A
Hello everyone, this is Tom Uren. I'm here with another edition of Between Two Nerds. G'day Grugq, how are you?
B
G'day Tom. Fine, and yourself?
A
I'm very well. This week's edition is brought to you by Okta, the identity platform. Find them at okta.com. So this week, Grugq, I thought we'd, or we thought we'd revisit the Ukraine war and examine how different organizations or different countries, I suppose have been learning by doing when it comes to cyber espionage and also cyber effects operations that deny, disrupt, degrade, discombobulate. Yes, exactly. We've spoken about this a couple of times, many times. And the very brief description from my point of view is that when it came to the Russian invasion of Ukraine, there was a period at the beginning where they had a couple of destructive operations that were really well coordinated with conventional on the ground military operation. They weren't enough to change the outcome, so they've ended up in this long grinding war. There was another phase where there seemed to be willy nilly destructive operations on all sorts of different things that weren't well coordinated with conventional operations and those kind of seem pointless. And now it's moved into a phase where the main focus seems to be espionage. Things like battle damage assessment, using it for targeting. And I think, I actually think you've got five or six phases in your research, is that right?
B
There are multiple phases, but one of them is a single week long.
A
Right.
B
So you have like the opening phase where there's like they had everything planned out for a three day war and then the war didn't end, they didn't have anything to do. So they spent a week going like, you know, what are you looking at me for? I did everything I was supposed to do. Then they spent nine months going, look, I'm busy, I'm doing stuff, I'm not going to be sent to the front line. I'm a valuable contributing member of the military over here from the rear. And then they started figuring out ways to actually provide value. And I think what's been interesting is that it looks like operationally, very early on they knew where they provided value, but their leaders I think didn't see that. They just saw you guys aren't doing anything. All you get is this intelligence stuff that's very, very useful for us, but why aren't you doing anything? And so they would just sort of like they would do these disruption and destruction attacks and all this stuff. And in a way that sort of culminated with Kyivstar where they did this sort of big, massive, huge, spectacular wiping
A
of the major mobile network.
B
Yeah. 50% of Ukraine's mobile users were taken offline for probably an afternoon, as long as it took them to get a SIM card for another operator.
A
Right, right. Yeah. I think the outage for the network was in the weeks.
B
Yeah. It was about. It was like it was seven days until they were back online. But everyone I spoke to said, like, it was super annoying because they had to like, go to a store and buy another SIM card.
A
Yep.
B
Which was like a hassle. It that. That wasn't coordinated with anything either. So it was just a, you know, on a Tuesday, we're doing this. Yeah.
A
So you could imagine that maybe if it had occurred right on day one, that maybe makes sense in terms of coordination. But the reason we think it's a bit weird is because, like you say, out of nowhere, there wasn't any conventional military gain to be had. So last week or so there's this report in the record. Ukraine says cyber attacks on energy grid now used to guide missile strikes. So back earlier in the war, you would have some sort of destructive operation that would be launched at the same time as a missile. And it's like, what's the point in that? Like the missile.
B
So in October of 22. Yeah, in October of 22, there were two attacks against the grid that cumulatively took the grid out for several hours in, like, they took out a substation which had like a small region and they knocked it offline for two hours or so twice. Whereas, like a Shahed that has like a close miss would take out the same substation for like three months.
A
Right, yeah. You know, so I mean, it seems like even if you're successful and you're like, the effects are very limited anyway, so this article goes on. Russian cyber forces are increasingly focused on collecting intelligence to guide missile strikes rather than immediately disrupting operations. This information is from Ukrainian cyber security officials. Cyber attacks on critical infrastructure never happen on their own. They are always part of a broader operation. So that's from Oleksandr Potii, head of Ukraine's State Service of Special Communications and Information Protection (SSSCIP). He said attackers now appear more focused on mapping facilities, tracking repair crews and assessing how quickly energy systems can recover after strikes, rather than causing immediate power outages. So you've spoken previously about Russians getting into emergency services so they can do battle damage assessment because all the reports flow up through emergency services. This is very consistent with that.
B
Yeah.
A
So this to me, like, entirely makes sense, seems like a reasonable use of that sort of capability.
B
Right. And that is a surprising thing
A
because it's what, four years after the start of the war.
B
Yeah. And they're finally doing something smart. But so, so, like, here's the way I see it is I strongly suspect that at the, the operator level, at the sort of the ground level, these guys knew that spending months to take down the grid for a few hours was not the best use of their time. It was probably technically challenging and exciting. And they like the work. Right. Like, it would have been an exciting challenge to, to, to struggle with all of that. But they're not going to think like, you know, this is the decisive war ending move. You know, this is the, the killer blow. They're going to know like this is not super effective, when in order for us to do this, we've had to learn so much about the operations that we could tell you exactly which, which things to blow up to cause the most damage. And.
A
Yep.
B
What I think is interesting is now not just their commanders recognize this, but the commanders of other services seem to recognize that. And I say that because in order for this sort of coordination to work and continue to work, there needs to be some sort of, like, you're doing something for me and like, I will do something for you. So, like, this is very helpful for my missile service. So I'm going to promote how much help you've been to the boss.
A
Yeah. It implies some sort of integration between the conventional forces. Like there's a little sentence here, different official speaking. Cyber intrusions, she said, can occur both before and after missile attacks, first to help calibrate strikes and later to assess their effectiveness. So that's Natalia Tkachuk, head of information and cybersecurity at Ukraine's National Security and Defence Council. So again, that totally makes sense. Now what? A couple of months ago we spoke about the opposite attacks on Poland's electricity grid. And I think this is really like an interesting foil because Ukrainian officials are saying Russian cyber espionage groups really know what they're doing. Like they have a purpose. Like, this totally makes sense.
B
Right. It's planned out, it's integrated, it's part of a combined, combined arms operation. There's like a before, during and after. This is part of a long term strategy that they expect to be able to execute on for years if they have to.
A
Yeah. Whereas it's making the most of their missile forces.
B
Right. And the most of their cyber forces. Right. They're saying like, here's the things that you do best, you should do those best with each other. And that's, I think, a side of maturity which is very interesting. However. Yeah.
A
So the Polish attacks were right before the end of the Russian financial year. Presumably some sort of reporting. Just to recap very briefly, they were rushed, they didn't seem to have any point. So our hypothesis was that they were entirely driven by internal reporting dynamics. And I think it's interesting that they occurred outside the target country now because it's. We can cause this disruption and it doesn't upset our access for something we really care about.
B
Right. And it seems to be sort of like a. We can afford to like mess around and screw up because this isn't actually an important theater. It's not relevant to the war. It falls within the remit of like hybrid warfare in the gray zone. Outside of like all of this stuff, it's an area where like newsworthy. Right.
A
It's not militarily significant.
B
Exactly, exactly. Like, it's. It's enough to cause headlines, but not to cause invasions, I guess.
A
Yeah. So now I must admit that this hypothesis is attractive to me based on my internal biases. So I've got no idea.
B
It's a very strong vibe check that has confirmed that this feels right. So it's probably absolutely true.
A
Yeah. So I think it's like it shows the Russian is it doctrine cohesion coordination has improved. The example where the attack doesn't make sense, like, I think it actually makes that less. Less nonsensical in a way because it's in a theater that doesn't matter. If you look back at Kyivstar, like, that's still inexplicable, but if you put it in an arc of is it operational improvement over time?
B
Yeah.
A
They were doing silly stuff back then and they seem to have moved beyond it now.
B
What's sort of interesting is like in 2022 they tried the grid attack and it worked. And in working it proved just how useless it was. Right. Like if it hadn't worked, they'd be like, oh, damn it. You know, we were this close to causing widespread disruption, but because they succeeded and it was such a non event that no one knew about it until it was announced months later. Right. I think that that demonstrates just how ineffective it is overall. Like, I think that these were cases that allowed people to sort of viscerally see and recognize the limitations of what they were trying to do.
A
Right. It's like Burn After Reading, that film where at the end they're like, I don't know what that was, but let's never do that again. So I was going to say that you can at least imagine that maybe if they were more competent, they could have had longer lasting or wider effects. But I guess the point of the examples we have is that's what they did achieve under the operational pressures they had at the time. So I guess shifting to a different strategy is a reflection of the reality on the ground rather than some hypothetical, yes, if we were even better, we could have taken the grid down and it would be the Ukrainian equivalent of cyber Pearl Harbor or whatever.
B
You're lucky I was this close to killing you, but, you know, I tripped over my own feet, so, I mean, next time, man. But one of the things that I find interesting here is that the integration of these two service arms, like this intelligence collection and the missile arm, to get sort of the maximum value out of both of them is a sign of sort of operational maturity. Not, not just at the technical level, but sort of higher up. Like you have people at the planning and staff level who are going, wait a minute, you know, I've got a bright idea. Why don't we use these two things together to make them more effective?
A
Right?
B
And someone else is going, yes, that is a good use of our resources as opposed to going like, but I thought cyber was supposed to take things out. And so the fact that there seems to be some sort of understanding of how to use these assets, how to use these technologies and capabilities within services that are not cyber. I think that's the insight here that's very interesting. I don't know if any other military in the world has that. If there's anyone else where you could go to the artillery corps and say, how do you integrate cyber with your ops? And they go, oh, what we do is. And then they sort of lay it out. Whereas it appears that they have an answer here. And that's like far more advanced than anyone else in the world. Not to praise the Russians for anything. It took them four years to figure out the most obvious thing ever.
A
Yeah, I once gave a talk at Australia's, what was it, Combined Arms Training School. They had me down there just to talk about how other states were using cyber. And these were all tank guys and artillery guys. And the reason that the commanding officer put it on was exactly that. Like, people are talking about this cyber stuff, but how are we actually going to use it?
B
Right?
A
And they had a hacker type military person who talked about hacking phones or something like that. I can't remember the exact details.
B
They were like, classified is what you mean to say you couldn't. No, no. They were classified. I couldn't tell you if I wanted to. They were really important and I remember all of it.
A
But back then, and this was quite a few years ago, it was totally unclear to me how it would actually.
B
Right.
A
How this would actually work. Right. Whereas this makes sense.
B
Yes.
A
Now, I guess, to pivot a bit, to sort of. I guess I'd call it the strategic level. There's this really interesting piece in the Spectator, or maybe I should say there's a really interesting paragraph in the Spectator, and the whole piece is dealing with the relationship between the US and the UK, particularly the Trump-Keir Starmer relationship. And I'll just read out this paragraph. Intercepted phone calls and messages from senior Russians ridiculing Trump have been shared by the British with the Americans. We have continually shown them intelligence that shows the Russians are lying. A senior security source revealed the Russians are privately mocking Trump over his naivety about Putin's intentions. Putin doesn't want to end the war. So I thought this was a delightful little paragraph. And it struck me as this is potentially the sort of intelligence that could change the outcome of the war.
B
Right, right. It's sort of. It's not the traditional use of intelligence. Right.
A
Yeah, yeah, yeah. So it made me think of. Right at the beginning of the war, in the Biden administration, they released several pieces of. I don't know if I'd call it intelligence, but intelligence products to try and head off the war by revealing Russia's intentions. And that seems like the same sort of thing. Right. If. If that lands. Right. It potentially heads off the war. That would be huge.
B
Yeah. You know what this reminds me of, actually, is the. The Zimmermann Telegram, which was back in 1917, where the Germans messaged Mexico to say, if we do something, will you invade the US to keep them out of the war? And the British were like, this is perfect. Excuse me, Mr. America, we have something for you. And the Americans were like, oh, my God, we better invade Germany.
A
Yeah, I'd heard the. I'd heard of it, but I didn't know the story.
B
It's particularly amusing because, as I recall, it was that the American people did not want the war, but the American ambassador to England did. And so the British sort of called him in early and said, look, we've got this thing. Is this going to. Would this help get America involved? And he's like, yeah, yeah, this is great. This is. What you do is, like, you call me and my deputy in and you reveal this to Us and we are shocked and gasp and we have to go public. And so, like, the next day they show up and there's all like, oh, my God, what is this? A telegram to the Mexicans from Germany. Oh. Saying that they want Mexico to invade. This is a complete shock. We will have to.
A
So there's also, ironically, in Trump's first term, I wrote about senior leaders using phones because there was a story that President Trump liked using his phone and that it had been intercepted by various services. And I spoke about the protections that other presidents had used. And the story back then was that the Chinese, for example, George Washington, didn't
B
use Twitter at all.
A
So the story was the Chinese were using that intelligence to shape their arguments that they would present to people who are close to Trump. So it was espionage, informed lobbying. And this is kind of the. What is it? Is it the exact opposite? It's using intelligence to shape opinions by revealing truth.
B
I don't know. It's information warfare. And that. The broadest rubric of, like, the broadest possible interpretation of information warfare, I would even call it cyber to a degree.
A
Yeah.
B
Right. Like, if you look at the British proportional cyber paper, where they talk about using cyber effects to do, like, cognitive effects against small groups, this is textbook, you know, proportional cyber cognitive effect against a very small group to attack trust, for example,
A
you know, the intelligence releases before the war, thinking back, they didn't make any difference because Putin. Putin didn't care. Like, he had his heart was set on it. These intelligence, I guess they're not even disclosures. Right. They're intelligence sharing is. It's targeted directly at Trump's personality, what he cares about, and, like, perhaps that is more impactful. I don't know so far. Obviously not.
B
Yeah. So two. Two similar uses of intelligence, both equally impactful. Yeah.
A
And so I guess to contrast it with more tactical or more operational use we spoke of earlier, that one, it's targeting and assessing damage of missile strikes, which has been a theme for different types of missile strikes, not just on the electricity grid. And that seems to be. Yeah, that's good.
B
But.
A
But it's not going to change the.
B
It's not a decisive. It's not going to have a strategic impact. It will have operational impact, and you
A
can be sure that you will gain some benefit with very high confidence.
B
It's very much measurable. You could say, before we were doing this, our missile strikes were 50% effective, and now they are 67% effective. We have.
A
But these strategic examples, it's like, oh, yeah, we may Get a jackpot. But maybe not.
B
Right. And I, you know, the example of that would be, I think a similar sort of operation where you remember a few years ago where the Germans were considering whether to hand over, I believe it was the, the Taurus missile.
A
Yep.
B
Right. And one of their generals was in Singapore at a conference.
A
Yeah.
B
And used the hotel Wi-Fi to connect to like a Zoom call. And the Russians captured and released that in a similar move to sort of use intelligence leaking or sharing to preempt the political moves of someone else. I guess by one measure it has been successful in that the Germans haven't shared the Taurus missile. But by another measure were they ever going to. Right.
A
Like is there a causal relationship? You know, we spoke about that leak in BTN 72.
B
Yeah. Deep cut for long time listeners way
A
back in March of 2024. So we've spoken a lot about the Russians. You sent me an example of how they.
B
Right. Another, another example from the Ukraine war is I sent something to you yesterday, I think from InformNapalm and they're talking about a hacktivist group called Phoenix. And Phoenix Group was announcing that they had spent the last six months with access to the Shahed drone operators' computers and they were able to monitor as they were planning and as they were monitoring missions and guiding their things. And they've got little screenshots where you can see like the chat messages of like tell comrade Commander that you know, we're on track and all this stuff. And I think the Ukrainians are not in the same situation as the Russians where they like, the Russians have so much capability in cyber that they can afford to say like, do some destruction attacks now. Okay, do some espionage game. Give me 10 disruptions by the end of the month. They could do that and they just have so many people that they can do it again next month. Whereas I think Ukraine with its significantly smaller resources has to be much more careful about how they use their access. And if you have access to the drone operators of the Shaheds, the people who are receiving that intelligence are not going to go, okay, this is useful, but could you wipe their computers and take them out for one day? I suspect that that wouldn't happen. And so they can sort of immediately see the espionage value that comes from this access.
A
So what were they using it for? Like was it early warning and to try and shoot them down and stuff?
B
Try and shoot them down. And also they tried to locate any headquarters units that were involved that they could then target. They claim that they hit a whole Bunch of them. But seems unlikely that they had. That the Shaheds were being controlled from inside Ukraine. Like, that just doesn't really make sense to me, but.
A
Right. I mean, they are doing strikes in Russia, though.
B
Right, Right. But those have been strategic, though. Like, they've been. They've been looking at going after, like, the manufacturer of, like, propellers for UAVs or refinement.
A
Yeah. And so why has that piece of news come out? Like, usually those.
B
Right.
A
They talk about that once the operation's done and dusted.
B
Yeah. So here's my thinking. Right. So they say that they had this access for six months, and then on, like, February 23rd, they come out with this article saying it's no longer of operational value to us. The espionage value has been used up. And so we're now announcing it, which to me means that they lost access and they can't get back in.
A
And so, I mean, the Starlink was cut. I don't know that they were using Starlink on Shaheds, though. I think it was.
B
They were at one point.
A
Right.
B
But they. I don't. I don't think that that was the primary use case. And that wouldn't have impacted this either, I suspect.
A
I mean, I was just thinking that if the. For the Russians Starlink, they can't use it anymore. So maybe that meant that the types of missile attacks or drone attacks were not like the early warning was yet less useful because.
B
Right. It wasn't being controlled by the same.
A
Yeah.
B
Mechanism. Right, that. That would make sense. Yeah.
A
I mean, I don't know.
B
No, I mean, that's entirely plausible. I read it as we've lost access. We can't get back in. Let's milk the last possible drop of value from this by just announcing it in the hopes of getting some media attention. What we've covered is the use of cyber at all three levels of warfare, at the tactical level, the operational level, and the strategic level. That was by the Ukrainians at the tactical, the Russians at the operational, and the British at the strategic. And what's sort of interesting to me is that none of those ways of using cyber were the sort of ways that were predicted as how you would use cyber during war. All of these have been sort of developed from practice, I guess. None of them are purely theoretical. This is what we imagined we would be doing, and now we're doing it. It's all like, we've tried all the other stuff and given all of the options, this is what's most effective. So you know that I think that shows that cyber is maturing, right? Like, it's. It's arrived. It's been kicked off the couch and told that it has to get a real job, but it can no longer sit there being like, one day I'm going to be a fighter pilot.
A
Thanks a lot, Grugq.
B
Thanks a lot, Tom.
Podcast Summary: Risky Bulletin — Between Two Nerds: The Evolution of Cyber Ops in Ukraine (March 2, 2026)
In this episode, hosts Tom Uren and The Grugq revisit the shifting landscape of cyber operations within the Ukraine war, analyzing how both Russia and Ukraine have adapted their cyber tactics over the years. The discussion focuses on how early destructive operations gave way to more sophisticated espionage and operational integration, and how both sides are learning by doing. The conversation also extends to recent intelligence-sharing developments and the maturing role of cyber in combined arms and strategic influence, providing nuanced insights into what has and hasn't worked.
The episode provides a nuanced look at the evolution of cyber operations in the context of a prolonged, resource-intensive war. The Russian approach has evolved from futile disruption to valuable operational integration, while Ukraine has focused on using limited access for maximum effect. Both sides illustrate that war-time cyber tactics are shaped by necessity and trial rather than theory, with the maturing role of cyber now more complementary than ever to real-world military and political strategy.