Ukraine at D+564: Mobilization drives a hacker diaspora.
Sep 11, 2023

Ukraine's deliberate advance in the South continues, as do drone strikes by both sides. Russian cyber criminals and IT workers who fled mobilization amount to a hacker diaspora.

According to the Voice of America, Russia mounted a two-hour-long drone attack against Kyiv in Sunday's predawn darkness. Radio Free Europe | Radio Liberty says that thirty-two drones were launched, and that Ukrainian air defenses shot down twenty-five of them. Falling debris did some damage on the ground. For its part, Russia claimed to have shot down eight Ukrainian drones approaching Crimea.

On Saturday morning the UK's Ministry of Defence (MoD) reported Russian redeployments to shore up defenses against the Ukrainian advance past Robotyne. "Elements of the Ukrainian Armed Forces have advanced into the multi-layered main Russian defensive line east of the town of Robotyne. Ukrainian dismounted infantry forces are continuing to make gradual tactical advances against Russian positions and attrite Russian forces in the area. Ukrainian forces have also maintained pressure on Russian positions to the south of Bakhmut, making gradual gains between Klishchiivka and Adriivka. It is highly likely that Russia has redeployed forces from other areas of the frontline to replace degraded units around Robotyne. These redeployments are likely limiting Russia's ability to carry out offensive operations of its own along other areas of the front line. The redeployments are also highly likely an indication of pressure on their defensive lines, particularly around Robotyne."

By Sunday afternoon, according to the Institute for the Study of War, Ukraine had consolidated its advances and pushed farther into Russian-held territory. "Ukrainian forces continued to advance south of Robotyne in western Zaporizhia Oblast and reportedly advanced near Bakhmut on September 10," the ISW wrote. "Geolocated footage posted on September 10 shows that Ukrainian forces have advanced east of Novoprokopivka (18km southeast of Orikhiv). Ukrainian Tavriisk Group of Forces Spokesperson Oleksandr Shtupun noted that Ukrainian forces continue to advance near Robotyne (12km south of Orikhiv) and have liberated 1.5 square kilometers of territory in this direction. The Ukrainian General Staff and Ukrainian Eastern Group of Forces Spokesperson Ilya Yevlash reported that Ukrainian forces achieved unspecified success near Klishchiivka (7km southwest of Bakhmut) in Donetsk Oblast."

Russian defenders have moved their command post farther to the rear, out of range of all but the longer-ranged Ukrainian artillery. Such forward command posts as they've maintained, the Institute for the Study of War wrote Friday, have been dug in deeper and placed behind fortified positions. They're relying more on field telephones and what the ISW calls "safer radio communications." But operations security (OPSEC) remains weak: "signals at the battalion level downward are still often unencrypted and that Russian personnel still frequently communicate sensitive information through unsecure channels."

Replenishing ammunition stocks, especially missiles.

Russia is looking abroad for sources of supply. Its high expenditure rate of missiles in particular is proving difficult to sustain. Iran is reported to be a willing supplier of missiles, but the head of Israel's Mossad said this weekend that those shipments had been thwarted, in some unspecified fashion.

Chairman Kim of North Korea, another supplier of munitions to Russia, is en route, by train, to meet President Putin, the AP reports. The two leaders are expected to discuss trade agreements under which the DPRK will contribute more ammunition and artillery systems, and the Russians advanced military technology. North Korean stocks of ammunition tend to be old, but they're very large, and conventional ammunition has in principle a very long shelf life: forty years or more isn't unusual, if the ammunition is stored under reasonable conditions.

A home guard against drones (and those who operate them).

The drones used in Ukrainian attacks against Russian military airfields have been small quadrotors, consumer-grade products with short ranges and small payloads. They were probably launched and controlled by small diversionary groups operating from inside Russian territory, and some Russian local authorities are determined to do something about the threat. The UK's MoD reported Sunday morning: "In Russia’s Pskov Oblast, close to the Estonian border, the governor has organised volunteer security patrols to interdict further uncrewed aerial vehicle (UAV) attacks against Kresty air base. Reportedly up to 800 citizens have signed up to join the patrols. This initiative follows the reported damage of two IL-76 CANDID transport aircraft on 29 August 2023. Due to the limited range of quadcopter UAVs, the attacks on the base were almost certainly launched from within the Russian Federation. The patrols will consist of groups of 50 divided among multiple municipalities which will patrol border areas and critical infrastructure, particularly airports and airbases. The creation of these volunteer security patrols will likely act as a deterrence and provide a level of defence against quadcopter UAVs being operated from the immediate vicinity of the air base. Historically it has proven difficult to destroy UAVs using small-arms fire, so Russian forces will still require air-defence systems, with a surveillance capability and both kinetic and electronic means of interception, to destroy attacking UAVs. The use of volunteers highly likely indicates a shortage of trained security personnel within Russia."

Spending by regional governments on security and policing has increased this year, Radio Free Europe | Radio Liberty reports. These functions are still largely paid from the Federal budget, but growing domestic security needs have driven an increase in regional outlays.

Manning Russia's army.

Russian authorities are seeking to increase recruiting of contract soldiers, the UK's MoD said in Monday's morning report. "The Russian military intends to recruit 420,000 contract personnel by the end of 2023. On 3 September 2023, Russian Security Council Deputy Chairman Dimitry Medvedev stated that so far 280,000 personnel had been recruited. These numbers cannot be independently verified."

The recruiting drive may be having a noticeable effect on the country's economy. "Russia's conscription continues to have negative effects on its industry workforce. The Yegor Gaidar Institute for Economic Policy found that Russia's industry shortage of workers reached a new high of 42% for July 2023, 7% higher from April 2023. In contrast to conscription efforts elsewhere, in the IT sector Russia has taken steps to preserve the workforce. This likely highlights the particularly acute shortages in the sector after about 100,000 IT workers left Russia in 2022. This equates to 10% of the IT sector workforce. On 4 September 2023, President Putin signed a decree to increase the exemption age of military recruitment for IT professionals from 27 to 30. This shows that mobilisation and conscription within Russia has worsened non-defence workforce shortages. In the run-up to the Russian presidential elections scheduled for March 2024, Russian authorities will likely seek to avoid further unpopular mobilisations."

Russia's hacker diaspora in Turkey.

The Financial Times reports that among the many thousands of young, military-aged men who skipped from Russia last Fall to evade increased conscription, including the recall of former conscripts who'd finished their military service, were a large number of hackers, IT workers, and, most significantly, cybercriminals. Turkey received several thousand such emigrants, and many of them have either connected with local Turkish gangs or formed small criminal groups themselves. Conditions for cybercriminals in Turkey are not as easy as they are in Russia, where cyber gangs operate with the connivance of the government. They enjoy no such official protection in Turkey, but hope to stay at large by keeping their crimes petty, by avoiding hitting targets in Turkey (where victims are likely to complain to the local authorities), and by keeping their trade as unobtrusive and evasive as possible.

The expatriate criminals' preferred tool is Redline, commodity malware that nonetheless seems to evade widely used defensive software. It's "most often downloaded inadvertently by people using illegal websites to play video games or pirated versions of popular software." The criminal take is retail-level stuff: passwords and other login credentials as well as credit card data. It also includes stolen cookies, possession of which makes it easier to use the other data the thieves hold. The information is traded in an underground souk researchers call "the Underground Cloud of Logs."

The newly arrived Russians are said to have taught the existing Turkish cybercriminals how to make better use of their tools, and in particular how to organize their stolen data in ways that render them more attractive in the C2C markets.

Russian cyber diplomat warns against US escalation in cyberspace.

In an interview with Newsweek, Artur Lyukmanov, director of the Russian Foreign Ministry's International Information Security Department and special representative to President Vladimir Putin on international cooperation on information security, reiterated familiar Russian non-denial denials of Moscow's offensive cyber operations: US allegations are accompanied by a "lack of hard evidence," he said. Thus, it's not so much "we didn't do it" as "where's your evidence? And besides, you're the guilty ones here." He described the US National Cybersecurity Strategy as an inherently escalatory document that deeply implicates the US government and US corporations in "preparations for 'cognitive warfare.'" He said, "We want to halt further deterioration. A mistake in the use of ICTs may lead to a direct conflict, an all-out war, especially as that the White House is aware that Russia has all the necessary capabilities to defend itself. A devastative computer attack against our critical information infrastructure will not be left without response."

The Russian official position is that there should be a generally agreed-upon and legally binding set of laws for cyberspace that would govern the conduct of all nations consistently. The US position is that international law already applies to cyberspace, and that Russia routinely violates it. Russian proposals for international statutes to control cyberspace are marked by provisions that would enable repression, surveillance, and censorship.

One of the principal lessons the US has drawn from Russia's war is that effective cyber defense depends upon international cooperation, and specifically upon cooperation among the public and private sectors of democracies. Breaking Defense reports that Ambassador-at-Large Nate Fick told the Billington Cybersecurity Summit last week that a new strategy for promoting such cooperation was under preparation, and that it would be circulated this Fall.

Update on Starlink's availability in the Black Sea.

Starlink indeed wasn't available for Ukrainian forces to use in an attack against the Black Sea Fleet, but it may not have been a service interruption. Walter Isaacson, Elon Musk's biographer and the writer who broke the story, tweeted, "To clarify on the Starlink issue: the Ukrainians THOUGHT coverage was enabled all the way to Crimea, but it was not. They asked Musk to enable it for their drone sub attack on the Russian fleet. Musk did not enable it, because he thought, probably correctly, that would cause a major war." Russia's war can already reasonably be characterized as "major," so this must mean escalation to include other countries.

This is essentially what Elon Musk said in his own response to the Washington Post story: "The Starlink regions in question were not activated. SpaceX did not deactivate anything. There was an emergency request from government authorities to activate Starlink all the way to Sevastopol. The obvious intent being to sink most of the Russian fleet at anchor. If I had agreed to their request, then SpaceX would be explicitly complicit in a major act of war and conflict escalation."

A Ukrainian attack would not have constituted an escalation. The Russian combatant fleet had been engaged in fighting since Russia's invasion of Ukraine, and was (and remains) a legitimate military target. It's worth noting that occupied Crimea is not generally recognized as being Russian territory, and it wasn't unreasonable for Ukraine to have understood their Starlink coverage would extend to the peninsula. Mr. Musk is said to have feared that Ukrainian attacks would provoke Russian escalation, possibly including, according to Computing, escalation to nuclear war.

US Secretary of State Blinken said Sunday of Starlink that “What we would hope and expect is that the technology will remain fully available to the Ukrainians.” He declined to comment on Mr. Musk's decision to withhold service in the vicinity of Sevastopol, but the Secretary did say, “Here’s what I can tell you: Starlink has been a vital tool for the Ukrainians to be able to communicate with each other, and particularly for the military to communicate in their effort to defend all of Ukraine’s territory.”