This is a long thread on Russian cyber war in Ukraine, in which I will try to explain cyber war and comment on the Russian cyber war in Ukraine. /1
For those who don’t know me or what credentials I have: I am a civilian threat intelligence expert at @truesec, but I have previously worked 35 years in intelligence, mostly in Sigint. /2
First, we need to define a few things, because words like “cyber war” are being thrown around and misused a lot.
Cyber Operations are the use of cyber capabilities, either in war or clandestinely in peace. Just like Special Forces operations. /3
Cyber War is war in the cyber dimension. Just as “air war” refers to the air campaign of a battle or war, the “cyber war” is the cyber campaign of a war. (So, no war means no cyber war!) /4
Offensive Cyber War capabilities focus on destruction. It is the capability to breach critical networks and destroy data in a way that impacts the adversary in the physical world negatively. Defensive Cyber War capabilities are the ability to prevent or mitigate such attacks. /5
Cyber Intelligence is another form of Cyber Operations. If you breach a network only to steal data, it’s cyber espionage, and that is NOT an act of war. /6
The catch is, of course, that once you have breached a network it can literally take seconds to go from espionage to cyber war, by uploading some new bad code. /7
Now that we have laid the groundwork, let’s talk about a unique feature of cyber war, compared to war in other dimensions.
All combat is shaped by constant technological evolution and innovation. Measures always lead to countermeasures. /8
One side develops a new tank, the other develops a missile that can pierce the tank, so someone develops a defensive system that protects the tank from missiles.
The same is true in cyber war, but everything is just so much faster. /9
A good tank, for example, can be excellent for 20 years. With some upgrades of key components, it can be perfectly useful in combat for up to 40 years. /10
en.wikipedia.org/wiki/M1_Abrams
By contrast, a cyber weapon can lose most of its potency in just a few days.

Consider this. Someone discovers a previously unknown vulnerability in a common application, like Microsoft Exchange, a so-called “Zero-day”. /11
This vulnerability is a mistake in the code that allows hackers to breach any network that uses Microsoft Exchange and get access to the computer. /12 proxylogon.com
If they can then find a couple of other such Zero-days, they can build a cyber weapon that can infect millions of clients all over the world and wipe all of them, causing untold damage, such as the infamous NotPetya attack. /13
wired.com/story/notpetya…
Such cyber weapons can be very potent, but the minute someone is aware of these vulnerabilities, it will take Microsoft a few days to create an update that removes the vulnerability. This patch will make your weapon cease to function. /14
Not entirely, because there are always those who don’t apply patches properly, but the weapon has still lost most of its potency.
Building a cyber weapon is consequently a bit like building a rocket. You build the rocket, you fire it at the enemy, and it is gone. /15
Now you must build a new rocket, but unlike a real rocket, you need to start with a new blueprint, because the old rocket can no longer hit the enemy.
Constructing a sophisticated cyber weapon can take months to prepare. /16
You need a method to access the target networks. You need to carefully chart the breached networks, to determine how to propagate the attack inside the network and where a cyber weapon can cause maximum impact. /17
All this preparation for one cyber weapon, and you may only get one good shot. That is all, so you must make it count. You must know exactly where to strike, but also when to strike. /18
It is always possible to hack systems manually. Instead of building a super cyber weapon, a skilled team of hackers can use scripts and hacks step by step until they have control of a network and can finally start wreaking havoc. This is how ransomware gangs work. /19
The problem with this approach is that it takes time and effort to bring down a company’s network, and criminals prefer to go for easy targets, companies that have neglected cyber defenses. It would take a lot of effort to seriously impact the financial stability of the USA. /20
And during that time you can be sure U.S. Cyber Command would not sit still and do nothing! /21
I believe Russia knew all this and planned accordingly. Russia’s plan was to use “Shock and Awe” and overrun Ukraine, making their command structure collapse and most Ukrainian forces surrender, or at least remain passive, as elite Russian forces conquered and took over Kyiv. /22
The plan for the Russian cyber war was all based on supporting this initial attack. The key target was the Ukrainian command structure. A limited, but achievable goal. /23
The most well-known Russian cyber warfare unit is GRU unit 74455, also known as Sandworm. This group appears to be responsible for cyber war support for the Russian army. They are essentially a form of cyber-Spetsnaz (Russian SOF). /24 en.wikipedia.org/wiki/Sandworm_…
If Sandworm could knock out communications and key government ministries, they could hopefully paralyze the Ukrainian forces. Then it was just a matter of entering Kyiv and taking over. /25
The first Russian cyber operation was conducted on January 14. This was a preparation attack. It was mostly a show of force, to frighten. The attack was amplified with simple DDoS attacks that did little actual damage but created headlines. /26 truesec.com/hub/blog/state…
It was meant to instill fear and signal that Russia owns all of Ukraine’s digital secrets, that resistance was futile. In military jargon this is called setting conditions for the battle. /27
The real cyber attack, the coup de grâce that was going to seal Ukraine’s fate, started on 23 February, just hours before the invasion. Here Russia used two cyber weapons that had been carefully prepared for months. /28
HermeticWiper was a sophisticated destructive malware hitting government networks in Ukraine. AcidRain was another wiper, aimed specifically at destroying the routers of a commercial communications satellite service used by the Ukrainian armed forces for communications. /29
Together, HermeticWiper and AcidRain were intended to effectively shut down the Ukrainian government’s ability to lead their army, hours before the war began. /30
With the information we have available now, it actually seems like the Russian cyber weapons that were deployed on the eve of the invasion were highly successful. There are reports that European leaders had problems contacting President Zelensky or his staff that night. /31
When President Zelensky reached out to his country that night, in a historic appeal to fight the invasion, it was on his cell phone, not from a studio. /32
The AcidRain attack had also been lethal. Ukrainian commanders had to borrow civilian cell phones to contact high command. /33 wired.com/story/viasat-i…
Later, the U.S. government would rush deliveries of Starlink terminals to replace the equipment damaged by AcidRain, but in the first critical hours, improvisation was the name of the game. That and President Zelensky’s social media skills. /34
Ultimately Russia failed to take Kyiv, and when the Russian army retreated from Kyiv to lick their wounds and prepare for the battle of Donbass, the Russians had already used their best cyber weapon. /35
In April Sandworm attempted to attack the electrical grid in Ukraine, but this time they had only weeks of preparation, where they had had months the first time. So, they only had limited success. /36
cyberscoop.com/ukrainian-elec…
It’s easy to conclude that Russia’s cyber war capabilities have been overrated. Sandworm’s attacks on Ukraine suffered from the same problem the Russian army always has. Command is based on following a fixed plan and struggles if the plan fails. /37 thenationalnews.com/world/us-news/…
It’s also possible to conclude that cyber war itself is not able to live up to all the hype. As I have shown, cyber war has its real limits. It should be wielded like a rapier, not a cudgel. /38
When used properly, however, I believe it can be a crucial part of modern warfare. Personally, I believe that the battle of Kyiv may have been a closer-run thing in those first 48 hours than we think now. /39
If Russia had won, I also believe we would today be reading about how the mastery of Russian cyber warfare had been the crucial element that won the war in three days. /40
After all, some suggested that the era of the tank on the battlefield may now be over, when brave Ukrainian soldiers started to destroy Russian tanks in droves with anti-tank missiles. /41
19fortyfive.com/2022/03/does-t…
That is, until the armored fists of the Ukrainian mechanized brigades started to scatter the Russian defenses in Kharkiv and Kherson. /42 bbc.com/news/world-eur…
End Thread. Thank you if you stuck with me this far.

Slava Ukraini!

#cyberwar #ukrainewar #ukraine
