Russian fire remains heavy as Ukraine marshals countermeasures and appears ready to take the war to Russia proper. Both sides exchange cyberattacks, and a well-known Chinese threat actor turns its attention to Russia.
Ukraine at D+63: Fire and counterfire, physical and virtual.
Russia continues its firepower-intensive assaults in eastern Ukraine, and is supplementing them with attacks farther west intended to interdict Ukrainian supply lines. There's little evidence of more successful maneuver operations, and Ukraine continues to develop its air defense and counterbattery capabilities to counter what have emerged, faut de mieux, as Russian strengths. Evidence of Ukrainian interest in carrying the fight into Russia is shown by more explosions at Russian installations inside Russia proper.
The British Ministry of Defence situation report this morning focuses on Russian naval capabilities in the Black Sea. "Approximately 20 Russian Navy vessels are currently in the Black Sea operational zone, including submarines. The Bosporus Strait remains closed to all non-Turkish warships, rendering Russia unable to replace its lost cruiser Moskva in the Black Sea. Despite the embarrassing losses of the landing ship Saratov and cruiser Moskva, Russia’s Black Sea Fleet retains the ability to strike Ukrainian and coastal targets."
Microsoft summarizes the scale of Russian cyberattacks against Ukraine.
Russian cyberattacks have failed to develop into either widespread pests (like 2017's NotPetya) or locally disruptive attacks against critical infrastructure (like Russia's cyberattacks against portions of the Ukrainian power grid in 2015 and 2016). Both were expected; neither has materialized. This doesn't mean, however, that Russian cyber operators have been idle in the hybrid war against Ukraine. Yesterday Microsoft released a detailed report on Russian cyberattacks against Ukraine. The accompanying blog post summarizes:
"Starting just before the invasion, we have seen at least six separate Russia-aligned nation-state actors launch more than 237 operations against Ukraine – including destructive attacks that are ongoing and threaten civilian welfare. The destructive attacks have also been accompanied by broad espionage and intelligence activities. The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership. We have also observed limited espionage attack activity involving other NATO member states, and some disinformation activity."
Redmond sees them as combat support operations, keyed to events on the ground:
"Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians. For example, a Russian actor launched cyberattacks against a major broadcasting company on March 1st, the same day the Russian military announced its intention to destroy Ukrainian “disinformation” targets and directed a missile strike against a TV tower in Kyiv. On March 13th, during the third week of the invasion, a separate Russian actor stole data from a nuclear safety organization weeks after Russian military units began capturing nuclear power plants sparking concerns about radiation exposure and catastrophic accidents. While Russian forces besieged the city of Mariupol, Ukrainians began receiving an email from a Russian actor masquerading as a Mariupol resident, falsely accusing Ukraine’s government of “abandoning” Ukrainian citizens."
Since the war isn't approaching its end, Microsoft argues that it's reasonable to expect more Russian cyberattacks, and that we shouldn't assume that other countries, particularly NATO countries sympathetic to Ukraine, will continue to experience relative immunity to Russian cyberattacks:
"Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression. We’ve observed Russian-aligned actors active in Ukraine show interest in or conduct operations against organizations in the Baltics and Turkey – all NATO member states actively providing political, humanitarian or military support to Ukraine. The alerts published by CISA and other U.S. government agencies, and cyber-officials in other countries, should be taken seriously and the recommended defensive and resilience measures should be taken – especially by government agencies and critical infrastructure enterprises."
It's worth stressing that such immunity as NATO countries have enjoyed is a relative immunity only. Russian cyber espionage and, especially, Russian privateering against Western targets have continued at their customary, familiar levels. Microsoft's recommendations will be familiar to any who have followed CISA's Shields Up warnings, and they're no less sound for their familiarity.
Russian cyber capabilities should be neither overestimated nor underestimated.
Microsoft's report is a useful reminder that, while Russia's cyber operators have enjoyed less success than had been widely expected during the run-up to war, they've been neither completely ineffectual nor inactive. The Wall Street Journal offers a different perspective, this one from Ukraine, which has endured a much more protracted and intimate familiarity with Russia in the fifth domain. “Russian cyber offensive operations likely reached their full potential and we do believe the international community will be able to keep them at bay,” Victor Zhora, deputy chief of Ukraine’s State Service of Special Communication and Information Protection, said yesterday. “They did not offer anything special during these two months.” He sees this as indicating that cyber operations are difficult, and take time to prepare, and that Russia has found itself unable to “scale their cyber warriors." Zhora acknowledged Russian capabilities, and said that Moscow's cyber operators had paid particular attention to Ukraine's energy and telecommunication infrastructure. That attention, however, hasn't paid off for them in a big way, as both sectors have continued to function under stress. “We shouldn't underestimate Russian hackers, but we probably should not overestimate their potential since their potential isn't growing now,” Zhora added.
The most prominent and potentially serious threat to Ukrainian infrastructure was the largely contained use of evolved Industroyer malware against electrical power distribution. The US linked that attempt to Sandworm, that is, Russia's GRU military intelligence service, an attribution that Russia has consistently denied with some show of indignation. Nozomi Networks yesterday published its assessment of Industroyer2. Whatever else the GRU operators who ran the attack may be accused of, shyness and reticence aren't among them. As Nozomi wrote of their analysis of the attack:
"We came across something unusual in modern malware: the authors did not bother hiding its activity, nor perform any form of obfuscation. The core of the malware consists of its configuration which, among other parameters described below, contains a hardcoded list of IOAs to manipulate. This configuration is not protected in the executable, rather it is embedded as a regular Unicode string.
"This lack of concern for detection on the endpoint suggests that the threat actor had a fairly complete understanding of the security measures deployed in the target environment. At the same time, the hardcoded list of IOAs indicates two things:
- "The operators had a thorough understanding of the Operational Technology (OT) environment; and
- "The Industroyer2 sample is designed to be executed in a privileged environment with direct access to the target devices."
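The point Nozomi makes above, that the configuration was embedded as a regular, unprotected Unicode string, is exactly what makes such samples easy to triage. The following is an added example, not Nozomi's code and not drawn from any real Industroyer2 sample: it runs over a constructed byte blob (a fake executable image with a made-up UTF-16LE configuration string; the keywords, addresses and field names are assumptions for illustration) and shows how a defender recovers an unobfuscated wide-string configuration and how a byte-entropy check separates plaintext configuration from packed or encrypted data.

```python
import math
import re

# Constructed sample: a fake executable image with a plaintext UTF-16LE
# configuration string, imitating the pattern described in the text.
# Every value here is made up; this is not a real sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + "config: 10.0.0.5;ioa=1234,5678;port=2404".encode("utf-16-le")
    + b"\x00" * 16
    + b"\x7fELF"
    + "target=192.168.1.10".encode("utf-16-le")
)

# A fully "random-looking" block for comparison: every byte value once,
# so its byte entropy is exactly 8 bits per byte.
HIGH_ENTROPY_BLOCK = bytes(range(256))


def extract_wide_strings(data: bytes, min_len: int = 6):
    """Return printable UTF-16LE strings of at least min_len characters.

    A wide (UTF-16LE) ASCII string looks like 'c\\x00o\\x00n\\x00...' on disk,
    so we match runs of (printable byte, NUL byte) pairs. This is the same
    idea as `strings -e l` on Linux, done in pure Python.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def find_plaintext_config(data: bytes, keywords=("ioa", "port", "target")):
    """Pick out wide strings that look like configuration fields.

    The keyword list is an assumption for this example; in practice an
    analyst tunes it to the protocol or malware family under review.
    """
    hits = []
    for s in extract_wide_strings(data):
        low = s.lower()
        if any(k in low for k in keywords):
            hits.append(s)
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plaintext UTF-16LE sits far below 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def config_is_unprotected(data: bytes, threshold: float = 6.0) -> bool:
    """True when config-like wide strings are present and low-entropy.

    High entropy on the matched region would suggest the configuration is
    packed or encrypted; a plaintext config, as described for Industroyer2,
    trips both conditions.
    """
    hits = find_plaintext_config(data)
    if not hits:
        return False
    region = b"".join(h.encode("utf-16-le") for h in hits)
    return shannon_entropy(region) < threshold


if __name__ == "__main__":
    for s in extract_wide_strings(SAMPLE):
        print("wide string:", s)
    print("config fields:", find_plaintext_config(SAMPLE))
    print("unprotected config:", config_is_unprotected(SAMPLE))
```

Run it as a script to see the recovered strings; point `extract_wide_strings` at the bytes of any file to apply the same check. The entropy threshold of 6 bits per byte is a rule of thumb chosen for this example, not a published cutoff.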
It's worth noting that Russia hasn't been immune from Ukrainian cyberattacks, particularly intelligence collection and distributed denial-of-service attacks from Kyiv's IT Army, a largely volunteer effort that responds to the direction of Ukrainian intelligence services. Wired reports that hacktivists, volunteers, and intelligence services are all playing a role: "Hacktivists, Ukrainian forces, and outsiders from all around the world who are taking part in the IT Army have targeted Russia and its business. DDoS attacks make up the bulk of the action, but researchers have spotted ransomware that’s designed to target Russia and have been hunting for bugs in Russian systems, which could lead to more sophisticated attacks."
This kind of hostile activity is, for Russia, unfamiliar territory. "The attacks against Russia stand in sharp contrast to recent history. Many cybercriminals and ransomware groups have links to Russia and don’t target the nation. Now, it’s being opened up." "Russia is typically considered one of those countries where cyberattacks come from and not go to," Digital Shadows' Stefano De Blasi told Wired.
Ukrainian countermeasures shouldn't be underestimated, either. At today's Global Cyber Innovation Summit in Baltimore we're hearing that "our Ukrainian colleagues," as Kyiv's cyber operators are being called, have been not only effective, but "absolutely heroic" in their defense of their country's networks.
Information collection and "digital dossiers."
The AP reports that an important goal of Russian intelligence collection has been the compilation of "digital dossiers" on Ukrainian citizens, built from information obtained from compromised Ukrainian government databases, that can be used to identify people for arrest or isolation during an occupation, and that can also serve a range of influence operations. Collection began long in advance of Russia's invasion. The AP quotes CrowdStrike's Adam Meyers, who argues that the goal is as much influence as it is intelligence. “Make them scared that when the Russians take over, if they don’t cooperate, the Russians are going to know who they are, where they are and come after them,” Meyers told the AP.
Such compilation of personal data has by no means been one-sided. Ukraine has similarly assembled dossiers, on Russian military personnel in particular, with the aim of using them to degrade Russian morale. Serhii Demediuk, deputy secretary of Ukraine’s National Security and Defense Council, who said inter alia that "Cyberwarfare is really in the hot phase nowadays,” gave the AP a sense of the scope and detail of Ukrainian collection. He said that Kyiv's intelligence services now know “exactly where and when a particular serviceman crossed the border with Ukraine, in which occupied settlement he stopped, in which building he spent the night, stole and committed crimes on our land. We know their cell phone numbers, the names of their parents, wives, children, their home addresses,” and even who their neighbors are, where they went to school and the names of their teachers. Some of that information has apparently been used to call the families of Russian service members and tell them that their sons, fathers, and husbands are engaged in a criminal war.
Making due allowance for the usual exaggeration, collection of personally identifiable information by both sides seems to have been extensive.
Chinese intelligence services are paying close attention to Russian targets.
Researchers at Secureworks reported yesterday that the Chinese government threat group Secureworks calls "Bronze President" (but which is also known as Mustang Panda, RedDelta, and TA416) has turned its attention to Russia, hitting Russophone targets with an updated version of its PlugX malware. This represents a shift in targeting. Mustang Panda had hitherto specialized in South Asian, and especially Southeast Asian targets. The attention to collecting against Russia suggests that Beijing is closely interested in the progress of Russia's war against Ukraine.