Russia's current emphasis on the Donbas is a departure from prewar planning, a departure driven by the invasion's failure in the northern part of Ukraine. The British Ministry of Defence yesterday offered a terse rebuttal of President Putin's claim that his war against Ukraine was going according to plan. "The Kremlin says [its] war in Ukraine is going to plan. But it's not. Russia's plan is failing." As evidence the MoD cites the loss of "at least six Russian generals" killed in action, instances of Russian troops turning on their commanding officers, 2151 vehicles, artillery pieces, or aircraft "damaged, abandoned, destroyed or captured" (more than three times the rate of comparable Ukrainian losses), the forced retreat of Russian forces into Russia and Belarus, and Russian aircraft lost to friendly fire. All armies face friction in real war, but Russia's record seems to go far beyond the normal difficulties, and it hardly seems that much at all has gone according to plan.
Industroyer2 and Ukraine's power grid.
The GRU's attempt against the Ukrainian power grid appears to be the cyberattack most people were expecting back in February, especially because of the way it tracked earlier GRU takedowns of sections of Ukraine's power grid. It also appears to have failed, and that failure may be attributed in part to successful Ukrainian defenses as well as to the methods Russia chose to use. In cyberspace as well as on the ground, Ukraine appears to have proved a tougher opponent than Russia expected.
In the December 2015 attacks, the GRU's Sandworm unit pivoted into the grid via spearphishing emails that carried BlackEnergy malware as their payload. The outages it induced lasted up to six hours. The 2016 attack against Ukraine's grid used Industroyer malware (also called Crashoverride), an updated version of which was used in this month's attempt. ESET, which provided some of the initial response to the attacks, did not speculate on how the GRU gained access to the systems it hit, but the Record cited CERT-UA as saying that the attackers moved laterally between different network segments "by creating chains of SSH tunnels." While the overall effect of the recent attempt on the grid may have been negligible, reports obtained by MIT Technology Review indicate that the attack did succeed in taking some electrical substations offline.
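Lateral movement through chained SSH tunnels leaves one trace a defender already collects: every hop in the chain is an `Accepted` login in the sshd log of the hop it lands on, with the previous hop as its source address. The script below is an added example, not code from the briefing or from CERT-UA or ESET; it stitches sshd `Accepted` lines from several hosts into login chains (external source, then host to host) that occur within a short time window. Hostnames, IP addresses and log lines are constructed for illustration, and the host-to-IP map stands in for whatever inventory a real deployment would use. It sees the logins, not the port-forwarding requests themselves, which sshd does not log at the default level.

```python
"""Detect chained SSH logins (A -> B -> C) from sshd 'Accepted' lines.

Added example, not from the briefing. All hostnames, IPs and log lines are
constructed. Assumes syslog-style sshd output where the syslog hostname is
the login destination and the 'from' address is the login source.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: internal hosts and their addresses (normally from a CMDB or DHCP leases).
HOST_IPS = {
    "jump-01": "10.0.1.5",
    "app-02": "10.0.2.20",
    "scada-hmi": "10.0.3.7",
}
IP_TO_HOST = {ip: host for host, ip in HOST_IPS.items()}

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sshd lines gathered from three hosts into one stream.
SAMPLE_LOGS = """\
Apr 12 03:14:07 jump-01 sshd[2201]: Accepted publickey for svc from 203.0.113.9 port 51234 ssh2: RSA SHA256:aaaa
Apr 12 03:14:52 app-02 sshd[913]: Accepted publickey for svc from 10.0.1.5 port 40212 ssh2: RSA SHA256:aaaa
Apr 12 03:15:30 scada-hmi sshd[477]: Accepted password for operator from 10.0.2.20 port 39944 ssh2
Apr 12 09:02:11 app-02 sshd[1022]: Accepted publickey for deploy from 10.0.1.5 port 50001 ssh2: RSA SHA256:bbbb
"""


def parse_logins(text, year=2022):
    """Return one dict per Accepted line: timestamp, source (host name if internal), destination, user."""
    logins = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = IP_TO_HOST.get(m["src"], m["src"])  # known internal IPs become host names
        logins.append({"ts": ts, "src": src, "dst": m["host"], "user": m["user"]})
    return logins


def find_chains(logins, window=timedelta(minutes=30), max_hops=10):
    """Return maximal login chains of two or more hops, as lists of nodes.

    A login into Y from X is chained to an earlier login into X if that
    earlier login happened within `window` before it. Only chains that are
    not a prefix of a longer chain are returned.
    """
    by_dst = defaultdict(list)
    for lg in logins:
        by_dst[lg["dst"]].append(lg)

    def paths_ending_at(lg, depth):
        preds = [p for p in by_dst.get(lg["src"], [])
                 if p["ts"] <= lg["ts"] <= p["ts"] + window]
        if not preds or depth >= max_hops:      # external source or hop limit reached
            return [[lg["src"], lg["dst"]]]
        return [path + [lg["dst"]] for p in preds for path in paths_ending_at(p, depth + 1)]

    all_paths = [path for lg in logins for path in paths_ending_at(lg, 1)]
    chains = [p for p in all_paths if len(p) >= 3]          # at least two hops
    return [c for c in chains
            if not any(o != c and o[:len(c)] == c for o in chains)]


if __name__ == "__main__":
    for chain in find_chains(parse_logins(SAMPLE_LOGS)):
        print(" -> ".join(chain))
```

On the constructed data the 09:02 login from jump-01 to app-02 is a single hop with no upstream login inside the window, so it is ignored, while the three logins at 03:14 and 03:15 are reported as one chain from the external address through the jump host and application server to the HMI. In practice the window should match your session-length norms, and a chain that ends on an OT host from an address outside the expected jump path is what merits an alert.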
Update on last week's distributed denial-of-service attack against Finland.
SecurityScorecard has published a study of the distributed denial-of-service (DDoS) attack against Finnish government sites last Friday. The incident coincided with an address to Finland's parliament by Ukrainian President Zelenskyy, and with a period of speculation that Finland is preparing to apply for NATO membership.
The researchers attribute the DDoS attack to the Zhadnost ("Greed," in Russian) botnet, which they had observed in attacks against Ukraine in late February and early March. SecurityScorecard says it has identified some 350 bots, most of them located in Bangladesh and a range of African countries. "The majority of the bots are MikroTik routers, running various MikroTik services, or devices running Squid Proxy and vulnerable Apache web servers," the report says. Attribution is, as usual, difficult and heavily circumstantial, but SecurityScorecard assesses, "with moderate confidence," that Russian units or some threat actor aligned with Russian interests were responsible for the attack. The consequences of the attack were temporary and not particularly damaging, but the researchers add that subsequent attacks might be more consequential. If one were to bet on form, one would expect the next move from the "Russian cyber threat actor playbook" to include deployment of wiper malware.
Anonymous claims to have doxed Russia's Ministry of Culture.
The hacktivist collective, which is working in sympathy with, if not under the direction of, Ukraine, has released 446 GB of data, emails for the most part, to the DDoSecrets dump site. According to HackRead, Anonymous now claims to have hit the following Russian organizations during Russia's war against Ukraine: Forest, Aerogas, VGTRK, Petrofort, Mosekspertiza, Marathon Group, Capital Legal Services, the Tver Governor's office, the Blagoveshchensk City Administration, the aforementioned Ministry of Culture of the Russian Federation, and the Russian Orthodox Church's Department for Church Charity and Social Service.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.