By the CyberWire staff
The Ukrainian crisis.
US President Biden on Thursday told his Ukrainian counterpart, President Zelensky, that a Russian invasion next month was "a distinct possibility." For its part, Ukraine regards the situation as grave, but also as not inevitably leading to war. The Military Times quotes a Ukrainian military assessment to the effect that “By now, the Russian military contingent near the Ukrainian border is insufficient to carry out a large-scale armed aggression against Ukraine. The Armed Forces of Ukraine are ready to protect Ukrainian territory and the Ukrainian population.” Russian Foreign Minister Lavrov also took a slightly softer tone. "If it depends on Russia, then there will be no war," he said. "We don't want wars. But we also won't allow our interests to be rudely trampled, to be ignored."
The British Government last Saturday accused Moscow of attempting to form a pro-Russian government in Ukraine, Reuters reports. The British Foreign Office identified Yevhen Murayev, a former Ukrainian legislator, as the leader Russia was seeking to install in Kyiv.
The US State Department has directed the families of American diplomats to leave Ukraine, and has given assigned diplomats permission to leave should they so desire. State is also warning US citizens to avoid travel to Ukraine and Belarus.
NATO has moved air and naval units into positions to respond to further Russian incursions into Ukraine. Reuters reports that the alliance presently has about 4,000 troops deployed in multinational battalions in Latvia, Lithuania, Estonia, and Poland; the US is said to have placed some 8,500 additional troops on alert, prepared to be transported to the region. Russia, which has staged approximately 100,000 troops near Ukraine, says NATO's response (described as "hysteria") shows that Russia, not Ukraine, is the target of aggression. Hysterical or not, the Guardian writes that Western governments are preparing an extensive and potentially crippling sanctions regime that could be imposed on broad stretches of the Russian economy should Moscow's pressure on Ukraine continue.
The Guardian notes that a number of members of the alliance have deployed warships (to the Baltic, for the most part), aircraft, and ground forces into the theater. The European Union has promised €1.2 billion in loans and grants to help Ukraine cope with the financial consequences of an invasion.
Sanctions are also under discussion. The US is considering implementing a "novel" set of sanctions (as the Washington Post calls them) intended to cripple Russian strategic industries, including its technology sector. The Hill lists the sectors most likely to be affected: "artificial intelligence, maritime, defense, and civilian aviation sectors." The sanctions would include strict control of exports of "all microelectronics designed with US software or technology or produced using US equipment."
Some of the proposed sanctions resemble the US measures against Huawei, but writ large, and designed to cover broad stretches of the Russian economy as opposed to one or a handful of companies. The US is also considering, according to Bloomberg, sanctions directed specifically against Russian President Vladimir Putin. A recent example of what such sanctions might look like is afforded by last week's US Treasury Department action against four Ukrainian nationals accused of working as Russian agents of influence against the government in Kyiv.
A démarche proposes confidence-building.
Russia closed the January 21st talks in Geneva with a set of "proposals" that amounted to a soft ultimatum for NATO: that the Atlantic Alliance would agree to rule out eventual Ukrainian (or Georgian) membership, that it would roll back troop deployments and infrastructure in the Near Abroad and the former Warsaw Pact, and that it would agree not to deploy certain classes of long-range strike weapons. The US and NATO responded Wednesday, and unambiguously rejected the Russian demands, the AP reports.
The US and NATO did seek to offer, as the BBC quotes US Secretary of State Blinken, "a serious diplomatic path forward, should Russia choose it." The challenge will be to arrive, if US and NATO diplomacy should prove successful, at a face-saving way for Russia to back away from its pressure on Ukraine. The US and NATO responses offered additional confidence-building measures, in particular the disclosure of information about certain kinds of short-notice military exercises that have hitherto been exempt from transparency agreements. The US also proposed an extension and expansion of the New START treaty that would further reduce nuclear weapon inventories and alert levels, the Washington Post said.
The Russian response to the rejection of its proposals by NATO and the US has so far been less intemperate than the soft ultimatum itself was. Diplomacy seems likely to continue, at least in the short term. TASS's reporting suggests that diplomacy remains Russia's focus. Reuters also sees a softening of the Russian tone, but that change in tone hasn't involved any retreat from Russia's central demands: no NATO expansion, no deployment of strike weapons near Russia, and a reversion to the Atlantic Alliance's status quo of 1997. Those are substantially the demands Russia made during the Geneva talks, and neither NATO nor the US is likely to accede to them.
The US has called for a meeting of the United Nations Security Council on Monday, where the US intends to confront Russia over its preparations to invade Ukraine. The Wall Street Journal reports that the US probably has sufficient support among the Council members to bring the meeting about.
Cyber operations in the early stages of a hybrid war.
In the present phase of the conflict, deniable, grey-zone cyber operations are generally regarded as likely. NATO has reaffirmed what it characterizes as its longstanding commitment to Ukrainian cyber defense. "NATO has been working with Ukraine for years to increase its cyber defences, and will continue to do so at pace," a statement from the Alliance said. The same statement also quoted Deputy Secretary General Mircea Geoană on the current crisis on NATO's Eastern flank. “The use of hybrid attacks against Ukraine, including cyber-attacks and disinformation," he said, "as well as the massing of advanced weapons on its borders, underlines the key role of advanced technology in modern warfare.”
As Ukraine continues to investigate the data-wiping attack that hit government websites two weeks ago, the State Service of Special Communication and Information Protection of Ukraine says it's found signs of false-flag evidence planted to mislead investigators into suspecting a Ukrainian hacktivist group as opposed to Russian intelligence services. Ukraine has called that campaign "Bleeding Bear," and Deep Instinct has a useful account of what's presently known about the attacks. Zero Day reports that the wiper used in the Bleeding Bear attacks was code repurposed from the WhiteBlackCrypt ransomware strain. Other low-grade hacking continues. Reuters reports that a "promotional" website belonging to the Ukrainian foreign ministry was knocked offline Wednesday for several hours by unidentified threat actors. Ukrinform reports that Poland has joined Ukraine in assessing recent cyberattacks against Ukrainian targets as the work of Russian intelligence services.
MIT Technology Review describes how Russian cyberattacks against Ukraine could have effects that spread to other parts of the world. There is, of course, the likelihood that Russian retaliation against countries that have supported Ukraine in the present conflict would take the form of cyberattacks. But the experience of NotPetya (and, earlier in 2017, of WannaCry) indicates that cyber effects are difficult to control. Whether the Russian services lost control of NotPetya or were simply indifferent to the collateral damage it worked, its effects spread well beyond the immediate Ukrainian targets: the pseudoransomware affected shipping and logistics companies worldwide, and the US estimated the global costs of the incident at more than $10 billion.
Coincidentally or not, the National Post reports that Global Affairs Canada, the country's foreign ministry, was hit with an unspecified cyberattack detected on January 19th, the day before, Reuters observes, the Communications Security Establishment (CSE) issued a bulletin warning of a Russian threat to Canadian critical infrastructure. According to Computing, investigation of the incident continues. Prime Minister Trudeau has reiterated Canadian support for Ukraine during the ongoing crisis.
Ars Technica reports that the Cyber Partisans have claimed responsibility for a ransomware attack against Belarusian railroads that's being called operation "Peklo" (roughly "Hellfire"). The hacktivist group, which has acquired a reputation for sophistication, has been active since at least July of 2021.
Multiple sources, including CNN, Newsweek, CBS News, and ABC News, report that the US Department of Homeland Security has issued a memorandum to its law enforcement partners warning them to prepare for Russian cyberattacks in the event of a US or NATO response to Russia's threatened invasion of Ukraine. The memorandum doesn't appear to contain much specific information beyond a recognition of Russian cyber capabilities and an acknowledgement that tensions in Eastern Europe are running high.
The US Cybersecurity and Infrastructure Security Agency (CISA) has urged infrastructure operators in particular to be on the alert, and to look to their defenses.
The BBC reports that Britain's National Cyber Security Centre (NCSC) has (like others among the Five Eyes, notably Canada and the US) renewed warnings to businesses in the UK that they should be on alert for Russian cyberattacks during the present period of heightened tension. The Danish Defense Intelligence Service has also warned of the prospect of Russian cyberattack, and it's focused on the maritime sector. Shipping Watch notes that the Danish shipping giant Maersk was particularly hard-hit by NotPetya.
Russian disinformation campaigns.
Russia has conducted extensive influence operations in connection with its ambitions in Ukraine. They have tended to represent Ukraine as a threat to Russia, not only in its policy, but also in its growing alignment with NATO and internal ethnic fissures that, Russia argues, render the country dangerously unstable. The AP reports that Washington has been unusually open and forthcoming about "naming and shaming" the influence operators and their products. The US State Department offers a summary and assessment (a negative assessment, it need hardly be noted) of recent Russian influence operations.
Greek parliamentary email accounts compromised.
Media reports say that some sixty email accounts belonging to Greece's parliament were discovered late last week to have been compromised. The accounts belonged to members, staffers, and journalists covering parliamentary affairs. As a precautionary measure parliament's webmail has been suspended while investigation proceeds.
REvil actors may still be active.
The REvil ransomware gang, recently hit by Russia's FSB in a widely publicized enforcement action that resulted in both arrests and asset forfeitures, may be reforming, or at least some of its alumni who remain at large appear to be reconstituting the operation. GovInfoSecurity reports that MalwareHunterTeam has been tracking what's either a revenant, a successor, or an imitator: a gang that styles itself "Ransom Cartel." There's some speculation that the FSB sweep may have hit more lower-level hoods than leaders, and that in particular REvil's coders may have remained at large.
65% of organizations say employees have been approached by ransomware actors.
A survey by Pulse and Hitachi ID connects insider threats with ransomware tactics. Sixty-five of the hundred security and IT executives surveyed (65%) said that they or their employees had been approached by cybercriminals who sought to enlist the insiders' aid in conducting ransomware attacks. That's an increase of 17 percentage points over the share who reported recruitment attempts when the survey was last conducted in November. Most of the contacts (59%) came by email, with 27% and 21% coming, respectively, by phone call or social media (some respondents reported more than one channel). BleepingComputer speculates that the Great Resignation renders employees (who may already have one foot out the door) more susceptible to this sort of recruitment.
North Korea's Internet disrupted by DDoS attack.
Reuters reports that North Korea's already closely controlled and tightly limited Internet has been disrupted by a significant distributed denial-of-service incident for the second time in two weeks. Little information, still less any attribution, is available, but Reuters notes that the timing of the outages may be significant: they've occurred around Pyongyang's recent tests of long-range missiles.
Watering-hole site targets Hong Kong activists.
ESET has found that the compromised website of a pro-democracy (which is to say, objectively anti-Beijing) radio station in Hong Kong has been serving as a watering hole. Visitors to the site are served a WebKit exploit that installs a macOS backdoor ESET calls "DazzleSpy." It's not the first time such activity has been observed. Google's Threat Analysis Group described watering hole activity back in November, and SEKOIA.IO researchers tweeted at about the same time that an inauthentic site catering to dissidents in Hong Kong had been designed from the outset with that purpose in mind. Which threat actor specifically is behind the campaigns ESET isn't yet prepared to conclude, but it does say that, "Given the complexity of the exploits used in this campaign, we assess that the group behind this operation has strong technical capabilities."
China's APT27 targets German companies.
Reuters reports that Germany's BfV has found an extensive industrial espionage effort mounted against the pharmaceutical and tech sectors. The threat actor the BfV accuses is APT27, Beijing's Emissary Panda. The BfV added, "It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack)."
State-sponsored hackers appear to avoid the Winter Olympics.
State-sponsored threat actors from Russia, Iran, and North Korea who've been known to rattle the Olympic rings in the past have been unusually quiet during the run-up to this year's Winter Games. The reason for the good behavior, Recorded Future's Insikt Group writes, is apparently a desire not to get on the bad side of the host, China. There's trouble enough elsewhere without poking the Panda.
Patch news.
Pursuant to the US Cybersecurity and Infrastructure Security Agency's (CISA) Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, CISA last week added seventeen listings to its Known Exploited Vulnerabilities Catalog. Federal agencies have until February 1st to address the most urgent issues, which include CVE-2021-32648 (October CMS Improper Authentication), CVE-2021-21975 (Server-Side Request Forgery in the vRealize Operations Manager API), CVE-2021-22991 (BIG-IP Traffic Microkernel Buffer Overflow), three Nagios XI OS Command Injection vulnerabilities (CVE-2021-25296, CVE-2021-25297, and CVE-2021-25298), CVE-2021-21315 (System Information Library for Node.js Command Injection), CVE-2021-33766 (Microsoft Exchange Server Information Disclosure), and CVE-2021-40870 (Aviatrix Controller Unrestricted File Upload).
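BOD 22-01 works by deadline: every entry in the KEV catalog carries a dueDate, and the operational question for an agency (or anyone who tracks the catalog voluntarily) is which entries apply to assets it actually runs and which of those are due or overdue. The following is an added example, not code from the CyberWire, CISA, or any vendor. It reads a feed in the shape of CISA's published KEV JSON (field names cveID, vendorProject, product, vulnerabilityName, dateAdded, requiredAction, dueDate), filters by due date, and cross-references a small asset inventory. The feed and inventory embedded below are constructed for the example: the CVE IDs are those named in the text, but the dates, descriptions, hostnames and the placeholder fourth entry are assumptions, not copied from the real catalog.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date
from typing import Iterable

# Constructed sample in the shape of CISA's KEV JSON feed. Dates,
# descriptions and the placeholder entry are assumed for illustration;
# consult the live catalog for the real values.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.01.21",
  "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-2021-21975", "vendorProject": "VMware", "product": "vRealize Operations Manager",
     "vulnerabilityName": "Server-Side Request Forgery in vRealize Operations Manager API",
     "dateAdded": "2022-01-21", "shortDescription": "constructed sample",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-01"},
    {"cveID": "CVE-2021-22991", "vendorProject": "F5", "product": "BIG-IP",
     "vulnerabilityName": "BIG-IP Traffic Microkernel Buffer Overflow",
     "dateAdded": "2022-01-21", "shortDescription": "constructed sample",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-01"},
    {"cveID": "CVE-2021-33766", "vendorProject": "Microsoft", "product": "Exchange Server",
     "vulnerabilityName": "Microsoft Exchange Server Information Disclosure",
     "dateAdded": "2022-01-21", "shortDescription": "constructed sample",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-02-01"},
    {"cveID": "CVE-2021-99999", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry with a later due date (hypothetical)",
     "dateAdded": "2022-01-21", "shortDescription": "constructed placeholder",
     "requiredAction": "Apply updates per vendor instructions.", "dueDate": "2022-07-21"}
  ]
}
"""

# Constructed asset inventory: hostnames and vendor/product strings are invented.
SAMPLE_INVENTORY = [
    {"host": "vrops01", "vendor": "VMware", "product": "vRealize Operations Manager"},
    {"host": "lb-edge", "vendor": "F5", "product": "BIG-IP"},
    {"host": "mail01", "vendor": "Microsoft", "product": "Exchange Server"},
    {"host": "web01", "vendor": "nginx", "product": "nginx"},
]


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    name: str
    date_added: date
    due_date: date


def _as_date(d: date | str) -> date:
    """Accept either a date or an ISO-8601 string (as the feed uses)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def load_kev(text: str) -> list[KevEntry]:
    """Parse the KEV feed JSON into typed entries (dates become date objects)."""
    doc = json.loads(text)
    return [
        KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            name=v["vulnerabilityName"],
            date_added=_as_date(v["dateAdded"]),
            due_date=_as_date(v["dueDate"]),
        )
        for v in doc["vulnerabilities"]
    ]


def due_by(entries: Iterable[KevEntry], deadline: date | str) -> list[str]:
    """CVE IDs whose remediation deadline falls on or before `deadline`."""
    dl = _as_date(deadline)
    return sorted(e.cve_id for e in entries if e.due_date <= dl)


def overdue(entries: Iterable[KevEntry], today: date | str) -> list[str]:
    """CVE IDs whose deadline has already passed as of `today` (strictly before)."""
    t = _as_date(today)
    return sorted(e.cve_id for e in entries if e.due_date < t)


def _norm(s: str) -> str:
    # Case- and whitespace-insensitive comparison; the feed's vendor/product
    # strings are free text, so real inventories usually need an alias table too.
    return " ".join(s.lower().split())


def match_inventory(entries: Iterable[KevEntry], inventory: Iterable[dict]) -> list[tuple[str, str, str]]:
    """(host, cveID, dueDate) for every inventory asset whose vendor/product matches a KEV entry."""
    entries = list(entries)
    hits = []
    for asset in inventory:
        for e in entries:
            if _norm(e.vendor) == _norm(asset["vendor"]) and _norm(e.product) == _norm(asset["product"]):
                hits.append((asset["host"], e.cve_id, e.due_date.isoformat()))
    return sorted(hits)


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print("due by 2022-02-01:", due_by(kev, "2022-02-01"))
    for host, cve, due in match_inventory(kev, SAMPLE_INVENTORY):
        print(f"{host}: {cve} (due {due})")
```

In practice the feed is fetched from CISA's published URL and the inventory comes from a CMDB or scanner export; the matching here is deliberately exact on vendor and product, so a host recorded as "F5 Networks" rather than "F5" would be missed, which is the usual reason KEV tracking needs a maintained alias table rather than string equality.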
CISA on Tuesday issued an industrial control system security alert for GE Gas Power ToolBoxST.
Microsoft has improved the security of its popular Excel product: Excel 4.0 (XLM) macros, a legacy macro language frequently abused by malware loaders, are now disabled by default.
Crime and punishment.
The Washington Post says that a British High Court decision rendered Monday has given Wikileaks impresario Julian Assange leave to appeal the decision to extradite him to the United States, where he's wanted on charges of violating the Espionage Act. Mr. Assange remains in Belmarsh Prison while his case is being decided.