Russia in Ukraine 2013-2016: The Application of New Type Warfare Maximizing the Exploitation of Cyber, IO, and Media
This case study for analysis focuses on Russian operations in Ukraine from 2013-2016. Russian decision-making in Ukraine has demonstrated the ability to use cyber and information warfare to influence operations to support military and political objectives, and continued preparation of the cyber environment to create a range of options for future action.[i] The Russians were able to use Ukraine operations as a test for New Generation Warfare (NGW) to enhance the deep battle concept. Russia has adeptly executed deep battle, creating time and space to effectively employ limited ground forces and special operations to achieve desired effects. The employment of the cyber domain created windows of opportunity for success and simultaneous execution of offensive and defensive tasks across the strategic and operational levels and other domains. Additionally, the cyber capabilities employed allowed the Russians to achieve three critical strategic effects; 1) troop levels were minimized through integrated cyber operations and operational advantage gained; 2) Russian leadership maintained plausible deniability through effective cyber and information operations delaying international intervention; 3) cyber operations achieved desired effects and kept the threshold for violence below an international outcry for intervention or interference allowing the Russians to achieve the strategic objective to control key terrain in Ukraine.[ii]
Russia has used several techniques to enhance its advantage and gain opportunities to exercise reflexive control and achieve cross-domain synergy and advantage. Russian cyber activities have targeted Ukrainian government, law enforcement, and military officials through cyber espionage,[iii] passive intel collection, Distributed Denial of Service (DDoS) attack, integrated local and international information campaigns (using social media, mass media, and internet ‘trolls’ capacity), undermining of belligerent government and security apparatus institutions, credibility, and effectiveness, and finally has demonstrated the ability to create temporary and permanent effects on the Ukrainian national power grid.[iv] Russia’s strategy has been to use the information gained from its computer network exploitation campaigns to influence the decision making process and actions, intentionally shape public opinion, distort international perceptions and understanding of the situation to limit timely actions, and maintain its dominant position in Ukraine without international interference.[v]
The first research question is what are cyber capabilities in the defense? Russian cyber capabilities in the defense in Ukraine are rarely discussed in open source information. Unfortunately, to date, little has been reported about failed cyber-attacks by either side, so it is difficult to identify instances in which defensive cyber countermeasures were successful. Strategically, both Russia and Ukraine have taken measures to increase the defense of their respective networks.
The Russian response to the potential for cyber retaliation or counterattack has been primarily strategic level actions to limit access to the Russian internet and information apparatus. Russia has invested heavily in cyber capabilities development to break the reliance on foreign company technology. It has made efforts to harden its cyber terrain and passed numerous laws that limit diffusion of cyber access to Russian non-state actors over whom the state may not exercise sufficient control. Finally, Russia has created domestic laws to deny anonymity and ensured all information contained on the Russian internet is physically stored and registered to users.[vi]
In addition to strategic level investment in cyber infrastructure and controls on access, cyber has been used as a major focus for a defensive posture in the information war. Russia has used global and regional access through the cyber domain to shape the narrative and political environment. Russia has, “1) developed internally and externally focused media with a significant online presence; 2) used social media to guarantee that Russian narratives reach the broadest possible audience; and 3) polished their content in terms of language and presentation so that it rings true in various cultural settings.” [vii] The Russian ability to capitalize on traditional media, the internet, and social media has allowed them to shape the narrative domestically, regionally, and globally. The broad effort and capabilities allow Russia to control strategic and operational tempo through narrative, confusing the clarity of perceptions and situational understanding for other concerned international actors. The deliberate confusion and counter-narrative undermines Ukraine Government’s credibility while disrupting its ability to communicate with domestic supporters and the global community. Russian actions thus far are in keeping with the NGW and Deep Battle concepts facilitating effective informational environment defense and shaping for offensive operations and reflexive control.
The second question is what is the current US operational approach to the implementation of cyber capabilities at the operational level? Currently the focus of US application of cyber capabilities at the operational level focuses at the linkage among the national cyber strategy in The DoD Cyber Strategy, joint documents from JP 3-12 (R) Cyberspace Operations, and the recently released US Army tactical doctrine on the application of cyber and electromagnetic capabilities found in FM 3-12 Cyberspace and Electronic Warfare Operations. The current failing however, is the lack of operational level documents to link the tactical to the strategic. The particular power of this case study allows US operational planners to understand a current threat’s application of cyber across all three echelons to inform requirements for US cyber operations and lessons learned specifically from the Russian challenges with cyber at the operational level. These will be discussed more in depth throughout the remainder of this case study as well as in the analysis and findings section. Cyber capabilities offer significant opportunities to the force that can integrate effectively across all domains to gain temporary windows of advantage, improve operational reach, control tempo at echelon, and link tactical actions in time and space during a campaign to achieve strategic effects efficiently.
The third research question is what are the cyber capabilities in the offense? Russia has effectively implemented cyber capabilities within the deep operations concept and its modern evolution of NGW. Russian operations in Ukraine have provided a valuable practical exercise in cyber use within a limited conflict to achieve tactical, operational, and strategic objectives. During the outset of Russian operations in Ukraine in 2014, security experts accurately predicted the Russian cyber strategy will be a higher evolution in sophistication than the previous Russian attacks against Estonia in 2007 and Georgia in 2008, and that “Moscow is more likely to use narrowly focused, limited operations in support of strategic state objectives.”[viii] Russia has used a myriad of methods and has achieved mixed results with a decentralized application of proxy cyberwarfare, use of malware, advanced persistent threats (APTs), and DDoS.
The most notable proxy hacker incident occurred during Ukrainian Presidential election in May of 2014. CyberBerkut, a pro-Russian hacktivist group, launched a cyberattack against Ukraine’s Central Election Commission computers and posted false election results with a synchronized effort from Russian TV Channel One corroborating the false reports.[ix] The attacks undermined the credibility of Ukrainian government domestically, regionally, and internationally. Additionally, the results also provided fuel to support the Russian narrative that the ethnic Russian separatists were fighting corruption and needed help from Russia to achieve independence and protect their rights. The hackers displayed unique sophistication, conducting in-depth system reconnaissance two months prior, gaining administrator-level access to the election commission network, and employing advanced cyber espionage malware (Sofacy/APT28/Sednit).[x]
In addition to interfering with the Ukrainian 2014 election, Pro-Russian hacker groups have claimed responsibility for additional cyber events: the disruption of German government websites, intercept of US and Ukrainian military cooperation documents, DDoS attacks against NATO websites, blocking of Ukrainian government and media websites, and various negative messaging campaigns slandering pro-Ukrainian supporters.[xi] CyberBerkut is also actively undermining Ukrainian legitimacy and credibility for governance by attacking ineffective infrastructure management and the threat of nuclear power reactor failure. Additionally, they are publishing stories to discredit US credibility through ties of the Clinton Foundation to Ukrainian misuse of International Monetary Fund (IMF) funds.[xii]
The Russians launched sophisticated malware attacks against Ukrainian targets, such as a Snake/Uroboros malware exploitation of government computers, disrupted telecommunications infrastructure, and jamming of Ukrainian parliamentarians’ cell phones.[xiii] A deliberate cyber-espionage campaign known as ‘Operation Armageddon,’ has been active since mid-2013 targeting Ukrainian military, government, and law enforcement officials to gain intelligence concerning Ukrainian strategic, operational, and tactical plans.[xiv] A recent study identified two major classifications of target groups for the Russian attacks. Prior to the conflict, during shaping operations, the targets were the Ukrainian government officials, members of the opposition, and pro-opposition journalists. Once ground operations began the second target group included Ukrainian government and law enforcement focusing on those involved or located near Russian rebel operations.[xv]
The fourth question is what are examples of cross domain effects providing time, space and operational advantage? There are four primary examples from the Russian operations in the Ukraine: 1) phase zero information shaping operations, 2) cyber operations to disrupt and deny Ukrainian command and control; 3) SOF operations integrated with cyber to seize key physical and cyber terrain, and 4) cyber-espionage operations to gain operational and tactical advantage. First, the cyber/information warfare prior to the beginning of ground combat operations created strategic paralysis of international actors and Ukraine to create time and space for the Russian operational and tactical level commanders to seize key terrain, install rebel leadership, and create and promulgate a viable information campaign to support operations. Second, at the outset of the ground combat operations critical communication infrastructure was attacked with cyber capabilities to deny Ukrainian government agency communication and military command and control.[xvi] The cyber and information operations set the conditions for the third application. As the invasion progressed, Russian intelligence and special operations forces created cross domain effects through a raid on critical Ukrainian internet infrastructure. The ground forces installed data intercept devices and physically isolated Ukrainian internet and telecommunications infrastructure.[xvii] Finally, cyber-espionage has gained valuable intelligence through cyber reconnaissance to provide information on Ukrainian government, military and law enforcement planning and operations.[xviii] This actionable intelligence was used to create time and space, as well as maneuver and fires advantage to the Russian-backed rebels.
The fifth question is what can cyber do to integrate cross domain capabilities to buy time and space for the commander? Cyber capabilities are an effective tool at the operational level to create paralysis in the command and control architecture of an opponent. In addition, strategically it can provide temporary windows of advantage through a strategic narrative and coordinated information operations to prevent the international community from understanding the operational environment, thereby creating strategic paralysis and either a delayed or complete lack of response from potential alliance partners. Next, cyber operations can create time and space at the operational and tactical level through reconnaissance. The intelligence collection provides a detailed understanding of an opponent’s plan allowing commanders to shape operations with fires and maneuver to destroy an unsuspecting enemy.
The sixth question is what are the current enemy cyber capabilities and methods of employment at the operational level? Ukraine’s struggle with effective cyber defense against an able opponent, creates a framework and mirror for the cyber weaknesses of other international actors against a possible Russian cyber-attack. Ukrainian cyber capabilities, although less equipped than Russia’s, still include significant assets and highly trained personnel. Ukraine suffers from a lack of a cyber legal framework,[xix] a coherent strategy[xx] and operational linkage from the tactical application of available cyber assets and capabilities. Until a legal framework can be established within Ukraine and government agencies created, manned and trained effectively the majority of critical national infrastructure will rely on private sector approaches to effectively defend against Russian cyber-attacks.[xxi] Ukraine relies on reactive defensive capabilities as it hastily builds a structure which can provide a proactive approach and response.
The evolution of Russian capabilities between the two power grid attacks in December of 2015 and 2016 provide poignant lessons in cyber defense.[xxii] The advanced malware, extensive cyber-espionage and lengthy reconnaissance, and specifically the ability to highjack multiple power stations Supervisory Control and Data Acquisition (SCADA) systems demonstrate significant capabilities. The attack required a manual override of the system by Ukraine to bring the power grids back online.[xxiii] Russian hackers were able to use the supervisory role and remote through the system to gain access and control multiple switches and bypass Ukrainian cyber monitors and defense capabilities. The attacks demonstrate Russian ability to potentially permanently disrupt power to 100,000 users. Within the Ukraine, a power outage during the winter would create permanent infrastructure damage and loss of life. The demonstration provides an additional punitive coercive capability to force compliance and potential weaponization with catastrophic effects from cyber to physical domains and on a civilian population. Ukraine has made efforts to work with outside agencies to assist in identifying weaknesses within their systems but is still struggling to develop solutions.
The seventh question is what are the contributions to the Deep Battle concept and reflexive control? Russian attacks in the Ukraine have provided recent examples of the evolution of Russian Operational Art and testing of the modern, hybrid or new generation warfare.[xxiv] The effective employment of cyber capabilities has proven to create time and space across all three echelons of war. Udar or operational shock was achieved across every level within the enemy system (Ukraine) for decision making and C2. Additionally, cyber capabilities integrated with the Russian strategic information campaign achieved unprecedented strategic level shock limiting the international community’s understanding of the situation and greatly limiting the response. The shock achieved set the conditions for operational and tactical maneuver enabling the Russians to quickly seize key terrain within the Ukraine through rebels with minimal Russian footprint of unmarked and unclaimed special operations forces.
Reflexive control has accomplished significant strategic and operational integration to achieve the desired Russian end state in the Ukraine to control key terrain and gain access while limiting international interference. Maria Snegovaya, a leading expert on Russia and the Ukraine, identified the following five key elements of Russia’s reflexive control techniques used in the Ukraine:
- Denial and deception operations to conceal or obfuscate the presence of Russian forces in Ukraine, including sending in “little green men” in uniforms without insignia;
- Concealing Moscow’s goals and objectives in the conflict, which sows fear in some and allows others to persuade themselves that the Kremlin’s aims are limited and ultimately acceptable;
- Retaining superficially plausible legality for Russia’s actions by denying Moscow’s involvement in the conflict, requiring the international community to recognize Russia as an interested power rather than a party to the conflict, and pointing to supposedly-equivalent Western actions such as the unilateral declaration of independence by Kosovo in the 1990s and the invasion of Iraq in 2003;
- Simultaneously threatening the West with military power in the form of overflights of NATO and non-NATO countries’ airspace, threats of using Russia’s nuclear weapons, and exaggerated claims of Russia’s military prowess and success;
- The deployment of a vast and complex global effort to shape the narrative about the Ukraine conflict through formal and social media.[xxv]
A significant emerging aspect is Russia’s effective use of cyber-espionage. An emerging aspect of reflexive control is the effective use of cyber reconnaissance to gain intelligence and understanding of the enemy’s plans in detail. Rather than controlling the enemy’s response, the Russians have been able to understand Ukrainian plans and shape their fires and maneuver to destroy Ukrainian forces and support Russian backed rebels to achieve their objectives.
The eighth question is what critical capabilities across all domains are linked to cyber capabilities and critical vulnerabilities? JP 5-0 defines critical capabilities as the “primary abilities essential to the accomplishment of the objective.” Critical requirements are “essential conditions, resources, and means the COG requires to perform the critical capability.” Critical vulnerabilities are “those aspects or components of critical requirements that are deficient or vulnerable to direct or indirect attack in a manner achieving decisive or significant results.”[xxvi] The most critical capability to date has been the Russian information warfare apparatus and integrated NGW concept and execution. Russia’s critical requirements have been its myriad of cyber capabilities. Specific Russian capabilities include: proxy hackers, cyber espionage capabilities within the Russia and Ukraine, social media internet ‘trolls,’ and an effective operational level approach to the integration of cyber capabilities to synchronize and link tactical actions in time and space to the strategic aims. Russia’s critical vulnerability is the integrity, legitimacy, and credibility of the information campaign and a counter narrative from Ukraine.
This case study has highlighted the Russian operational approach to date and the evolution of the Russian operational art and concepts of deep battle and reflexive control. The next section, findings and analysis, will provide insight into an operational approach and framework to counter the Russian strategy and operational approach with respect to cyber domain capabilities applied within Russian New Generation Warfare.
This study relied on three hypotheses. First, when an operational approach arranges cyber capabilities across all domains it will create time and space allowing the operational level commander to shape the deep fight and control the tempo of joint operations. The evidence suggests this hypothesis is supported. Russian operations in the Ukraine demonstrate the operational commander’s use of cyber and EW capabilities to create cross domain advantage and synergy. The efforts created critically needed time to prioritize limited assets, capabilities, and manpower. Operational level leaders were able to mitigate risk and apply combat power at critical decisive points, using an indirect approach to attack the enemy COG. The applied cyber and EW assets prevented Russian culmination while operating at the limit of operational reach and consequently forced the opponent to culminate and conduct costly operations beyond his operational reach.
Second, when cyber capabilities are used across all domains they provide the operational commander time and space in the defense to expose and increase enemy vulnerability by forcing the enemy to concentrate forces. The evidence suggests this hypothesis is also supported. The case study illuminates critical lessons for operational commanders in the defense. Operational commanders assume the defense to regenerate combat power and build capabilities to regain the offense. The Russians effectively used cyber capabilities in a proactive defense through information operations to prevent international interference with operations. The Russians successfully conducted a strategic cyber defense through cyber and information operations while shaping the environment and conducting minimal force offensive operations to seize key terrain during initial ground operations.
Third, when cyber capabilities are employed across all domains the arrangement achieved will allow operational commanders the time, space and ability to seize, retain, and exploit the initiative, gaining the advantage against the threat. The evidence suggests this hypothesis is supported as well. The Russia in Ukraine case study demonstrates the use of cyber and EW capabilities to set the conditions to seize the initiative. Cyber and EW allow simultaneity and depth when used across the other four domains that cannot be achieved without them. The cross-domain synergy achieved in the case study provided multiple options for the operational commander, created shock and delay in the enemy decision-making cycle, and allowed the Russians to gain and maintain the initiative forcing operational level culmination of the opponent.
In summation, the evidence from the case study suggests that all three hypotheses are supported and that Russian operations in Ukraine have applied operational art to link tactical action to the desired strategic end state. Cyber and EW capabilities are critical in warfare and allow operational level commanders the opportunity to shape the deep fight and control the tempo of multi-domain, joint operations. An effective operational approach will provide the operational commander the opportunity to create temporary windows of advantage by leveraging the cyber and EW domain across other domains.
[i] James R. Clapper, Statement for the Record: Worldwide Threat Assessment of the US Intelligence Community, Senate Armed Services Committee, February 9, 2016, accessed November 13, 2017, https://www.dni.gov/files/documents/SASC_Unclassified_2016_ATA_SFR_FINAL.pdf.
[ii] Andy Greenberg, “How An Entire Nation Became Russia’s Test Lab for Cyberwar,” Wired June 20, 2017, accessed October 30, 2017, .
[iii] Looking Glass, Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare (Lookingglass Cyber Threat Intelligence Group, CTIG-20150428-01, April 28, 2015), 3, accessed October 30, 2017, https://www.lookingglasscyber.com/wp-content/uploads/2015/08/ Operation_Armageddon_Final.pdf.
[iv] Electricity Information Sharing and Analysis Center, Analysis of the Cyber Attack on the Ukrainian Power Grid (Washington, DC: March, 2016), 1-3, accessed October 29, 2017, .
[v] Jen Weedon, “Beyond ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine,” in Cyber War in Perspective: Russian Aggression Against Ukraine, ed. Kenneth Geers (Tallinn, Estonia: CCDCOE, NATO Cooperative Cyber Defence Centre of Excellence, 2015), 67-77, accessed November 9, 2017, https://ccdcoe.org/sites/default/files/multimedia/pdf/cyber warinperspective_full_book.pdf.
[vi] Sergei A. Medvedev, “Offense-defense theory analysis of Russian cyber capability” (monograph, Naval Postgraduate School, 2015), 37-40, accessed November 16, 2017, .
[vii] Keir Giles, “Working Paper: Russia’s Hybrid Warfare: a Success in Propaganda,” European Security and Defence College, 18 February 2015, quoted in James J. Wirtz, “Cyber War and Strategic Culture: The Russian Integration of Cyber Power into Grand Strategy,” in Cyber War in Perspective: Russian Aggression Against Ukraine, ed. Kenneth Geers (Tallinn, Estonia: CCDCOE, NATO Cooperative Cyber Defence Centre of Excellence, 2015), 36, accessed November 9, 2017, .
[viii] Jen Weedon and Laura Galante, “Intelligence Analysts Dissect the Headlines: Russia, Hackers, Cyberwar! Not So Fast,” FireEye Executive Perspectives, March 12, 2014, accessed November 13, 2017, https://www.fireeye.com/blog/executive-perspective/2014/03/intel-analysts-dissect-the-headlines-russiahackers-cyberwar-not-so-fast.html.
[ix] Nolan Peterson, “How Russia’s Cyberattacks Have Affected Ukraine,” December 16, 2016, accessed October 30, 2017, .
[x] Nikolay Koval, “Revolution Hacking,” in Cyber War in Perspective: Russian Aggression Against Ukraine, ed. Kenneth Geers (Tallinn, Estonia: CCDCOE, NATO Cooperative Cyber Defence Centre of Excellence, 2015), 36, accessed November 9, 2017, .
[xi] Sergei A. Medvedev, “Offense-defense theory analysis of Russian cyber capability,” 26.
[xii] CyberBerkut, accessed November 16, 2017, .
[xiii] Sergei A. Medvedev, “Offense-defense theory analysis of Russian cyber capability,” 28. See also Jen Weedon, “Beyond ‘Cyber War’: Russia’s Use of Strategic Cyber Espionage and Information Operations in Ukraine,” in Cyber War in Perspective: Russian Aggression Against Ukraine, ed. Kenneth Geers (Tallinn, Estonia: CCDCOE, NATO Cooperative Cyber Defence Centre of Excellence, 2015), 73, accessed November 9, 2017, .
[xiv] Looking Glass, Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare, 3.
[xv] Ibid., 8.
[xvi] The Institute for National Security Studies (INSS), “The Ukrainian crisis- a cyber warfare battlefield,” Defense Update, April 5, 2014, accessed November 16, 2017, .
[xvii] Sergei A. Medvedev, “Offense-defense theory analysis of Russian cyber capability,” 29.
[xviii] Looking Glass, Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare, 3.
[xix] Jan Stinissen, “A Legal Framework for Cyber Operations in Ukraine,” in Cyber War in Perspective: Russian Aggression Against Ukraine, ed. Kenneth Geers (Tallinn, Estonia: CCDCOE, NATO Cooperative Cyber Defence Centre of Excellence, 2015), 123-134, accessed November 9, 2017, https://ccdcoe.org/sites/default/files/multimedia/pdf/cyberwarinperspective_full_book.pdf.
[xx] Nadiya Kostyuk, “Ukraine: A Cyber Safe Haven?,” in Cyber War in Perspective: Russian Aggression Against Ukraine, ed. Kenneth Geers (Tallinn, Estonia: CCDCOE, NATO Cooperative Cyber Defence Centre of Excellence, 2015), 122, accessed November 9, 2017, .
[xxi] Ibid, 117.
[xxii] Andy Greenberg, “How An Entire Nation Became Russia’s Test Lab for Cyberwar,” Wired June 20, 2017.
[xxiii] Electricity Information Sharing and Analysis Center, Analysis of the Cyber Attack on the Ukrainian Power Grid, 24.
[xxiv] Andrew Monaghan, “Putin’s Way of War: The ‘War’ in Russia’s ‘Hybrid Warfare,’ Parameters 45, no. 4 (Winter 2015-16): 65-74, accessed October 30, 2017, .
[xxv] Maria Snegovaya, “Russia Report I: Putin’s Information Warfare in Ukraine,” Institute for the Study of Warfare: September 2015, 7, accessed October 30, 2017 .
[xxvi] US Joint Staff, JP 5-0, (2017), IV-25.