A top Ukrainian cybersecurity official said this week that the Russian campaign to wrest control over internet and phone networks in occupied Ukraine continues to grow, even as Russian forces intensify their shelling of telecommunications infrastructure.
The Russian outlet The Moscow Times reported Thursday that in areas of eastern Ukraine that Russian troops are occupying, a telecommunications company run by + 7 Telecom — a likely subsidiary of the Russian telecom giant MTS — has replaced Ukrainian mobile services. The news outlet quoted Ukrainians complaining about the poor reception and internet censorship that accompanied the shift.
“+ 7 Telecom’s arrival on the scene replaced the Ukrainian telecom operators in occupied territory [and] there’s a range of circumstantial evidence indicating the Russian telecom giant MTS is the ultimate beneficiary,” said Gavin Wilde, a disinformation expert at the Carnegie Endowment for International Peace who formerly served as a Russia director at the National Security Council. “As with so many schemes out of Moscow, third parties, cutouts and intermediaries obscure what otherwise seems self-evident: Russian power players have already begun carving up the information infrastructure in newly occupied Donbas.”
MTS is owned by an oligarch and its networks are linked to the Russian System for Operative Investigative Activities, or SORM, which the Russian government has long used surveil and silence dissenting voices inside Russia.
Victor Zhora, a top Ukrainian cyber official, said Ukrainian ISPs were able to control the Internet in the occupied territories until about two weeks ago, when he said the Russians reconfigured networks and rerouted traffic through Crimea to Russia.
”The destructive nature of these attacks is far less than of kinetic [active warfare], obviously, so we understand that the objective is to sow disinformation, to sow panic and instability,” Zhora, deputy head of Ukraine’s cybersecurity agency, the State Service of Special Communications Service (SSSCIP), said in an interview with CyberScoop.
The situation is made more difficult because the Ukrainian network management center is under martial law, he added.
“We’ve got seven requests from local Kherson providers, in order to make them clarify what to do in this situation when they’re forced to reroute traffic and [whether] to let Russian invaders having access to these equipment, and our position is to avoid risk for their lives,” Zhora said.
Russian troops stormed an internet service provider’s (ISP) offices in the Kherson region last month, forcing the company’s executives onto Russian networks.
Cloudflare Radar, which monitors Internet trends, reported on June 13 that Ukrainian provider Khersontelecom was routing traffic upstream through Russian-controlled digital service providers Miranda and Rostelecom. The SSSCIP has said that some 20% of Ukrainian telecom infrastructure has been damaged or destroyed since the war began, according to Wired.
Thwarted by technology
A former senior leader of U.S. Cyber Command said the Russians are narrowing — or what he called ‘canalizing’ — the Ukrainians’ cyberspace and physical terrain simultaneously. Speaking at an American University Washington College of Law cybersecurity conference on Wednesday, Rear Adm. TJ White, who led Cyber Command’s cyber mission force until 2018 and Fleet Cyber Command after that, said the Russian focus on information operations has been unyielding.
But Russian information war objectives have been thwarted to a large degree by Elon Musk’s Starlink satellite internet constellation and by the fact that many Ukrainians have virtual private networks (VPNs), White said.
Last week Brig. Gen. Steve Butow, director of the space portfolio at the Defense Innovation Unit, told Politico that Starlink “totally destroyed [Russian President Vladimir] Putin’s information campaign. He never, to this day, has been able to silence [Ukrainian President Volodymyr] Zelenskyy.”
About 150,000 Ukrainians use Starlink on a daily basis, Mykhailo Fedorov, Ukraine’s digital minister, tweeted last month. Top10VPN, an organization that researches and ranks worldwide VPN usage said that between mid-February and late March VPN usage in Ukraine surged by 609%.
Using telecom control to surveil, censor occupied Ukraine
Zhora said the Russian’s haven’t given up on the information war. Their propaganda is extensive and is customized region by region with a goal of beating down occupied Ukraine’s ability to resist the occupation, he said.
“It is to make people understand that they have been forgotten,” Zhora said. “The Ukrainian army is losing their last chance to return to normal life, so please get these Russian passports, continue collaborating, etc.”
Zhora said Russia has used both its SORM surveillance network and deep packet inspection (DPI) technology to surveil Ukrainians and censor their news diet. DPI is an advanced method of examining and managing network traffic.
Russia is desperate to control the Internet in Ukraine for several reasons, according to Andrei Soldatov, a nonresident senior fellow with the Center for European Policy Analysis think tank and a Russian investigative journalist who is the founder of a news organization aggressively covering the Russian secret services. (Russia placed Soldatov, an expert on SORM and the larger Russian surveillance apparatus, on a wanted list earlier this month and froze his bank accounts).
Soldatov said that leveraging SORM’s snooping capabilities is doubtlessly a large motivator for the Russian effort to force Ukrainians onto Russian networks. He said such surveillance will give the Russians the political control they need and also will bolster the Russian military.
“They need a way to monitor and surveil traffic of Ukrainian civilians because these Ukrainians report Russian military troops’ movements to the Ukrainian army,” Soldatov said.
SORM is a powerful tool which functions like a wiretap, but Soldatov said it needs to be targeted to focus on specific individuals and does not work on a mass scale.
Like Zhora, Soldatov believes the Russians are using DPI to filter Ukrainians internet content. But he said filtering doesn’t work well from a distance, meaning Russia would have had to bring DPI technology into Ukraine — and Soldatov said Russia does not mass produce DPI devices.
“I suspect strongly that there might be some DPI equipment developed somewhere in the West or maybe in Israel, because this country (Israel) is extremely active at selling DPI devices to Russia, so maybe some sort of foreign made equipment might be found in occupied territories,” Soldatov said.
Limits to sowing disinformation
Disinformation scholars said that even with the benefit of a VPN or Starlink connection it seems clear that the average Ukrainian’s information flow is sharply attenuated. But Herb Lin, a disinformation scholar at Stanford University, said that most Ukrainians will be unmoved by the propaganda since the Russians can’t take away the country’s democratic legacy.
“One of the most important things to realize … is Ukrainians will remember a time when they were not cut off,” Lin said.
Wilde said he believes the war has undermined Russia’s standing as an information warfare elite.
“Ukraine’s resilience to these [Russian information warfare] efforts … raises questions in my mind about the core assumptions of [the Russian information warfare] doctrine, because in many ways, Russian information operations in Ukraine have galvanized the very institutions they were intended to degrade,” Wilde said. “If the objective, particularly since 2014, was to use cyber and information operations to strategically alter Ukraine’s geopolitical trajectory, it has proven a costly failure.”
Lessons for the U.S.
Even with the mixed results of Russia’s information operations in Ukraine, White suggested such operations are central components of effective cyberwarfare — more than the U.S. appears to realize.
“If I was to offer a criticism of the DOD today … I would say we haven’t decided yet what is or isn’t information operations, information warfare, cyberspace operations, operations in cyberspace that enable information operations,” said White, who led the Cyber Mission Force at Cyber Command until 2018. “Is it about spectrum, is it about IP [internet protocol] space, OT [operational technology] space, is it about cognitive operations, beliefs and understanding and motivations for operations? … We just haven’t yet decided.”