Ukraine at D+411: US leaks remain under investigation.
Apr 11, 2023

Governments continue to focus on the provenance and implications of the US intelligence documents, many of them having to do with Russia's war against Ukraine, that leaked into Discord servers.

Russian and Ukrainian forces continue to contest the ruined city of Bakhmut, which Russia continues to reduce to rubble with artillery fire. The Wall Street Journal quotes Ukrainian officials who characterize the Russian tactics as "scorched earth."

The reconstitution of Russian airborne forces appears to be underway, at least insofar as the VDV is being equipped with thermobaric rockets. "As of 03 April 2023, Russian media reported the transfer of TOS-1A thermobaric multiple launch rocket systems to Russian airborne forces (VDV)," the UK's Ministry of Defence writes in this morning's situation report. "The highly destructive TOS-1A, which Russia designates as a 'heavy flamethrower', is typically operated by Russia's specialist Chemical, Biological and Radiological Protection Troops in Ukraine, and has not previously been formally associated with the VDV. The transfer likely indicates a future role for the VDV in offensive operations in Ukraine. It is likely part of efforts to reconstitute the VDV after it suffered heavy casualties in the first nine months of the war." Thermobaric weapons disperse a fuel into the air, typically as an aerosol, and then ignite it to produce a high-temperature, high-overpressure explosion. Unlike more conventional high-explosive munitions (artillery shells or rocket warheads, for example), which do much of their damage by fragmentation, thermobaric weapons kill with heat and blast.

Updates on the leaked US classified documents.

The US continues to investigate the leaks of classified information that appeared on Discord servers and have since circulated through social media (especially in Russian channels). The investigation seeks, first, to confirm that the leaks have stopped; second, to determine the documents' authenticity; and, third, to identify their source. Some of the documents appear, on preliminary evidence, to have been altered, CBS News reports. National Security Council spokesman John Kirby said on Monday, "We know that some of them have been doctored." Many or most of them, however, seem to be genuine, and the AP writes that the US Department of Defense is taking them seriously. While the leaks are not believed to contain operational plans, Ukraine has indicated, according to CNN, that the leaks have induced it to make some alterations in its own planning.

Discord servers have shown themselves readily adaptable to the sharing, scraping, and dissemination of sensitive information, CyberScoop explains. The publication also gives some color to the nature of the leaks. "The leaked documents are photographs of briefing slides that appear to have been folded up. They are photographed mostly against what appears to be a low table. In the background of some of the photographs can be seen a bottle of Gorilla Glue and what appears to be a strap with the Bushnell brand, a popular maker of outdoor optics and rifle scopes." Other files, the Wall Street Journal reports, are photographs of paper documents, with folds in the paper visible in many of them. Since their initial posting, the images have circulated through 4chan and various Russian social media accounts.

Who leaked them? No one knows, so far. And, as the New York Times reports, a large number of people had access to the compromised information.

Report from the leaks: Russian hackers compromised a Canadian gas pipeline.

There are some indications in the leaked files that a Russian threat actor has claimed to have compromised a Canadian natural gas pipeline in an incident reminiscent of the 2020 Colonial Pipeline attack, but the claim is just that: a claim. Canadian authorities have declined to comment.

The Washington Post quotes a section of the leaked files, a February intelligence report. "A pro-Russia hacking group is receiving instructions from a presumed Federal Security Service (FSB) officer to maintain network access to Canadian gas infrastructure and wait for further instruction. The FSB officers anticipated a successful operation would cause an explosion at the gas distribution station.… If Zarya succeeded, it would mark the first time the IC [intelligence community] has observed a pro-Russia hacking group execute a disruptive attack against Western industrial control systems."

Many experts regard the claims with skepticism. Zarya's record, such as it is, shows no ability to conduct anything beyond nuisance-level attacks, nothing more sophisticated than distributed denial-of-service (DDoS) operations. The group is thought to be an offshoot of the Cyber Spetsnaz auxiliary, itself spawned from KillNet. The Wall Street Journal cites cybersecurity experts who believe the claim looks like "active disinformation." Even if there were a breach, and that's far from confirmed, it seems likely that only business systems would have been compromised. The Journal quotes Lesley Carhart, director of incident response for North America at Dragos, who explains, “There is a mountainous gap between getting access to control devices in an industrial network, and actually being able to make something, and I quote, explode. That involves understanding chemical engineering, understanding the process systems, and understanding all of the safety controls—human, mechanical, electronic, otherwise—that are involved in that specific configuration.”

KillNet counts some coup against NATO (but not as much as it claims).

Some follow-up to reports of KillNet's distributed denial-of-service (DDoS) action against NATO. The Russian news source Lenta published an article yesterday alleging that “during the DDoS attack the hackers were able to paralyze at a minimum 60% of the alliance’s electronic infrastructure.” Lenta also claims that the hackers gained access to secret data from the NATO countries. The CyberWire wrote to NATO asking for comment, and a NATO official responded as follows:

"Cyberspace is contested at all times, and we face malicious cyber activity on a daily basis. NATO takes this very seriously. We remain vigilant and continue to adapt to evolving threats. NATO and Allies are strengthening our ability to detect, prevent and respond to such activities.

"We are currently experiencing Denial of Service attempts against a number of NATO websites, and our experts are responding. NATO's classified networks are not affected and there is no impact on NATO operations."

Thus Lenta's claim that KillNet had disabled some 60% of NATO's "electronic infrastructure" seems overstated. NATO School Oberammergau, the most commonly mentioned victim of the DDoS, is not, we note, an operational command.