Ukraine at D+418: Cyber potential in the hybrid war.
N2K, Apr 18, 2023

As attrition gutters on in the Donbass, the Discord Papers continue to prompt speculation about both sides' prospects in Russia's war, and the Vulkan Papers afford some insight into the convergence of EW, SIGINT, and cyber operations.


President Putin is said to have made two trips to the combat zone, one to Kherson, the other to Luhansk, ostensibly with the purpose of receiving briefings and pepping up Russian troop morale. Ukrainian President Zelenskyy has also visited the front, in Donetsk. As Ukraine prepares its counteroffensive, the G7 nations are preparing for Russia to step up both nuclear threats and cyberattacks, the Guardian reports.

Update on the situation on the ground in the Donbas.

"Heavy fighting has continued along the Donbas front line," the UK's Ministry of Defence writes in this morning's update. "However, there is a realistic possibility that Russia has reduced troop numbers and is decreasing offensive action around Donetsk city, most likely to divert resources towards the Bakhmut sector. In Bakhmut, Russian MoD and Wagner Group forces continue to make creeping advances. The front line in the town centre largely follows the main railway line. Ukraine is generally holding Russia’s envelopment from the south along the line of Korsunskovo Street, the old main road west out of town. For both sides, the exact sequencing of any major drawdown of their units around Bakhmut has become a critical question, with Ukraine wanting to free up an offensive force while Russia likely aspires to regenerate an operational reserve."

The Discord Papers.

The US Department of Defense has decided that the Discord Papers leaks are unlikely to affect relations with allies. The Department is also working to make future leaks of this kind less likely, and less troublesome. The Secretary of Defense has directed "a comprehensive review of DOD security, programs, policies and procedures," with a report due in forty-five days. This study is in addition to ongoing, daily attention to investigating and mitigating the Discord leaks.

Two questions have risen to prominence in the Discord Papers case. The first involves opportunity: how did the (alleged) leaker have so much access to highly classified information? Vice argues that expanded access is a result of the US assessment that excessive compartmentalization and poor information sharing led to the intelligence failures that enabled the 9/11 terrorist attacks. Increasing information sharing was neither pointless nor necessarily ill-advised, but in this case at least supervision and proper control appear to have been lacking. Inside Defense reports that the Pentagon is tightening up access to classified information.

The second question involves motive: why did the (alleged) leaker do what he (allegedly) did? Politico reports that investigators are looking, so far in vain, for some foreign connection that would make the incident a familiar if regrettable instance of espionage. But it seems increasingly likely that the leaker was motivated by social media cachet, not by cash, or conviction, or compromise.

The FBI has the blogger and podcast host Sarah Bils (nom-d'influence Donbass Devushka) under investigation, the Wall Street Journal reports. Ms Bils appears to have been involved in spreading the information from the Thug Shaker Central Discord community to the broader (but still fringy) Internet. “She is actively under federal investigation,” a US official told the Journal, “but the circumstances of the content of the investigation are unclear at this time.” Ms Bils says she's the victim here, and the Bureau is investigating death threats made against her. “I have been forthright and honest with the FBI and NCIS in regards to what my clearances were and what I had access to, which was literally nothing,” she said to the Journal. “I didn’t leak the documents and they’ve never even been in my possession.”

An update on Russia’s NTC Vulkan: SIGINT, EW, and cyber ops.

Since the end of March, the media have reported on the activities of NTC Vulkan, a threat actor working against OT systems under contract to the Russian government.

To recap briefly, NTC Vulkan is a Moscow-based IT consultancy that does contract work for all three of the major Russian intelligence services: the GRU, the SVR, and the FSB. Vulkan's specialty is the development of cyberattack tools. Der Spiegel, one of a group of media outlets that broke the story, sourced it to a major leak of some thousand sensitive documents running to more than five thousand pages. The media consortium that received and shared the leaks includes German, French, British, and American papers.

The Vulkan papers, as the leaks are being called, reveal that Vulkan is engaged in supporting a full range of offensive cyber operations: espionage, disinformation, and disruptive attacks intended to sabotage infrastructure. On Monday Dragos released a study of what the Vulkan Papers mean for that last class of activity: infrastructure disruption. Dragos took as its point of departure the coverage in the Washington Post, and its researchers focused in particular on one of Vulkan’s tools, a malware suite known as Amesit-B. The researchers offered four key takeaways:

  • First, the papers represent genuine leaks. “Dragos assesses with moderate confidence that the documents reviewed are legitimate and were leaked or stolen from a Russian contracting repository.”
  • Second, “it is unlikely that these tools and platforms are exclusively used for testing or training purposes.” They represent a real operational capability.
  • Third, Amesit-B represents a clear potential threat to the rail transportation and petrochemical sectors. “Modules contained in the Amesit-B platform could allow for a range of impacts in rail and petrochemical environments which could result in physical consequences, including damage to physical equipment or creating unsafe conditions where injury and loss of life are possible.”
  • Finally, what Amesit-B seems designed to do comes from a familiar Russian military intelligence playbook. As Dragos puts it, “The capabilities described are consistent with previous attacks attributed to various units of the Russian Military’s GRU, with tactics, techniques, and procedures (TTP) overlapping with multiple identified threat groups.”

The Amesit-B platform shows an interesting convergence of cyber operations with traditional signals intelligence and electronic warfare operations. And it’s very much a combat support system, intended for battlefield use by a combatant commander. Dragos concludes with some advice to take Vulkan’s capabilities seriously, and to understand them in context. “Russian intelligence services continue to invest in the development of more efficient cyber operations at the beginning of the attack lifecycle, as shown by contracted projects from NTC Vulkan,” the researchers write. “The projects also reveal interest in using cyber operations to amplify psychological effects and target critical infrastructure, including energy utilities, oil and gas, water utilities, and transportation systems. Defenders should be aware of these capabilities and priorities to protect critical infrastructure and services.”