Reports in recent days of cyber incidents involving Russia and Ukraine are largely unconfirmed and inconsistent. The scale and frequency of website defacements—of the kind the Russian government broadcaster RT reported over a week ago—are barely distinguishable from the ordinary background noise of hostile activity against any high-profile site. This is a vastly different situation to the mass denial of service (DoS) and hacking attacks that targeted Estonia in 2007 and Georgia in 2008.

The first incident to be definitively linked to the Russia-Ukraine confrontation came when an Internet exchange point (IXP, an important node for Internet traffic) located in Crimea was physically taken over by Russian forces on, or about, March 1. Ukraine then alleged that this facilitated attacks on the mobile phones of members of parliament in Kiev. There has apparently been no corroboration in open sources of the Ukrainian claim. But even if the incident was reported accurately, it simply underscores how little cyber activity there has been to date. Even the IXP incident was instead a physical action aimed at facilitating an information operation.

When on March 8 the long-expected DoS attacks against Ukraine were first reported, they apparently had only one target—the National Security and Defense Council. This too was in contrast to the much broader range of targets which came under attack in Estonia and Georgia. Considering that this specific Ukrainian target will be a key decision-making center for managing the crisis and any military response, some analysts have suggested that the attack could be a precursor to further military action by Russia. In this way, it is the reverse of the previous incident—namely an information operation designed to suppress communications preparatory to kinetic action.

Information war, not cyber war

Both of these attacks illustrate an important aspect of Russian planning. While they were reported as cyber attacks in the West, in Russia they fall under the much broader category of "information warfare." This is a wide-ranging, holistic area of offensive activity by the state which encompasses far more than technical cyber exploits. The multifaceted information campaign by Russia is well under way elsewhere too. The targeting of journalists in Crimea and the suppression of non-Russia-friendly broadcasting there are assertive steps by the Russian side to control the information environment and prevent the fictions presented by Russian media and leaders from being exposed. At the time of writing, local media in Crimea are still available online and reporting busily, but non-Russian regional media, and even foreign reporters, are finding their operations increasingly constrained. The turning back of OSCE observers attempting to enter Crimea, with warning shots fired, is another element in Russia's attempt to gain overall information control. Russia has clearly learned lessons from the armed conflict in Georgia in 2008. Back then, one of the strong criticisms expressed in after-action analysis was of poor performance in information warfare, especially in dominating the media narrative.

Similarly, on March 1 Russian media reported that Dmitry Yarosh, the leader of Ukraine's Right Sector group and a particular target for Russian criticism, had made an appeal through social media to Islamist insurgent leader Doku Umarov. Yarosh wanted Umarov to support Ukraine by attacking Russia. Yarosh claims this is not the case and that the appeal was planted after his account was hacked. Active measures, such as planting false information which supports the Russian narrative or discredits opponents, have been a familiar tactic since early Soviet times. Now it's translated into the new realm of cyberspace. If the Yarosh appeal was indeed faked, this could be another example from the current conflict of technical cyber capability being used not for its own sake, but for a broader information objective.

Stealth and sophistication

Russia used the criticisms of its military shortcomings in Georgia to give impetus to a massive program of armed forces reform and rearmament, including widespread digitization and automation of many command and control systems and networks. The Ukrainian military's spending and reform efforts have been vastly more modest. As a result, military experts in the region suggest that Ukraine would be less susceptible to pure cyber attacks on its networks, as opposed to more traditional forms of electronic warfare.

But it is implausible that the confrontation to date has seen no cyber offensive at all against civilian or government targets. Instead, it is likely that activity of this kind is more sophisticated and stealthy, to the point where it is simply not reaching open source reporting. However, small clues to what may be going on between Russia and Ukraine do emerge. On March 9, it was reported from India that confidential documents relating to Russian fighter aircraft operated by the Indian Air Force had been compromised as a result of an attack on Russian communications systems. While the descriptions of how this happened are so far incomplete and inconclusive, one inference is that somebody—not necessarily from Ukraine—may be taking an interest in acquiring current information on Russian air capabilities.

One thing that is not in doubt is the Russian capacity to launch highly sophisticated cyber operations. One current example is Snake, also known as Ouroboros and Uroburos, an espionage tool which has been detected in multiple instances in Ukraine and elsewhere. In some media reports, this advanced cyber weapon has misleadingly been tied to the current conflict, whereas, in fact, this is a long-standing exploit whose deployment dates back at least four years, with some elements of the software created as long ago as 2005. But it is widely assumed that the perpetrator is Russia. A detailed analysis by BAE Systems coyly refrains from pointing at a likely country of origin, beyond analyzing timestamps within the malicious software which show it was compiled almost exclusively during office hours in the GMT+4 time zone. That's a time zone which, as it happens, includes Moscow.

Thus Snake is not a result of the conflict between Russia and Ukraine; it's a precursor to it. Cyber espionage is a crucial part of positioning for Russian foreign policy in former USSR countries. Accessing the information systems of diplomatic, government, and military organizations over many years gives Russia a huge advantage in predicting the tactics and thinking of its neighbors. These cyber activities have received far less public acknowledgement in the past year than equivalent actions by the United States and its allies—mostly because of the absence, to date, of a Russian Edward Snowden to disclose them. But the intelligence advantage this espionage confers may tip the balance in the risk calculation that leads to the kind of assertive activity seen on the ground in Crimea today.

Brute force attacks on Ukrainian websites of the kind that were used against Estonia and Georgia would risk collateral damage by inconveniencing and alienating the Russia-friendly populations in Eastern Ukraine. Additionally, six years is a very long time in cyberspace. The reason for the relative cyber quiet of the current crisis could also be that the sophistication and precision of Russia's current cyber tools mean that kind of cyber carpet bombing is simply no longer necessary.

Keir Giles (@keirgiles) is a leading expert on security issues affecting the Russian Federation. He has written extensively on the Russian approach to cyber security as well as on Russian military affairs. Giles is an Associate Fellow of the Royal Institute of International Affairs (Chatham House), a Senior Analyst with Wikistrat, and Director of the UK's Conflict Studies Research Centre. This piece will also appear at Chatham House.