Ukraine at D+76: Attribution and condemnation of Russia's AcidRain attack on the KA-SAT network.

This morning's situation report from the British Ministry of Defence (MoD) highlights the struggle for control of the Black Sea coast. Fighting continues at Zmiinyi Island, also known as Snake Island, with Russia repeatedly trying to reinforce its exposed garrison located there. Ukraine has successfully struck Russian air defences and resupply vessels with Bayraktar drones. Russia’s resupply vessels have minimum protection in the western Black Sea, following the Russian Navy’s retreat to Crimea after the loss of the Moskva. Russia’s current efforts to augment its forces on Zmiinyi Island offer Ukraine more opportunities to engage Russian troops and attrit materiel. If Russia consolidates its position on Zmiinyi Island with strategic air defence and coastal defence cruise missiles, they could dominate the north-western Black Sea." Russian bombardment of Odessa continues, the AP reports. It's long-range missile fire, not close combat, and the targets are warehouses and other port facilities, not military units or installations. The evident goal of the bombardment is to deprive Ukraine of the use of its principal port.

Fighting an actual army is different from fighting bandits and insurrectos, or killing civilians.

That's the opinion of a Wagner Group alumnus who says he declined an offer to fight in Ukraine. "They were caught completely by surprise that the Ukrainian army resisted so fiercely and that they faced the actual army," Marat Gabidullin told the Telegraph. "He said people he spoke to on the Russian side had told him they expected to face rag-tag militias when they invaded Ukraine, not well-drilled regular troops." This is of course one man's opinion, albeit one fairly well-informed man, but Mr. Gabidullin (who now lives in Paris) describes a state of military affairs that seems to have been strongly confirmed by surprisingly poor Russian combat performance.

More attribution of the Viasat cyberattack to Russia.

We saw yesterday that the European Union had formally attributed the cyberattack against Viasat's KA-SAT network, which took place an hour before combat operations began against Ukraine, to Russia. Other allied governments were quick to second that attribution.

The US Department of State said, after drawing attention to Russian use of wiper malware in its cyber prep, "Today, in support of the European Union and other partners, the United States is sharing publicly its assessment that Russia launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries. The activity disabled very small aperture terminals in Ukraine and across Europe. This includes tens of thousands of terminals outside of Ukraine that, among other things, support wind turbines and provide Internet services to private citizens."

The US Cybersecurity and Infrastructure Security Agency (CISA) updated their March 17th Alert (AA22-076A) "Strengthening Cybersecurity of SATCOM Network Providers and Customers," to explain that the threat to SATCOM networks they warned about was indeed a Russian threat.

The attribution offered by Britain's NCSC is more specific: it calls out "Russian military intelligence, the GRU, as the organization responsible for the cyberattacks. Estonia is equally specific: "[I]t can be stated with high certainty that the GRU was behind these attacks." The British Government also sees, as the Telegraph explains, the cyberattacks against the German wind turbine sector as collateral damage (perhaps "side benefit" or "gravy" would be more accurate) of the prep fire directed against Ukraine's Internet. Both the British Foreign Minister and the US Secretary of State emphasized this indiscriminate aspect of the Russian cyberattack. “This is clear and shocking evidence of a deliberate and malicious attack by Russia against Ukraine which had significant consequences on ordinary people and businesses in Ukraine and across Europe,” NBC News quotes British Foreign Secretary Liz Truss as saying in a news release, and US Secretary of State Anthony Blinken made the same point: “Russia launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion, and those actions had spillover impacts into other European countries."

Canada, in a joint statement by the Ministers of Foreign Affairs, National Defence, and Public Safety, condemned the Russian attack. “Canada assesses that the Russian military was behind this incident. Russia’s illegal invasion of Ukraine, its malicious cyber activity, and its egregious disinformation campaigns are unacceptable and must stop." The ministers added a brief history lesson to put the attack in the context of what the US State Department called "the Russian playbook":

“This most recent incident underlines a pattern of disruptive cyber activity that demonstrates a repeated disregard for the rules-based international order. This activity also demonstrates the willingness of Russia to use its cyber capabilities irresponsibly.

“Previous malicious Russian cyber activities include:

• "the targeting of the Ukrainian banking sector in February 2022
• "the exploitation of the SolarWinds platform by Russia’s Foreign Intelligence Service (SVR) in 2021
• "the SVR’s targeting of Canadian COVID-19 vaccine research and development in 2020
• "the interference by Russia’s military intelligence agency (GRU) in Georgia’s 2020 parliamentary elections
• "the development and indiscriminate use of NotPetya malware in 2017, which caused massive damage to government and business networks globally"

Australia's Ministers of Foreign Affairs, Defence, and Home Affairs concentrated on Russia's use of cyberattacks as battlespace preparation:

"Today we join the US and the EU in attributing to the Russian government the following activity:

• "Russian military cyber operators have deployed multiple families of destructive wiper malware, including WhisperGate, on Ukrainian government and private sector networks. These disruptive cyber operations began in January 2022 prior to Russia’s invasion of Ukraine.
• "Russian government cyber actors have compromised a number of Ukrainian civilian entities since October 2021 that would be involved in crisis response activities, including networks related to emergency services, energy, transport and also communications. We have previously publicly highlighted Russia’s mid-February distributed denial of service (DDOS) attacks against certain Ukrainian banking-related services.
• "Together with our partners, we assess that Russia launched cyber attacks in late February against commercial satellite communications networks to disrupt Ukrainian command and control during the invasion and those actions had spill-over impacts in other European countries. The activity disabled very small aperture terminals (VSAT) in Ukraine and across Europe. This included tens of thousands of terminals outside of Ukraine that, among other things, support wind turbines and provide internet services to private citizens."

"These unacceptable activities are further examples of Moscow’s indiscriminate approach to cyber operations and blatant disregard for the effects of such operations on the public, including through the commercial sector."

And the Australian Government adds a pointed reminder to Moscow: "Australia is committed to imposing costs on state-based or state-sponsored malicious actors who seek to undermine an open, free, safe and secure cyberspace."

All the governments who've publicly attributed the disruption of Viasat's KA-SAT network add strong and unambiguous condemnation of the cyberattack, and most of them draw attention to the advice they're offering on preparing to withstand future Russian cyberattacks. For governments that aren't parties to the conflict, their open hostility to Russia's special military operation and their support for Ukraine are striking and unambiguous.

That further attacks must be considered at least possible, perhaps probable, is a conclusion to be drawn from MIT Technology Review's coverage of the cyberattack on Viasat terminals. The Russians used the AcidRain wiper against the systems, and AcidRain is striking in its general purpose adaptability. Technology Review quotes SentinelOne researcher Andres Guerrero-Saade, who says, “What’s massively concerning about AcidRaid is that they’ve taken all the safety checks off. With previous wipers, the Russians were careful to only execute on specific devices. Now those safety checks are gone, and they are brute-forcing. They have a capability they can reuse. The question is, what supply-chain attack will we see next?”

Kaspersky remains under investigation.

Bloomberg updates its coverage of the ongoing investigation of Kaspersky security software as a potential security threat, quoting Rob Joyce, head of NSA's Cybersecurity Directorate on the risk he thinks Kaspersky poses to US companies. “I am still very worried about US companies that are using Kaspersky,” Joyce. “We think that is ill-advised with this global situation.” In one respect this is a supply chain issue: Kaspersky software is white-labeled inside many widely used devices. “So there are routers, for example, that come with a Kaspersky engine inside them," Joyce said, "and it’s not clear people understand that that’s buried inside a product that looks US or Western. So we’re trying to understand where those risks are in the supply chain and where the biggest ones exist.”