Ukraine at D+7: Belarusian cyberespionage, Russian rocket fire, Ukrainian hacktivism.
Mar 3, 2022

A Black Sea port falls, and Russian artillery continues to hit civilian targets. Russia, Belarus, and Ukraine are all engaged in cyber operations (and Ukraine is said to be targeting Russia's railroads and power grid). The UN condemns Russia for a war of aggression.

Russian forces have intensified their conventional and in practice indiscriminate bombardment of Ukrainian cities. The Black Sea port of Kherson has fallen, the first Ukrainian city of any size to be taken by Russian forces, but the assault on Kyiv remains more stalled than ever, the BBC reports. The UK's Ministry of Defense, in its daily public appreciation of the situation, says the Russian column advancing on Kyiv has made "little discernible progress in over three days." The MoD puts this down to Ukrainian resistance, but also to "congestion" and "mechanical breakdown."

The indiscriminate character the Russian invasion has assumed has moved governments to consider opening war crimes cases against the special military operation's commanding officers. The Telegraph reports that British Justice Secretary Dominic Raab says the Government is preparing plans to apprehend and prosecute Russian war criminals.

Western companies continue to exit the Russian market as the country's financial system reels on the verge of collapse. The AP reports that Russia has become a commercial pariah, as Western companies increasingly refuse to do business there. Tech companies are largely out, and social media platforms have shuttered operations rather than accede to Moscow's insistence on censorship and positive control of the content they distribute. One interesting business departure is that of Harley-Davidson: President Putin has been famously devoted to his hog, which he rides helmetless, like a centerfold in Outlaw Biker or Iron Horse. No more Harleys for Mr. Putin.

The United Nations General Assembly condemns Russian aggression against Ukraine.

The UN General Assembly voted yesterday to condemn Russia's invasion of Ukraine. In its official statement, the UN wrote: "Deploring in the strongest terms its aggression against Ukraine in violation of the Charter of the United Nations, the Assembly also demanded the Russian Federation immediately and unconditionally reverse its 21 February decision related to the status of certain areas of the Donetsk and Luhansk regions of Ukraine." Thus not only the invasion itself was condemned, but so was the Russian recognition of the independence of the regions it styles the Peoples' Republics of Donetsk and Luhansk. The resolution of condemnation had been introduced by Ukraine.

The vote was 141 in favor of the resolution to 5 opposed, with 35 abstentions. The UN called the vote "a clear reaffirmation of the 193-member world body’s commitment to Ukraine’s sovereignty, independence, unity and territorial integrity." The list of countries that voted nay is instructive: Belarus, North Korea, Eritrea, Syria, and, of course, Russia. The 35 abstentions were Algeria, Angola, Armenia, Bangladesh, Bolivia, Burundi, the Central African Republic, China, Congo, Cuba, Equatorial Guinea, India, Iran, Iraq, Kazakhstan, Kyrgyzstan, the Lao People’s Democratic Republic, Madagascar, Mali, Mongolia, Mozambique, Namibia, Nicaragua, Pakistan, Senegal, South Africa, South Sudan, Sri Lanka, Sudan, Tajikistan, Uganda, Uzbekistan, Vietnam, and Zimbabwe. A number of those who abstained made statements deploring the war but urging restraint in the imposition of sanctions.

After the resolution passed, the Russian ambassador said that it offered Moscow no help in achieving its desire for peaceful resolution of what it characterizes as a defensive military operation. “This document will not allow us to end military activities. On the contrary, it could embolden Kiev radicals and nationalists to continue to determine the policy of their country at any price.” He also said that Russia had paid and will continue to pay scrupulous attention to protecting noncombatants, and that scenes of civilian dead were either provocations of Ukrainian "nationalists" or else simply "Internet fakes." In either case, the real victim, says Russia, is Russia.

In separate remarks, Russian Foreign Minister Lavrov reiterated warnings of the consequences of Ukraine's acquisition of nuclear weapons, something no one is seriously proposing, but which has bulked large in Russian messaging over its war. Mr. Lavrov also said that "a third world war" would be nuclear, and devastating. And, needless to say, after raising the prospect of nuclear war, Mr. Lavrov added that it's the Westerners, not the Russians, who are considering this possibility. "It is clear that World War Three can only be nuclear," Lavrov said (as quoted in the Moscow Times). "I would like to point out that it's in the heads of Western politicians that the idea of a nuclear war is spinning constantly, and not in the heads of Russians. Therefore I assure you that we will not allow any provocations to throw us off balance," Lavrov added.

China, which abstained from the General Assembly's vote, contenting itself with deploring violence and calling for peace, has apparently grown more tepid in its support of Russian ambitions in Ukraine. Bloomberg reports that China is talking directly with Ukraine about the crisis. On balance, an op-ed in the Telegraph argues, "a humbled Russia is a win for the [Communist Party of China]." Beijing has been tuning its official line with respect to the war. Formerly, Foreign Policy points out, China's messaging had portrayed President Putin as "the put-upon hero," with NATO and its allies as the "malevolent villains." That's now been moderated to a call for all sides to “address each other’s concerns through peaceful means.” The New York Times reports that China may have had more advance warning of the Russian invasion than had been appreciated. US intelligence sources believe Beijing asked Moscow to postpone the war until the Olympics closed, which Russia of course did. If that's so, it's a form of advance warning that amounts almost to complicity.

NATO, for its part, has stepped up delivery of weapons and other materiel to Ukraine, the New York Times reports.

Ukraine expresses an intention to hit Russian infrastructure in cyberspace.

Ukraine's Ministry of Defense has recruited private operators to help wage a cyberwar against Russia. That recruitment isn't principally designed to provoke a cyber rave or cyber riot on the part of outraged sympathizers freelancing as volunteer militia (although that's also happened, certainly in the case of website defacements and service interruptions conducted by Anonymous and others). There are reports that the Ministry has asked a local cybersecurity expert and businessman, Yegor Aushev, to organize a cyber offensive that would go beyond DDoS and defacement and seek to cripple Russian infrastructure, with particular attention to railroads and the power grid. Ukrainian officials declined a request for comment by Reuters.

The hacktivists continue to claim that they're counting coup against Russia, and some of their efforts may (we stress, "may") go beyond vandalism and nuisance hacks. Homeland Security Today reports that Anonymous is crowing high over an effort directed against Russian space surveillance and reconnaissance systems, quoting the Anonymous-affiliated group NB65 as follows: “The Russian Space Agency sure does love their satellite imaging,” the NB65 posted Tuesday morning. “Better yet they sure do love their Vehicle Monitoring System. The WSO2 was deleted, credentials were rotated and the server is shut down. Network Battalion isn’t going to give you the IP, that would be too easy, now wouldn’t it? Have a nice Monday fixing your spying tech. Glory to Ukraine. We wont stop until you stop dropping bombs, killing civilians and trying to invade. Go the f**k back to Russia.”

DanaBot used in distributed denial-of-service attacks against Ukraine's Ministry of Defense.

Russia's cyber operations against Ukraine may be continuing to take advantage of services offered in the criminal-to-criminal market. Zscaler describes the way in which the malware-as-a-service platform DanaBot is being used to run a distributed denial-of-service attack against the Ukrainian Ministry of Defense. Zscaler's research report stops short of attribution: "It is unclear whether this is an act of individual hacktivism, state-sponsored, or possibly a false flag operation."

Ghostwriter resurfaces, with a phishing campaign.

Proofpoint has published a report on a phishing campaign it's calling "AsylumAmbuscade," and which it links to UNC1151, which Proofpoint associates with the Belarusian threat actor it tracks as TA445. That group is most familiar in its GhostWriter guise, in which throughout 2021 it mounted influence campaigns against European targets, especially in Latvia, Lithuania, and Poland. Proofpoint summarized its "key takeaways" as follows:

  • "Proofpoint has identified a likely nation-state sponsored phishing campaign using a possibly compromised Ukrainian armed service member’s email account to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.
  • "The email included a malicious macro attachment which attempted to download a Lua-based malware dubbed SunSeed.
  • "The infection chain used in this campaign bears significant similarities to a historic campaign Proofpoint observed in July 2021, making it likely the same threat actor is behind both clusters of activity.
  • "Proofpoint is releasing this report in an effort to balance accuracy with responsibility to disclose actionable intelligence during a time of high-tempo conflict."

AsylumAmbuscade represents an intelligence collection effort. It shows signs of being particularly interested in the movement of refugees around and out of Ukraine, and is, the Record reports, paying particular attention to targeting European officials involved in refugee relief. There may now be around a million Ukrainian refugees, according to the AP.

Where's the cyber offensive?

AsylumAmbuscade and DanaBot seem relatively low-intensity cyber operations. Trustwave this morning released its appreciation of the state of cyber operations in this conflict, and what they mean for the future of war. Their conclusions read, in part:

"Much of the cyber activity that has taken place so far has not had a direct, significant impact on the physical battlefield. But with that said, we believe these tactics and activities will stand as an example of what we should expect in future geopolitical conflicts.

"Lone-wolf and organized threat actors who possess the proper cyber skills may directly attack their nation's enemy or recruit others to join in a coordinated attack. These activities, coupled with specific malware use designed to 'prep' the physical battlefield, could become a more widely used tactic to weaken a nation’s defensive capabilities, critical infrastructure or communication streams.

"There is also a strong possibility that social media and forum tactics such as doxing may be used during a conventional cyberattack against civilian targets. For example, corporate officials could be threatened with exposure or blackmail if they do not cooperate with an attacker's demands."

Beyond some DDoS and the deployment of a couple of wipers, soon mitigated, where have the Russian offensive cyber operators been? They've been as little in evidence as the Russian air force. Both cyber and air were confidently expected to make an appearance in force, early and often, once Russia invaded Ukraine, but this hasn't so far proved to be the case. Ciaran Martin, the founding director of the UK's National Cyber Security Centre and currently Professor of Practice at the Blavatnik School of Government in the University of Oxford, discussed this curious phenomenon in an essay posted to Lawfare.

"The Kremlin’s handful of serious cyberattacks on Ukraine ahead of and around the beginning of the invasion represents its long-standing campaign of cyber harassment of the country over the past decade, rather than a serious escalation of it," Martin writes. "There seems to have been little effort, for example, to strike the core of Ukraine’s internet infrastructure. Instead, the missiles rain, and the soldiers and tanks roll in. Similarly, the actions of pro-Ukrainian actors in defacing and taking down Russian websites may embarrass the Kremlin but hardly merit the much misused term of 'cyberwar'." He goes on to argue for a realistic appreciation of what cyberattacks are likely to achieve. He urges continued preparation and a prudent regard for risk, but he also thinks that truly destructive cyberattacks are more difficult to execute than many have imagined.

Still, Russia has shown, twice, in 2015 and 2016, its ability to shut down portions of Ukraine's power grid. A Dragos study of the 2016 incident (CRASHOVERRIDE) describes how the more recent attack was carried out. Why hasn't there been a repetition? The violence of kinetic attacks against Ukraine's principal cities suggests that the failure to execute such a cyberattack doesn't stem from a desire to avoid indiscriminate destruction and civilian suffering, and it's unlikely that Ukrainian infrastructure is markedly better protected than it was in 2016. The best explanation at this point seems to be that this may be a case of deterrence, that Russia has kept its cyber attacks at a nuisance level to avoid provoking NATO cyber operators into mounting some deniable retaliation, but that's speculation. Russian restraint in cyberspace remains a mystery.

Such quiet engagement, off in the leftward, lower-intensity bands of the spectrum of conflict, might represent NATO's best option for confronting and frustrating a great power's efforts to wage a large-scale conventional war. That's the argument made in a paper published by the Modern Warfare Institute at West Point, which holds that one of the lessons of Russia's war of choice against Ukraine is that "It’s time to get comfortable in the gray zone."

Recognizing the tactical value of OSINT.

That same Modern Warfare Institute essay also points out the pervasiveness of open-source information: "The revolution (and any other war) will be televised." This opens up a range of sources and methods, with attendant challenges for vetting and verification. It also shows that there's a new set of operational security problems: military deception may henceforth need to rely on a newly found ability to hide inside the open-source noise.

Open-source intelligence can sometimes be overlooked by intelligence services who fall into the trap of confusing cost with value. The Russian invasion of Ukraine has shown the value that open-source intelligence can bring. Open-source intelligence ("OSINT") is, according to the US Department of Defense Dictionary of Military and Associated Terms, "Relevant information derived from the systematic collection, processing, and analysis of publicly available information in response to known or anticipated intelligence requirements." The related open-source information, raw material from which OSINT can be derived, is "Information that any member of the public could lawfully obtain by request or observation as well as other unclassified information that has limited public distribution or access."

Consider two sources of OSINT that have enabled observers to form a clear picture of the situation on the battlefield. Commercial satellite imagery is now routinely available, and of such resolution that it's been relatively easy to watch the progress (and lack thereof) of Russian forces in Ukraine. That imagery is useful enough that Ukraine's government has asked commercial firms to provide it with satellite-derived data that can be used to organize defenses or humanitarian relief. Russian forces have also shown signs of an interest in commercial information, which is why, Buzzfeed reports, Google Maps has removed recent user-contributed content out of the proverbial "abundance of caution" lest it assist the invading forces with targeting and tactical planning.

The other significant source of OSINT in Russia's war has come from social media. Civilian observers (journalists, think tanks, and others) were able to develop a surprisingly accurate picture of the Russian order of battle because people took pictures of Russian units moving to their staging areas, and then posted them to social media. There seems to be little more operating here than the simple desire to make a personal record of remarkable events: it's unlikely that many of those TikToking shots of BMPs on railcars, bumper numbers clearly visible, were doing so out of a committed desire to compromise Russian operations. Who wouldn't take and share pictures like that? And Russian soldiers themselves have posted images of themselves in the field. The motive is unlikely to be treason: it's the familiar libido ostentandi, the desire to say, and show, I was there. See? Here I am in front of my Grad MRL. Here are the tanks I saw. Do you see me too? That an army as famously security conscious as Russia's hasn't been able to control its soldiers' phones speaks to the difficulty of achieving sound operational security in a highly networked world.

Cryptocurrency and sanctions.

The sanctions imposed on Russia have already begun to have visible effect on that country's economy. An op-ed in the Telegraph wonders if that success isn't an artifact of the dominant position the US dollar holds in the global financial system, and if Russia and other rogue states won't seek to undermine the dollar by shifting to cryptocurrencies. North Korea, after all, has expended a great deal of effort in stealing Bitcoin and other cryptocurrencies. And both the US and Ukraine have been alive to the possibility that cryptocurrencies might help cushion Russia from the effects of the sanctions. The Ukrainian government has urged major cryptocurrency exchanges to block wallets with Russian addresses, Bloomberg reports, and the US is looking into ways of regulating cryptocurrency transactions.

An essay in the New Atlanticist, however, suggests that the vision of evading sanctions by moving to cryptocurrency is a will-o'-the-wisp. Russia has been ambivalent about such currencies, recently deciding to ban them out of fear that they might prove difficult to control, but has given thought to establishing a digital ruble. It's unclear, however, that a digital ruble would help matters much. Why would international financial institutions find digital rubles any more palatable on their balance sheets than ordinary rubles? Existing alt-coins like Bitcoin and Ethereum, for all the Randian atmosphere that surrounds them, can be traced and confiscated by law enforcement agencies, as Razzlekhan's failed (alleged) money-laundering operation shows, and the platforms that trade them comply with local laws, which typically means US laws.

Task Force KleptoCapture.

The US Department of Justice has formed an interagency task force, "KleptoCapture," designed to investigate and prosecute white-collar crime, with special attention to finding and denying the assets of Russian oligarchs, the Wall Street Journal reports. It has two objectives: sanctions enforcement (which will include educating companies that trade with Russia on the sanctions' scope and implications) and tracking down illicit assets, especially those useful in money laundering (with special attention to cryptocurrency holdings and transactions). Recent US enforcement actions against domestic money laundering operations (notably the indictment of Razzlekhan and her consort) have shown that cryptocurrency wallets and transactions are not immune to tracking and confiscation.

EU and US policy toward Russia's oligarchs is now decidedly punitive, according to the Washington Post. "Western allies plan to confiscate yachts, jets, luxury apartments from Russian elites in hopes of undercutting Moscow over invasion," the article's deck summarizes. Punishing the oligarchs was one of the talking points in US President Biden's State-of-the-Union speech this week. “Tonight, I say to the Russian oligarchs and the corrupt leaders who built billions off this violent regime — no more,” he said. “We’re coming for your ill-begotten [sic] gains.” Task Force KleptoCapture represents an early step in that approach.

France has seized a yacht belonging to a Russian oligarch. Customs authorities have taken possession of Igor Sechin's Amore Vero. The vessel had put into the French Mediterranean resort of La Ciotat for repairs, the AP reports.

China is said to be skeptical about the efficacy of sanctions against Russia, and indulges in some wishful thinking that the measures will backfire against the US and its allies. There may be some wishful thinking on the other side as well, as observers claim to see signs that the oligarchs are beginning to turn on President Putin. Maybe, but such optimism seems premature.