Walking Into Spiderwebs: Unpacking the Ukraine Drone Attack

In the rapidly evolving landscape of modern warfare, technological innovations have contributed to some particularly stunning moments on the battlefield. Few compare, however, to the feat the Ukrainians pulled off on June 1, in an audacious and historically significant attack on Russian military infrastructure. The attack, codenamed “Operation Spiderweb,” was a massive special operation carried out by the Security Service of Ukraine (SBU) to target multiple Russian air bases, with a particular aim of destroying Russian bomber aviation fleets. The Ukrainian SBU claims that they struck 41 aircraft, although independent assessments have currently identified only about a dozen targets.

Operation Spiderweb was uniquely clever. Taking a page from the Greeks, the Ukrainians built their own Trojan horses—dummy modular wooden houses, containing special drone carriers inside the “roofs.” These unsuspecting, faux homes were then transported within a few kilometers of the targets, allowing the Ukrainians to penetrate deep inside Russia. Moments before the attack, the roofs were remotely opened and the attacking drones were released, which the Ukrainians operated under long-range control.

Operation Spiderweb has effects that will continue to inflict remarkable damage long after June 1. Russia now has to consider any ISO container a potential Ukrainian aircraft carrier, necessitating significant economic investment and carrying consequences for national morale. The Ukrainian attack is unlikely to be the last, as technological innovations make the possibility of a fully autonomous strike increasingly probable—with implications extending beyond the Russia-Ukraine conflict.

Unpacking the Operation

This was no easy operation. The SBU required months of meticulous planning, technical skill, and no small amount of luck to conduct the strike. This attack also demonstrates the unique nature of small drones: Their ability to adeptly deliver a small quantity of explosive, with substantial precision and a large range, means that any soft target, such as parked aircraft, logistics hubs, unfortified command centers, and political operation centers can be held at high risk.

At the same time, the attack revealed the current limitations of drone technology. While some have claimed that Ukraine used fully autonomous drones, there has been no substantiation of this. Rather, released footage suggests that they used Ardupilot (an open-source autopilot), which is able to navigate the drones to preplanned waypoints, where the drone can then either proceed to the next waypoint or wait for further commands.

The drone-eye footage released also showed the drones moving at the sedate speed of a DJI camera drone. Yet the actual race-drone-derived chassis (identified by others as probably this one from Osa) are capable of moving significantly faster: 40 meters/second (m/s) instead of the sedate 10 m/s seen in the extended videos. The first segment in one of the initial videos specifically shows a drone landing on the target’s wing. This is all expected behavior for a manually controlled drone over a higher latency network connection.

At the final waypoint, it appears operators took manual control of the drones and directed them at available targets. Such a design makes sense given the operating environment. These drones clearly have a digital control link—effectively, a network connection. (The alternative way for small drones to transmit video signals, an old-school analog broadcast, would have static not seen in the videos.) Ardupilot specifically supports receiving data over network connections when relayed through a suitable on-board host computer.

A fully autonomous attack would have unfolded differently. With full autonomy, there would have been no need to space out the launch. Instead, an autonomous swarm could launch, for example, 20 drones at once, which would both overwhelm defenses and ensure that any human-mediated defenses (such as enabling widespread jamming or shotguns) would have no time to react.

With full autonomy, fixed-wing drones would have been a better candidate for carrying out the attack. Fixed-wing drones are harder for humans to control and are unable to hover, but the benefits are substantial. Autonomy eliminates the difficulty involved in controlling a fixed-wing drone, and in return they are almost an order of magnitude more energy efficient than a quadcopter, enabling either a larger payload or a substantially longer range for the same amount of money.

Immediate Implications

The attack has likely significantly disrupted Russian bomber forces and airfield operations. Even the minimum confirmed damage assessment—of eight Tu-95 bombers, four Tu-22M3 bombers, and one An-22 transport—suggests that the strike was quite destructive. There were an estimated 50 Tu-95s, 50 Tu-22M3s, and 11 An-22s in Russian service before this strike, so even conservative estimates would equate to a significant blow. These sorts of aircraft are effectively irreplaceable, as there is no longer any production (the last Tu-95s and Tu-22M3s rolled off the assembly line in 1993), and replacement designs are years behind schedule

Beyond the loss of military capability, the attack is likely to cause economic and psychological damage as well. The strike is not only embarrassing for the Russians—they must now live with the paranoia of knowing that every ISO container is a potential Ukrainian aircraft carrier. Such containers are not rare: Russia processes millions a year. We have already started to see the insidious effects of paranoia of this scope and scale, nicknamed “truck phobia” on Twitter, with reports of massive traffic jams from trucks being inspected and wide-scale disruptions to internal transportation systems.

Searching these containers—with over 6 million TEUs (twenty-foot equivalent units) processed just at the ports—not only would be impossible but also poses a significant financial burden. Ukrainian ingenuity makes the problem even more difficult. Rather than filling an entire launch container, which could hold a swarm of hundreds, the Ukrainians slyly created a false top, under which the drones were covertly concealed. It would take careful measurement—or even an X-ray examination, rather than a cursory inspection—to distinguish between a normal cargo load and one that is a trap.

This creates substantial volatility for modern logistics, which rely heavily on the ability to coordinate everything remotely. To add to the damaging psychological effects of an operation like this, the Russian drivers of the Russian-contracted trucks appeared wholly unaware of the true nature of their payloads, a very common situation when hauling containerized freight. The notion that drivers may now be personally responsible for some form of “know your customer” will undoubtedly further disrupt civilian logistics in Russia, and it invites the type of suspicion and distrust that can further erode cooperation and efficiency.

Another likely victim of the ensuing chaos will be Russian cell-phone networks. The digital data-links displayed by Ukraine were of high quality. In terms of engineering, there are no suitable satellite transmitters small enough to fit into the drones themselves, and relaying directions to a satellite uplink on the launcher would be needlessly complex, especially with the bidirectional, digital data-link required.

The simple solution for Ukrainian engineers would be to couple an Ardupilot-based autopilot, a small computer like a Raspberry Pi, and a cellular modem. Ardupilot would fly the aircraft while the Raspberry Pi would handle communications. All these components would easily fit into the drones Ukraine used. Assuming the Ukrainians did use cellular links, this would significantly disrupt Russian communication networks. In the future, all possible Russian targets will need the ability to disable nearby cellular networks without notice. Obtaining this capability will require significant reengineering, and various false alarms will undoubtedly disrupt the daily lives of Russian civilians.

Of course, this attack is repeatable. A small drone can rest in a powered-down sleep mode for days or weeks. Thus, a Ukrainian saboteur would only need to smuggle a drone into Russia using whatever new or ancient technique desired, hide it within a 10 kilometer radius of the target and, days later, have a remote operator launch the attack long after the saboteur disappeared.

Looking to the Future

My side research interests have long focused on autonomy in small drones, as the physical hardware to enable basic autonomous operation is remarkably small and low cost. My personal prototype attempts suggest this technology can easily fit within the chassis of a small attacking drone and would cost roughly $200 a copy for the electronics in reasonable quantities.

This, minus the cellular modem, is effectively equivalent to the hardware that both Russian mil-bloggers and I suspect the Ukrainians used. Since this hardware should be capable of supporting full autonomy, the next attack by Ukraine could be fully autonomous, with the drones assessing targets for themselves—without an operator. This would eliminate the need for a reliable data-link.

Adding autonomy further complicates the defender’s situation. Autonomy would allow the attack to utilize much more efficient fixed-wing drones, increasing the range to perhaps 50 kilometers from point of launch (or even further if launched from a high-altitude balloon/missile sponge). Getting a 100 kilogram payload—enough for a flight of 20 drones—to within 50 kilometers of a target is much easier than getting the same mass to within 50 meters of the target.

To respond to autonomous attackers, similarly autonomous and kinetic defenses would need to be widely deployed. The warning time for an attack from a low-altitude swarm is measured in seconds—it is fundamentally impossible to respond until the attacking swarm, moving at perhaps 100 kilometers per hour and 100 meters above the ground, is spotted by a sensor.

This necessitates an automated response from a system that can detect and engage dozens or even hundreds of targets in the space of a few seconds, using weaponry that will not cause significant collateral damage in the event of inevitable false positives.

Autonomous drones like this favor territorial defense rather than attack. Disrupting an opponent’s bomber or logistics infrastructure (as Ukraine did here) is not an effective way to gain territory, but it can cause sufficient destruction to prevent an opponent from gaining territory, inflicting economic pain and damaging morale.

It Is Time to Prepare

These strategies aren’t limited to Ukraine. The next conflict the U.S. may face, even against a relatively remote and otherwise overmatched adversary like Iran, could easily feature similar tactics or new delivery enhancements, such as autonomous narco submarines full of drones. Such potential adversaries are undoubtedly taking notes and, even before Ukraine’s success with this attack, developing their own domestic capabilities.

U.S. and NATO warfighters must prepare both offensively and defensively—preparation that may require the same measures. For example, the best way to detect incoming drones a kilometer away from a base may be to maintain a combat air patrol of small autonomous drones. The image processing for a small drone to identify and track a target is effectively the same as the software to track said drone from a ground-based air-bursting mini-cannon.

Operation Spiderweb was just a preview of what’s to come: Russia may be the first country to walk into this spiderweb, but it is unlikely to be the last.