
Cyber Security Behind the Front Lines: Lessons from the Ukraine War

With the transition to the digital era, cyber security has found itself on the digital front lines, the borders of which are today stretched along satellite networks, swarms of drones, and even surveillance camera installations.

By: Mirza Bahic, E-mail: mirza.bahic@asadria.com

In today’s modern warfare environment, cyber security has emerged as a key determinant of success or failure. Ukraine’s current conflict with its eastern neighbor has highlighted the importance of innovative security solutions on modern battlefields, especially those in the cyber domain. In fact, the events in this country served as the first mass demonstration of the importance of protecting peacetime resources from cyber attacks, primarily satellites, drones, and surveillance cameras.

As a novelty in the world of cyber warfare already at the beginning of the conflict, there emerged the Starlink satellite Internet system of billionaire Elon Musk, which enabled Ukraine to dispel the informational fog of war amid continuous attacks on its telecommunications infrastructure.

But after Musk curbed Ukraine’s use of Starlink for a planned attack on Crimea, doubts were raised about his stated aim of preventing a “world war”, and reports soon followed of the interference Starlink suffers from Russia’s entire complex of electronic warfare systems.

The captured tablets were used as an entry point for malware infiltration to collect data from the Starlink system

Starlink under attack

The Security Service of Ukraine (SBU) has revealed that Russian intelligence services are using custom malware to infiltrate Android devices, including tablets, to gain unauthorized access to Starlink satellite data.

In addition to tablets, mobile devices have also been targeted by malware known as Malware 4. STL, which exploits these platforms to remotely collect data from Starlink systems. The malware collected this data through API functions, and cyber security experts traced the entry point of the infection to tablets captured on the battlefield.

After the security service identified at least ten different types of software targeting Starlink, the service issued a warning to soldiers to install special anti-hacker software on computers that use Starlink terminals to access the Internet.

Although the SBU claims that these “illegal activities” have now been stopped, it is no secret that after this revelation, concerns remain about the extent of access to compromised data and the possible implications for the future use of Starlink. In fact, as early as 2022, voices of caution were being raised about the potential for hackers to exploit vulnerabilities in Starlink’s infrastructure and gain unauthorized access to sensitive data transmitted via satellite communications.

Security researcher Lennert Wouters identified a weak point in Starlink’s systems that could be exploited with a simple modified chip made up of components that cost less than $25. The weakness enables fault injection attacks that can bypass Starlink’s security measures and infiltrate its systems. Although Starlink issued a public update in response to Wouters’ findings, the researcher emphasized that removing this kind of fundamental vulnerability would require the development of completely new versions of chips for satellite terminals, as well as the introduction of stricter cyber protection measures in satellite communications.

There have also been reports in the media that Russia has tested a space-based electronic warfare system called the 14Ts227 Tobol to jam Starlink communications. Speculation ran far enough that the Tobol, along with Russia’s truck-mounted Tirad-2 satellite jammer, is now considered a crucial factor in the disruption of communications with Starlink during the pivotal Battle of Bakhmut this summer.

Since a more permanent solution is hard to pursue in wartime conditions, Ukraine was promised additional support from NATO countries for IT protection of its military communication capabilities. The Swedish company Satcube 100 is supposed to supply the country with portable satellite Internet terminals that offer greater reliability and resistance to cyber attacks compared to Starlink.

In response to identified weaknesses in the previously invincible system, Starlink also implemented a paid bug-hunting program, offering cash rewards ranging from $100 to $25,000 to security researchers who identify weaknesses in its satellite systems.

Although bug bounty programs have been used before to encourage ethical hackers to find and report vulnerabilities, a potential challenge lies in controlling the activities of these actors who, by the very nature of their calling, operate independently of any surveillance system.

These are fault injection attacks that bypass Starlink’s security measures and infiltrate its systems

Is the satellite a military or civilian target?

Findings by Ukrainian security experts regarding weaknesses in Starlink systems only underscored the strategic importance of satellite internet in modern warfare. But that is not the only problem in the fight to protect satellite systems from cyber attacks. Given that its parent company SpaceX has an almost monopolistic status in the global satellite internet market, there is increasing pressure towards strengthening international cooperation in regulating and monitoring these systems. Despite this, major problems soon arose in terms of defining the status of satellite systems as military or civilian targets in cyber warfare.

The fact is that the involvement of private technology companies in matters of national security entails many challenges when it comes to treating the satellite network as a “valid” target in information warfare. An example is a situation where private entities, such as Starlink, offer civilian technology that virtually overnight becomes vital to military operations in conflict zones.

Initially, Starlink’s technology was classified exclusively as civilian, bypassing export restrictions and International Traffic in Arms Regulations (ITAR) requirements. However, the situation changed dramatically when the Ukrainian military began using civilian technology for military communications.

Thus, according to some, a technology originally intended for civilian use turned into a weapon of information warfare. The logical course of future action would be for Starlink to be classified as a so-called dual-use technology subject to ITAR and military export restrictions.

Otherwise, the absence of military export regulations means that private technology companies can make unilateral decisions regarding the delivery and terms of their services during wartime. This lack of regulatory oversight can also lead to unpredictable outcomes and strategic vulnerabilities, such as situations where a company’s management can thwart the execution of field operations at its own discretion and judgment, as in Musk’s case.

Lack of regulatory oversight can lead to unpredictable outcomes such as situations where company management can thwart the execution of field operations

The battle for surveillance cameras

The need for rapid acquisition and dissemination of information in emergencies is not limited to satellite networks. It is crucial for the performance of the activities of all warring parties that identify cyber warfare as an integral part of their broader military strategy.

In the Ukraine war, both sides are recruiting teams of hackers and special forces for information warfare to penetrate each other’s systems, cooperate with military personnel on the ground, and make better use of available civilian technologies, such as surveillance cameras.

For example, Ukrainian teams regularly engage in hacking CCTV cameras in occupied territories to monitor Russian troop movements. At the same time, they are sending kamikaze drones to disable Russian cameras monitoring Ukrainian activities.

In response, Russian hackers have managed to gain unauthorized access to private security cameras in Ukrainian coffee shops on many occasions, using them to gather intelligence on military convoys passing near these facilities.

CCTV cameras, which local authorities and private companies use to monitor events in their immediate surroundings, were also the focus of their attacks. Hackers have shown ingenuity in their methods, including unauthorized access to public web cameras that have been used to monitor the movements of the Ukrainian military.

The IT Army of Ukraine, a hacking collective linked to the authorities in Kyiv, has undertaken a large-scale operation to detect security-compromised webcams inside the country. Their primary goal is to prevent Russian forces from gaining insight into the movement of Ukrainian troops, especially during planned offensive operations.

For this purpose, a “camera hunt” program was launched, in which security experts and other individuals are rewarded for identifying and reporting IP addresses and vulnerable points of public cameras to the authorities.

According to this hacker collective, hacked public webcams have already caused enough damage to the country’s defense because they monitored activities related to air defense systems and the transport of military equipment. According to local media, Russian forces allegedly used hacked webcams to identify Patriot surface-to-air missiles that were attacked in Kyiv in May.

Hacked webcams have already caused enough damage to the country’s defense, as activities related to air defense systems and equipment transport were monitored through them

Is national strategy more important than technology in cyber warfare?

The ongoing conflict in Ukraine represents not only an escalation of traditional military operations but also a multiple increase in the volume of activities in the field of information warfare.

However, what sets this kind of first large-scale modern cyber conflict apart is a kind of paradox that accompanies it and captures the attention of the security community and its professionals. It has to do with a paradoxical disparity between the intensity of cyber warfare operations undertaken and their outcomes.

More precisely, despite the rise in the frequency of cyberattacks, there has been no significant loss of resources or a complete collapse of the enemy’s information network. This puzzling trend has attracted the attention of experts from the Center for Strategic and International Research, who attribute it to a change in the paradigm of national cyber protection that Ukraine copied from more experienced countries, while drawing valuable lessons from its own experience of fighting Russian cyber attacks in 2014 and 2016.

According to the Center’s 2023 report, a possible explanation for the relative ineffectiveness of Russia’s cyber endeavors lies in Ukraine’s focus on active defense within the domain of cyber warfare. A combination of innovative contributions from the private sector, orchestrated state efforts, and the evolution of Ukrainian cyber doctrine has tipped the balance in favor of the concept of cyber defense.

Ukraine’s defense strategy in the cyber war thus focused on several key elements: proactive measures to protect potential targets, the establishment of intensive cooperation with international security entities, and rapid suppression of threats through monitoring of critical networks. In 2016, even before the invasion, Ukraine adopted a national cyber security strategy that prioritized strengthening data redundancy and resilience with expanded use of encryption.

A significant move was the wider use of third-party hosting services, that is, moving data and services outside the geographical boundaries of the conflict zone. This innovative approach was introduced to complicate and limit an opponent’s planning of cyber attacks. It has shown how even smaller countries can design digital infrastructure and data systems with the help of external service providers, thus minimizing their vulnerability to attacks and increasing their resilience.

However, the less optimistic security experts believe that the relative absence of spectacular cyber attacks in this war is only a consequence of the fact that Russia achieves its cyber warfare goals by using conventional military weapons to destroy communication infrastructure. At the same time, more sophisticated tools for cyberattacks, they warn, can simply be kept in stock for large-scale cyberattacks on the communication systems of countries that support Ukraine, and in the event of an escalation of the conflict.

A significant defensive move was the wider use of third-party hosting services, that is, moving data and services outside the geographical boundaries of the conflict zone

Lessons for the future

The conflict in Ukraine has brought to the fore the critical role of cyber security in modern warfare. New strategic effects of cyber warfare, including innovations such as Starlink’s satellite internet system and national IT defense measures that include external hosting services, underscore the importance of protecting digital assets in the face of cyber threats. This conflict serves as an important reminder of the permanently changed environment of cyber warfare in which not only traditional infrastructure but also drones and webcams are being targeted by hacker activities. Lessons learned should help shape new defense strategies and approaches to international cooperation to protect peacetime critical infrastructure such as satellite systems, commercial drones, and surveillance cameras.

Digital infrastructure dispersion as a strategy

It is interesting to note that after the outbreak of the conflict, several international companies came together to strengthen Ukraine’s cyber resilience. For example, according to Microsoft, the synthesis of cyber threat intelligence and focus on endpoint protection has significantly strengthened Ukraine’s defenses against Russian hacking attacks. Further, Ukraine’s ability to “scatter” its digital infrastructure into the cloud has proven to be an important strategy in resisting coordinated attacks on its data centers. In this approach, Amazon Web Services (AWS) played an important role, ensuring the continuity of availability of services for the needs of the government of Ukraine. At the same time, both Cloudflare and Google have expanded their cyber protection services to key Ukrainian organizations. Accordingly, the defense of Ukraine’s national cyber domain has been transformed into a joint transnational enterprise involving contributions from both private and state entities.

Ukraine’s ability to disperse its digital infrastructure into the cloud has proven to be an important cyber defense strategy

Drones as a double-edged sword in cyber-warfare

Drones have revolutionized modern cyber warfare by enabling warring parties to gather extensive data from various sources, including the Internet, radio frequency transmissions, and GPS tracking information. However, in addition to monitoring the activities of opponents and participating in actions on the ground, drones have found themselves in the arena of cyber war due to their ability to disrupt communication networks and channels and thus reduce the flow of key information needed to launch hacker attacks on military and key infrastructure.

However, the application of drones to cyber warfare operations has not been without potential challenges. As the war in Ukraine has shown, drones themselves are vulnerable to being hacked or taken over by an adversary. In that case, a hacked drone offers access to the sensitive information needed to launch an attack on an adversary’s digital infrastructure. When capturing or hacking drones, speed is of essential importance because the task of military cyber teams is to extract as much data as possible from these devices and, at the same time, to hide for as long as possible the fact that the drone has fallen into enemy hands and is no longer in the service of the original users.

That’s why both Russian and Ukrainian intelligence services have moved some of their elite cyber teams closer to the front lines for easier coordination with the military and faster direct access to captured enemy devices before they are discovered to be compromised.

When hacking drones, speed is of the essence because the task of military cyber teams is to extract as much data as possible from these devices and to hide the fact that the drone has fallen into enemy hands for as long as possible
