Ukraine at D+160: A counteroffensive and cyber as combat multiplier.

As the Ukrainian counteroffensive opens in the south, Russia continues to do what it can do: mass artillery against towns. A look at the cyber phases of the hybrid war concludes that cyber operations have now clearly become a combat multiplier.


The morning situation report from the UK's Ministry of Defence today looks at the growing isolation of the battlefield in Kherson Oblast. "As a result of a Ukrainian strike against a Russian ammunition train in Kherson oblast, southern Ukraine, it is highly unlikely the rail link connecting Kherson with Crimea remains operational. Russian forces are likely to repair the railway line within a few days, although it will remain a vulnerability for Russian forces and their logistical resupply route from Crimea into Kherson. Russia has promoted the ferry crossing recently established to replace the damaged Antonovsky Bridge over the Dnipro river in Kherson as for civilian use, however Russian military forces will almost certainly utilise it for troop movements and logistical resupply. It is likely that we will see an increase in civilians attempting to flee Kherson and the surrounding area as hostilities continue and food shortages worsen. This will create pressure on transport nodes and routes, likely resulting in measures to control movement being implemented."

The Wall Street Journal reports widespread Russian shelling of civilian areas in the southern regions of Ukraine, from Dnipropetrovsk to Mykolaiv, as Russia seeks to forestall Ukraine's counteroffensive. The Atlantic Council's UkraineAlert sees Ukraine's offensive to retake Kherson as likely to prove one of the decisive battles of the war. "Since early July, the Ukrainian military has deployed its growing arsenal of long-range artillery and HIMARS precision rocket systems to destroy dozens of Russian command posts and ammunition supply bases throughout southern Ukraine. More recently, Ukrainian forces have targeted the bridges across the Dnipro River that serve as a lifeline for Putin’s troops in Kherson. Russia has since launched an improvised ferry service, indicating that the main bridge in Kherson itself is indeed no longer able to support military traffic."

A summary of the cyber phases of the hybrid war.

Nozomi Networks this morning published its OT/IoT Security Report, which details what the company has observed during Russia's war against Ukraine. While others have expressed surprise at the relatively ineffectual character of Russian offensive cyber operations, Nozomi's report highlights the attacks that Russia is known to have carried out in cyberspace. It concludes that cyber operations have now clearly established themselves as a "force multiplier" (that is, a factor in combat power that gives a force greater capabilities than its unaided numbers would enable it to achieve) in contemporary combat. The report draws three major lessons from the hybrid war:

  • "War increases cyber activity: Of the varying threat actors and motives, nation-state Advanced Persistent Threats (APTs) are the most active during wartime. They are less financially motivated and more focused on cyber espionage—spying and disrupting communications and other critical enemy systems. Some companies become incidental casualties of cyber war as a result of threat actors’ attacks on their targets."
  • "Private companies are stakeholders in war: In addition to military and government entities, private companies, especially critical infrastructure companies (manufacturing, communications, transportation, energy, etc.) are also prime targets during wartime. Companies should maintain a heightened security posture and cooperate with their governments to safeguard assets in the event of a war."
  • "Wartime contingency and data security strategies are necessary: Ukrainians relocated their sensitive servers out of the country in case a physical attack was launched on their communications infrastructure. An attack on in-country servers could prevent Ukrainians from organizing efforts with domestic troops and even allies, putting them at a disadvantage during the war."

Both sides have been active in cyberspace, and Nozomi outlines some of what it assesses as the more significant operations:

Operating objectively in the Ukrainian interest, a Belarusian hacktivist group hit Belarus's state rail system server with the aims of disrupting Russian troop movements through Belarus, and of protesting Minsk's support of Moscow's imminent aggression against its neighbor. The operation took place on January 25th, while Russian invasion forces were still staging, a month before the February 24th invasion.

The other campaigns Nozomi describes were conducted by Russian operators. On the day of the invasion Viasat was hit with a cyberattack that knocked the satellite communications provider's KA-SAT customer terminals offline in Ukraine and elsewhere in Europe; SpaceX's Starlink service helped restore Ukrainian connectivity within a matter of days. "Based on forensics investigations," Nozomi says, "it appears that the attackers were able to use a KA-SAT management mechanism to simultaneously deploy a destructive payload to multiple KA-SAT modems. The payload rendered the modems unable to connect back to the network by wiping their flash memory." The payload deployed against the Viasat modems was the AcidRain wiper. The attack also had collateral effects well outside Ukraine (effects that, from Moscow's point of view, were side benefits rather than damage). "A notable spillover effect of this cyberattack was loss of view of Enercon's 5,800 wind turbines in Germany, which could no longer be remotely monitored. Viasat later confirmed that the AcidRain wiper caused the disruptions, thus beginning the influx of wiper malware used during the Russia/Ukraine war."

The Viasat incident was not the only time Russia deployed wipers against Ukrainian targets. Drawing on a series of CISA alerts, Nozomi summarizes the wipers seen so far:

  • "HermeticWiper: HermeticWiper overwrites the master boot record, rendering the operating system unable to boot. HermeticWiper was used in conjunction with HermeticWizard, which provided worm functionality to spread HermeticWiper across entire networks."
  • "IsaacWiper: IsaacWiper, also used in conjunction with HermeticWizard, overwrites user files with random data, rendering any attached storage disk unusable."
  • "CaddyWiper: CaddyWiper works similarly to other wipers. Not only does it attempt to replace victim files with “null” data, but it also then attempts to wipe the master boot record (MBR), corrupting the victim’s stored data."
  • "WhisperGate: In January 2022, Microsoft Threat Intelligence Center (MSTIC) discovered this wiper. Like the above wipers, it aims to erase data, rendering devices inoperable.... If a computer contains multiple drives—such as one for storing personal files and another for storing digital backups—the wiper could also destroy all copies of those files stored on external devices like USB sticks or network drives. Wipers have become popular among nation-state APTs who are not necessarily financially motivated but instead want to cause as much destruction as possible."

Wipers have been a distinctive aspect of Russia's cyber campaigns.
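The wipers above share one mechanical pattern: the master boot record is overwritten with nulls or random data, and that is something a responder can triage from the first 512 bytes of a disk image. As an added example (not from Nozomi's report or from this article), the script below parses an MBR, checks the 0x55AA boot signature and the plausibility of the partition table, and measures byte entropy to tell an intact sector from a null-overwritten or random-overwritten one. The four sample sectors are constructed inline, and the entropy threshold is an assumption for the example.

```python
import hashlib
import math
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR
PT_OFFSET = 446                # classic partition table: four 16-byte entries
PT_ENTRY = 16
RANDOM_ENTROPY = 7.0           # assumption: 512 random bytes measure ~7.6 bits/byte; bootstrap code sits far lower


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a zero-filled sector, near 8 for random fill."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_partitions(sector: bytes) -> list:
    """Decode the non-empty MBR partition entries and sanity-check each one."""
    parts = []
    for i in range(4):
        e = sector[PT_OFFSET + i * PT_ENTRY:PT_OFFSET + (i + 1) * PT_ENTRY]
        status, ptype = e[0], e[4]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        parts.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors,
            # a real entry has a legal status byte and a non-zero extent
            "plausible": status in (0x00, 0x80) and lba_start > 0 and sectors > 0,
        })
    return parts


def analyze_mbr(sector: bytes) -> dict:
    """Classify one 512-byte sector as intact, zeroed, random_overwrite or damaged."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    sig_ok = sector[510:512] == BOOT_SIGNATURE
    parts = parse_partitions(sector)
    entropy = shannon_entropy(sector)
    if sector == b"\x00" * SECTOR:
        verdict = "zeroed"            # null overwrite, the CaddyWiper pattern described above
    elif entropy >= RANDOM_ENTROPY:
        verdict = "random_overwrite"  # high-entropy fill, the IsaacWiper pattern
    elif sig_ok and parts and all(p["plausible"] for p in parts):
        verdict = "intact"
    else:
        verdict = "damaged"           # signature or table clobbered but not fully wiped
    return {"signature_ok": sig_ok, "partitions": len(parts),
            "entropy": round(entropy, 2), "verdict": verdict}


# --- constructed sample sectors (not real disk images) ---------------------
def _intact_mbr() -> bytes:
    boot = (b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB" + b"\x90" * 24).ljust(PT_OFFSET, b"\x00")
    # one bootable Linux partition starting at LBA 2048, 100 MiB long
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x83, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 2048, 204800)
    return boot + entry + b"\x00" * (3 * PT_ENTRY) + BOOT_SIGNATURE


def _random_fill(seed: bytes, n: int = SECTOR) -> bytes:
    # deterministic high-entropy bytes so the example is reproducible offline
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return out[:n]


SAMPLES = {
    "intact": _intact_mbr(),
    "zeroed": b"\x00" * SECTOR,
    "random_overwrite": _random_fill(b"constructed-sample"),
    "damaged": _intact_mbr()[:510] + b"\x00\x00",   # boot signature clobbered, table left alone
}


def triage(samples: dict = SAMPLES) -> dict:
    """Run analyze_mbr over every sample; on a live case feed it the first 512 bytes of each image."""
    return {name: analyze_mbr(sector) for name, sector in samples.items()}


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name:18} {result}")
```

On a real case, read the first sector of each evidence image (for example `dd if=image.raw bs=512 count=1`) and pass those bytes to `analyze_mbr`; a "zeroed" or "random_overwrite" verdict on a drive that was bootable yesterday is a strong wiper indicator, while "damaged" is worth a second look at the partition table before assuming malice.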

Russian services also targeted industrial control systems (ICS). INCONTROLLER was one of the suites of ICS attack tools observed. Mandiant's initial report on INCONTROLLER described it as "likely state-sponsored," and it's since been attributed by other sources to Russia. On April 13th the US Cybersecurity and Infrastructure Security Agency (CISA) described INCONTROLLER's capabilities in Alert AA22-103A. The tools affected a range of programmable logic controllers (PLCs) and operational technology (OT) servers. CISA described the tools as having a modular architecture that enabled them to conduct "highly automated exploits" against selected targets, and that these automated exploits could be executed by lower-skilled cyber grunts: once the tools are deployed, the attackers don't need a high degree of technical virtuosity to succeed. "The APT actors" (whom CISA does not name, but whom other sources assess to be Russia's intelligence and security services) "can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters," CISA explained.
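The first of those modular stages, scanning for targeted devices, is also the one most visible from the defender's side of the wire. As an added example (not CISA's or Mandiant's code, and not from this article), the detector below reads constructed flow-log lines and flags any source that contacts many distinct PLC or OPC UA endpoints inside a short window, which is the footprint a device-discovery module of the kind CISA describes would leave. The port-to-protocol map, the five-minute window and the threshold of five endpoints are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed port-to-protocol map; adjust to the protocols actually in use on your plant network.
OT_PORTS = {502: "modbus", 4840: "opcua", 9600: "omron-fins", 1217: "codesys", 102: "s7comm"}
WINDOW = timedelta(minutes=5)   # assumption: the sweep must land inside five minutes
THRESHOLD = 5                   # assumption: five distinct OT endpoints from one source

# Constructed flow records (timestamp src dst dport proto), not real plant traffic.
FLOW_LOG = """\
# an HMI polling one PLC repeatedly is normal and must not alert
2022-04-13T09:00:00 10.0.7.2 10.0.7.10 502 tcp
2022-04-13T09:00:05 10.0.7.2 10.0.7.10 502 tcp
2022-04-13T09:00:10 10.0.7.2 10.0.7.10 502 tcp
# a sweep: one host touches seven OT endpoints across four protocols in seconds
2022-04-13T09:01:00 10.0.5.23 10.0.7.10 502 tcp
2022-04-13T09:01:01 10.0.5.23 10.0.7.11 502 tcp
2022-04-13T09:01:02 10.0.5.23 10.0.7.12 502 tcp
2022-04-13T09:01:03 10.0.5.23 10.0.7.12 4840 tcp
2022-04-13T09:01:04 10.0.5.23 10.0.7.13 9600 udp
2022-04-13T09:01:05 10.0.5.23 10.0.7.14 1217 tcp
2022-04-13T09:01:06 10.0.5.23 10.0.7.15 502 tcp
2022-04-13T09:01:07 10.0.5.23 10.0.7.20 443 tcp
# an engineering workstation touching three OPC UA servers over an hour stays below threshold
2022-04-13T09:05:00 10.0.6.9 10.0.7.10 4840 tcp
2022-04-13T09:30:00 10.0.6.9 10.0.7.11 4840 tcp
2022-04-13T10:10:00 10.0.6.9 10.0.7.12 4840 tcp
"""


def parse_flow(line: str):
    """Split one 'timestamp src dst dport proto' record into typed fields."""
    ts, src, dst, dport, _proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_sweeps(lines, window=WINDOW, threshold=THRESHOLD) -> list:
    """Return one alert per source whose distinct OT endpoints inside any window reach the threshold."""
    events = defaultdict(list)            # src -> [(ts, (dst, dport)), ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = parse_flow(line)
        if dport in OT_PORTS:             # only OT-protocol contacts count toward a sweep
            events[src].append((ts, (dst, dport)))

    alerts = []
    for src, evs in events.items():
        evs.sort()
        best = None
        for i, (t0, _) in enumerate(evs):
            # every distinct endpoint this source touched in [t0, t0 + window]
            seen = {ep for t, ep in evs[i:] if t - t0 <= window}
            if len(seen) >= threshold and (best is None or len(seen) > best["endpoints"]):
                best = {"src": src, "window_start": t0.isoformat(), "endpoints": len(seen),
                        "protocols": sorted({OT_PORTS[p] for _, p in seen})}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_sweeps(FLOW_LOG.splitlines()):
        print(alert)
```

The HMI's repeated polls of a single controller never alert, because the count is of distinct endpoints rather than packets, and the engineering workstation's three contacts spread over an hour never fall inside one window. The non-OT port 443 contact is ignored at parse time, so the threshold reflects OT exposure only.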

And a familiar attack tool, Industroyer, which Russia's Sandworm (that is, Unit 74455 of the GRU) deployed against a Kyiv transmission substation in December 2016, has resurfaced as Industroyer2, detected in April 2022 at a Ukrainian energy provider. "It is possible," Nozomi writes, "that Sandworm is using Industroyer as a broader framework to create future variants that specifically target other ICS protocols."
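Industroyer2, as ESET's April 2022 analysis documented, speaks IEC 60870-5-104 (IEC-104) to issue control commands to substation devices, so a defender's question is which hosts are allowed to send such commands at all. As an added example (not ESET's, Nozomi's or Sandworm's code, and not from this article), the parser below decodes IEC-104 APDUs and flags control-command ASDUs (single, double and regulating-step commands) coming from any host other than the known SCADA master. The four-frame exchange, the addresses and the allow-list are constructed for the example, and only the first information object of each ASDU is decoded.

```python
TYPE_NAMES = {1: "M_SP_NA_1", 3: "M_DP_NA_1", 13: "M_ME_NF_1",
              45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1",
              58: "C_SC_TA_1", 59: "C_DC_TA_1", 60: "C_RC_TA_1"}
CONTROL_TYPES = {45, 46, 47, 58, 59, 60}          # commands that change process state
COT_NAMES = {3: "spontaneous", 6: "activation", 7: "activation-confirm", 10: "activation-termination"}


def parse_apdu(buf: bytes) -> dict:
    """Decode one IEC-104 APDU: the 6-byte APCI, then (for I-frames) the ASDU header and first object."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if len(buf) != buf[1] + 2:                    # length field counts everything after itself
        raise ValueError("length field does not match buffer")
    c = buf[2:6]
    if c[0] & 0x01 == 0:                          # I-format: numbered information transfer
        frame = {"format": "I", "send_seq": (c[0] | c[1] << 8) >> 1, "recv_seq": (c[2] | c[3] << 8) >> 1}
    elif c[0] & 0x03 == 0x01:                     # S-format: supervisory acknowledgement
        return {"format": "S", "recv_seq": (c[2] | c[3] << 8) >> 1}
    else:                                         # U-format: STARTDT / STOPDT / TESTFR
        return {"format": "U", "function": c[0] & 0xFC}
    a = buf[6:]
    if len(a) < 9:
        raise ValueError("ASDU too short")
    type_id = a[0]
    frame.update({
        "type": type_id,
        "type_name": TYPE_NAMES.get(type_id, f"type-{type_id}"),
        "objects": a[1] & 0x7F,                   # VSQ: object count (SQ bit ignored here)
        "cot": a[2] & 0x3F,
        "cot_name": COT_NAMES.get(a[2] & 0x3F, f"cot-{a[2] & 0x3F}"),
        "test": bool(a[2] & 0x80),
        "originator": a[3],
        "common_addr": a[4] | a[5] << 8,
        "ioa": a[6] | a[7] << 8 | a[8] << 16,     # 3-byte information object address
    })
    if type_id in (45, 58) and len(a) >= 10:      # single command: SCO byte (bit0 state, bit7 select/execute)
        sco = a[9]
        frame["command"] = {"state": "ON" if sco & 0x01 else "OFF", "mode": "select" if sco & 0x80 else "execute"}
    elif type_id in (46, 59) and len(a) >= 10:    # double command: DCO byte (bits0-1 state)
        dco = a[9]
        frame["command"] = {"state": {1: "OFF", 2: "ON"}.get(dco & 0x03, "invalid"),
                            "mode": "select" if dco & 0x80 else "execute"}
    return frame


def audit(exchange, allowed_masters) -> list:
    """Flag every control command whose source is not an approved SCADA master."""
    alerts = []
    for src, dst, apdu in exchange:
        f = parse_apdu(apdu)
        if f.get("type") in CONTROL_TYPES and src not in allowed_masters:
            alerts.append({"src": src, "dst": dst, "type": f["type_name"], "ioa": f["ioa"], **f["command"]})
    return alerts


# Constructed exchange (src, dst, APDU); 10.0.9.1 is the assumed master, 10.0.9.10 the outstation,
# 10.0.9.50 an unexpected host. Common address 1, information object address 1101 (0x00044D).
ALLOWED_MASTERS = {"10.0.9.1"}
EXCHANGE = [
    # U-frame TESTFR act from the unexpected host: a keep-alive, not a command
    ("10.0.9.50", "10.0.9.10", bytes.fromhex("68 04 43 00 00 00")),
    # outstation reports a single-point status (type 1) spontaneously, SIQ = ON
    ("10.0.9.10", "10.0.9.1",  bytes.fromhex("68 0E 00 00 00 00 01 01 03 00 01 00 4D 04 00 01")),
    # legitimate master selects (SCO 0x81) breaker 1101 ON: type 45, COT 6 activation
    ("10.0.9.1",  "10.0.9.10", bytes.fromhex("68 0E 02 00 02 00 2D 01 06 00 01 00 4D 04 00 81")),
    # unexpected host executes (SCO 0x00) breaker 1101 OFF: this is the one to alert on
    ("10.0.9.50", "10.0.9.10", bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 4D 04 00 00")),
]

if __name__ == "__main__":
    for src, dst, apdu in EXCHANGE:
        print(src, "->", dst, parse_apdu(apdu))
    print("alerts:", audit(EXCHANGE, ALLOWED_MASTERS))
```

The rule is deliberately narrow: monitoring ASDUs, acknowledgements and keep-alives from any host pass, and even a control command passes when it comes from the approved master, so the alert fires only on the combination that matters, a state-changing command from a host that should never issue one.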

Nozomi doesn't discuss the nuisance-level defacements and distributed denial-of-service attacks both sides have conducted, and it remains true that Russian cyber operations have fallen far short of the devastating effects widely expected during the run-up to war in January. But this is a relative absence of effect, and it's not for want of trying.