Electronic Weapons: Ukrainian Hackers Disrupt Russian Networks


February 8, 2024: The Ukrainian Blackjack internet hacker group, working in cooperation with the Ukrainian Security Service and the Defense Intelligence organization, carried out an extensive online attack on Russian networks in late 2023. This effort downloaded data on construction plans for more than 500 military bases in Russia and occupied Ukraine and erased the original Russian data files. This essential data was lost to the Russians until there was time to reconstruct it. Also obtained was data on the plans and operations of Russian military headquarters at hundreds of bases. The facilities were located throughout Russia and included air-defense installations and arsenals where weapons are assembled and stored. Blackjack also stole massive amounts of data on Russian military plans and proposals, as well as after-action reports on completed projects and operations. Again, all the original files were erased. The damage was restricted to assets useful to the Russian military; outside the military there were vast quantities of untouched material that could, with some effort, be adapted to military use. Blackjack also destroyed large amounts of other Russian data stored online, along with most of the backups. This caused chaos among Russian construction supervisors: work on projects was disrupted, interrupted, or put on hold because crucial information was missing or partially erased. Seven servers were corrupted, as well as the computers used by 150 Russian individuals working for the military. The Ukrainians were primarily interested in how all this data destruction aided the Ukrainian war effort. It did so by eliminating assets the Russians used to fight Ukrainians.

The Russians have had some success with their own internet hacks. For example, Russian hackers obtained access to surveillance cameras in the Ukrainian capital Kyiv. This enabled precise selection of targets for missile attacks. Both sides’ hackers also carry out operations in the combat zone. For example, Ukrainian hackers broke into the encrypted video feed from Russian FPV (First Person View) UAVs, providing the Ukrainians with real-time information on where Russian troops are. FPV means the UAV operator wears a headset that shows what the camera on the UAV sees and flies the UAV using that view, either for surveillance or to steer a UAV carrying explosives into its target. The operator then takes control of another armed UAV and does the same again and again. Skilled FPV UAV operators stay outside the combat zone and can move freely if it is suspected that the enemy is tracking and targeting them. Both sides use this technology. The Russian camera operators likewise see what is ahead of them as their UAVs fly towards Ukrainian forces.

One complication is that military and civilian networks are generally separate and use different technology, so they are not interchangeable. That separation was revealed back in 2016, shortly after Russia had created a separate, encrypted Internet for its military. Russia calls it CTDT (Closed Data Transfer Segment), and it was tested in combat for the first time that year in Syria. This is similar to the classified Internet used by the American military. The U.S. Department of Defense has two private Internets that use Internet technology but are not directly connected to the public Internet. NIPRNET (Non-classified Internet Protocol Router Network) is unclassified and is the primary network for American military personnel. SIPRNET (Secure Internet Protocol Router Network) is classified, and all traffic on it is encrypted, so it can be used to send top secret material. NIPRNET is the largest private network on the planet, with over four million authorized users and over three times as many connected devices, including PCs, tablets, smart phones, and other electronic equipment. NIPRNET has grown steadily since it was created from the earlier MILNET in the 1980s.

In 2010 the U.S. Department of Defense spent $10 million to have a civilian firm create a roadmap for NIPRNET. This was an admission that, in effect, NIPRNET had gotten a little out of control, and the roadmap program was meant to find out how big it had gotten and exactly what was in there. The survey also sought to find any instances where unauthorized users had quietly joined the net. This was suspected, and the survey was the start of a major effort to clean interlopers out. The survey also looked for weaknesses in security. The Department of Defense has made several major efforts since 2005 to improve network security, but those efforts also revealed that weaknesses can show up in the strangest places, which was another reason to keep many aspects of the investigations and subsequent fixes secret.

Russia has apparently learned from American problems with SIPRNET and got a major assist from a former NSA contractor, Edward Snowden. He had access to SIPRNET, stole large quantities of classified data from it, and then fled to Russia in 2013. Because of that, and whatever else Snowden told Russia about SIPRNET, CTDT has had a lot of additional security built in. Russia has not provided details, but using CTDT in a combat zone for over a year was a challenge to the Americans and Israelis to have a crack at penetrating the new Russian network. Because of the intense secrecy there is nothing to report on that front, which is not to say anything has happened. In situations like this, details become public much later.

The Department of Defense continues efforts to keep SIPRNET secure. You could say that effort got into high gear in 2008, when the Department of Defense banned the use of USB thumb drives on its computers because it was having more problems keeping hackers out of its private Internet. A year later the USB devices were allowed back, but only new versions with security built in. Military network software was modified to recognize the secure USB memory sticks and continue to block unauthorized devices.

The original panic began when a worm program got onto SIPRNET via a USB device. The problem in question was hacker programs called worms that automatically copy themselves to rewritable CDs and DVDs as well as memory sticks. The next time that CD, DVD or memory stick is read on another computer, the worm copies itself onto that computer, tries to secretly take over, and enables hackers to gain access and steal data. The existence of worms was a major threat to network security, and the military promptly told troops not to use memory sticks on military computers. This caused problems in the combat zone, where there is not a lot of Internet bandwidth for moving information around, so troops prefer to keep a lot of material on memory sticks. When the troops rebelled against these restrictions, the response was sometimes to physically seal the USB ports on some machines. In the end, the troops won this round.
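A defender-side illustration of the two controls the last two paragraphs describe: allowlisting approved secure sticks while blocking everything else, and spotting a worm that spreads by autorun from removable media. This is an added example, not Department of Defense software; every vendor id, serial number and file name in it is a constructed sample, and the allowlist itself is hypothetical.

```python
"""Removable-media policy check for a closed network, seen from the defender's side."""
from dataclasses import dataclass
import re
# Hypothetical allowlist of approved, hardened USB sticks: (vendor id, product id, serial).
# Every identifier and file name in this block is a constructed sample, not real data.
APPROVED_DEVICES = {("1234", "5678", "SECURESTICK-000001"),
                    ("1234", "5678", "SECURESTICK-000002")}

# autorun.inf keys that made Windows run a program on mount, the hook worms on removable media used.
_AUTORUN_LAUNCH = re.compile(r"^\s*(open|shellexecute|shell\\\w+\\command)\s*=\s*(.+)$", re.I | re.M)
_EXEC_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".dll")

@dataclass(frozen=True)
class UsbDevice:
    vendor_id: str
    product_id: str
    serial: str
    removable: bool  # True for mass-storage media, False for keyboards etc.

def device_allowed(dev: UsbDevice) -> bool:
    """Non-storage devices pass; removable storage must be an approved stick."""
    if not dev.removable:
        return True
    return (dev.vendor_id.lower(), dev.product_id.lower(), dev.serial) in APPROVED_DEVICES

def autorun_findings(volume_files: dict[str, str]) -> list[str]:
    """List autorun.inf entries that would launch an executable (input: file name -> text content)."""
    inf = next((body for name, body in volume_files.items() if name.lower() == "autorun.inf"), "")
    findings = []
    for key, target in _AUTORUN_LAUNCH.findall(inf):
        program = (target.split() or [""])[0].strip('"')  # first token is the program to run
        if program.lower().endswith(_EXEC_EXT):
            findings.append(f"autorun.inf {key.lower()}= launches {program}")
    return findings

def evaluate_mount(dev: UsbDevice, volume_files: dict[str, str]) -> tuple[str, list[str]]:
    """Return ('ALLOW' or 'BLOCK', reasons) for one device-insertion event."""
    if not device_allowed(dev):
        return "BLOCK", ["device not on the approved-hardware allowlist"]
    risks = autorun_findings(volume_files)
    return ("BLOCK", risks) if risks else ("ALLOW", [])

# Constructed sample events: a clean approved stick, an approved stick carrying a
# worm-style autorun.inf, and a stick that is not on the allowlist at all.
APPROVED_STICK = UsbDevice("1234", "5678", "SECURESTICK-000001", removable=True)
UNKNOWN_STICK = UsbDevice("abcd", "0001", "NOSERIAL", removable=True)
CLEAN_VOLUME = {"report.docx": "", "photos.zip": ""}
WORM_VOLUME = {"report.docx": "", "setup.exe": "<binary>",
               "AUTORUN.INF": "[autorun]\nopen=setup.exe\nicon=setup.exe,0\nshell\\open\\command=setup.exe\n"}
```

Note that an approved stick is still blocked when its volume carries a launching autorun.inf, which is the case the 2008 incident turned on: trusting the hardware is not the same as trusting what was copied onto it.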

These worm programs could do all sorts of damage on the closed SIPRNET. They even raised the possibility of getting secret information off the secure net: a hacker program copies data from SIPRNET, copies itself onto other memory devices, reaches PCs connected to the Internet, and then transmits the secret material back to the hacker or spy.

Before the Internet came along, programs that automatically copied themselves were a common way for viruses and other malware to get around, slowly, but useful data did travel that way. NIPRNET is also vulnerable. Even though the Department of Defense installed new hardware, especially customized routers, and software to increase security, worms were still getting into portions of its networks. Oddly enough, the Department of Defense does not appear to have paid as much attention to a user simply copying data from SIPRNET and delivering the material to someone not authorized to have it.

The military was a major user of the public Internet from the beginning, and it has found that most intrusions via hacks and viruses were the result of poor configuration: not keeping hardware and software set up correctly to defeat known vulnerabilities, or not installing patches and security updates in time. The rest of the intrusions came from more mundane problems, like using an easily cracked password, or no password at all. Network security has always been a people problem, and these recent incidents are a sharp reminder of that.

It's easy for troops to be doing something on SIPRNET, then switch to the Internet, and forget that they are now on an unsecured network. Warnings to users about the switch and the resulting vulnerability did not cure the problem. The Internet is very useful for the troops, especially for discussing technical and tactical matters with other soldiers. The army has tried to control the problem by monitoring military accounts, those ending in .mil, but the troops quickly became aware of that and opened another account with Yahoo or Google for their more casual web surfing and for discussions with other troops.

The Internet has been a major benefit for combat soldiers, enabling them to share firsthand information quickly and accurately. That's why the troops were warned that the enemy is actively searching for anything they post, and this material has been found on terrorist websites and on captured enemy laptops. In reality, information spreads among terrorists much more slowly than among American troops. But if soldiers discuss tactics and techniques in an open venue, including posting pictures and videos, the enemy will eventually find and download it. The terrorists could speed up this process if they could get the right hackware inside American military computers. But right now, the enemy just Googles for useful chatter from Western troops.