UKRAINIAN HACKERS AND UNINTENDED CONSEQUENCES
by Jeemes Akers
“Consider what happened in the past under what some people call the “Law of Unintended Consequences.” This rule is a variant of Murphey’s Law, the familiar notion that if anything can go wrong, it will. Unintended consequences seem to occur with the gravest results in war. Large-scale military engagements can shake up political, economic and social conditions profoundly. Big wars often produce extraordinary changes over the years—changes not foreseen by those who planned the initial actions.”
Robert Brent Toplin
“No technology that’s connected to the internet is unhackable.”
The Gospel of Technology
Russia’s almost completely unprovoked invasion of the Ukraine has—and will—open a Pandora’s box of unintended consequences. This is particularly true in the gray world of hackers and cyber-related activities. These activities are, in turn, the most recent front in an ongoing “War in the Shadows.”
Today (Wednesday, 27 April 2022), I read an interesting article in WIRED magazine about how Russia is being targeted—by “IT Army” DDoS and designer malware—at levels unprecedented in history. Of course, it is hard to feel sorry for Russia (a country which has traditionally harbored and encouraged hacktivists and cyber extortionists) or Putin (a cold-hearted thug who has looked the other way regarding such activities). In the West—because our sympathies lie with the underdog Ukrainians—we are now applauding such activities. After all, so the logic goes, the Russians are only getting what they deserve, aren’t they? Leaving that point aside for the time being, I’m more interested (in this missive) to explore some of the possible unintended consequences of what is now occurring in the cyber realm on a second-by-second basis.
The scale of today’s cyberattacks targeting Russia is mind-numbing. In an attempt to disrupt everyday life in Russia, Russian on-line payment services, government departments, aviation companies, and food delivery services have been targeted. Most of these attacks—launched by a legion of hacktivists, Ukrainian cyber groups and outside groups—consist mostly of DDoS attacks, but lately “researchers have spotted ransomware that’s designed to target Russia and have been hunting for ‘bugs’ in Russian systems, which could lead to more sophisticated attacks.” Ukraine, for example, has created a “bug bounty program” for people to find and report security flaws in Russian systems—so far over 3,000 reports have been filed—or, as one Ukrainian official noted: “There are so many bugs, so many open windows.”
Another interesting development, in my view, is the involvement of the shadowy hacker activist group Anonymous, which (through its popular Twitter account) declared a “cyber war’ on Russia over three weeks ago. Anonymous claims over 7.9 million followers—with over 500,000 gained since the start of Russia’s invasion—and is taking responsibility for disabling prominent Russian government, news and corporate websites as well as releasing large tranches of data from entities such as Roskomnadzor (the Russian agency responsible for censoring Russian media).
What is the objective of most of these activities? According to senior Ukrainian cybersecurity officials, the goal of this tsunami of cyber-intrusions is nothing less than “to stop the war.”
On Moscow’s side, in addition to cyber operations providing tactical support to Russian military units (see below), GRU and intelligence-linked hacker groups like Sandworm and Fancy Bear continue targeting Ukraine’s Viasat military satellite network (with “wiper” malware), communications-sector companies, and major internet providers.
But the big question being asked by cybersecurity insiders is why hasn’t Russia hit back harder at the Ukraine and those countries in NATO supporting it? An announcement by US cyber authorities this week indicates they are certainly bracing for an anticipated wave of future attacks, warning organizations to be ready for exploits by “malicious cyber actors.” In addition, U.S. intelligence agencies, President Biden and large companies like Google are warning about the growing and unprecedented threat of cyberattacks from Russia (along with China, Iran and North Korea) targeting “our innovation, our trade secrets, and our intellectual property.” All of this is what we’ve come to expect as a certain level of hybrid warfare.
But U.S. officials remain puzzled as to why Putin hasn’t yet used the reputed weapons in Russia’s cyberarsenal: they expected by now—over sixty days into Putin’s “special operation”—that Russian hackers would bring down Ukraine’s power grid, fry the cellphone system, and cut off Volodymyr Zelensky from the world.
Four possible explanations occur to me:
First, there is a growing notion that Russia is limited in its ability to respond in kind. As the head of Ukraine’s cybersecurity agency notes: “The enemy now mostly spends time on protecting themselves, because it turns out their own systems are vulnerable.” Moreover, as a study released this week by Microsoft shows, Russia’s “A-team” hackers focused on coordinating activities with incoming missile strikes or ground attacks, on a daily 24/7 basis since the conflict began (amounting to at least 237 operations against Ukrainian businesses and government agencies). One problem for Moscow is that even hackers fall under a centralized umbrella: according to Ukrainian cyber officials, Russia’s digital approach is “monopolized, and it leads to the scale of corruption and graft that is becoming increasingly apparent as the war continues.”
Secondly, even Ukrainian officials have been surprised by how ineffective Russia’s digital war has been. Ukrainian cyber-defense measures, for example, have been remarkably effective against Russian hacker groups such as Armageddon. Following a series of sophisticated cyberattacks on the Ukrainian power grid in 2015, U.S. cyber officials sent the first teams of American soldiers to help bolster Kyiv’s cyber defenses. In short, the Ukraine has had eight years to prepare for a cyber onslaught. (Boosting Ukraine’s cyber defense capabilities is only one prong of a massive and unprecedented real-time intelligence-sharing operation with Kyiv.) Aided by Western experts, for example, high-grade malware from a different Russian hacking group—dubbed Sandworm—was discovered inside computers at a power station serving millions. Speaking of Sandworm, U.S. officials have stepped up their hunt for the six Russian intelligences officers who reportedly comprise the group by offering a $10 million bounty for information that identifies or locates its members. In addition, Ukrainian officials claimed last month that they had “neutralized” a cyberattack on the IT infrastructure of Ukrtelecom, the country’s largest internet provider.
Third, Russia may be holding this digital “trump card” back for maximin effect at a later point (Putin may be pulling his punches, for the time being, to avoid further antagonizing NATO).
Fourth, behind the scenes, the elites may have already reached a deal on what cyber red lines constitute acceptable loss.
All of this leads me to briefly discuss cyber-related unintended consequences. I have been thinking about this topic for several years. In late October 2019, for example, I told a group of young conservative political activists from various countries in Latin and South America, that I fully expected a major global war to occur during the next 15 years. I further predicted that the kinetic stage of the war would be preceded by a massive cyberattack and that, for all intents and purposes, the course of the war would be decided in the first 15 seconds.
Quite honestly, I am still surprised that did not happen in Ukraine.
In this vein, during my history courses at the College of the Ozarks, I suggested that one of the true turning points of the post-Cold War era was the first use of a government-sponsored cyberweapon called Stuxnet in 2010. The weapon was amazingly effective, both as a computer worm and rootkit to hide malicious files, it targeted foreign-made supervisory control and data acquisition systems (SCADA) essential to centrifuges at Iranian nuclear facilities (reportedly destroying one-fifth of Iran’s centrifuges and setting back Tehran’s Iranian nuclear weapons program for years). Although neither country has publicly acknowledged their role in the weapon, it is generally recognized that it was the result of Operation Olympic Games—a joint U.S.-Israeli collaborative effort beginning as early as 2005.
How did it work? In my last missive I mentioned the power of screens. At Natanz nuclear enrichment facility, for example, the Iranian engineers saw screens that gave normal readouts even as the critical centrifuges were spinning to self-destruction.
They trusted their screens too much.
And the unintended consequences? Stuxnet succeeded in setting back Tehran’s nuclear program, but in its wake launched a string of global government investigations, international recriminations, Iranian revenge attacks and copy-cat malware programs like Duqu, Flame and others. In the years since, increasingly sophisticated cyberattacks and ransomware attacks have become an accepted reality of modern-day life.
Since Stuxnet, we live in a different world.
The mutual Ukrainian and Russian cyberwar exchanges are merely the latest wrinkles of this new world.
Take for example Ukraine’s deployment of the controversial face recognition program ClearviewAI to identify killed and captured Russian soldiers, then using this information to contact their families. Ukrainian officials defend using the program on two grounds: by notifying families it serves a vital anti-war message, and it serves the humanitarian purpose of letting families know about the fate of their sons when Russian authorities may be reluctant to do so. At the same time, critics point out potential legal issues with the approach as well as noting that the face recognition program has been liberally used by police forces across North America.
What can go wrong huh? Think how such face recognition programs—now being fine-tuned in the war—can be used by authoritarian-minded rulers and politicians to provide the monitoring muscle behind future social credit programs.
And that is just for starters.
Another unintended consequence may take years to play out: only then, insiders say, will we discover the true extent of cyber-related espionage activities flowing out of the Russo-Ukrainian digital conflict.
 Robert Toplin, “War and ‘The Law of Unintended Consequences,’” Origins: Current Events in Historical Perspective (Ohio State University), Oct. 2001. This is a very interesting article on the topic: Toplin is a professor of history at the University of North Carolina, Wilmington.
 Matt Burgess, “Russia Is Being Hacked at an Unprecedented Scale,” WIRED, Apr 27, 2022. For example, some 316,000 digital volunteers have signed up for the “IT Army of Ukraine” Telegram account (see Pitrelli below).
 Monica Buchanan Pitrelli, “Anonymous declared a ‘cyber war’ against Russia. Here are the results.” CNBC, Mar 16, 2022.
 Burgess, “Russia is being hacked.”
 Zack Whittaker, “US offers bounty for Sandworm, the Russian hackers blamed for destructive cyberattacks,” techcrunch.com, Apr 27, 2022. Sandworm is best known for the “NotPetya” ransomware attack in 2017 which disrupted Ukraine’s power grid.
 Monique Beals, “Federal agencies issue warning on exploited cyber vulnerabilities,” The Hill, Apr 27, 2022.
 Jalen Small, “U.S. intel, Google warn of cyberattacks from China, Russia, North Korea,” Newsweek, Apr 28, 2022.
 Kate Conger and David E. Sanger, “Russia Uses Cyberattacks in Ukraine to Support Military Strikes, Report Finds,” The New York Times, Apr 27, 2022.
 Burgess, “Russia is being hacked.”
 Conger and Sanger, “Russia Uses Cyberattacks.”
 Justin Ling, “Ukraine’s Digital Battle With Russia Isn’t Going As Expected,” WIRED, Apr 29, 2022.
 Mehul Srivastava and Anna Gross, “Preparing for Armageddon: Ukraine’s tactic against Russian hackers,” Financial Times, Apr 14, 2022.
 Ken Dilanian, et.al., “U.S. intel helped Ukraine protect air defenses, shoot down Russian plane carrying hundreds of troops,” NBC News, Apr 2022.
 Srivastava, “Preparing for Armageddon.”
 Whittaker, “US offers bounty.”
 Since the attack in 2010, Stuxnet has been extensively studied by numerous government cybersecurity experts and investigative journalists. See, among others, Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, New York: Crown Publishing, 2014; Steve Kroft, “Stuxnet: Computer Worm opens new wave of warfare,” 60 Minutes (CBS), Mar 4, 2012; and Ralph Langer, “Ralph Langer: Cracking Stuxnet, a 21st century cyber weapon, TED, Mar 2011.
 “Confirmed: US and Israel created Stuxnet, lost control of it,” Ars Technica, Jun 2021; Ellen Nakashima, “Stuxnet was work of U.S. and Israeli experts, officials say,” The Washington Post, Jun 2, 2012.
 Ling, “Ukraine’s Digital Battle.”
 Burgess, “Russia is Being Hacked.”