At a glance.
- Possible Iranian information operation connected to the ICRC data exposure incident.
- Hybrid war narratives.
- Hybrid war disinformation.
- Hybrid war provocations.
- Hybrid war influence operations.
The Red Cross believes its data exposure incident was state-directed.
The International Committee of the Red Cross (ICRC) yesterday released an update on the incident it sustained in which threat actors obtained sensitive information about refugees and other vulnerable populations. The ICRC suspects "state-sponsored" actors, but declines to further identify them. They are believed to have gained access to the ICRC's systems by exploiting an unpatched vulnerability (CVE-2021-40539) in Zoho ManageEngine ADSelfService.
KrebsOnSecurity reports informed speculation that the incident was an Iranian influence operation. A persona using the nom-de-hack “Sheriff” in the anglophone RaidForums criminal souk advertised the sale of stolen Red Cross and Red Crescent data. The offer was framed in a way that suggested it was part of an extortion campaign. But “Sheriff’s” email address has been seen before, in an “Iranian-based network of inauthentic news sites and social media accounts aimed at the United States.” That network was engaged in amplifying narratives in Tehran's interests. It’s a possibility only, at this stage more suggestive than dispositive, but interesting nonetheless.
Influence operations in a hybrid war: narratives.
Combat power, typically assessed in crude terms by counting troops and tanks, is one aspect of national power, and Russia hasn't been shy about brandishing the combat power it's staged along its own and Belarus's borders with Ukraine. Other forms of national power are more informational, intensional as opposed to extensional. Russia's Duma applied some such power to Ukraine when it voted to request that President Putin recognize the allegedly separatist Ukrainian provinces of Donetsk and Luhansk as independent republics. This would amount to a unilateral abrogation of the Minsk Accords negotiated in the wake of Russia's 2014 conquest of Crimea. It's noteworthy that Russia initially recognized a Republic of Crimea before a plebiscite (generally regarded as illegitimate) voted to ask that Russia annex the peninsula.
The Atlantic Council's Digital Forensic Research Lab reports some of the disinformation narratives recently used against Ukraine:
- Zelensky intends to "massacre" ethnic Russians.
- The so-called "People's Republic of Donetsk" says there are mass graves of Russians murdered by Ukrainian forces.
- There are unexplained "explosions" in Donetsk.
- Ukrainian artillery is shelling Donetsk. [This disinformation achieved kinetic reality this morning in the Donbas, as artillery fire is reported to have actually hit a kindergarten, with no deaths but three injuries reported.]
- The Americans have written off Ukraine.
And, of course, the line that the Ukrainians are being run by actual, not metaphorical, Nazis continues. Ilya Kiva, a pro-Kremlin member of the Russophile Opposition Platform—For Life, said, in a Telegram post, "Zelenskyy’s government is closing TV channels, blocking YouTube channels, internet sites and Telegram channels to prepare the country for an information vacuum and informational isolation of the population. They will create legal lawlessness and prepare a “massacre” of unwanted, the Russian population. They will be called the enemies of Ukraine. All this will be done at the hands of Nazis. The Nazis themselves have long made no secret of their plans to start a massacre of Russians inside the country. In the near future, the internet and communications may be disconnected." Mr. Kiva's statement is being generally amplified by Russian media.
Influence operations in a hybrid war: disinformation as bare-faced denial.
Far from confirming Russian claims that the forces it's maintained on high alert in forward assembly areas near Ukraine are now beginning to return to their garrisons, the New York Times reports that both US and UK sources say the withdrawal isn't happening. British Foreign Secretary Liz Truss was among the senior officials to publicly dispute Russian withdrawal claims. In fact, Russia seems instead to have deployed an additional seven thousand troops to border areas. Forbes cites a US official to the effect that the seven thousand represent a further augmentation to the 150,000 troops already in a high state of readiness near Ukraine. “Russia keeps saying it wants to pursue a diplomatic solution,” the unnamed senior administration official said. “Their actions indicate otherwise. We hope they will change course before starting a war that will bring catastrophic death and destruction.”
Influence operations in a hybrid war: false flags and provocations.
The disinformation narrative that Ukrainian forces are shelling ethnic Russians in its eastern regions was reinforced this morning by artillery fire in the Donbas. Organisation for Security and Cooperation in Europe monitors reported “multiple shelling incidents” in eastern Ukraine. Accounts in the Guardian and elsewhere have focused on a children's school (variously described as a "kindergarten" or a "nursery school") that was hit by shellfire said to have injured three people. Ukrainian authorities blamed Russian-led separatist forces; the separatists, CBS reports, blame Ukrainian forces. In any case artillery fire hitting a kindergarten is difficult to improve upon as a false flag provocation: it’s an almost parodic story of outrage. Ukrainian President Zelenskyy has characterized the incident as a Russian provocation.
Influence operations in a hybrid war: cyberattacks.
This week's distributed denial-of-service attacks against two large Ukrainian banks and the country's public-facing Ministry of Defense sites are now being attributed to Russia, with an imputed goal of inculcating the belief that Russian intelligence services can work their will against a weak Ukrainian government, which the attacks have shown incapable of meeting its core responsibilities of public safety. “The key goal of the attack is to show the strength of foreign intelligence services and the weakness of the Ukrainian government and to sow panic and chaos in society," posted the Ukrainian Centre for Strategic Communications and Information Security (according to the Christian Science Monitor).
The Guardian reports that Ukrainian authorities didn't specify a particular Russian organization as responsible, which suggests the attribution is circumstantial and that the attack therefore retains some deniability. Ukrainian authorities also described the incident as unusually large. Nonetheless it fell far short of crippling either the Ministry of Defense or financial services across the country; it would, however, represent a plausible effort at sowing doubt and mistrust. "Yesterday, on February 15, the largest DDoS attack in the history of Ukraine was carried out on government websites, on the banking sector," Reuters quotes Deputy Prime Minister Mykhailo Fedorov as saying in a joint briefing with senior officials. "This attack is unprecedented, it was prepared in advance. And the key goal of this attack is destabilization, it is to sow panic, to do everything so that a certain chaos appears in our country."
The Telegraph reports that both the US and UK have stepped up their assistance to Ukraine's cyber defenders.