Russian forces remain stalled (see the current situation map from the UK's Ministry of Defence) and continue to resort to the area-destruction tactics they used against Syrian cities when Russia propped up the Assad regime (CNN has a reminder of what happened in Syria). Ukrainian forces have begun to see some success in their counteroffensive, retaking ground near Kyiv and in other parts of the country. Reuters reports that the British government sees "a shift in momentum" in favor of Ukraine. In the south, Ukrainian forces have, CBC reports, destroyed a large Russian amphibious warfare ship (the Saratov, not, as early reports had it, the Orsk) in the Sea of Azov. The ship is said to have been carrying armored vehicles intended for Mariupol, where savage fighting continues, and it's also said to have been the first Russian vessel to enter the captured small port of Berdyansk.
Russia's Foreign Ministry yesterday shared its take on Russian progress in Ukraine: "Exactly one month since the start of the special military operation in #Ukraine; it is going according to plan, and all the stated goals will be achieved. Life is returning to normal in the territories already liberated from nationalists." No one else sees it quite this way.
"The dark art of the possible."
Two indictments against Russian government personnel that the US unsealed yesterday are widely taken as showing the sort of active threat Russian operators pose to critical infrastructure. US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly applauded the Justice Department over Twitter: "Good to see @TheJusticeDept indictments on Russian state-sponsored cyber actors. Along with our #FBI & @DOE_CESER teammates, we’re releasing a Cybersecurity Advisory w/info & actions to defend against related threats to the energy sector: http://go.usa.gov/xzwBe." An unnamed Justice Department official told the Guardian, "These charges show the dark art of the possible when it comes to critical infrastructure."
The Washington Post reported this morning that, while the US Government has yet to make a public announcement of the determination, US intelligence analysts have now attributed the attack against Viasat services to Russia's GRU, the country's military intelligence service.
Ukraine has for some time claimed that Russia was behind the cyberattack, which Ukraine's military intelligence services viewed as Russian battlespace preparation. The Post writes, "Asked this week whether Ukraine knew who was behind the attack, Victor Zhora, deputy head of the State Service of Special Communications and Information Protection, Ukraine’s main cybersecurity agency, said: “We don’t need to attribute it since we have obvious evidence that it was organized by Russian hackers to disrupt the connection between customers that use this satellite system.” He added: “Of course, they were targeting the potential of [the] Ukrainian military forces first as this happened just before the invasion.”"
California-based Viasat, which hasn't offered any attribution of the incident, told Air Force Magazine how it was accomplished: “The ground management network … that manages the KA-SAT network, and manages other Eutelsat networks—that network was penetrated. And from there, the hackers were able to launch an attack against the terminals using the normal function of the management plane of the network.” The company said the damage was limited. Only users who inherited their service from Eutelsat were affected. “Even on that [KA-SAT] network, none of our mobility and none of our government customers were affected—the controls we have around those users kept them safe.”
Warnings against Russian cyberattacks (which remain relatively restrained).
That Russia has the ability and, up to a point, the will, to conduct cyberattacks against its adversaries in the hybrid war against Ukraine, is not in doubt. But at this stage of the conflict, Ukraine itself remains largely online, and the wiper and distributed denial-of-service attacks it has sustained since the run-up to Russia's invasion haven't seriously impeded access to the Internet. The Record's coverage suggests that this is largely due to the resilience of Ukrainian infrastructure and the hard work of the country's telecommunications sector, but Russia does seem to have pulled its punches. An essay in We Live Security, while cautioning that a major cyberattack certainly can't be ruled out, considers the possibility that Russia's apparent restraint may have been induced by effective deterrence. That would be both deterrence by denial and deterrence by promised retaliation.
Yesterday CISA and the FBI released Alert AA22-083A, "Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector," which provided background on the Russian cyberattacks addressed in the two indictments the US Department of Justice unsealed Thursday. The advice the Alert offers on hardening an organization against similar attacks is comparable to the advice the agencies have been circulating since CISA told everyone to go to Shields Up: familiar but nonetheless sound sets of best practices for both enterprise and industrial control systems.
Varun Talwar, CEO and co-founder of Tetrate, wrote to stress the importance of zero trust. “Enterprises need to secure their data and applications from the inside out, not just the outside in,” Talwar said. “The US government has set and enforced updated security standards and enterprises can use the same approach – implementing zero-trust approaches (ZTA) can immediately protect against cyberattacks of all kinds, whether they come from cybercriminals, freelance hackers, foreign governments or from within the enterprise itself.”
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.