Some thoughts on offensive cyber ops (OCOs) & influence campaigns in the context of Ukraine. Both potential and reality.
(1) Influence campaigns - while not technically offensive cyber - are essential to this conflict. A sustained projected image of resilience did a lot to galvanize global response towards Ukraine. There are tectonic shifts in geopolitics.
(2) That Russia did not (a) cripple Ukrainian internet access and (b) dominate the wartime narrative was a massive strategic error. Public perception in conflict is an accelerant to intervention and countermeasures. Confidence comes from compelling narrative.
(3) I often make the distinction between two types of offensive cyber ops: event-based (immediate, usually tactical, also usable from the field) and presence-based (often first intel ops, intentional lateral movement, usually run in the rear). Russia has potential for both.
(4) Considering the origin of most Ukrainian hardware, Russia should be able to use event-based cyber alongside or directly as part of their electronic warfare platforms. Difficult to see evidence of this even if it is happening, that's not easily discernible to OSINT watchers.
(5) Considering the invasion was extensively planned and the Russian history of targeting Ukrainian networks, it would have helped them to preposition for strategic presence-based ops to facilitate initial success in suppressing Ukraine.
(6) Maybe strategic OCOs were not prioritized (miscalculation), maybe they were detected (opsec errors), or maybe their effects failed/under-delivered (operational errors).
(7) We're also seeing a lot of opportunistic attacks, both presence-based (e.g. compromising RU news sites, infra, gov websites) and event-based (e.g. DDoS). Those are not likely to make a massive difference on their own considering they were initiated mid-conflict.
(8) That's not to say they don't matter. They introduce adversarial noise and increase perception of the sassy defenders punching above their weight and rallying support. So they serve the broader influence campaign even if they mostly don't matter militarily.
(9) If a target happens to be vulnerable and actionable even within a compressed wartime timeline, an attacker may even create a meaningful effect. This is particularly true of internet-connected aging or underresourced critical infra. Also, not all critical infra is ICS.
(10) We haven't seen thus far what OCOs could do if wielded intentionally, with strategic forethought, as part of a combined arms approach. It's possible, even if not on display here.
(11) It is also entirely possible, considering the medium, that there are many aspects we do not have visibility into. Perspective bias colors our analysis, and our view is heavily skewed by what official reports, news coverage, and civilians are able to show us.
(12) Let's not read too much into what Russia vs Ukraine means about the landscape of possible offensive cyber ops.
(13) Let's not read too little into what Russia vs Ukraine means about how cyber blends into an influence campaign and the role of crowdsourced ops. Also, draw too many undisciplined civilians into the mix and the risk of collateral increases as well.
(14) We're not remotely done, so everything in this thread is "as of now".
• • •
Missing some Tweet in this thread? You can try to
force a refresh
