While Ukraine’s experiences on the frontlines of Russia’s war are providing Nato and allied countries with opportunities to take note of real-world combat lessons, so too are operations in the cyber domain offering valuable insight into Moscow’s digital grey-zone tactics.
Ukraine finds itself combatting Russian operations in the digital domain on a daily basis, as Moscow seeks to leverage state and non-state tools at its disposal to meet its goals.
Delving into lessons learned in combatting Russian cyber-attacks, Ukraine has created a synthetic cybersecurity platform centre dubbed TRYZUB (Trident), intended to offer training experiences from what it termed “the trenches of the first-ever cyberwar”, via high-fidelity cyber-attack emulations.
The TRYZUB centre offers participants the role of a cybersecurity team facing cyber incidents from Gamaredon and Sandworm threat actors and related hacker groups, which have targeted sectors such as defence, energy, and other critical civilian infrastructure in Ukraine.
Scenarios for TRYZUB were developed by CERT-UA, part of the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), which together with US-based CYBER RANGES created the examples of real-world operations, incorporating modern digital defence tactics.
Brig Gen Oleksandr Potii, head of Ukraine’s SSSCIP, said the use of real-world scenarios in TRYZUB would “undoubtedly help train security officers in the most modern methods of countering cyberattacks”.
Nato “must learn” from Ukraine’s cyber experience
Cyberattacks on Ukraine by Russian paramilitary forces or aligned groups have become increasingly common, with a recent disclosure by the UK’s National Cyber Security Centre (NCSC) singling out Unit 29155, a specialist military unit of Russia’s GRU, as having carried out attacks at scale.
A joint advisory issued in September 2024 by the NCSC – a part of GCHQ – and a range of Nato agencies as well as Australia and Ukraine, revealed Unit 29155’s operations had targeted organisations for espionage purposes, causing “reputational harm” by the theft and leaking of sensitive data, defacing of websites, and “systematic sabotage” caused by the destruction of data.
The group differs from the more established GRU-related cyber groups, Unit 26165 (Fancy Bear) and Unit 74455 (Sandworm).
At a recent Nato cybersecurity conference, a senior UK government official singled out Unit 29155 as a particular threat, warning it had attacked government services, the financial sector, transport systems, and energy and healthcare in Nato member countries.
To this end, Nato “must learn” from Ukraine’s experience in operations in the digital domain, according to Chancellor of the Duchy of Lancaster Pat McFadden, speaking at the Nato Cyber Defence Conference at Lancaster House on 25 November 2024, where the UK announced the creation of a new AI security research laboratory.
“Ukraine provides a great example, because it has displayed unimaginable courage and innovation in the face of a daily barrage of cyber-attacks. It has worked tirelessly with industry and civilian organisations to bolster its cyber security,” McFadden said.
Cybersecurity market growth in years ahead
According to GlobalData's Thematic Intelligence: Cybersecurity in Defense (2024) report, the global cybersecurity market is forecast to hit $290bn by 2027, growing at a compound annual growth rate of 13% over the period.
Typically, cyberattacks target critical infrastructure in grey-zone operations, part of a hybrid warfare approach that offers a degree of deniability by state actors.
Crucially, analysis indicates that defence companies have adopted a 'zero-trust' model, and collaborate to combat cyber threats.