The UK's Ministry of Defence continues to track Russia's shift of its forces into Ukraine, as troops formerly occupying Georgia have been redeployed. "Russia is redeploying elements of its forces from Georgia to reinforce its invasion of Ukraine. Between 1,200 and 2,000 of these Russian troops are being reorganised into 3 x Battalion Tactical Groups." That doesn't seem to have been part of the force generation plan. "It is highly unlikely that Russia planned to generate reinforcements in this manner and it is indicative of the unexpected losses it has sustained during the invasion."
Attempting to evolve rules of cyber conduct during a hot hybrid war.
A meeting this week of the United Nations' "open-ended working group for security and the use of information and communications technologies," a body established some time ago at the instigation of Russia, continued its deliberation concerning international norms of conduct in cyberspace. Bloomberg says the sessions were dominated by sharp Western criticism of Russian cyber aggression and misconduct and Russian rejoinders to the effect that it, and nobody else, is really the injured party in cyberspace. Vladimir Shin, the Russian representative, said that accusations of Russian cyber offensives were "completely unfounded," and that he was confident he spoke for "the silent majority."
The technique of unlikely insistence was also seen earlier this week in a statement issued by Russia's Ministry of Foreign Affairs. Remarkable for mendacity even by the low standards of Russian diplomacy, the Ministry's statement is worth reading in full as a distillation of Moscow's talking points about its hybrid war.
In truth there are indeed hacktivists (or "anti-Russian IT professionals," as Moscow puts it) working against Russia and in sympathy with Ukraine's cause. Some of their activities are risky, posing as they do an implicit threat to software supply chains. Checkmarx describes more protestware, open-source code written to make an ancillary point (Russia get out, stop the war, down with Putin, etc.) in addition to performing its other functions. The latest protestware, like its predecessors, was found in two NPM packages widely used by developers, "styled-components" and "es5-ext". The protestware is written with features intended to prevent it from executing anywhere other than on Russian devices, but it's wishful thinking to assume that the safeguards will always and everywhere work as intended.
Waiting for major Russian cyber operations.
The widespread and damaging Russian cyber campaign against Ukrainian and Western targets that's been widely expected has yet to appear, although Russian operators have maintained at least a continuous nuisance level of attacks against Ukrainian networks. But Western authorities continue to warn that such attacks are likely, and that organizations should prepare to withstand them. The US Cybersecurity and Infrastructure Security Agency's (CISA) Shields Up alert is representative. The Register, talking to private sector experts, notes that Russian cyberattacks have increased over the past month, and that industry sees itself as having a narrow window in which it can improve its resilience to such attacks. ExtraHop CEO Patrick Dennis told the Register that he expects the rising effects of sanctions to increase the likelihood that Russia will retaliate in cyberspace against economic warfare it's unable to counter in other ways.
Viasat terminals were hit by wiper malware.
SentinelLabs researchers have concluded that Russian wiper malware, specifically a variant they call AcidRain, was deployed against Viasat modems, and Viasat has substantially confirmed SentinelLabs' analysis. "AcidRain is an ELF MIPS malware designed to wipe modems and routers," the researchers explain. "We assess with medium-confidence that there are developmental similarities between AcidRain and a VPNFilter stage 3 destructive plugin. In 2018, the FBI and Department of Justice attributed the VPNFilter campaign to the Russian government." AcidRain is the seventh wiper deployed against Ukraine since the beginning of its hybrid war, the others being WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero. The Viasat attack is noteworthy because it alone had significant spillover into operations outside Ukraine proper. It's regarded as the most serious cyberattack of Russia's war so far, and the most likely suspect is the GRU's Sandworm APT.
Additional US Treasury sanctions.
The US Treasury Department yesterday announced new sanctions against Russian actors implicated in the war against Ukraine. The sanctions concentrate on "sanctions evasion networks," for the most part elaborate shell companies, but they also include measures against those responsible for the Triton attack against a Saudi petrochemical plant.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.