
The views and opinions expressed or implied in WBY are those of the authors and should not be construed as carrying the official sanction of the Department of Defense, Air Force, Air Education and Training Command, Air University, or other agencies or departments of the US government or their international equivalents.

Assessing Russian Cyber Effects

Wild Blue Yonder --

In the context of the National Security Strategy’s conception of “great power competition” (Trump 2017), perhaps no nation-state has been as aggressive within the cyberspace domain as the Russian Federation. Furthermore, following two Russian campaigns to seize portions of Ukraine’s and Georgia’s sovereign territory, the question may not be whether, but when, Vladimir Putin will choose to annex another neighbor’s land. The Baltic states, for example, have received much of the same pre-crisis attention from Russia that Ukraine and Georgia did, and their annexation would further Putin’s apparent strategic goal of re-establishing buffer states between Russia and NATO (Galeotti 2019). An escalatory crisis scenario in the Baltics will most likely follow the pattern exhibited in both Georgia and Ukraine. Building on pre-existing divisions within a region, such as between Russian-speaking minorities and the central government, Russia will use both real and imagined incidents to further increase tension. As the tensions escalate and inevitably erupt in violence, Russia will seize the opportunity to maneuver ground forces onto key terrain. These maneuvers will be simultaneously denied, misattributed to local ‘patriots,’ and claimed as mere ‘peacekeeping’ forces meant to protect Russian-speaking minority groups. Then, with their strategic end state all but achieved, Russian leadership will call for peace and diplomacy. This sequence of operations appears to be Vladimir Putin’s playbook for rebuilding the Soviet-era buffer states and ‘sphere of influence’ in eastern Europe (Cunningham 2020).

Given that Russian cyber capabilities have demonstrably created strategic advantage via the information domain, tactical advantage by exploiting the network-centric nature of adversaries, and operational advantage by creating asymmetric opportunities for conventional force maneuvers, US commanders and planners must be prepared to contest the information domain, fight in a degraded information environment, and train both with and against realistic, meaningful cyber effects in order to prevail in future conflicts.

In both Georgia and Ukraine, the United States and NATO did not intervene in any meaningful way to thwart Russia, in part due to the unprecedented level of information warfare. As Russian forces moved to secure South Ossetia, Georgian government websites, media outlets, and public-facing infrastructure were targeted repeatedly with Distributed Denial of Service (DDoS) attacks, rendering them inaccessible for periods ranging from minutes to hours (Deibert, Rohozinski and Crete-Nishihata 2012). In conjunction with a robust strategic messaging campaign, these cyber-attacks enabled Russia to control both the narrative and the flow of information. Expanding on this success, the mobile devices of Ukrainian parliamentary members were specifically targeted with both IP-based and telephony-based denial of service while Russian forces moved to seize telecommunications infrastructure within Crimea (Geers 2015). While technologically simplistic, Russia’s cyber-attacks sowed uncertainty and created decision disadvantage for Georgian and Ukrainian leadership at a pivotal moment. In any future conflict, it is almost certain that Russia will employ the same blend of DDoS attacks, government website defacements, and targeted information leaks in order to delay civilian leadership decisions and influence public opinion (Korns and Kastenberg 2008-2009). During the conflicts with Georgia and Ukraine, Russia was able to leverage the cyber domain to further its strategic objective of preventing the United States and NATO from deploying forces.

Outside of these strategic effects, however, Russian cyber effects did little to support tactical commanders in South Ossetia. It would not be until 2014, with the invasion of Crimea, that Russia would demonstrate the integration of cyber warfare at the tactical level (Sprang 2018). In one case, Russian military intelligence ‘Trojan-ized’ an Android app indigenously developed by a Ukrainian officer to improve the rate of fire for a specific artillery piece, the 122 mm D-30. By inserting malicious code into the legitimate app, the attackers could pass location data from compromised devices to Russian forces to enable targeting of Ukrainian artillery units. According to open-source assessments in 2016, over 80 percent of the Ukrainian D-30 order of battle had been attrited, compared to only 50 percent attrition for other types of Ukrainian artillery (Meyers 2016). While this represents a niche case, it is clear that by integrating cyber capabilities with conventional military forces, Russia has leveraged the cyber domain to create tactical advantages by exploiting the ubiquity of devices and applications in modern militaries.

Tactical effects like these are unquestionably relevant on the modern battlefield, but fundamentally they are just a new mechanism to gain information advantage over the adversary. The cyber-attacks on the Ukrainian power system in 2015, however, represent a new attack vector for non-kinetic effects. In this attack, malware known as ‘Black Energy’ was able to gain a foothold within the networks that supported Ukrainian regional power distribution centers (Ackerman 2017). Using this foothold, the attackers were able to obtain legitimate credentials and pivot to the industrial control systems (ICS) that directly controlled the power distribution grid for large portions of Ukraine (SANS 2016). Subsequently, the attackers were able to manipulate breakers directly in at least 27 sub-stations across three disparate locations, effectively denying power to any customers reliant on those nodes (SANS 2016). Simultaneously, the attackers layered a telephonic denial of service on the customer call center, significantly delaying the mitigation response until the power interruption was observed. In addition, malicious firmware was uploaded to network gateway devices, denying the ability to send remote commands to the affected breakers and necessitating physical maintenance (SANS 2016). Subsequent analysis of the Black Energy malware has led to attribution to Russian threat actors (FBI 2016). The tempo and timing of this three-pronged attack demonstrate a robust ability to plan and execute cyber operations across a large force, against multiple independent targets, to achieve a complex, synchronized end state. Furthermore, although this particular cyber-attack occurred independent of conventional force maneuvers, such an attack against a power grid supporting adversary command and control nodes represents an asymmetric operational advantage for Russia if executed at a pivotal moment in time.

In the last decade alone, Russia has demonstrated a wide range of cyber capability, from technologically unsophisticated DDoS attacks and government website defacements to extremely advanced supply chain compromises such as the 2020 SolarWinds compromise, which gained a foothold across hundreds of US federal government systems (Mehrotra and Sebenius 2021). These capabilities offer a wide range of advantages at every level of warfare, and US forces must base their planning assumptions on these potential effects to be successful. In particular, both commanders and warfighters must regularly train in contested or denied environments to develop tactics and techniques to overcome disruptions. Currently, the majority of training in the Air Force is focused on conducting the core mission of the unit. F-16s train to conduct suppression of enemy air defenses, F-15Cs train to conduct air superiority, and offensive cyber operators train to conduct offensive cyberspace operations. Even in the exercises nominally predicated on the integration of these dissimilar capabilities, such as Red Flag and weapons school integration, cyber effects are often disconnected from the actual operational mission. This stove-piping leads to a poor understanding of the nuance of cyber warfare by non-cyber personnel, and a poor understanding of conventional force employment within the cyber community. Even within the intelligence career field, which typically serves as the bridge between disparate operational communities, the cyber domain is often regarded as too technical to understand without years of specialized training. In reality, the fundamentals of cyber are no more complicated than the fundamentals of electronic warfare that intelligence Airmen are required to master to support flying squadrons.

Intelligence Airmen must understand how networks are structured, how they are defended, and how they are attacked if they are to provide cyber domain threat intelligence to the base commander in a crisis. Moreover, given that the preponderance of cyber-attacks are predicated not on network security flaws but on compromises of the human element, such as spear phishing, cyber literacy for all personnel must move beyond the dated cyber awareness computer-based training.

Captain Patrick ‘HOWLER’ Meissner

Captain Patrick 'HOWLER' Meissner is an Intelligence Weapons Officer assigned to the 19th Weapons SQ, United States Air Force Weapon School, Nellis AFB, Nevada. At the time of writing, Captain Meissner was assigned to the 659th Intelligence, Surveillance, and Reconnaissance Group at Fort George G. Meade, Maryland, which directs focused cyberspace ISR operations and digital network exploitation analysis in support of 16th Air Force, US Cyber Command, and the National Security Agency missions.

Bibliography

Ackerman, Robert K., "Girding the Grid for Cyber Attacks," Signal, 2017, 30-33.

Bryant, William D., "Cyberspace Superiority: A Conceptual Model," Air & Space Power Journal, 2013, 25-44.

Cunningham, Conor, A Russian Federation Information Warfare Primer (Research Report, Seattle: University of Washington, 2020).

Department of Defense, Cyber Defense Strategy (Official Publication, Washington, DC: DOD, 2018), https://media.defense.gov/.

DOD, Joint Publication 3-12, Cyberspace Operations (Joint Doctrine Document, Washington, DC: DOD, 2018).

Duffy, Ryan, "The US Military Combined Cyber and Kinetic Operations to Hunt Down ISIS Last Year, General Says," CyberScoop, 29 May 2018, https://www.cyberscoop.com/.

FBI, GRIZZLY STEPPE - Russian Malicious Cyber Activity, Joint Analysis Report JAR-16-20296A (National Cybersecurity and Communications Integration Center, 2016).

Galeotti, Mark, "The Baltic States as Targets and Levers: The Role of the Region in Russian Strategy," 1 April 2019, https://www.marshallcenter.org/.

Korns, Stephen, and Joshua Kastenberg, "Georgia's Cyber Left Hook," Parameters, Winter 2008-2009, 60-76.

Meyers, Adam, "Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units," CrowdStrike, 22 December 2016, https://www.crowdstrike.com/.

Mueller, Robert S., Report on the Investigation Into Russian Interference in the 2016 Presidential Election (Department of Justice Report, Washington, DC: Department of Justice, 2019).

SANS, Analysis of the Cyber Attack on the Ukrainian Power Grid (ICS Case Study, Washington, DC: Electricity Information Sharing and Analysis Center, 2016).

Sprang, Ryan, "Russia in Ukraine 2013-2016: The Application of New Type Warfare Maximizing the Exploitation of Cyber, IO and Media," Small Wars Journal, 2018.

Tucker, Patrick, "A Big 2020 Election Hack Never Came. Here's Why," Defense One, 4 November 2020, https://www.defenseone.com/.

Weisgerber, Marcus, "As Russia Improves Its Surface-to-Air Missiles, US Looks to Counter," Defense One, 8 April 2015, https://www.defenseone.com/.

Williams, Brett T., "The Joint Force Commander's Guide to Cyberspace Operations," Joint Force Quarterly, 2014, 12-19.
