Russia Shifts Cyber Focus to Battlefield Intelligence in Ukraine

Russia’s cyber activities in Ukraine have shifted away from strategic civilian targets towards pursuing tactical military objectives, according to a report published by the Royal United Services Institute (RUSI).

Multiple Russian cyber units are targeting frontline Ukrainian military computers and mobiles ahead of the Kremlin’s anticipated summer offensive, which will aim to take territory regained by Ukraine in its 2023 counter-offensive.

These “significant and underappreciated” changes highlight how Russia’s intelligence services have adapted their cybersecurity strategy to the demands of a long war in Ukraine, according to the report author Dan Black, Manager of Cyber Espionage Analysis at Google Cloud’s Mandiant.

“Much Western analysis to date has fixated on Russia’s highly visible opening cyber offensive, the merits of its approach, and the potential for a renewed destructive campaign of a similar nature against Ukrainian critical infrastructure,” Black noted.

“This focus is misplaced, however, and has anchored Western understanding of the war’s cyber dimensions to Russia’s countervalue strategy to amass societal pressure via the widespread sabotage of computer networks,” he said.

Russian military intelligence (GRU) and its domestic security service (FSB) have united around this strategy, despite their renowned rivalry and mistrust.

Russia’s Shifting Priorities in Cyberspace

Russia’s initial cyber strategy after invading Ukraine in February 2022 was based around launching destructive attacks against civilian infrastructure in the region, such as power networks.

This approach was built on misplaced assumptions about a short war in the region, but has not been the primary objective since early 2023.

Black acknowledged this represents a relative shift in priorities rather than a complete overhaul of Russia’s wider strategy, with patterns of operational activity continuing to target Ukrainian critical infrastructure that holds no immediate intelligence value.

“What is clear, however, is that Moscow has rebalanced its overarching concept of operations to emphasise targets that can provide more direct and tangible battlefield advantages to its conventional forces,” wrote Black.

Primary Attack Techniques 

The RUSI report found that the refocusing of Russia’s cyber campaign in Ukraine has largely revolved around a few main areas, designed to meet an increasing demand for tactically relevant signals intelligence (SIGINT).

Hacking Devices Used by Ukrainian Soldiers 

Russia has recognized that smartphones used by frontline soldiers provide an invaluable source of location data to establish patterns of movement and locate and target Ukrainian positions. Additionally, the Ukrainian military’s dependence on free encrypted messaging applications (EMAs) creates opportunities to eavesdrop on these communications.

Hacking such devices and apps for these purposes is a significant challenge, particularly due to the cryptographic protocols used by EMAs.

A common approach that has been observed is disguising malware as versions of mobile applications, which generally relies on highly tailored social engineering campaigns, such as directly interacting with targets over Signal and Telegram chats to build rapport.

Another technique has been to siphon messages through the device-linking feature built into common EMAs. Black noted that one Russian military-affiliated unit has dedicated its focus to social engineering Ukrainian soldiers into linking Russian intelligence-controlled instances of EMAs, including Signal, Telegram and WhatsApp, to their accounts.

Additionally, the GRU engages in close-access exploitation of mobile devices and other systems captured by Russian forces on the battlefield to achieve similar access.

Penetrating Ukrainian Command and Control Systems

Digitized battlefield management systems like Delta and Kropyva used by the Ukrainian army have also been targeted by Russia to uncover operational plans.

These operations have focused on social engineering attacks designed to trick soldiers into giving up their credentials.

Locating Ukrainian Military Equipment and Positions 

The RUSI report also highlighted Russian efforts to compromise webcams in population centers to locate Ukrainian air defenses and other critical infrastructure objects.

These operations have been designed to locate and map military positions and equipment for later physical seizure.

Black said Western nations providing assistance to Ukraine should factor in the potential risks of this cyber-enabled surveillance activity.

Responding to Russia’s Changing Tactics

Black said Russia’s shifting cyber campaign in Ukraine highlights that mobile devices have “become a critical center of gravity” to these efforts.

He expects operations that place a premium on the ability to collect signals from soldiers’ devices and the digital networks that connect them to become more common as the war continues.

This reality needs to be recognized by Ukraine’s Western partners in providing support for the region.

“Ukraine’s impressive defensive feats aside, Russia’s adapted force employment demands renewed attention on how to best sustain international support for Ukraine’s cyber defenses,” wrote Black.