Ukraine at D+67: Russia trims expectations and Ukraine carries the war into Russia.
By Victory Day, maybe not victory, but full mobilization instead?
May 2, 2022

Russia continues its firepower-intensive campaign as Ukraine arms itself with more NATO weapons. Experts speculate about the current state of the cyber phases of the hybrid war.

The British Ministry of Defense (MoD) on Saturday summed up Russian attempts to improve its very spotty combat record in Ukraine. Its situation report (with map available here) said, "Russia hopes to rectify issues that have previously constrained its invasion by geographically concentrating combat power, shortening supply lines and simplifying command and control. Russia still faces considerable challenges. It has been forced to merge and redeploy depleted and disparate units from the failed advances in north-east Ukraine. Many of these units are likely suffering from weakened morale. Shortcomings in Russian tactical co-ordination remain. A lack of unit-level skills and inconsistent air support have left Russia unable to fully leverage its combat mass, despite localised improvements." Monday morning's situation report offers a rough assessment of Russian losses and the army's prospects for reconstitution of the units it committed to Ukraine. "At the start of the conflict, Russia committed over 120 battalion tactical groups, approximately 65 per cent of its entire ground combat strength. It is likely that more than a quarter of these units have now been rendered combat ineffective. Some of Russia’s most elite units, including the VDV Airborne Forces, have suffered the highest levels of attrition. It will probably take years for Russia to reconstitute these forces."

Tactical failure may be moving Russia toward full mobilization against Ukraine (and the world's "Nazis" who are ganging up on Russia, in the Kremlin's view). British Defense Secretary Wallace thinks it likely that President Putin will make some such announcement next weekend on Victory Day. That would represent a come-down from earlier expectations that Victory Day would mark the successful termination of a war that many observers had expected to be over in seventy-two hours, and that now has dragged on for more than two months, with no Russian victory in sight. Observers have discerned a shift in Russian domestic propaganda, with the emphasis now being placed on the threat from NATO, represented as an aggressive, anti-Russian, fascist conspiracy. Framing Ukrainian battlefield success as the working of NATO's hidden hand serves to soften the bad news, Newsweek reports, and prepares Russia for a more extensive mobilization.

There's been another shift in domestic propaganda, the Telegraph reports: Russian television in particular has taken to explaining lack of progress as the result of the Russian army's humanitarian restraint. The Ukrainians, you see, are using their own civilians as human shields, and the "nobility" of the Russian operations naturally disposes them to great restraint, and punctilious observance of humanitarian law designed to protect civilian populations.

Russia's Foreign Minister Lavrov downplayed over the weekend the notion that Russian forces are under pressure to win their war against Ukraine by this coming weekend's Victory Day. “Our military will not artificially adjust their actions to any date, including Victory Day,” Al Jazeera quotes Foreign Minister Lavrov as saying. “The pace of the operation in Ukraine depends, first of all, on the need to minimise any risks for the civilian population and Russian military personnel.” Concern for the civilian population is not much in evidence, given the way in which the tactical failure of Russian infantry and armor has led Russia's forces to rely on the static and indiscriminate destruction of cities as their only effective path to forcing a kind of victory.

The success of such tactics may itself be nearing the end of its run. Significant military aid continues to arrive in Ukraine from NATO, and that aid is increasingly taking the form of lethal systems. The air defense systems, the 155mm artillery, and the counterbattery radars are likely to make themselves felt over the next two weeks.

Ukraine has increasingly hit military targets within Russia itself, a development that Russia warns risks expansion of the war to those countries that have supported Ukraine.

Widespread and damaging Russian cyberattacks have yet to appear, but criminals find a new field of activity.

That's not entirely for want of trying: nuisance-level distributed denial-of-service attacks have occurred, as have some relatively ineffectual wiper attacks against Ukrainian targets. Russia hasn't sustained any devastating cyberattacks either, but it's feeling the effects of a range of government-run and hacktivist attacks. Many of these have taken the form of doxing, and these too have been nuisance-level operations.

But both the extensive participation of hacktivists and the novelty of the experience of coming under cyberattack have in the case of Russia been striking. Russia had hitherto enjoyed a degree of immunity from criminal attack, for one thing. There were more lucrative targets elsewhere, many of the gangs were based in Russia and enjoyed Russian government protection (or at least benign neglect), and there's some opinion that they were deterred from hitting Russian targets by a fear of Russian ability to retaliate. Much of that immunity seems to have evaporated over the course of Russia's war against Ukraine. The Washington Post describes how this has changed. It has become, the headline says, "a free-for-all." "Experts anticipated a Moscow-led cyber-assault," the article's deck reads. "Instead, unprecedented attacks by hacktivists and criminals have wreaked havoc in Russia." Particularly telling is a report from Lithuanian security firm SurfShark, which has made a practice of tallying the numbers of leaked credentials and now finds that Russian addresses amount to more than half the world total. "The number of presumed Russian credentials, such as those for email addresses ending in .ru, in March jumped to encompass 50 percent of the global total, double the previous month and more than five times as many published as were in January," the Post explains, and goes on to quote SurfShark: “The U.S. is first most of the time. Sometimes it’s India. It was really surprising for us.”

All of this said, US authorities continue to warn that Russia still poses a substantial cyber threat. C4ISRNet reports that testimony before Congress last week continued to emphasize that threat.

Hacktivism and privateering.

No one has so far turned out the lights in Kyiv (or Moscow), but distinctive styles of non-governmental activity have emerged. On the Russian side this has been a continuation of the privateering that's long been in evidence. Some Russophone gangs, notably the Conti ransomware group, have expressed their patriotic adherence to Moscow's cause, but in general they haven't enjoyed as much success as might have been expected. Criminal activity continues, but not with noticeably greater effect than has been seen before Russia's invasion of Ukraine. The gangs themselves have become targets of hacktivist reprisal, with the doxing of internal Conti chats being a prime example. Such doxing doesn't seem to have had much effect on Conti, at least in the near term, but the leaks may offer some useful insight into the gangs' organization and operations.

The Ukrainian side has benefited from a surge of ideologically aligned hacktivism, by Anonymous and others, who have received some encouragement and some targeting suggestions from the Ukrainian government via its volunteer IT-Army channels. “There are state institutions in Ukraine interested in some of the data and actively helping some of these operations,” an analyst at security firm Flashpoint told the Washington Post. “The sense that Russia is off-limits has somewhat expired, and hacktivism is one of the most accessible forms of striking at an unjust regime or its supporting infrastructure,” the Post quotes Distributed Denial of Secrets co-founder Emma Best as saying. (Distributed Denial of Secrets is a hacktivist data dump site that has prominently displayed some of the hacktivist take from Russian organizations. It hasn't by any means confined itself to Russian government data, but such data have recently been prominent on the site.) Best calls much of the hacktivism a "symbolic pantsing" of President Putin. “He’s cultivated a strongman image for decades, yet not only is he unable to stop the cyberattacks and leaks hitting his government and key industries, he’s the one causing it to happen.”

Legal and prudential limits to hacktivism.

A YouTuber is calling for other hacktivists to join in a distributed denial-of-service campaign against Russia. That call, BleepingComputer points out, not only violates YouTube's terms of service, but would also be illegal in most jurisdictions, and that means not just Russian jurisdictions, but jurisdictions throughout the civilized world as well.

The tool being recommended and offered to would-be hacktivists, "Liberator," is murky in its workings and provenance. Perhaps it functions as advertised, but it's difficult to be sure. BleepingComputer quotes a comment on the relevant YouTube channel by a user who goes by the screen name "junk." He's sympathetic to Ukraine's cause, but warns that Liberator is a closed-source tool that transfers information about a user's device to a disBalancer server, and that does so through a non-encrypted channel. Avast warned last month about the risks involved in using such tools for hacktivist purposes. The users expose themselves to considerable risk. (And besides, it's almost surely illegal.)

Applying lessons learned from an earlier cyberwar.

In 2007 Estonia was the target of Russian cyberattacks that significantly disrupted the country's financial and commercial sectors. The campaign, while it did not extend to physical invasion, nonetheless foreshadowed Russia's operations against Ukraine. Estonia's perceived affront was the relocation of a Soviet-era war memorial, the Bronze Soldier, that Russian state-controlled media seized upon as evidence of persecution of Estonia's Russophone minority. Estonia learned from the experience, and has since become one of the countries that punches far above its weight in cyberspace. It appears, NPR reports, that Russia's playbook has not changed significantly since 2007, and that the lessons learned since then have served Ukraine and others who've come under Russian cyberattack well.

And applying lessons learned from earlier privateering.

We received some comment from Benny Czarny, Founder and CEO, OPSWAT, discussing the lessons organizations have learned from the Colonial Pipeline ransomware incident, one of the more disruptive criminal attacks in recent history.

“A major lesson organizations have learned is the need for a managed Security Operation Center (SOC): that is, operationalization of ransomware response and professional response teams and services. An example within the critical infrastructure space is managed Operational Technology (OT) SOC. This means better performance monitoring of all systems, enforcing standard change management processes, vetting and deploying updates, and immediately reacting to any potential threats.

"Organizations have also learned the need to safeguard their critical environments, especially with the recent news of OT-specific malware (Pipedream/Industroyer2) and Shields Up warning. Safeguarding includes adapting a defense-in-depth approach, with end-to-end security measures from the cloud all the way down to protecting critical operational assets. The revised TSA pipeline security directive makes a clear separation between IT and OT, with enhanced security measures, disaster, and recovery plans for the OT environment. Essentially, an incident at the IT environment is virtually inevitable, but contrary to the Colonial Pipeline incidents – OT operations shouldn’t be impacted and shouldn’t be shut down.

"Organizations have also learned the need to assess both livelihood and financial risks. From a livelihood perspective, critical organizations now understand both cyber and physical risks, including prioritization of risk areas, and asset management and containment of attacks through more aggressive segmentation of critical data. From a financial risk perspective, Colonial Pipeline and other critical infrastructure attacks have taught organizations NOT to pay. There is no guarantee they will regain access or that data has not already been leaked or stolen. Payment also reinforces future and more sophisticated attacks—and it could be a US Sanctions Violation.

"Some believe that ransomware-as-a-service has tapered off and mature attack groups are bringing expertise in-house. This means higher quality and more targeted ransomware will be potentially harder to detect and remediate. Perhaps there may be fewer attacks, but they could be more damaging and difficult to recover from.

"Lastly, some security researchers believe REvil ransomware group (or another closely tied to REvil) is working on a new ransomware operation, begging the question: Is there a risk of “copycat” attacks with the one-year anniversary coming up? The main concern is the increasing aggressiveness of hacking groups from increased crackdowns—especially with the high “ROI” for attacks on critical infrastructure.”