A Bear of a Problem: Russian Special Forces Perfecting Their Cyber Capabilities
On the front lines in the Donbas region of eastern Ukraine—an area known as the Joint Forces Operation, formerly the Anti-Terrorist Operation zone—ground combat operations are evolving and incorporating new features.
Previous installments of this column have examined information operations and electronic warfare in this context. But increasingly, cyber is also playing an impactful role, presenting a potential vision of future cyber-enabled conflict.
The use of cyber by Russian Spetsnaz (special forces) and their proxies in the Donbas may not be sexy. Bits and bytes still cannot take and hold territory. Cyber capabilities do not allow soldiers to avoid the cold, wet grind on a contact line with hundreds to thousands of daily cease-fire violations. Nor has the vision of a future conflict conducted at a computer terminal in a headquarters where the violence of warfare is somehow sanitized by strokes of a keyboard materialized. Instead, tactical cyber has devolved and intermingled with information operations and electronic warfare, becoming yet another daily part of the slog to maintain territory, the operational readiness of forces and the tactical viability of equipment.
In 2014, the U.S. Army released its first manual on cyber electromagnetic activities (CEMA), defining them as “activities leveraged to seize, retain, and exploit an advantage over adversaries and enemies in both cyberspace and the electromagnetic spectrum, while simultaneously denying and degrading adversary and enemy use of the same and protecting the mission command system.” Since the publication of Field Manual 3-38, the U.S. has struggled to incorporate CEMA at the tactical level.
Meanwhile, Russia has been perfecting its tactics, using the conflict zone in Ukraine as a low-cost test environment to field new technologies. The continuous tactical testing of technologies against a dynamic and adaptive adversary enables Russian forces to improve integration and agility of technologies and to hone the tactics, techniques and procedures associated with employment of CEMA and information operations at the tactical level.
On the battlefields of Ukraine, Russian forces conduct information warfare (informatsionnaya voyna) meant to provide specific tactical advantages and further increase the fog of war on the front lines and beyond. Russian concepts of information warfare have long frustrated the discrete distinctions of cyber, electronic warfare and information operations used within U.S. doctrine.
In a draft of the 2014 concept of Russia’s Cyber Security Strategy, Russia subordinated the concept of cyber within the broader concept of information security. The strategy noted the impact information manipulation can have on individuals, the broader public consciousness, information infrastructures and information ecosystems.
Russian utilization of cyberspace at the tactical level is dynamic: It attacks an adversary’s capability to wage war at multiple points while simultaneously seeking to minimize risks. In Ukraine, this has meant frequent and sustained attempts to undermine the hardware, software and members of front line units.
In 2017, a team from the Army Cyber Institute at West Point traveled to Ukraine and met with members of regular and volunteer battalions who had fought along the Anti-Terrorist Operation zone from 2014 through 2017, members of the Information Assurance Directorate of the General Staff, representatives of the Security Service of Ukraine and researchers at Ukrainian universities.
Mobile Phone Attacks
The team documented the use of SS7 mobile phone infrastructure attacks, conducted by Russian RP-377L signals intercept platforms, to distribute malware to the personal mobile devices of front line soldiers, as well as man-in-the-middle attacks in which Russian operators inserted themselves between unsuspecting Ukrainian forces communicating with one another. These attacks intercepted the voice and text communications of soldiers. In some cases, soldiers had malware delivered to their phones disguised as pictures of spouses or families sent via text message. The phones of Ukrainian soldiers were compromised with malware that reported their geolocation. Some spouses or parents received messages claiming their husbands or sons had been killed on the front lines, or imploring them to ask their husbands or sons to give up and return home. Ukrainian service members also received texts in the early phases of the conflict informing them that their battalion staffs had retreated and that they were surrounded and should give up.
Beyond targeting front line soldiers, Russian signals and electronic warfare units also rapidly disabled Ukrainian unmanned aerial vehicles (UAVs) along the Anti-Terrorist Operation zone via electronic warfare and cyber means. Russian units also employed distributed denial-of-service attacks against Ukrainian hard-line secure voice and data communications between company and battalion levels. These attacks reduced confidence and communications capabilities and limited tactical coordination among units.
Android App Targeted
Even more brazen attacks by the cyberespionage group “Fancy Bear” are believed to have targeted an Android application developed by Ukrainian artillery officer Yaroslav Sherstuk to aid in Ukrainian artillery targeting. While it seems fanciful that a modern military would use an Android application developed by one of its own artillery officers to aid in the targeting of enemy positions, the conflict in Ukraine has not followed a traditional weapons development and acquisition framework. Ultimately, the malware associated with this attack allowed the Russians to retrieve communication and location data.
The extent of Russian cyber, electronic warfare and information operations in Ukraine highlights many of the future tactical challenges likely to arise in large-scale combat operations. The sustained tactical utilization of CEMA and information operations can provide the enemy tactical insights into American movements and communications, damage the effectiveness of “cybered” weapon systems (systems connected to networks), and target the psychological resilience of front line soldiers and their support networks at home. Some recommendations to mitigate this threat follow:
Training and Education. The Army must understand the threats and recognize the potential vulnerability of its systems. In 2008, a malware-laden flash drive inserted into a laptop at a base in the Middle East caused what was determined at the time to be “the most significant breach” of U.S. military computers ever. Likewise, blue-force tracker systems, the Advanced Field Artillery Tactical Data System, UAVs, GPS and GPS-enabled weapons, and our command, control and communication systems are vulnerable to attack. Beyond education alone, training at combat training centers and other locations should include scenarios in which some of these systems are compromised. Soldiers, therefore, must know how to navigate without GPS, manually fire artillery systems, and fire and maneuver without the use of blue-force tracker capabilities and communication systems.
Resilience. Given that soldiers are unlikely to entirely disconnect from social media while deployed, soldiers and their families must be prepared for the enemy to use cyber-enabled information operations to degrade troop morale and popular support for the conflict. The Army must ensure that the families of soldiers are prepared in order to minimize the impact of these enemy efforts.
Techniques, tactics and procedures. The Army must continue to develop its offensive and defensive cyber capabilities. Cyber defense, unlike a piece of military hardware, is not something developed, fielded, then developed again over a multiyear cycle. It must be constantly developed as new vulnerabilities are identified.
The world is in the early phases of the digital era. The changes to come are likely to increasingly challenge the Army and the nation as the number of internet-connected devices grows from 17 billion today to more than 100 billion in the decade to come. A failure to continuously evolve and adapt effective means of addressing new technologies will leave soldiers and the nation vulnerable to the actions of potential adversaries in ways that exceed the experiences of Ukrainian soldiers today.