Cyber War on the Edge: A Balance of Access and Action

During the Russian war on Ukraine, the GRU has emerged as the primary cyber espionage actor conducting the cyber war on Ukraine, far surpassing the FSB. The cyber war has consisted of both cyber-attacks and cyber espionage campaigns: continuously gathering information on strategic or military targets while attempting to inflict pain on those organizations via network disruptions and leaks from so-called hacktivist collectives.

In practice, this is a delicate balance to strike. Yet, with a previously unseen fervor, clusters of GRU cyber activity have managed to wage a cyber war with constant disruptive and espionage operations – almost in tandem – by “living on the edge” of target networks and compromising edge infrastructure (e.g., routers and mail servers). Holding the edge gives them another chance at access after they’ve burned systems with a wiper operation.

Our presentation will tell the story of the GRU in Ukraine since the invasion while delving deeper into how cyber war really takes place, strategically and tactically. First, we will analyze current analytical frameworks for how cyber operations take place and recontextualize these for our observations of cyber war. We’ll then go into detail on individual examples, analyzing the types of strategic operations and the tactical components that make up the cyber war on Ukraine. In particular, we’ll show a tactical view of how the GRU has compromised and leveraged edge infrastructure to consistently access Ukrainian targets. This compromised edge infrastructure enables the disruption operations – wipers and leaks – that come next. In doing so, we will also highlight never-before-shared examples of how these fast-paced operations can go wrong, proving that life on the edge can be beneficial, but it’s also easy to fall off.