Collection courtesy of Actinium.
Feb 7, 2022

Russian cyberespionage continues in the Ukraine, while observers debate the tactical situation on the ground.

The US predicts grim consequences of a Russian invasion of Ukraine (and a quick conquest of Kyiv itself) while world leaders continue diplomatic efforts to forestall a war. Researchers update their accounts of Russian cyberespionage as observers look at the complexity of Russia's decision-making with respect to Ukraine.

More on Gamaredon ("Actinium," or, if you prefer, "Primitive Bear").

Microsoft late Friday released more information on the threat actor it calls "Actinium" and that others call "Gamaredon" or "Primitive Bear." The Microsoft Threat Intelligence Center (MSTIC) "has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations. MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage." Actinium, MSTIC concludes, represents a different set of activities than the pseudoransomware wiper deployed against Ukrainian sites in January. Thus they don't believe Actinium is responsible for WhisperGate. (Microsoft tracked that earlier activity as DEV-0586.)

Ukrainian security services have attributed the activity to the FSB, specifically an FSB unit operating out of Crimea, and it's significant that MSTIC also sees Actinium's geographical base as lying in the peninsula Russia seized in 2014. Primitive Bear is not generally reckoned as smarter than the average Bear, but neither are its operators complete rookies. They vary their infrastructure periodically to evade detection, using over a thirty-day period some twenty-five "new unique domains" and more than eighty distinct IP addresses. The DNS records for its domains change on average about once a day, not fast enough to count as fast-flux, but enough to provide a plausible form of evasiveness. In general, Actinium “quickly develops new obfuscated and lightweight capabilities to deploy more advanced malware later. These are fast-moving targets with a high degree of variance.” The group also hosts its malicious macros remotely rather than embedding them in the delivered documents, which helps it evade detection by static analysis systems.
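As an added illustration (not part of the original briefing, and not Microsoft's tooling), a small Python check that turns the "about once a day" DNS change rate described above into a measurable signal over passive-DNS observations, separating daily rotation from true fast-flux and from stable infrastructure. The domains, IP addresses and thresholds are constructed placeholders, not indicators from the page.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample passive-DNS observations: (timestamp, domain, resolved IP).
# Reserved documentation ranges are used; none of these are real indicators.
SAMPLE_PDNS = [
    ("2022-01-10T08:00:00", "daily-rotate.example", "203.0.113.10"),
    ("2022-01-11T08:05:00", "daily-rotate.example", "203.0.113.11"),
    ("2022-01-12T07:58:00", "daily-rotate.example", "203.0.113.12"),
    ("2022-01-13T08:01:00", "daily-rotate.example", "203.0.113.13"),
    ("2022-01-10T08:00:00", "stable.example", "198.51.100.5"),
    ("2022-01-13T08:00:00", "stable.example", "198.51.100.5"),
    ("2022-01-10T08:00:00", "flux.example", "192.0.2.1"),
    ("2022-01-10T08:10:00", "flux.example", "192.0.2.2"),
    ("2022-01-10T08:20:00", "flux.example", "192.0.2.3"),
    ("2022-01-10T08:30:00", "flux.example", "192.0.2.4"),
    ("2022-01-10T08:40:00", "flux.example", "192.0.2.5"),
]


def change_rates(records):
    """Map each domain to (record changes per day, number of distinct IPs seen)."""
    by_domain = defaultdict(list)
    for ts, domain, ip in records:
        by_domain[domain].append((datetime.fromisoformat(ts), ip))
    rates = {}
    for domain, obs in by_domain.items():
        obs.sort()  # chronological order so consecutive pairs are real transitions
        changes = sum(1 for (_, a), (_, b) in zip(obs, obs[1:]) if a != b)
        # Floor the observation span at one hour so a short burst is not divided by ~0.
        span_days = max((obs[-1][0] - obs[0][0]).total_seconds() / 86400, 1 / 24)
        rates[domain] = (changes / span_days, len({ip for _, ip in obs}))
    return rates


def classify(changes_per_day):
    """Thresholds are assumptions for illustration: tune them to your own telemetry."""
    if changes_per_day >= 10:
        return "fast-flux-like"      # many changes per day
    if changes_per_day >= 0.5:
        return "daily-rotation"      # roughly once a day, as described for Actinium
    return "stable"


if __name__ == "__main__":
    for domain, (rate, ips) in sorted(change_rates(SAMPLE_PDNS).items()):
        print(f"{domain:22} {rate:6.2f} changes/day, {ips} IPs -> {classify(rate)}")
```

Run against real passive-DNS exports, the same per-domain rate is what lets a hunter group "daily rotation" domains apart from the noisy fast-flux bucket most detection rules already cover.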

Microsoft sees Actinium's principal objective as collection, and establishing persistence within targeted organizations in furtherance of future cyberespionage. It's typically gained initial access through phishing. Some of its phishing emails misrepresented themselves as coming from the World Health Organization.

NATO cybersecurity assistance to Ukraine.

"After the attack last month," the Wall Street Journal reports, "Lithuania offered to deploy a group of emergency defenders, known as the Cyber Rapid Response Team, to help protect Ukraine’s networks. The rapid response team includes cybersecurity experts from Lithuania, Estonia, Croatia, Poland, the Netherlands and Romania." While Ukraine hasn't yet accepted the offer, Victor Zhora, chief digital transformation officer at Ukraine’s State Service of Special Communication and Information Protection, suggested that Kyiv could use assistance with “quick response and quick countermeasures to defend our networks.”

US Deputy National Security Advisor Anne Neuberger has been consulting with NATO allies to organize a coordinated response to cyber threats Russia poses to Ukraine (and by implication to Ukraine's neighbors and supporters). The Telegraph quotes her on the way in which a hybrid war is likely to develop. “We’ve been warning for weeks and months, both publicly and privately, that cyber attacks could be part of a broad-based Russian effort to destabilise and further invade Ukraine,” she said. “The Russians understand disabling or destroying critical infrastructure can augment pressure on the country’s government, military and population, and accelerate the receding to Russian objectives.”

Why hasn't Ukraine been given access to NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE)? The Kyiv Post, citing Oleksiy Danilov (secretary of Ukraine’s National Security and Defense Council), says Hungary blackballed Ukraine's membership late last year. Danilov says Hungary was the only NATO member to vote against Ukraine's membership.

Russian objectives in Ukraine.

Russia's "proposals" to NATO last month demanded no further expansion of the Atlantic Alliance and a withdrawal of most forces deployed to either former Soviet Republics or former members of the Warsaw Pact. An Atlantic Council blog points out some reasons for skepticism that these, and not a reassertion of Russian control over what Moscow views as lost provinces, represent Russia's actual objectives. Ukraine, for one thing, had formally declared itself to be nonaligned in 2010, but this did nothing to deter Russia's invasion and annexation of Crimea. Nor is the experience of Moldova reassuring. The country made neutrality a clause of its 1994 constitution, but Russia has occupied Moldova's Transnistria region and has kept the country under continuous political, military, and economic pressure since. 

The difficulty of invading, and the difficulty of backing down.

The terrain along the Belarusian-Ukrainian border is flat, but it's also boggy. That's not an insuperable obstacle to moving heavy forces, but marshy ground is difficult to negotiate, and complicates any invasion. The Washington Post quotes military commentators who emphasize the difficulties. The Post also points out that the Chernobyl Exclusion Area lies on that border, north-northwest of Kyiv, and the contamination remaining from the Chernobyl nuclear disaster of the late Soviet period would also give commanders pause. This latter obstacle is less significant. Russian forces would seek to move through rapidly in any case, and it's unlikely that troop safety would be high on the list of Russian commanders' concerns. But the likeliest avenues of approach to Kyiv are from the east, through Kharkiv and the area to the north of that city. These approaches are far more tankable, whatever the weather.

Russia has now staged about 135,000 troops in assembly areas near the Ukrainian border, not only in Russia proper but in its client state Belarus as well. The Atlantic Council's Digital Forensic Research Lab says it's confirmed the presence of a Russian missile battalion in Belarus. It's an S-400 Triumph air defense unit, and it staged through Luninets station.

It's difficult to maintain heavy conventional forces poised in assembly areas for an extended period of time. Readiness degrades under such conditions. Newsweek quotes a former CIA analyst as giving Russia about three more weeks within which to either use the troops or climb down and return most of them to their garrisons. Backing down will be difficult, but President Putin is said to have toned down his rhetoric in recent weeks, and may be looking for some face-saving formula, preferably involving partial concessions from NATO, that would enable him to reduce tension.

Complicating Russia's military calculus.

Former Ukrainian President Petro Poroshenko tells CNBC that he sees three ways of frustrating Russia. First, strike at it economically by forestalling the Nord Stream II pipeline. Second, increase Ukrainian military strength by upgrading military inventories and improving the country's economic position. The third approach is to increase Ukraine's resilience through internal reforms. NATO as a whole should concentrate on making clear to Russia that it would face severe costs should it invade Ukraine. Poroshenko said, “Increase the price that Russia will pay if Putin makes an absolutely crazy decision to continue the large-scale operation against Ukraine. So stronger Ukraine, increase the price and this is the shortest way to peace.”

The US continues to work on a sanctions regime that would go a long way toward imposing such costs. Adding more Russian organizations and individuals to the Specially Designated Nationals And Blocked Persons List is expected to be a prominent feature of US sanctions. The US Commerce Department is also generally thought to be preparing a Foreign Direct Product Rule that would be broadly applicable against many Russian economic sectors. (Such a rule has been used in sanctioning Huawei.) This and other sanctions (especially interruption of Nord Stream II) would impose significant economic costs on Russia, and it's unlikely, as an essay in Foreign Policy points out, that China would be willing or able to take up the slack.

The evolving NATO response to Russia's pressure on Ukraine.

France and Germany, the two largest continental powers in NATO, are each working on a response to Russia. The Atlantic Council sums up their approach as follows:

"During a recent press conference in Paris, French President Emmanuel Macron renewed his long-standing call for dialogue with Russia, arguing that a viable European security order cannot be built without Moscow’s participation. Meanwhile, the new German Chancellor Olaf Scholz appears inclined to follow in the footsteps of his predecessors by insisting that peace and security in Europe are only attainable in partnership with Russia, regardless of Moscow’s aggressive policies toward Ukraine and other neighbors."

French President Emmanuel Macron is in Moscow today for meetings with Russian President Putin; he'll be in Kyiv tomorrow to meet his Ukrainian counterpart, President Zelenskyy. President Macron's objective, according to Reuters, is mediation, with a view toward getting Russia to moderate its support of nominal separatists in the Donbas in exchange for greater strategic stability in Eastern Europe. Sources close to the French president concede to Reuters that the visit is a crapshoot, and it's been received with irritation by Eastern European governments more directly threatened by Russian conventional forces. They tend to see his diplomacy as directed, fundamentally, at a domestic French audience, positioning himself as a world leader before upcoming elections. But the Kremlin sees the Americans as its primary diplomatic focus, and has shown little sign of willingness to moderate its position under French persuasion.

Germany has also been seen by other NATO partners as relatively soft on Russia. It has resisted calls for materiel support from Kyiv, and it has been vague on the possibility that interruption of gas deliveries through the Nord Stream II pipeline might be held over Russia as a stick. Chancellor Olaf Scholz will be in Washington this week, where he hopes, the Guardian reports, to convince the US and other NATO allies that Germany remains a reliable partner in the Atlantic Alliance. The German government is emphasizing its contribution of a Bundeswehr battle group stationed in Lithuania, and has said it intends to reinforce that unit.

The responses seem consistent with what an essay in World Politics Review sees as the lessons of the crisis: NATO's response has been, so far, effective, but it's been effective under US leadership, and it's not clear that a purely European response would have succeeded in deterring President Putin from the re-engorgement of Ukraine. Whether the US-led response will succeed in doing so, and succeed peacefully, still remains to be seen, but it at least appears to have a reasonable chance of restraining Russia.