At a glance.
- Disinformation at the operational level.
- Disinformation at the tactical level.
- Disinformation as provocation and pretext.
- Beijing's take on the "Clean Internet."
Disinformation as operational battlespace preparation.
While the influence operations commonly seen appear to serve strategic goals (eroding an adversary's civil society, for example, moving opinion among targeted groups in some desired direction, undermining hostile alliances, and so on), they can also have operational and even tactical purposes.
Reuters reports that a "massive" cyberattack hit Ukrainian government websites at the end of last week. Websites operated by the Ukrainian Cabinet and at least seven ministries were affected. Some of the defacements told their Ukrainian audience to "be afraid and expect the worst." The message, posted in Ukrainian, Russian, and Polish (all related Slavic languages commonly spoken in Ukraine), read, in the Record's "rough translation": "Ukrainian! All your personal data has been sent to a public network. All data on your computer is destroyed and cannot be recovered. All information about you stab (public, fairy tale and wait for the worst. It is for you for your past, the future and the future. For Volhynia, OUN UPA, Galicia, Poland and historical areas."
The Moscow Times reported that Ukraine's SBU said services had been restored to normal within hours of the attacks. The attacks don't appear to have been doxing operations.
Ukraine's ministry of digital transformation argued that the cyberattacks represented, at one level, disinformation in the service of influence operations. "Its goal is not just to intimidate society, but to destabilize the situation in Ukraine by stopping the public sector's work and undermining Ukrainians' confidence in their government." Another senior Ukrainian official, Serhiy Demedyuk, sniffed at the low quality of the Polish-language site defacements ("It is obvious that they did not succeed in misleading anyone with this primitive method"). But such efforts seem at least partially directed at opening fissures in civil society that might serve to weaken resistance to any Russian incursion.
Kremlin spokesman Dmitry Peskov denied any involvement in any of the incidents, saying in a CNN interview, “We have nothing to do with it. Russia has nothing to do with these cyber-attacks. Ukrainians are blaming everything on Russia, even their bad weather in their country.”
Disinformation as tactical deception.
The cyberattacks may also have been intended to provide cover for other, more destructive operations. Demedyuk said that Ukraine viewed last week's website defacements as misdirection, and not operations to be taken at face value. "The defacement of the sites was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future," he said. Follow-on communications by the attackers suggested that the incident was a ransomware campaign, but that too seems not to be the case.
Microsoft said last Saturday that its researchers were confident that the attacks involved the use of a wiper, that is, malware whose intent was the destruction of data, not their temporary denial (as in a conventional ransomware attack) or their theft. The operation is being called "WhisperGate," and Microsoft has given the unidentified threat actor behind it the temporary tracking identifier DEV-0586. The Microsoft Threat Intelligence Center (MSTIC) reported:
"While our investigation is continuing, MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom....
"Given the scale of the observed intrusions, MSTIC is not able to assess intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine. We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post."
The attack was, Microsoft says, a two-stage operation. Stage one overwrote the Master Boot Record "to display a faked ransom note." That bogus ransom note said:
"Your hard drive has been corrupted. In case you want to recover all hard drives of your organization, You should pay us $10k via bitcoin wallet 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65 with your organization name. We will contact you to give further instructions."
This is implausible as ransomware for a variety of reasons. The same payload was observed in all of WhisperGate's victims, and that's unusual for criminal ransomware, which usually employs customized payloads. It's also unusual for an initial ransom notice to specify an amount of ransom or a cryptocurrency wallet, or, for that matter, to specify Tox as the only mode of contact. There was also no evidence of a recovery mechanism--the Master Boot Record was simply overwritten. And there was no custom ID provided for each victim, which has also been a routine feature of criminal ransomware.
Stage two of the attack installed file-corruption malware. That malware is still undergoing analysis. Microsoft has provided a set of indicators of compromise (IOCs) organizations can use to assess their risk.
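The stage-one behaviour described above, overwriting the Master Boot Record so that the machine shows a note instead of booting, leaves a footprint a defender can check for on disk images or forensic sector dumps. The following is an added example written for this digest, not code from Microsoft, the Record, or any WhisperGate sample: a small Python parser for a 512-byte MBR sector that validates the 0x55AA boot signature, decodes the four partition-table entries, hashes the bootstrap-code area against a known-good baseline, and flags a bootstrap area that is mostly printable text (a note where boot code should be). Both sample sectors, the "clean" one and the "overwritten" one, are constructed here for illustration; the note text, threshold, and function names are the example's own assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bootstrap code area precedes the partition table
PARTITION_TABLE_OFF = 446
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR
TEXT_RATIO_THRESHOLD = 0.8    # assumed heuristic: boot code is rarely >80% printable


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte MBR partition entries (status, type, LBA start, size)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        # layout: status(1) CHS-start(3) type(1) CHS-end(3) lba_start(4) sectors(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (plus tab/LF/CR)."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def assess_mbr(sector: bytes, baseline_sha256: str = None) -> dict:
    """Triage one MBR sector; returns findings that point to an overwritten boot sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    partitions = parse_partition_table(sector)
    if all(p["type"] == 0 for p in partitions):
        findings.append("partition table is empty")
    ratio = printable_ratio(sector[:BOOT_CODE_LEN])
    if ratio > TEXT_RATIO_THRESHOLD:
        findings.append(f"boot code area is {ratio:.0%} printable text")
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("boot code hash differs from known-good baseline")
    return {"boot_code_sha256": digest, "partitions": partitions,
            "findings": findings, "suspicious": bool(findings)}


def build_clean_mbr() -> bytes:
    """Constructed stand-in for a healthy MBR: opaque boot bytes, one NTFS partition, signature."""
    prologue = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"        # cli; xor ax,ax; mov ss,ax; mov sp,7c00h
    filler = (bytes(range(256)) * 2)[:BOOT_CODE_LEN - len(prologue)]
    boot_code = prologue + filler
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)     # bootable NTFS at LBA 2048
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_LEN)
    return boot_code + table + BOOT_SIGNATURE


def build_overwritten_mbr() -> bytes:
    """Constructed stand-in for a wiped sector: note text where code was, table and signature gone."""
    note = b"CONSTRUCTED FAKE NOTE: your drive is corrupted, pay to recover it. "
    boot_area = (note * 20)[:BOOT_CODE_LEN]
    return boot_area + b"\x00" * (SECTOR_SIZE - BOOT_CODE_LEN)


if __name__ == "__main__":
    baseline = assess_mbr(build_clean_mbr())["boot_code_sha256"]  # record this from a known-good host
    for label, sector in (("clean", build_clean_mbr()), ("overwritten", build_overwritten_mbr())):
        result = assess_mbr(sector, baseline)
        print(f"{label}: suspicious={result['suspicious']} findings={result['findings']}")
```

In practice the baseline hash would be recorded from a known-good system of the same build and the sector read from a disk image (for example the first 512 bytes of a raw `dd` capture), and a hash mismatch alone is worth a look even when the signature and partition table are intact, since a wiper need not destroy both.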
The use of a wiper that posed as ransomware had been previously observed in the NotPetya and BadRabbit campaigns, both of which, the Record reminds its readers, were unambiguously attributed by the Five Eyes to Fancy Bear, Russia's GRU military intelligence service.
Disinformation as provocation, a pretext for kinetic military operations.
The cyber operations, coming as they do as Russian troops are reported to have marshaled in assembly areas near the Ukrainian border, have been received by NATO as battlespace preparation. The US has said that the cyberattacks have the hallmarks of a disinformation operation intended to afford Russia a pretext for military action.
Some disinformation is disinformation of the deed, and in this case the US in particular has warned that Russia may be preparing kinetic acts of sabotage or terror as provocations that would provide a pretext for a full-scale invasion. White House press secretary Jen Psaki said, “The operatives are trained in urban warfare and using explosives to carry out acts of sabotage against Russia’s own proxy forces.” US Department of Defense spokesman John Kirby said that Russia was preparing a provocation "designed to look like an attack on ... Russian-speaking people in Ukraine, again as an excuse to go in.”
China says it's unmasked the US Clean Internet.
China's Global Times, picking up on some remarks by a former British official, says that the US objective behind its Huawei ban was "coercive diplomacy." The long-term goal, China's Foreign Ministry explains, is the suppression of China's tech industry to the economic advantage of its American competitors. RT picked the story up, lending some opportunistic Russian amplification to the Chinese line.