On December 23, 2015, a temporary malfunction of the power supply in three provinces in Ukraine resulted in power outages that lasted up to six hours and affected 225,000 customers. Following the event, an investigation identified evidence that cyber-attacks had compromised several regional Ukrainian power control systems. This was the first publicly documented successful cyberattack on an electric utility's control system. Both asset owners and government officials around the world are now asking, "What happened, and could a similar cyber attack happen in our control systems?" (Whitehead, Owens, Gammel, & Smith, 2017). The cyber-attack was reportedly synchronised and coordinated, probably following extensive reconnaissance of the victim networks (US-CERT, 2016). According to the report, the cyber-attacks on the affected companies occurred within 30 minutes of each other and impacted multiple central and regional facilities.
On December 17, 2016, a second power outage occurred in Ukraine and deprived part of its capital, Kyiv, of power for over an hour. Although the official investigation is still ongoing, an assessment was made that a more advanced malware, Industroyer, was used in the second cyber-attack against the power grid in Ukraine (Cherepanov, 2017). This paper discusses the history of cyberattacks against Ukraine and provides an analysis of the Ukrainian conflicts, the malware used, and what constitutes cyberwar from a legal perspective.
The Ukrainian Conflicts
At the end of 2013, the Ukrainian President abandoned an Association Agreement with the European Union that would have strengthened ties between the entities significantly, triggering mass public demonstrations. A few months later, disgraced President Yanukovych fled to Russia, and Russia invaded the Crimean Peninsula. Throughout the Euromaidan protests and the resulting conflict, institutions and media outlets in both Ukraine and Russia fell victim to DDoS attacks, website defacement, and Remote Administration Tools (RAT) delivered by spear-phishing emails. These cyberattacks were used to disrupt, spy on or damage the enemy. By employing non-state actors as proxy forces to conduct these attacks, the warring parties also ensured plausible deniability for their actions in cyberspace (Baezner, 2018).
The cyberattacks in the conflict between Ukraine and Russia can be categorised into three types: DDoS attacks, website defacement and malware infection by spear phishing. The first two tools are more accurately described as cyber-disruption, while the latter is oriented more strongly toward cyber espionage for intelligence collection and battlefield preparation for further kinetic offensives or cyberattacks (Torruella, 2014).
Ukraine gained its independence at the fall of the Soviet Union, but Russia still tried to maintain absolute control or influence over the former Soviet Republics. Relations between Russia and Ukraine have been marked by disputes, including the Orange Revolution during the Ukrainian elections in 2004 and disputes over natural gas supplies. Ukraine first initiated its rapprochement with the EU with an association agreement, but later turned back towards Russia instead. This decision precipitated the Euromaidan protests and provoked the departure of Ukrainian President Yanukovych. In parallel with the protests, DDoS attacks and website defacement occurred on Ukrainian websites. A few months later, when Russia invaded Crimea, there was another increase in cyber-activities in Ukraine and Russia, but these then dropped again to a more or less constant low level. However, there were two spikes in the form of two attacks against the Ukrainian power grid, as discussed earlier.
The Hybrid War
Hybrid warfare has been defined by Newson (2014) as "a combination of conventional, irregular, and asymmetric means, including the persistent manipulation of political and ideological conflict, and can include the combination of special operations and conventional military forces; intelligence agents; political provocateurs; media representatives; economic intimidation; cyber-attacks; and proxies and surrogates, para-militaries, terrorist, and criminal elements." Hybrid war involves multi-layered efforts designed to destabilise a functioning state and polarise its society (Thiele, 2015).
During the 2000s, the use of the term "hybrid" became a common way to describe contemporary warfare, mainly because of the increasing sophistication and lethality of violent non-state actors and the growing potential of cyber warfare. Although there was no agreement that this necessarily constituted a new form of warfare, definitions of hybrid warfare (GAO, 2010) emphasised the blending of conventional and irregular approaches across the full spectrum of conflict (Wither, 2016).
In his study, Thiele (2015) states that hybrid war appears only vaguely connected; the pieces are parts of a whole. It is a war that appears to be an incomprehensible sequence of improvisations and disparate actions along various fronts — humanitarian convoys followed by conventional war with artillery and tanks in Eastern Ukraine, peacekeeping operations in Transnistria, cyber-attacks in Estonia, vast disinformation campaigns in the mass media, seemingly random forays of heavy bombers over the North Sea, submarine games in the Baltic Sea, and so on. In essence, hybrid tactics reflect an order behind the spectrum of tools used. In thinking through the ongoing hybrid campaigns, it is essential to understand that "hybrid" refers to the means of war as opposed to its principles, goals, or nature (Thiele, 2015).
As discussed before, Russia's actions in Ukraine in 2014 intensified interest in the concept of hybrid warfare. For many Western commentators, "hybrid" appeared to be the best way to describe the variety and blending of tools and methods employed by the Russian Federation during its annexation of Crimea and support to separatist groups in eastern Ukraine. Russian techniques included the traditional combination of conventional and irregular combat operations, but also the support and sponsorship of political protests, economic coercion, cyber operations and, in particular, an intense disinformation campaign (Wither, 2016).
Information Warfare
The Russians generally do not use the terms cyber or cyberwarfare, except when referring to Western or other foreign writings on the topic. Instead, like the Chinese, they tend to use the word informatisation, thereby conceptualising cyber operations within the broader rubric of information warfare (Connell & Vogler, 2017). The term, as Russian military theorists employ it, is a holistic concept that includes computer network operations, electronic warfare, psychological operations, and information operations (Adomeit, 2017; Thomas, 2009). In other words, cyber is regarded as a mechanism for enabling the state to dominate the information landscape, which is regarded as a warfare domain in its own right. Ideally, it is to be employed as part of a whole-of-government effort, along with other, more traditional weapons of information warfare that would be familiar to any student of Russian or Soviet military doctrine, including disinformation operations, PsyOps, electronic warfare, and political subversion.
In the West, cybersecurity and information security are considered to be two different things. In Russia, however, cyber is subordinate to information security, which allows national security planners to oversee both technical data (e.g. the integrity of password files) and cognitive data (e.g. political information on websites). Thus, any information found on the World Wide Web could be a 'missile' fired at Russia that is more dangerous than a typical cyber-attack as currently understood in the West (Jaitner, 2015).
Russia has been using an advanced form of hybrid warfare in Ukraine since early 2014 that relies heavily on an element of information warfare that the Russians call "reflexive control" (Snegovaya, 2015). Reflexive control causes a stronger adversary voluntarily to choose the actions most advantageous to Russian objectives by decisively shaping the adversary's perceptions of the situation. Moscow has used this technique skilfully to persuade the U.S. and its European allies to remain mostly passive in the face of Russia's efforts to disrupt and dismantle Ukraine through military and non-military means. The West must become alert to the use of reflexive control techniques and find ways to counter them if it is to succeed in an era of hybrid war.
The key elements of Russia's reflexive control techniques in Ukraine have been (Snegovaya, 2015):
• Denial and deception operations to conceal or obfuscate the presence of Russian forces in Ukraine, including sending in "little green men" in uniforms without insignia;
• Concealing Moscow's goals and objectives in the conflict, which sows fear in some and allows others to persuade themselves that the Kremlin's aims are limited and ultimately acceptable;
• Retaining superficially plausible legality for Russia's actions by denying Moscow's involvement in the conflict, requiring the international community to recognise Russia as an interested power rather than a party to the conflict, and pointing to supposedly equivalent Western actions such as the unilateral declaration of independence by Kosovo in the 1990s and the invasion of Iraq in 2003;
• Simultaneously threatening the West with military power in the form of overflights of NATO and non-NATO countries' airspace, threats of using Russia's nuclear weapons, and exaggerated claims of Russia's military prowess and success;
• The deployment of a vast and complex global effort to shape the narrative about the Ukraine conflict through formal and social media.
Cyberwarfare
The focus in cyber warfare is too often on the technical details without understanding the strategic context. War is always a matter of policy, and a state operating in the cyber domain is engaged in a struggle for power and influence (Limnéll, 2015). Cyber simply offers one more tool, and we must not turn a blind eye to it. Cyberwarfare should not be treated as a standalone area separate from the broader political, strategic and geopolitical context.
Cyber operations have to be considered within the context of the whole conflict. Although cyber can be used as a standalone operation, the more likely case — and this holds true in Ukraine — is that cyber is used as a facilitator for other, more traditional types of warfare (Stinissen & Geers, 2015). The law applicable to the conflict as a whole should be applied to the cyber activities that are part of it. In other words, the broader context determines the legal framework for cyber operations. Particularly relevant is whether the conflict in Ukraine is an 'armed conflict' that leads to the application of the Law of Armed Conflict (or international humanitarian law).
When analysing the cyber warfare in the (ongoing) Russo-Ukrainian war, it must be understood what kind of war has taken place. The war in Ukraine is widely seen as the most significant security crisis in Europe since the end of the Cold War (Limnéll, 2015). Nevertheless, it is also seen as an example of what appears to be a new kind of conflict called hybrid warfare, which combines military, economic, diplomatic, political and other mostly non-physical activities to achieve long-term strategic goals.
Today, more than 100 of the world's militaries have some organisation in place for cyber warfare, and over 40 countries worldwide have published a National Cyber Strategy. According to Singer (2015), in war the cyber instrument has become a domain like land, sea, air and space. Nation-states are spending more money to create cyber capabilities, and the role of the cyber domain has become emphasised in national security and military strategies.
International law applies to cyberspace. During armed conflict, the Law of Armed Conflict applies to any cyber operation conducted in association with the hostilities. Until now, we have not seen a case where cyber hostilities between parties by themselves constituted an armed conflict. Instead, they have remained one part of a more significant, traditional conflict. This dynamic has not changed during the conflict in Ukraine (Stinissen & Geers, 2015).
During the conflict in Ukraine, cyber means have been used to gather intelligence, including Snake, BlackEnergy, and Sandworm. Intelligence gathering and espionage are not forbidden by international law. Espionage, in the context of the Law of Armed Conflict, has a narrow scope: it refers to operations that are conducted clandestinely or under false pretences, taking place on territory controlled by the adversary, 'behind enemy lines'. For instance, a close-access cyber operation in which an agent gains access to servers used by the adversary by feigning a false identity and extracts information using a thumb drive could be espionage. An agent captured before reaching his own troops has no Prisoner of War (PoW) status and can be tried as a spy. Gathering intelligence from a distance is not espionage in the meaning of the Law of Armed Conflict (Stinissen & Geers, 2015). BlackEnergy reportedly has a Russian connection.
BlackEnergy Malware
The reports about the cyber-attacks on the Ukrainian power grid revealed that one or more pieces of malware were deliberately developed to attack industrial facilities, with power systems as one of the primary targets. Once attackers have access to the power grid control system, they could trigger cascading outages and thereby cause a large-scale loss of load. Such cybersecurity threats have been considered and studied by the North American Electric Reliability Corporation (NERC) since at least 2012 (Huang, Majidi, & Baldick, 2018).
The BlackEnergy malware targeting critical infrastructures has a long history. It evolved from a simple DDoS platform to quite sophisticated plug-in-based malware. The plug-in architecture has a persistent malware core with easily installable attack-specific modules for DDoS, spamming, info-stealing, remote access, boot-sector formatting etc. BlackEnergy has been involved in several high-profile cyber-physical attacks, including the recent Ukraine power grid attack in December 2015 (Khan, Maynard, McLaughlin, Laverty, & Sezer, 2016).
According to research (Nazario, 2007), BlackEnergy is a web-based distributed denial of service (DDoS) bot used by the Russian hacker underground. BlackEnergy gives attackers an easy-to-control web-based bot that can launch various attacks and control the bots using minimal syntax and structure. The BlackEnergy tools appear to have been developed by one or more Russian hackers. Also, at the time, most of the BlackEnergy command and control (C&C) systems the researchers had seen were hosted in Malaysia and Russia and were attacking Russian targets.
The role of malware in modern, sophisticated multistage cyber attacks cannot be ignored. The success of a cyber attack depends on the attacker's ability to install malware on a targeted system without being noticed by the system owner. The time malware can disguise itself and persist inside an infected system is also an essential factor for successful cyber attacks (Khan et al., 2016). Since its first discovery, BlackEnergy has evolved into one of the most sophisticated modular malware families targeting critical infrastructure. Initially designed for Distributed Denial of Service (DDoS) attacks, BlackEnergy evolved into a plug-in-based architecture easing the development of new attack-specific modules for espionage, DDoS, spam and fraud. BlackEnergy has been involved in several significant cyberattacks, including coordinated DDoS attacks on Georgia's finance, military and government agencies, fraudulent bank transactions and the Ukraine power grid (Khan et al., 2016).
In the past two years, BlackEnergy has become one of the top malware families of interest to system administrators responsible for protecting the networks of potential targets, to security researchers who have the family in their sights, and also to the media — both technical and mainstream. BlackEnergy recently made the headlines again after researchers discovered that it was used in cyberattacks against electricity distribution companies, which resulted in massive power outages in Ukraine in December 2015.
According to a recent study (Cherepanov & Lipovsky, 2016), one of the main reasons why the BlackEnergy attacks have grabbed so much attention is that they were — and still are — used amid a tense geopolitical situation in Ukraine. In addition to electricity distribution companies, the targets in that country have included state institutions, news media organisations, airports, and railway companies. Ukrainian officials were quick to point an accusing finger at Russia, and many others — including security companies — followed with similar allegations. The power grid compromise has become known as the first-of-its-kind confirmed cyber warfare attack affecting civilians.
The BlackEnergy malware has evolved significantly from its initial version, first seen in 2007, which has little in common with the samples in the wild (and in the headlines) in 2016. Over the years, the malware family has been used for (petty) cybercrime, cyber espionage, and most recently, cyber sabotage.
While some security experts are sceptical about any involvement of the BlackEnergy malware in the power outage incident, the authors (Cherepanov & Lipovsky, 2016) affirm that this malware was indeed detected in Ukrainian energy companies. The attackers likely did not use the BlackEnergy malware to cause the outage itself; rather, the malware was used in preparation for the power outage attacks.
Conclusion
Russia has shown it can occupy whole slices of another state's territory using no more than information warfare, deniability and a few highly disciplined special forces. The Russian military, supported by a substantial information warfare infrastructure, has employed the tenets of hybrid warfare remarkably skilfully. Such activities have, of course, to be countered by NATO and the EU to ensure Moscow cannot use these tactics so easily in future (Thornton, 2015).
In a traditional war, weapons and strategies are relatively well understood; the international community and previous experience have developed rules of the road for armed conflict. That is not the case with cyber. The most challenging task is to understand how the cyber domain is blurring our dichotomies — the way we as humans tend to organise the world. In this sense, it can be said that we are living in the dawn of the cyber warfare era, and "cyber tools" will get more powerful and "cyber playbooks" more sophisticated as the world becomes more connected and ever more dependent on the cyber domain (Limnéll, 2015). Also, the cyber operations in the Ukraine conflict have been used either to gather intelligence or as part of an ongoing 'information war' between the parties. They were not launched to inflict damage on infrastructure and other military capabilities. As a result, most of these cyber operations have not yet risen to the level of activities proscribed or even governed by the Law of Armed Conflict. That would change if cyber were more integrated into kinetic warfare operations (Stinissen & Geers, 2015).
In light of the Ukrainian experience, it seems more likely that cyber operations (even destructive ones) will, in future wars and conflicts, be deployed to shape and condition the battlespace rather than as specific activities in their own right. For future wars and conflicts, as well as the skirmishes that precede them, policymakers must expect the use of cyber capabilities as a disruptor or force multiplier, deployed in conjunction with more conventional kinetic weaponry (Limnéll, 2015). However, in the Ukraine conflict, the publicly known cyber operations have not generally been considered sophisticated — likely not corresponding to the real national capabilities of Russia and Ukraine. The prevailing assumption is that, except for some advanced cyber-espionage malware such as Snake, the known cyber-attacks could have been conducted by non-state actors. These hackers or hacker groups, trying to affect the adversary's military activities, are participating in hostilities and have to conduct their operations in accordance with the Law of Armed Conflict (Stinissen & Geers, 2015).