The multiple coordinated attacks on Ukrainian government cyber infrastructure are a very interesting development in the field of cyber warfare. This may be the first public example of multiple types of attacks, not directly linked via the same penetration, being used in coordination to attempt an effects-based operation.
The website defacements were used to message the Ukrainian population in a sort of cyber mimicry of the old strategic “terror bombing” theory. Collective punishment of a civilian population in order to apply political pressure against their leaders.
Historically, this type of pressure has only worked when the country is engaged in a limited war. When that is the case, the population does not accept the costs of the violence as an acceptable price for the war effort. In an existential or total war, the opposite happens — the population draws together against a common enemy. [Mack 1975]
Will cyber terrorism based on releasing PII work as a coercive measure against a population? Clearly it is well below the threshold of physical violence, death and destruction. But, importantly, it does have some negative impact on the victims. It is not without some capacity to coerce people.
Moving to analysis of the operation itself, it seems to me that the attackers failed in their coordination and that seriously impacted the operation. The website defacements were known locally on January 13th, and internationally on the 14th. There was a day of ridicule because, quite frankly, a website defacement does not demonstrate a credible cyber operation capacity.
Early reports from Ukraine emphasised that the attack’s warning about releasing data was an empty threat as no data was accessed. This analysis is completely in line with the impact and effects of a website defacement. Typically, there just isn’t anything to steal on a web server or CRM system.
It was not until January 15th that it became apparent that the defacements were not isolated incidents. Multiple systems and networks were also attacked with a datawiper malware that masquerades as ransomware. This has a superficial resemblance to NotPetya, but critically the malware is not part of an autonomous system. These attacks appear to have been manually installed, like typical ransomware.
It is too early to know what else happened during the malware incident. What is clear, though, is that there was not a data dump associated with the website defacement messages. The operation was less effective because the messaging was not linked to an action.
The failure to follow through on the threat detracted from the website defacement as a messaging channel. Defacements are common so there is no indication that this defacement is genuinely state sponsored, rather than a “patriotic hacker.” The sophistication level is too low to function as a signal of authenticity.
The poor coordination between the events had immediate consequences on how they were perceived. Without a corresponding destruction or leak, the defacement appeared as just an empty threat. Possibly not even from a serious threat actor. By the same token, the wiper malware had nothing to contextualise the attack as a political action with meaning.
The delay between the incidents meant that each was interpreted independently. If the coordination had been done properly they would have been more than the sum of their parts, but instead they were less.
One inference that could be drawn from the poor timing coordination is that the two ops were executed by different threat actors. Difficulties in managing multi-state, multi-service operations could easily lead to synchronisation failures. Coordinating multiple operations is feasible within a single organisation. Across multiple services in multiple states, however, the difficulties grow exponentially. This is precisely why there is joint services training.
The most interesting feature of cyber warfare this attack demonstrates is the use of multiple types of attack (website defacement, data destruction, data leaks?, etc.) combined into a single operation. This is a superficial sort of “combined arms operation” where different weapon systems are used in combination to achieve an effect.
There is a lot of analysis to be done about the use of cyber to coerce a population as a means of indirectly applying political pressure. That will have to wait for another post.
The takeaway for this incident is that website defacements are simply tactical options that a state sponsored threat actor can choose for an operation.
This doesn’t mean website defacements are now state level hacking. What it does mean is that state sponsored hacking can meaningfully include website defacements.
Mack, Andrew. “Why Big Nations Lose Small Wars: The Politics of Asymmetric Conflict.” World Politics 27, no. 2 (1975): 175–200. https://doi.org/10.2307/2009880.