Social Media Analytics on Russia-Ukraine Cyber War with Natural Language Processing: Perspectives and Challenges

The Russia-Ukraine conflict has seen cyberspace become a battleground where information warfare and cyber attacks support geopolitical objectives. Prior academic studies and news reports indicate significant roles for cyber warfare, including election interference, power grid disruption, destructive malware, surveillance, website defacement, and email leaks, as well as challenges in attribution and deterrence. Key events include Russian operations against Ukraine’s election systems (2014), power grid attacks (2015), NotPetya (2017), WhisperGate (January 2022), targeting of Ukrainian government and military networks, and retaliatory Ukrainian and hacktivist activities, including attacks on separatist and Russian propaganda sites and Belarusian rail infrastructure. In this context, social media platforms offer expansive, real-time, user-generated data that can be used to track incidents, corroborate evidence, attribute actors, assess public sentiment, and monitor propaganda and narratives. This paper aims to analyze the indispensability of social-media-based cyber intelligence for understanding and countering Russia’s cyber threats during the ongoing conflict with Ukraine, leveraging monitoring tools and NLP algorithms (sentiment analysis, entity recognition, word frequency, topic analysis) for proactive defense and attribution. Core contributions: (1) first critical Twitter-based cyber analytics on the Russia-Ukraine cyber war via the Twitter API; (2) innovative use of NLP algorithms (language detection, translation, sentiment analysis, LDA, TF-IDF, Porter stemming, n-grams) on live tweets; (3) a four-dimensional cyber intelligence framework covering geopolitical and socioeconomic, targeted victim, psychological and societal, and national priority and concerns; (4) analysis of 37,386 tweets from 30,706 users in 54 languages (13 Oct 2022–6 Apr 2023) to automatically generate cyber intelligence; and (5) identification of 12 challenges in using NLP on social media for reliable cyber intelligence.

Background Context and Literature: Before 2022, Russia’s offensive cyber operations included low-level cyber vandalism and incidents in Georgia (2008) and Crimea (2014). Since 2014, Ukraine has been a testing ground for Russian cyber activities, including election system compromise (2014), power grid attacks (2015 via Industroyer2), NotPetya (2017), and pre-invasion malware campaigns (e.g., WhisperGate, Actinium), as well as cyber incidents linked to geopolitical developments (e.g., Global Affairs Canada 2022). Ukrainian operations included defacements, hacks of separatist and Russian outlets, Surkov leaks, and disruption of Belarusian rail (2022). A multidimensional analysis of cyber threats emphasizes four lenses: (1) geopolitical and socioeconomic (actors, motivations), (2) targeted victim (impacts on victims), (3) psychological and societal (societal perceptions measured via sentiment analysis), and (4) national priority and concerns (policy and strategic priorities). Prior NLP/Twitter studies have used sentiment analysis to forecast cyber attacks, TF-IDF and classifiers for cyberbullying detection, topic modeling (LDA) to identify themes, and analyses of misinformation (e.g., COVID-19). While elements of NLP have been used sporadically, this study provides a comprehensive and systematic use of NLP techniques for social-media-based cyber intelligence, building upon and extending prior works.

Data source: Twitter. Collection: tweets containing the keywords “cyber” or “hack.” Period: 13 October 2022 to 6 April 2023. Pipeline: (1) Detect language for each tweet using Microsoft Cognitive Services Text Analytics API; (2) Split into English and non-English sets; (3) Translate non-English tweets into English using Microsoft Cognitive Services; (4) Perform sentiment analysis on English and translated tweets, producing fine-grained sentiment scores (negative, neutral, positive); (5) Group tweets by country mentions within text to form country-specific groups; (6) Compute term frequency for each country group; (7) Apply LDA topic modeling to uncover latent themes. Preprocessing includes lowercasing, stop-word removal, removal of markup, and tokenization. Additional NLP tools (e.g., Porter stemming, n-grams, TF-IDF) can be applied; the framework supports further steps shown in algorithms and flowcharts. Mathematical representation: T = tweets with “cyber” or “hack”; partition T into T_english and T_non_english by detected language; translate T_non_english to T_translated; sentiment S(t) for all English and translated tweets; group tweets by country names G; compute TF(g) per group; perform LDA(g) over TF(g). Tools: Microsoft Text Analytics API for language detection, translation, and sentiment; LDA for topic modeling; TF/TF-IDF for term significance. Outputs include per-country topics, key terms, and sentiment dynamics; deployment across desktop, mobile, and tablet platforms (iOS, Android, Windows) for real-time monitoring.

- Dataset: 37,386 tweets from 30,706 users in 54 languages (13 Oct 2022–6 Apr 2023); 8,199 HTTP requests for translations of non-English tweets. - Monthly dynamics (Table 4): tweets, unique users, and unique locations generally increased over time; number of languages remained stable; retweets varied monthly with a peak in Nov 2022; average sentiment scores remained stable across months with higher negative sentiment confidence than neutral and positive; December 2022 had the largest proportion of translations. - Sentiment comparison (Figure 7): average negative sentiment for Russian cyber-related tweets was 0.61, higher than worldwide (0.36) and Ukrainian (0.50) averages. - Topic analysis: For Russia (7 topics), high-weight terms included Russian/cyber/attack/blame/threat; cyber/Russian/Ukraine/FBI; hack/hacking; Russia/Russians/DNC; Russia/Invades/Cyber/attacks; Russia/hacked/cyber; Russian/Putin/using/Trump/story, indicating focus on hacking incidents, attribution, leadership figures, and geopolitical targets (e.g., DNC) and agencies (e.g., FBI). For Ukraine (7 topics), terms emphasized Ukraine/cyber/Russian/Ukrainian/hack and themes of state involvement, threats, infrastructure, roles of organizations, collaboration (e.g., FBI), cyberattacks/cyberwarfare, and awareness. - Regional contrast example: Posts from Australia emphasized scams and health system impacts, policing, data breaches; China-related content differed in subjects and vocabulary. - LDA performance metrics (Table 6) reported for Russia and Ukraine corpora (e.g., loglikelihood, perplexity, coherence), with Russia showing lower perplexity than Ukraine in this configuration.

The study demonstrates that social-media-derived cyber intelligence can illuminate the cyber dimensions of the Russia-Ukraine conflict. The elevated negative sentiment associated with Russian cyber-related tweets (0.61) versus Ukrainian (0.50) and worldwide (0.36) indicates stronger public perception of threat and harm related to Russian activities. Topic models reveal Russia-focused discussions on hacking, attributions, political entities, and leaders (Putin, Trump), as well as institutions such as FBI and references to DNC, reflecting narratives around offensive cyber operations and influence. Ukrainian discourse aligns with defensive postures, threat awareness, protection against leaks, and collaboration with international entities. Country-specific contrasts (e.g., Australia vs China) highlight that local concerns and incidents shape themes, showing the framework’s utility for geographic tailoring. These findings address the research aim by validating that NLP on social media can generate multidimensional cyber intelligence—covering geopolitics, targeted victims, societal perceptions, and national priorities—useful for monitoring, attribution support, and informing counter-messaging and defense strategies. The real-time, multilingual, and deployable nature of the system enhances relevance for practitioners and policymakers.

This work proposes and implements an NLP-driven framework for extracting cyber intelligence from social media in the context of the Russia-Ukraine cyber war. It introduces a four-dimensional model (geopolitical and socioeconomic; targeted victim; psychological and societal; national priority and concerns) operationalized through language detection, translation, sentiment analysis, TF/TF-IDF, and LDA applied to 37,386 multilingual tweets. Results provide granular insights into themes and sentiments associated with Russian and Ukrainian cyber activities, with Russian-related content exhibiting higher negative sentiment. The system demonstrates cross-platform deployment for timely decision support. Future research should integrate multi-source intelligence (e.g., threat databases, AV vendor feeds), enhance robustness against misinformation and fake accounts, reduce reliance on black-box APIs via tunable/transparent models, and improve cross-platform data alignment to increase reliability and generalizability.

- Data quality and misinformation: susceptibility to fake accounts, hoaxes, propaganda, and organized information operations; social media reflects public perception rather than verified ground truth. - NLP errors: sentiment analysis and entity recognition can misclassify; optimization to reduce error adds computational complexity. - Technical constraints: format changes, data overload, need for sophisticated big-data tools; limited coverage with keyword-based collection. - Ethical concerns: privacy, cultural and religious biases, adherence to relevant laws and human rights considerations. - Dependency on third-party APIs and black-box models (e.g., Microsoft Text Analytics) limits fine-tuning and transparency. - Cross-platform alignment: challenges in integrating signals from multiple social platforms (Twitter, Facebook, Instagram) not fully addressed. - Attribution limits: social media alone cannot confirm attackers’ identities or motivations; requires corroboration with external cyber threat sources.