Week 6: Weapons of Digital Destruction
01001000 01100101 01101100 01101100 01101111 00100000 01100101 01110110 01100101 01110010 01111001 01101111 01101110 01100101 00100001 00100000 01010111 01100101 01101100 01100011 01101111 01101101 01100101 00100000 01100010 01100001 01100011 01101011 00100000 01110100 01101111 00100000 01110111 01100101 01100101 01101011 00100000 01110011 01101001 01111000 00100000 01101111 01100110 00100000 01101101 01111001 00100000 01110000 01110010 01101111 01101010 01100101 01100011 01110100 00100001 00100000
For those who don’t speak in binary code: Hello everyone! Welcome back to week 6 of my project!
This week, I’ve focused on the role of OSINT in the cyber war between Russia and Ukraine, where electronics and computers dominate a digital battlefield. Let’s get into it and crack this code!
As a refresher, for weeks 5-7, I am focusing on the use of OSINT in tactical intelligence (TACINT). TACINT is actionable data that can directly be given to troops and be used on the mission level. Although cyber threats may seem vague and contained to a digital realm, Russian attacks on Ukrainian military computers and critical infrastructure have significantly contributed to the invasion.
This week, I was going into a topic where I had very minimal experience and knowledge of the subject, so I started with definitions. Most sources define cyber intelligence as collecting data from cyberspace, a self-explanatory description that I was confused to not see expanded on. I soon discovered the reason for the lack of a more specific definition – a lack of consensus on what cyberspace includes. CYBINT is difficult to formally define because of the fast-paced evolution of electronic warfare, but attacks such as ransomware, malware, and phishing are common attacks by Russia on Ukraine and typically fall under the jurisdiction of CYBINT.
After defining CYBINT, I learned how open-source cyber intelligence (OS-CYBINT) works within the intelligence cycle. During the preparation phase, CYBINT attempts to discover cybersecurity issues through sources such as public records and past breach history, contrary to other methods of intelligence that begin the cycle with the issue in mind. Then, during the collection phase, analysts use sources like domain registration, dark web marketplaces, and social media to expand upon the problems they’ve discovered. Next, during the processing phase, analysts condense the huge amounts of digital data available by categorizing malware strains and eliminating data redundancies. After that, they begin drawing conclusions from that data in the analysis stage. Last, the dissemination phase, just like in other forms of intelligence, involves reporting the data to military/governmental groups that create responses.
The OS-CYBINT intelligence cycle also includes specific subsections of OSINT. When interacting with data on the internet, our digital footprint is constantly tracked. Because of this, there are two key methods of OS-CYBINT – active and passive OSINT. Active OSINT involves engaging with the target where your IP address or other identifying information may be revealed (Pagnotta, 2025). An example of active OS-CYBINT is Google Dorking, a specific search technique to undercover sensitive information on the internet. Passive OSINT, on the other hand, is collecting information by not engaging with the target. Active OSINT may provide more valuable information, but it has its security risks (Pagnotta, 2025).
After understanding the basics of CYBINT, I researched the general roles of OSINT in cyber defense. I broke this down into 3 main roles:
- Threat Detection: Similar to how Russian soldiers might post the details of a potential kinetic attack on social media platforms, potential cyber threats may also appear on various public digital forums. OSINT collectors monitor platforms and track past breach data to disseminate prevention mechanisms.
Example of Threat Detection: Public Breach Records From the National Vulnerabilities Database - Ethical Hacking: In some cases, vulnerabilities may be present but not visible at first glance. Ethical hacking is taking proactive action to safely discover breach points. OSINT data, such as exposed assets and open ports, can be used to fix vulnerabilities.
- Incident Response: Just like in other weeks, OSINT again has a purpose of getting defense information fast. If preventive or proactive OSINT measures fail, OSINT data on the scale of the attack can be used to create targeted responses to specific locations, strains of malware, etc.
In addition to having roles in defense, however, cyber criminals such as Russian state organizations and associated independent groups also use OSINT for offensive cyber operations. Their uses of OSINT include:
- Phishing: Cybercriminals use corporations’ websites, social media bios, and other online postings to identify victims or create realistic phishing emails (scam emails that contain links to malicious websites).
- Data Harvesting: In the same way defense OSINT collectors find vulnerabilities to protect them, cybercriminals find vulnerabilities to exploit them. While monitoring potential leaks, they also look for exposed passwords and emails.
- System Exploitation: Cybercriminals will use open-source data, such as information from identity theft or databases, to attack systems.
Now that we have established the foundations of OS-CYBINT, it’s time to apply this to conventional warfare in the Russian invasion of Ukraine. Russia has an extensive history of launching cyber attacks on Ukraine to maintain physical and psychological control over the nation. During the 2010s and the invasion of Crimea, Russia attacked the Ukrainian electrical grid, airports, water treatment plants, and military computer systems (Tech4Humanity Lab at Virginia Tech, 2023). In the year leading up to the invasion, Russia targeted critical infrastructure, including energy plants (oil/gas), agriculture, and healthcare. In 2022, Russia launched a successful coordinated cyber-kinetic attack on the Viasat satellite and a Ukrainian news agency. These joint attacks are more threatening to Ukraine because they can take out computer recovery and detection systems while hitting sites with air strikes or artillery. In the days leading up to the invasion, Russia began to run malware on 300 government systems and took out communications systems, which made troop mobilization near impossible (Tech4Humanity Lab at Virginia Tech, 2023). During the invasion, the FSB and GRU (Russian defense intelligence organizations similar to the U.S. FBI and CIA) have continued to launch attacks on government emails, civilian critical infrastructure, and the minds of civilians and soldiers through disinformation.
When considering the role of OSINT in the invasion, the cyber front has been different from previous examples. Ukraine has dominated the use of OSINT in kinetic defense and countering disinformation, but in the cyber war, Russia has been the actor taking advantage of OSINT. An example of this occurred in January 2023 when the FSB’s 18th Center Hacking Group, Gamaredon, used the social media forum, Telegram, to connect Ukrainian-based IP addresses to corrupt military computers. A month later, in February 2023, Gamaredon ran a phishing campaign on Ukrainian government organizations’ emails (Tech4Humanity Lab at Virginia Tech, 2023). OSINT has so far played the role of the cybercriminal, highlighting the importance of information security.
Because I am not a cybersecurity expert, my OSINT collection this week focused on building my databases to suggest short-term plans for Ukrainian defense. These open-sourced databases have been helpful to Ukraine because, typically, newer Russian attacks mimic previous malware/ransomware strains, so they can learn from past attacks to recognize threats faster. Thus, I practiced threat detection by tracking past Russian breaches. I organized substantial previous attacks into the categories of type of attack, organization carrying out the attack, target, and impact. I’ve inserted a spreadsheet presenting that data.
Based on these previous attacks, cybersecurity experts at CISA have suggested that Ukraine implement relatively simple solutions. These include implementing multi-factor authentication on government computers, monitoring Remote Desktop Protocols, and providing user awareness training to citizens. Others have recommended continuing to receive support from Western technology companies and updating current software. In the long term, it is recommended that Ukraine use network segmentation, which would make it more difficult for ransomware to spread between units (Tech4Humanity Lab at Virginia Tech, 2023). The main takeaway from these suggestions is that Ukraine must develop infrastructure to detect and respond to cyber threats fast, and OSINT may be a method of doing this. Additionally, Ukraine must continue to prevent joint cyber-kinetic threats that could cause major damage to defenses.
I finished up the week by meeting with Mr. Franklin. We discussed the evolution of electronic warfare through the acronym MIJI. MIJI (meaconing, intrusion, jamming, interference) was the tool used for electronic warfare back in the Cold War era by targeting different wave signals. Meaconing (receiving and rebroadcasting radio signals to confuse navigation), in particular, has been noted as an outdated measure, and digital warfare has expanded much beyond only using signals. We then discussed methods to prevent Russia from achieving successful joint cyber-kinetic attacks. He mentioned that the methods are complex, but Ukraine must get better at quickly identifying and patching the threat, and that attribution can come later in the process. Lastly, we discussed parallels between Russian and U.S. intelligence bureaucracies. A common reason why Russian attacks do not create impacts to the extent of Western predictions is because of deep competition and a lack of coordination between the FSB and GRU. I figured this was not unique to Russia, and Mr. Franklin confirmed that the lack of communication between the CIA, FBI, NSA, DIA, NGA, each military branch’s intelligence commands, and many more intelligence agencies did create a threat to U.S. national security.
That’s all for week 6! Thanks for following along!
References:
Pagnotta, S. (2025, February 14). OSINT Framework: How Open Source Intelligence Powers Cybersecurity. Bitsight. Retrieved April 15, 2025, from https://www.bitsight.com/learn/osint-framework
Tech4Humanity Lab at Virginia Tech. (2023, April 27). Ukraine War OSINT Analysis: A Collaborative Student Report. Virginia Tech Department of Political Science. Retrieved March 31, 2025, from https://tech4humanitylab.clahs.vt.edu/wp-content/uploads/2025/03/UkraineWarOSINTAnalysis-ACollaborativeStudentReport-SM-1.pdf