Ukraine at D+477: Targeting, kinetic and cyber.
Jun 16, 2023

With two hours' dwell time, anything that's just ten miles away can be hit. In the cyber phase of the hybrid war, a look at the role played by hacktivist auxiliaries and useful idiots.

Ukraine says it's retaken more than a hundred square kilometers (about thirty-eight square miles) through the first week of its counteroffensive, according to Al Jazeera, not a huge gain, but not an insignificant one, either.

Russia greeted a delegation of African leaders on a diplomatic visit to Kyiv (they represented South Africa, Senegal, the Comoros, and Egypt) with a brace of missile and drone strikes, for the most part shot down by Ukrainian air defenses. The Telegraph reports that the African delegation is scheduled to meet President Putin in St. Petersburg this weekend. On the eve of their visit with the Russian president, Reuters quotes Kremlin spokesman Dmitry Peskov as saying, "President Putin was and is open to any contacts to discuss possible scenarios for solving the Ukrainian problem." Those "possible scenarios" are limited to those recognizing "new realities," that is, Russia's annexations of the territories it claims, and which it continues in part to hold.

35th Combined Arms Army chief of staff killed in Ukrainian strike.

The UK's Ministry of Defence, in its morning situation report, looks at the recent combat death of another Russian general officer. "General-Major Sergei Goryachev was almost certainly killed in a strike on a command post on or around 12 June 2023, in southern Ukraine. Goryachev was the chief of staff of 35th Combined Arms Army (35 CAA). With 35 CAA’s nominated commander, General-Lieutenant Alexandr Sanchik, reported to be filling a gap in a higher HQ, there is a realistic possibility that Goryachev was the acting army commander at the time of his death. Goryachev is the first Russian general confirmed killed in Ukraine since the start of 2023. It continues a war record which has been both difficult and controversial for 35th CAA: in March 2022 elements of the army were present during the massacre of civilians in Bucha, and in June 2022 the force was largely wiped out near Izium."

And over a hundred Russian soldiers are reported killed while assembled for a general's pep talk.

The Ministry of Defense hasn't commented, but Russian military bloggers are reporting, with appropriate outrage, that more than a hundred Russian soldiers were killed near Kreminna in a single Ukrainian HIMARS strike. A large number of soldiers were assembled and kept standing for some two hours, the Telegraph reports, while they waited for a general to show up to give them a motivational speech. Kreminna is about ten miles behind the lines, which puts it beyond the range of most cannon fire but within range of rocket artillery. The general who wanted to give his troops the word is said to be Major General Zurab Akhmedov, who commands the 20th Combined Arms Army and has been accused in the past of recklessness with soldiers' lives. A Ukrainian official confirmed with the Kyiv Post, on condition of anonymity, that the incident indeed happened as the milbloggers said it did. The incident reveals several things about the artillery war. First, Ukrainian forces are able to effectively develop targets for engagement with artillery. Second, Ukraine may have overcome the Russian GPS jamming that had been thought to degrade HIMARS accuracy. Third, Russian commanders continue to present their enemy unnecessarily soft targets, and leave those targets with enough dwell time to be effectively hit. And, fourth, Russian soldiers seem to have grievous and legitimate complaints against their senior officers.

Recent activity by Russian cyber auxiliaries.

Dutch media have attributed last week's distributed denial-of-service attacks against the websites of the ports of Rotterdam and Eemshaven/Delfzijl (Groningen Seaports) to Russian hacktivists, specifically to NoName057(16).

The IT Army of Ukraine as an example of a cyber auxiliary.

The IT Army of Ukraine, an acknowledged hacktivist auxiliary working against Russian targets in loose concert with Ukraine's government, offers an unusually transparent example of offensive cyber operations, hacktivism, and the mobilization of a cyber auxiliary. Lawfare summarizes some of the key features of the group's performance during Russia's war.

  • Four classes of demonstrated capabilities. The IT Army has engaged in four kinds of offensive operations: "sabotage, denial of service, doxing, and defacement." The last three have been common operations by auxiliaries on both sides of the conflict.
  • Crowd-sourced operations. The IT Army uses its Telegram channel to organize operations, offering both target lists and access to tools hacktivists might use to attack them.
  • Opportunistic but selective targeting. Ten sectors of the Russian economy have received attention from the IT Army: "finance and insurance; information technology; wholesale and retail trade; transportation; oil and gas drilling, mining, and other extraction; utilities; education; manufacturing; government; and arts, entertainment, and recreation businesses." (That final sector, in the North American Industry Classification System (NAICS) Lawfare uses, includes news media.) Financial services were the most frequently attacked, with news media also receiving significant attention. Sectors that have not been attacked seem to represent either harder targets that may be beyond the hacktivists' abilities to reach (utilities, for example, especially electrical power utilities, are tougher than many other sectors to crack) or targets that are being deliberately excluded to avoid interfering with other operations (intelligence collection, for example) or to avoid revealing too much about Ukrainian and allied access and methods. The targeting process seems conventional, seeking out either high-value or high-payoff targets, with the selection ultimately informed by a high-level as opposed to a detailed, highly granular knowledge of Ukrainian strategic, operational, and tactical needs.
  • Willingness to attack civilian targets (within limits). Much of the targeting is directed against civilian as opposed to military networks, and this stretches international norms of war. Lawfare writes, "Its willingness to attack areas outside of government control, most of which have a civilian function, such as the 93 attacks against the financial sector and weekly attacks against Russian news outlets, demonstrates a disregard for some of the norms around the use of cyberattacks against military targets that have been circulated by the United States and like-minded states. The IT Army does not appear to operate entirely without limit, however." The hacktivist auxiliary seems to have avoided some sectors, notably medical and healthcare organizations, that are unambiguously protected under the laws of armed conflict.

The transparency of the IT Army's operations and relations with the Ukrainian government is relative. Kyiv has maintained that the IT Army coordinates only with civilian government agencies, not military or intelligence services, but it's clear that some coordination occurs with military and intelligence organizations. Some of that cooperation is done for deconfliction, some to receive direction, and, in a few cases, for direct combat support.

Influence operations in the current phases of Russia's war.

The IT Army of Ukraine also uses its Telegram channel to post news and opinion selected to influence its followers' views of the war. Russia has also mobilized social media to push its own narratives, most recently the narrative that Ukraine's counteroffensive has failed. That particular view seems not only false (in addition to being in any case grossly premature) but it also appears to have gained little traction, according to the Atlantic Council's DFRLab monitoring. Some of the posts that have failed to gain significant "virality" are associated with Mr. Kim Dotcom--@kimdotcom, to use his screen name. Mr. Dotcom's motivation in serving the Russian organs as a useful idiot is unclear.

Russophone gamers hit with ransomware.

Cyble Research and Intelligence Labs this week reported a ransomware campaign against Russian-speaking gamers playing the first-person-shooter, multiplayer game Enlisted. The attackers (so far unknown, but suspected of being motivated by Russia's war in Ukraine) use a ransomware they're calling Wannacry 3.0. It is, however, unrelated to the genuine Wannacry released in 2017.