Intelligence in the Russia-Ukraine War

March 30, 2022

Images posted by Ukrainians on social media can be crawled by the Russian Intelligence Service (RIS) and evaluated with intelligence algorithms.
Ukrainian servicemen seen along the frontline outside of Svitlodarsk, Ukraine on January 30, 2022. Photo by Stringer via Anadolu Images

Following the Russian invasion of Ukraine, intelligence activities by the Russian Intelligence Services (RIS) in Ukraine have come under the global spotlight. The RIS consists of three components: the FSB, the domestic security service; the SVR, the foreign intelligence service; and the GRU, the military intelligence service. The FSB and the SVR are hierarchically linked to the Russian President Vladimir Putin, while the GRU is directly accountable to the Russian Armed Forces General Staff.

The Russian GRU is active in Ukraine, and there is information available in open sources allowing for the close examination of its operational capabilities. It’s worth remembering the Georgia experience in 2008 when the GRU failed terribly, shaking the credibility of the RIS. The appointment of Igor Sergun as the GRU director in 2011 was a turning point.

Thereafter, the GRU became successful in both planning cyber-operations and coordinating the activities of special forces units and pro-Russian separatists, especially before and during the Russian intervention in Ukraine in 2014. This increased Sergun’s prestige and power; however, in January 2016, Sergun died suddenly and unexpectedly from a heart attack at a relatively young age—a development that has been considered suspicious by some western sources.

The success of Sergun’s term at the GRU is related to the principles set by the Russian Chief of Staff Valery Gerasimov, outlined in the article “The Value of Science in Prediction” published in the newspaper Military-Industrial Courier in 2012.

With the Gerasimov Doctrine, Russia aimed to manage the close combat processes with less conventional means in order to reduce human loss and the costs by incorporating non-military methods into its military capacity.

This method entails the coordinated use of cyberattacks, psychological warfare, demoralization to break defense resistance, and damaging the target countries’ economy through demolishing their critical infrastructure. These methods have been actively used since 2014 in Russia’s military mobility and intelligence activities in Ukraine.

Russian Intelligence in Ukraine

In general, intelligence activities and operations in war zones follow certain patterns. RIS intelligence operations in Ukraine may have been affected by the environment of war as it becomes difficult to run an agent network, and to obtain intelligence from the existing personnel network at the right time. Therefore, the RIS may be interrogating Ukrainian prisoners of war for intelligence on Ukraine’s possible action plans.

Another source of intelligence for the RIS is the observations of pro-Russian locals as they observe the moves of the Ukrainian security forces firsthand. The RIS can use locals as an early warning network mechanism effectively. Interviewing people who have planted themselves among the refugees pretending to be ones is also a potential source of intelligence for the RIS, which will also be looking for electronic intelligence (ELINT) and signal intelligence (SIGINT) during the war.

Images posted by Ukrainians on social media can be crawled by the RIS and evaluated with intelligence algorithms, which can generate valuable information about regular and irregular Ukrainian security forces. Likewise, snapshots provided by satellites and UAVs are of crucial intelligence for the RIS.

Another important RIS task is countering and responding to disinformation in favor of Ukraine. Information obtained by friendly intelligence services, notably by Belarus, is important, and there is little doubt that the Russian hacker ecosystem associated with the RIS will also be actively used in the war.

Intelligence at Work during the Russia-Ukraine War?

There are some observable and striking shortcomings of Russian intelligence. Russia’s strategic intelligence on Ukraine seems to be flawed. It is reasonable to speculate that Russian intelligence has a deficiency and that intelligence is being leaked to Ukraine, a former Soviet territory.

It would appear that geographical factors—namely the weather and terrain conditions—the resistance ability of the Ukrainian army, the will of the Ukrainian people, and Zelenskyy government’s determined stance are being ignored by Russia. The Russian government seems overconfident in its military capacity.

The main actor of Russia’s tactical intelligence in the conflict zone is the GRU. It is not difficult to guess that the “civilian saboteurs,” who were caught in cities such as Kyiv, Kharkov, and Odessa, were organized by the GRU.

On the other hand, Ukraine seems to have accurate and timely intelligence by NATO member states. The Ukrainian intelligence service (SBU) is showing an effective counter-espionage capacity to Russia’s intelligence activities. For example, Denis Kireev, an important figure in the Ukrainian intelligence, who participated in the ceasefire talks between Ukraine and Russia, was detected spying on behalf of Russia and shot dead while resisting arrest.

The cyberspace struggle is another dimension of the conflict. Ukraine declared “cyber mobilization” on February 25, 2022, in the struggle against Russia: cyber teams formed with the participation of more than 500 hackers started carrying out DDoS (distributed denial-of-service)-based attacks on the Russian national cyberinfrastructure.

Information available in open sources shows that both Ukraine and Russia are carrying out cyberattacks against each other’s critical infrastructures. Russia received an unexpected cyberattack response from Ukraine in the first week of the war.

Russia was on the receiving end of a scraping cyberattack with the involvement of several non-Ukrainian hacker groups on the Ukrainian side. Their cyberattacks damaged Russia economically, while the internet infrastructure of Sberbank, one of the largest banks in Russia, was hacked.

In addition to Russia’s financial sector, Russian TV channels and the websites of government institutions were targeted by cyberattacks. The hacker groups operating against Russia may have been supported by Western intelligence services. One of the most outstanding supports to Ukraine in cyberspace came from the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), which announced that Ukraine will become a member of the center as a “contributing participant.”

Cyberattacks from Russia intensified against the critical infrastructures of European countries, which declared their support for Ukraine. According to news on social media, Russian cyber threat actors such as Conti, APT28, APT29, Turla, CyberBerkut, Sandworm, Gamaredon, and GhostWriter target not only Ukraine but also conduct cyberattacks against NATO, Europe, and the United States.

In addition to the cyberspace struggle, mutual disinformation activities continue on social media. The RIS and Ukrainian intelligence supported by Western intelligence services stand behind these disinformation activities. In fact, Western media sources have aptly described the current Russia-Ukraine war as the first “TikTok war” in history.

Ali Burak Darıcılı's areas of expertise cover cyber security, cyberspace, intelligence, security, and terrorism. Darıcılı has a 15 years long career as a Case Officer in the Department of Intelligence and Security in the Prime Ministry of Turkey. Since 2017, Darıcılı has been working as a full time associate professor in the Department of International Relations at Bursa Technical University.