Ukraine at D+678: A template for hacktivist auxiliaries.
Jan 3, 2024

Reprisal and retaliation in the war of missiles, as President Putin says Ukraine is already destroyed, and that the real war is against the West. Cyber operations continue to represent the familiar mix of threat actors: intelligence services, hacktivist auxiliaries, and criminal privateers.

Heavy Russian drone and missile attacks against Ukrainian targets prompt calls for urgent delivery of Western air defense systems. The Atlantic Council describes how this winter's targeting differs from last year's. During the winter of 2022-2023, Russian strikes concentrated on energy infrastructure. "Putin’s new bombing offensive appears to have a wider focus, with targets of recent attacks including military and industrial objects along with residential buildings, hospitals, and shopping malls. The increased targeting of civilians has already led to dozens of deaths and sparked suggestions that Russia seeks to undermine Ukrainian morale." The UK's Ministry of Defence also notes a shift in Russian targeting, with more attention now being paid to Ukrainian industry.

The exchange of missiles has also prompted both sides, especially the Russian government, to promise retaliation against the enemy's crimes. The Lieber Institute has published a guide to retaliatory warfare under international humanitarian law and the laws of armed conflict. In general, with limited exceptions, retaliation against non-combatants is prohibited. Ukrainian cross-border attacks seem to have been directed against permissible targets, with civilian casualties appearing incidental (and accidental). Russian strikes, in contrast, appear to have directly and frankly aimed at noncombatants and civilian infrastructure.

The article distinguishes between retaliation against permissible targets, which is generally lawful, and reprisals against otherwise prohibited targets, which is permissible only under very restricted circumstances. "The Russian attacks on populated areas have been, and remain, unlawful; claims to the contrary are absurd," the essay's conclusion reads in part. "And it is too early to tell whether Ukraine resorted to the tactic of population centers over the weekend. But the bellicose statements by Ukrainian officials combined with widely circulating video footage and the extent of civilian casualties arguably merit further investigation."

President Putin declares Ukraine "completely destroyed," and that the real war is against the West.

The Institute for the Study of War (ISW) describes President Putin's characterization of his war. "Russian President Vladimir Putin identified the West as Russia’s 'enemy' and implied that Russia is fighting in Ukraine in order to defeat the West. Putin responded to a Russian serviceman’s question about Western aid to Ukraine during a meeting at a military hospital in Moscow Oblast on January 1, stating that Russia’s issue is not necessarily that the West is aiding Ukraine, but rather that the West is Russia's 'enemy.'"

And Ukraine, already wrecked, in the Russian president's view represents nothing more than an opportunity for Western aggression. "Putin added that 'Ukraine by itself is not an enemy for [Russia],' but that Western-based actors 'who want to destroy Russian statehood' and achieve the “strategic defeat of Russia on the battlefield” are Russia’s enemies. Putin claimed that Western elites are trying to break Russia into five parts and are trying to do so using Ukraine, but that the situation on the frontlines is changing and that Russia will “deal with the [West] faster” than the West can deal with Russia on the battlefields in Ukraine. Putin added that the problem is not in Western aid deliveries to Ukraine and noted that Ukraine has already been 'completely destroyed,' that there is 'nothing left' of the country, and that it 'exists only on handouts.'”

The long game playing out in the information space, the ISW thinks, is therefore probably designed to prepare Russian public opinion for a long war.

US Department of Homeland Security assesses cyber threats to the US originating in Russia's war.

In its annual Homeland Threat Assessment for 2024, the US Department of Homeland Security's Office of Intelligence and Analysis predicts a continuing Russian threat in cyberspace. It draws particular attention to three areas of Russian activity against the US that it expects to emanate from Russia's war against Ukraine.

  • Disinformation and influence operations. "Russia likely will continue to use traditional media, covert websites, social networks, online bots, trolls, and individuals to amplify pro‑Kremlin narratives and conduct influence activities within the United States. Since its invasion of Ukraine, Russian messaging has focused on justifying its aggression, seeking to reduce US domestic support for Kyiv, and encouraging divisions among the diverse set of global partners that are helping Ukraine."
  • Privateering by criminal groups and disruptive attacks by hacktivist auxiliaries. "Malicious cyber activity targeting the United States has increased since the beginning of the Russia‑Ukraine conflict, a trend we expect to continue throughout the duration of the conflict. Pro‑Russia cyber criminal groups, such as Killnet, collaborate to conduct distributed denial‑of‑service (DDoS) attacks and other potentially disruptive attacks against US government systems and our transportation and healthcare sectors. Killnet claimed credit for a March 2022 DDoS attack against a US airport it believed was helping US efforts to aid Ukraine."
  • Cyberespionage and possibly sabotage by intelligence services. "Russian government‑affiliated cyber espionage likely will remain a persistent threat to federal, state, and local governments, as well as entities in the defense, energy, nuclear, aviation, transportation, healthcare, education, media, and telecommunications industries."

None of these represent significant departures for Russian policy or practice.

Cameras hacked by Russian intelligence services to provide targeting information.

Interfax-Ukraine reports that the SBU identified and disabled some Internet-connected security cameras in Kyiv that had been compromised by Russian intelligence services and used to select targets and correct missile targeting during the recent strikes. "According to available information, with the help of these cameras, the aggressor was collecting data for the preparation and correction of strikes on Kyiv," the SBU said. The Record notes that Russian security services are believed to have gained access not only to camera feeds, but to camera controls as well, and with them obtained the ability to direct the cameras toward areas of interest. Reports suggested that the imagery could have been used to correct the fall of shot. That's likelier in the case of cannon fire or free, unguided rockets, but less likely for drones or guided missiles. "Correcting targeting" probably means that the imagery could be valuable pre-strike in target selection, and post-strike in battle damage assessment.

Belarusian Cyber-Partisans claim successful attack against state media in Belarus.

Belarusian Cyber-Partisans claim to have conducted a successful cyber attack against BelTA, Belarus's principal state-owned media operation. GovInfo Security reports that the attack combined website defacement with data theft and data destruction. The Cyber-Partisans represent a dissident hacktivist group. The Partisans said in their Telegram channel, "Propagandists of the Belarusian Telegraph Agency are harming the Belarusian people along with punitive forces from the Ministry of Internal Affairs and Lukashenko's special services. All the years of dictatorship, they have been poisoning the minds of Belarusians with lies and manipulations to please the tyrant. For this, we are striking at the Belta computer network, paralyzing the work of pro-government propaganda websites and destroying backups." 

Belarus has been Russia's closest ally in the special military operation, providing support that's extended to permitting Russian forces to stage in its territory.

NoName057(16) as a model for future hacktivist auxiliaries.

NoName057(16) selects targets for attack by its supporters, and it offers a distinctive mix of ideological gratification and financial incentives. It's highly disciplined, focused on hitting sites and organizations it brands as "Russophobic," and it's open to volunteers, especially those interested in deploying NoName's DDoSia tool against properly designated targets. CSO, in an appreciation that suggests NoName057(16) offers a template for hacktivist auxiliaries, writes that the group's approach is highly gamified, with ranks and accomplishments structured in ways immediately intelligible to online gamers. The group engages in three main kinds of activity, according to CSO: "disinformation, intimidation, and chaos creation." By "chaos creation" CSO means distributed denial-of-service (DDoS) activity, and that indeed has been the most prominent of NoName's operations. The disinformation and intimidation amount for the most part to trolling.

Bailiffs as recruiters.

Russians who are late paying, say, their utility bills, receive a notice from a bailiff to collect. The Bailiff Service has been directed to introduce a new wrinkle in the collection process. The Independent Barents Observer reports: "The very first paragraph of the notice which the bailiff sent the debtor explains how one can get an exemption from paying the debt. According to the law, enforcement proceedings are suspended if a citizen enters into a contract with the Armed Forces and goes to war in Ukraine." The case the Observer describes was over a debt of 169 rubles owed up in Karelia, which amounts to about $1.85. Given that a buck-eighty-five is no one's idea of crushing debt, it seems that anyone who owes anything is being offered a chance to go to the front as an alternative to paying for, say, a pack of gum. This in turn suggests the magnitude of the recruiting challenges Russia faces. So, either pay the cost of a couple of eggs, or report to the front. The airborne forces are hiring.