Ukraine at D+1.
N2K logoFeb 25, 2022

Russia's invasion of Ukraine continues to follow its brutal course. The civilized world imposes sanctions and looks to its own cyber defenses.

Ukraine at D+1.

We note at the outset of this report that combat is inherently chaotic, and that all specific reports of damage and casualties should in particular be treated with a degree of respectful skepticism. MIT Technology Review offers some useful advice about the ways in which mis- and disinformation easily spreads in wartime. Old video and images circulate in social media (and the mainstream press) where they're represented as current imagery. Some of this is a simple matter of error born of inexperience, some of it is more-or-less sincerely driven by partisan desire and expectation, and some of it is deliberate disinformation. There are also often problems with mistranslations of reports, especially between unrelated or more remotely related languages.

But there's another reason to treat claims with caution: it's very difficult, in ground operations, for anyone, including commanders and their staffs on the scene, to know the detailed effects of combat with clarity and precision. (Anyone who's been involved in military training exercises will have experienced this difficulty first-hand, and combat exacerbates it.) So treat the reports from serious media as representing more-of-less sound approximations, and read the following with that in mind.

The situation on the ground in Ukraine.

There are confirmed Russian attacks in progress in some twenty Ukrainian cities, with Russian forces moving in from the Russian east, the Belarusian north, and the Black Sea south.

Fighting is reported in and around the capital, Kyiv, as Russia seeks the replacement of the Ukrainian government—Kyiv appears to be a decapitation objective. Russian forces are apparently making heavy use of artillery weapons. (Many or most of the "missile attacks" being reported are actually probably rocket attacks. The Russian weapons seen on the ground include a great many multiple rocket launchers, and those are free rockets, unguided systems, not missiles equipped with precision guidance. Free rockets are area weapons. Think of them as targeting square kilometers, not flying into individual vehicles or small command posts.) Ukrainian regulars are resisting Russian heavy forces (that is, mechanized forces equipped with tanks and other armored vehicles), and there are reports of irregular resistance as well, which the Ukrainian government has encouraged. Foreign Policy has an account of such resistance in the Donbas city of Kharkiv.

Some of the Russian forces engaged in the invasion have staged through and attacked from Belarusian territory. There are no credible reports of Belarusian troops proper involved in the invasion, but they're apparently available should their participation become necessary or desirable. Belarusian President Lukashenka said yesterday that they would fight if Russia needed them.

Russian Foreign Minister Lavrov has offered to negotiate with Ukraine, the New York Times reports. All Ukraine needs to do is stop resisting the Russian special military operation. Thus the price of negotiation is surrender.

Public uses of intelligence.

Both the US and the UK have been unusually forthcoming about the intelligence they've developed concerning Russian capabilities and intentions over the past two months. At least two advantages may have derived from the unusual openness. The New York Times thinks it enabled greater transatlantic solidarity and more effective coordination of policy and sanctions. Quartz argues that Russian disinformation was noticeably less effective than it might otherwise have been, given quick American debunking and, even moreso, predictive prebunking.

The situation in cyberspace, as Russia pursues its hybrid aggression.

The Russian invasion of Ukraine was preceded by distributed denial-of-service (DDoS) attacks that included wiper malware ("HermeticWiper").

Trellix Labs emailed us their assessment that any organization affected by WhisperGate should expect to be hit by the more destructive HermeticWiper:

“We are continuing to monitor the wiper malware activity in Ukraine. Our detection and analysis of these attacks suggests the same organizational networks and critical sectors impacted by WhisperGate should be preparing for attacks from HermeticWiper. While we are monitoring for indications that these attacks are spilling over into other countries, we advise caution in the heat of crisis against misreading what could be false positives as evidence of a NotPetya-type outbreak. We counsel vigilance in the spirit of #ShieldsUp, advising organizations to implement the latest measures based on the latest threat intelligence to protect themselves. This is a time for clear heads AND strong hearts.”

Moody's Vice President Leroy Terrelonge commented on the impact of the Russian invasion: "We believe cyberattacks will continue to target Ukrainian critical infrastructure entities, and we are on the lookout for spillover effects that could touch corporates beyond Ukraine’s borders."

Russia has itself begun to experience some retaliatory DDoS attacks, the Record reports. Who's responsible is unknown, but neither hacktivism nor state-directed action can be ruled out. "The perpetrators of these attacks remain unknown," the Record says, "but the sudden and senseless breakout of the Russo-Ukrainian armed conflict this week has also drawn a lot of sympathy on the side of the Ukrainian side, including from the Anonymous hacktivist group, which called on its members to attack Russian government targets." Computing notes that someone, probably, in the Guardian's estimation, the Ukrainian government, has invited hacktivists to take action against Russia.

Governments generally sympathetic to Ukraine have raised their own level of alert for Russian cyberattack. The US Cybersecurity and Infrastructure Security Agency continues to update its Shields Up advisory, posting most recently, "Russia’s unprovoked attack on Ukraine, which has been accompanied by cyber-attacks on Ukrainian government and critical infrastructure organizations, may have consequences for our own nation’s critical infrastructure, a potential we’ve been warning about for months." This is not based on specific indicators or warnings, but rather presents a prudential judgment. "While there are no specific or credible cyber threats to the U.S. homeland at this time, we are mindful of the potential for Russia’s destabilizing actions to impact organizations both within and beyond the region, particularly in the wake of sanctions imposed by the United States and our Allies. Every organization—large and small—must be prepared to respond to disruptive cyber activity."

James Turgal, Optiv Security's VP of Cyber Risk, Strategy and Board Relations reminds us, inter alia, that Russian government operations can be quickly supplemented by privateering:

“The cyber-attack capabilities of the Russian government and the organized crime elements that support the nation states’ offensive attack capabilities are well documented and are occurring as we speak. The increase in geopolitical pressure exerted upon cyber space by the kinetic activity that Russia is driving in Eastern Europe is a calculated part of Russia’s strategy. There is little doubt that the cyber-attacks victimizing government and critical infrastructure elements within the Ukraine are at least sponsored, if not sanctioned by, the Russian government and is designed to soften up the battlefield and create a disruption of information flow and chaos, whether that ends in a full-scale invasion of Ukraine or merely the annexation of parts of the country.

He also thinks that the SolarWinds episode offers a good example of how Russian operators can be expected to proceed:

"To understand the impact of what this means to the United States government, our European Allies, corporate America and our critical infrastructure, we don’t have to look much further than the proof points of Russian capabilities in the massive and sophisticated Solar Winds attacks. Everything happens for a reason, and the timing and extent of the infiltration of the Russian government into the customers of SolarWinds, which include government and critical infrastructure organizations, cannot be minimized and, in my opinion, are not a coincidence. The conversation post-breach usually centers on what information was taken. However, the most important question that is rarely asked or spoken about is what the adversary learned from the infiltration and the navigation into these organizations. The well leveraged, slow and well thought out attack plans seen in the Solar Winds incident were very successful across multiple well-protected targets. Some analysts believe the attackers appear to have had the ability to compromise thousands of organizations, but instead chose their victims carefully. However, the fact that they have not weaponized the attack in a destructive way thus far, does not mean that what they learned from that attack and the extent to which the attacker chose to deploy in that instance, isn’t being saved for a time when the attacker needs to make the biggest impact, such as during an invasion of another country.

"What is lost in the noise of numerous attacks is that, in this case, attackers used a few new and refined mechanisms to compromise Solar Winds and other downstream organizations, such as low-level compromises of the software development process and the subversion of cloud identity management technology. It also should be noted that it was the attackers’ skilled penetration and prolonged period of not being detected within these systems that is most significant to today’s crisis. And it begs the question: Are they still there and waiting for further deployment?” 

Tony Cole, CTO, Attivo Networks, offered advice to organizations concerned about becoming the targets of Russian cyber operations:

"The impact of the Russian invasion of Ukraine will have a significant impact on cybersecurity challenges for companies and governments in the U.S., allied with the U.S., and especially for the Ukraine. Here in the United States, we should expect significant attacks focused on what Putin will see as the organizations helping enact sanctions on Russia and their oligarchs. The U.S. Cybersecurity & Infrastructure Security Agency has already released warnings about attacks in a number of areas, including state-sponsored Russian attacks against cleared defense contractors. We can expect to see more frequent attacks against the U.S. financial sector, the U.S. Treasury Department, the US State Department and many others focused on actions around sanctions. Previous ground gained in pushing the Russian government to shutdown criminal ransomware gangs focused on targeting U.S. companies will likely evaporate and it’s possible those same gangs will be encouraged to increase their illicit activity.

"Companies in critical infrastructure should take the following steps immediately:

  • "Ensure multifactor authentication is in place and required for every user.
  • "Increase efforts around cyber-hygiene activities to keep all applications and operating systems updated.
  • "Closely monitor and manage identity services systems such as Active Directory and implement attack detection inside it.
  • "Ensure backups are done frequently, kept off-site, and kept in a pristine state.
  • "Keep your incident response (IR) plan updated and practice it with all key personnel. Add an external IR contract if you lack expertise.
  • "Engage with and get to know your local law enforcement team ahead of any major incident.
  • "Know, understand, and follow other best practices from NIST (Cybersecurity Framework), MITRE ATT&CK, and MITR."

NBC News reported yesterday that President Biden had been presented with options for cyber operations against Russian infrastructure: "Two U.S. intelligence officials, one Western intelligence official and another person briefed on the matter say no final decisions have been made, but they say U.S. intelligence and military cyber warriors are proposing the use of American cyberweapons on a scale never before contemplated. Among the options: disrupting internet connectivity across Russia, shutting off electric power, and tampering with railroad switches to hamper Russia’s ability to resupply its forces, three of the sources said."

But White House Press Secretary Jen Psaki was quick with a denial. There's nothing to the story, she tweeted, "This report on cyber options being presented to @POTUS is off base and does not reflect what is actually being discussed in any shape or form." It seems unlikely that the US wouldn't have contingency plans for cyber operations against Russia (it would amount to military malfeasance if no such plans were prepared), so perhaps the Press Secretary's statement is better read as a non-denial denial, perhaps serving strategic ambiguity. That any such plans are predecisional is likely: the report did say that "no final decisions had been made."

Danielle Jablanski, OT Cybersecurity Strategist at Nozomi Networks wrote to stress that cyber operations in a full-scale war remain to a significant extent terra incognita:

"The most well-informed intelligence professionals and war planners still do not know what escalation looks like in an unprecedented exchange of cyber warfare. Any cyber operation to counter Russian military aggression in Ukraine that wants to avoid encouraging Putin to take more drastic steps cannot threaten the lives and safety of innocent civilians. Cyber weapons might include zero day exploits and the potential to impose high costs on an adversary, but they also potentially lead to unintended consequences which might not be justifiable if unprovoked."

Policy (including sanctions and objectives).

The EU is today working out the sanctions it will apply to Russia as a partial response to that country's aggression in Ukraine, Reuters reports. The Kyiv Independent tweeted that the Council of Europe has suspended Russia's right of representation.

British Prime Minister Johnson yesterday announced new sanctions against Russia. These include, the Telegraph reports, "asset freezes on all major Russian banks; legislation to prohibit Russian companies from raising finance on UK markets; sanctions against more than 100 individuals, entities and their subsidiaries; trade and export bans on a wide range of tech equipment; an imminent ban on the Russian airline Aeroflot; and an intention to shut off Russia's access to the SWIFT payment system." That last is an "intention"—Russia for now at least retains access to SWIFT.

The additional sanctions the US announced yesterday continued Washington's policy of gradual incrementalism. None of them are regarded as a knock-out blow against the Russian economy, but they will impose certain costs on Moscow. A White House factsheet enumerated the new sanctions as follows:

  • "Severing the connection to the U.S. financial system for Russia’s largest financial institution, Sberbank, including 25 subsidiaries, by imposing correspondent and payable-through account sanctions. This action will restrict Sberbank’s access to transactions made in the dollar. Sberbank is the largest bank in Russia, holds nearly one-third of the overall Russian banking sector’s assets, is heavily connected to the global financial system, and is systemically critical to the Russian financial system.
  • "Full blocking sanctions on Russia’s second largest financial institution, VTB Bank (VTB), including 20 subsidiaries. This action will freeze any of VTB’s assets touching the U.S financial system and prohibit U.S. persons from dealing with them. VTB holds nearly one-fifth of the overall Russian banking sector’s assets, is heavily exposed to the U.S. and western financial systems, and is systemically critical to the Russian financial system.
  • "Full blocking sanctions on three other major Russian financial institutions: Bank Otkritie, Sovcombank OJSC, and Novikombank- and 34 subsidiaries. These sanctions freeze any of these institutions’ assets touching the U.S financial system and prohibit U.S. persons from dealing with them. These financial institutions play a significant role in the Russian economy.
  • "New debt and equity restrictions on thirteen of the most critical major Russian enterprises and entities. This includes restrictions on all transactions in, provision of financing for, and other dealings in new debt of greater than 14 days maturity and new equity issued by thirteen Russian state-owned enterprises and entities: Sberbank, AlfaBank, Credit Bank of Moscow, Gazprombank, Russian Agricultural Bank, Gazprom, Gazprom Neft, Transneft, Rostelecom, RusHydro, Alrosa, Sovcomflot, and Russian Railways. These entities, including companies critical to the Russian economy with estimated assets of nearly $1.4 trillion, will not be able to raise money through the U.S. market — a key source of capital and revenue generation, which limits the Kremlin’s ability to raise money for its activity.
  • "Additional full blocking sanctions on Russian elites and their family members: Sergei Ivanov (and his son, Sergei), Nikolai Patrushev (and his son Andrey), Igor Sechin (and his son Ivan), Andrey Puchkov, Yuriy Solviev (and two real estate companies he owns), Galina Ulyutina, and Alexander Vedyakhin. This action includes individuals who have enriched themselves at the expense of the Russian state, and have elevated their family members into some of the highest position of powers in the country. It also includes financial figures who sit atop Russia’s largest financial institutions and are responsible for providing the resources necessary to support Putin’s invasion of Ukraine. This action follows up on yesterday’s action targeting Russian elites and their family members and cuts them off from the U.S. financial system, freezes any assets they hold in the United States and blocks their travel to the United States.
  • "Costs on Belarus for supporting a further invasion of Ukraine by sanctioning 24 Belarusian individuals and entities, including targeting Belarus’ military and financial capabilities by sanctioning two significant Belarusian state-owned banks, nine defense firms, and seven regime-connected officials and elites. We call on Belarus to withdraw its support for Russian aggression in Ukraine.
  • "Sweeping restrictions on Russia’s military to strike a blow to Putin’s military and strategic ambitions. This includes measures against military end users, including the Russian Ministry of Defense. Exports of nearly all U.S. items and items produced in foreign countries using certain U.S.-origin software, technology, or equipment will be restricted to targeted military end users. These comprehensive restrictions apply to the Russian Ministry of Defense, including the Armed Forces of Russia, wherever located.
  • "Russia-wide restrictions to choke off Russia’s import of technological goods critical to a diversified economy and Putin’s ability to project power. This includes Russia-wide denial of exports of sensitive technology, primarily targeting the Russian defense, aviation, and maritime sectors to cut off Russia’s access to cutting-edge technology. In addition to sweeping restrictions on the Russian-defense sector, the United States government will impose Russia-wide restrictions on sensitive U.S. technologies produced in foreign countries using U.S.-origin software, technology, or equipment. This includes Russia-wide restrictions on semiconductors, telecommunication, encryption security, lasers, sensors, navigation, avionics and maritime technologies. These severe and sustained controls will cut off Russia’s access to cutting edge technology.
  • "Historical multilateral cooperation that serves as a force multiplier in restricting more than $50 billion in key inputs to Russia- impacting far more than that in Russia’s production. As a result of this multilateral coordination, we will provide an exemption for other countries that adopt equally stringent measures. Countries that adopt substantially similar export restrictions are exempted from new U.S. licensing requirements for items produced in their countries. The European Union, Australia, Japan, Canada, New Zealand and the United Kingdom, have already communicated their plans for parallel actions. This unprecedented coordination significantly expands the scope of restrictions on Russia. Further engagement with Allies and partners will continue to maximize the impact on Russia’s military capabilities."

It's noteworthy that sanctions are being leveled against Belarus as well as Russia. The measures stopped short of cutting off Russia's access to the SWIFT international bank transfer system, a move many observers thought would be among the more punitive measures that might be taken. White House sources indicated that Russian access to SWIFT was permitted to continue at the request of US allies. US Senator Bob Menendez (Democrat of New Jersey and chair of the Senate Foreign Relations Committee) explained the probable outcome of the new measures in a statement distributed in an email: “The sanctions announced today will exact a significant toll on the Russian economy, including by blocking some of the largest banks in Russia; mirroring the steps I have called for in legislation. These measures will also limit Russia’s ability to participate in the global economy, restrict critical exports, and importantly, impose costs on Russian elites who have enabled and benefit from Putin’s aggression and grip on power." He also indicated that access to SWIFT should be among the options the Administration considers, going forward: “As we seek to impose maximum costs on Putin, there is more that we can and should do. Congress and the Biden administration must not shy away from any options—including sanctioning the Russian Central Bank, removing Russian banks from the SWIFT payment system, crippling Russia’s key industries, sanctioning Putin personally, and taking all steps to deprive Putin and his inner circle of their assets."

Ukraine understandably would like to see the US and its NATO allies doing much more. President Zelenskyy said yesterday, "This morning we are defending our state alone. Like yesterday, the world's most powerful forces are watching from afar. Did yesterday's sanctions convince Russia? We hear in our sky and see on our earth that this was not enough."