, Kiev’s military response would have been disorganised, and the cyberattack would have had strategic consequences.” She adds: “It can be read as a cold warning, a message saying, ‘We have the means to combine the effects of a cyber and kinetic offensive against you’.”

The Ukrainian authorities did not elaborate on the results of their investigations to avoid revealing the effectiveness of their defence systems. Kyiv has access to the platform created by NATO to share information on malware, particularly from the latter’s cyber defence centre of excellence in Tallinn, Estonia. The state can also count on independent cyber hackers grouped under the banner “Ukrainian Cyber Alliance” to join forces against the aggressor. Although the evidence is difficult to gather, experts point the finger at Russia. But which Russia are we talking about? In Moscow’s bosom, there is a complex private ecosystem of stakeholders acting out of patriotism, greed, or pressure that have established “two-way relationships with official services within the framework of a loose interpretation of the law,” explains Kevin Limonier, an academic and specialist in cyber space and the Russian infosphere. Last autumn, after Washington neutralised REvil, the latter’s twin—a group of Russian hackers that had once again attacked American banks, called the BlackMatter group and formerly known as DarkSide—disappeared from view at the very moment when senior CIA officials were being welcomed in Moscow. Some say that this was a way for Moscow’s leaders to send another message: we are not the bad guys, but we do have capabilities. Kevin Limonier concludes: “What we call cyber war extends from actions on digital networks to information operations.”