RENEE MONTAGNE, HOST:
Next, we'll look into the hidden world of cyberwarfare. According to security experts, the Russian military is waging a sustained cyber campaign against Ukrainian military and law enforcement agencies. The purpose, to extract a steady stream of classified documents that can aid Russian-backed separatists in ground combat. NPR's Aarti Shahani has this report.
AARTI SHAHANI, BYLINE: The rules of warfare 2.0 or 3.0 are murky. Experts, pundits - they say that cyberwarfare is happening. And it makes sense, but it's been very hard to prove. Lookingglass, a security firm based in Arlington, Va., says it's documented a real-life instance - a cyberwar campaign that's persistent, but not sophisticated.
JASON LEWIS: We didn't think that anything about this was highly advanced.
SHAHANI: Jason Lewis is lead researcher.
LEWIS: They just continued to send the emails and change how they're doing things in a slightly small way.
SHAHANI: Lookingglass says hackers are getting Ukrainian military, counterintelligence, border patrol and local police to open emails with malicious attachments - only they look legit. It's masterful so far as manipulation goes because of what the attackers use as bait.
LEWIS: So I have an example from January 2015...
SHAHANI: It's a Microsoft Word file written in Ukrainian, Lewis says - an overview of the situation at the Russian-Ukrainian border, authored by Ukraine's State Border Guard Service. The words not for distribution are written on it.
LEWIS: So that document appears to be something that was on a Ukrainian military computer.
SHAHANI: Hackers stole it, then sent it to another Ukrainian security agency with the malware hidden inside.
LEWIS: So the idea being that someone would see, oh, this is news for today. Well, let me go and take a look and open it, and then infect their computer.
SHAHANI: Once inside, the hackers could extract more classified intel on the numbers of Ukrainian troops and reconnaissance battalions, the equipment they use, the rebel leaders they want. This so-called spear-phishing attack is the same kind that got Sony Pictures. Lewis, who used to work at the National Security Agency, says military officers are human, too.
LEWIS: You probably have folks that don't know better and will open documents without thinking twice.
SHAHANI: Lookingglass says the attacks focused on combat intel took off in late 2014. That's when Ukraine's acting president declared a military operation against pro-Russian separatists. And interestingly, when both sides negotiated a cease-fire last June, the cyberattacks stopped for that same period, as well.
FRED CATE: Wow, that is - I mean, that is incredibly interesting. It's like the adversaries are actually thinking of themselves as attacking.
SHAHANI: Fred Cate is a cyber-security expert and professor at Indiana University.
CATE: And so they stop those attacks when a cease-fire's in place, as opposed to thinking of themselves as just intelligence gathering, which usually continues even during a cease-fire.
SHAHANI: He says it looks like the hackers see themselves as part of the battlefield. This research is among the few documented examples of cyberwarfare. And while it doesn't pinpoint specific stolen data that reconfigured a specific battlefield, it does reveal the edge of a new weapon against enemies.
CATE: So if you can substitute fake constructions, if you can get them to do the wrong thing, if you can get them to send the troops where you want them sent, this could dramatically alter the way in which we think about warfare.
SHAHANI: And when hacking constitutes an act of war. In cyberattacks, it's hard to know exactly who the hacker is. Lookingglass names the Russian security service, what used to be called the KGB. And when Ukraine declared the same last September, researcher Jason Lewis says, the attackers tweaked their malicious software to slip under the radar again.
LEWIS: They said, oh, we've been discovered. We'll change to this new remote access tool.
SHAHANI: The Russian embassy did not respond to NPR's request for comment. Computer scientist Stefan Savage at the University of California, San Diego, says in many cyber investigations like this one, the evidence is circumstantial. Researchers have the digital version of tire tracks and gun casings, not the DNA and fingerprints. But from a technical standpoint...
STEFAN SAVAGE: There's not a fundamental limitation that would mean that only Russians could have carried it out. Then the question has to be, who else would have the motivation to do it, because this is a significant piece of work. It's effort.
SHAHANI: Lookingglass says neither country is its client, and it was not able to investigate if Ukraine is hacking Russia, as well. Aarti Shahani, NPR News.
[POST-BROADCAST CLARIFICATION: Lookingglass has base offices in both Arlington, Va., and Baltimore. The audio of this story mentions only Arlington, and previous Web versions mentioned only one or the other.]