Ukraine at D+126: Russia leaves Snake Island. DDoS in NATO's North.
N2K logoJun 30, 2022

Russia abandons Snake Island in the Black Sea as the artillery war continues in the Donbas. The Cyber Spetsnaz conduct DDoS attacks against Norway (and the Svalbard treaty is the issue). NATO prepares for renewed Russian cyber ops, and Roskosmos releases satellite images of Western government buildings (apparently nothing more than you could get anywhere else).

Ukraine at D+126: Russia leaves Snake Island. DDoS in NATO's North.

Russian forces have abandoned Snake Island in the Black Sea under Ukrainian fire. Ukraine says it forced Russian occupiers off the island, and that their loss of Snake Island will make it more difficult for Russia to operate against Ukraine's Black Sea coast. Russia, the Guardian reports, says it didn't happen this way, that Russia removed its forces as planned because they'd accomplished their mission, which was "controlling the airspace." And, the Russian Ministry of Defense adds, it was a humanitarian gesture intended to make it easier to move grain from ports in the region. “In order to organise humanitarian grain corridors as part of the implementation of joint agreements reached with the participation of the UN, the Russian Federation decided to leave its positions on Zmiinyi Island,” the Ministry said in a statement that also blamed Ukrainian mines for creating a hazard in the sealanes. Ukraine's claims of a victory are, Russia says, spurious.

The UK's Ministry of Defence (MoD) updates its situation report on the fighting in the Donbas, with an emphasis on the importance of fighting withdrawals in a war of attrition. "Ukrainian forces continue to hold their positions in the city of Lyschansk following their withdrawal from Sieverodonetsk. Russian forces continue to pursue an approach of creeping envelopment from the Popasna direction, removing the need to force a major new crossing of the Siverskyi Donets River in this sector. Current ground combat is likely focused around the Lyschansk oil refinery, 10km south-west of the city centre. At the operational level, Russian forces continue to make limited progress as they attempt to encircle Ukrainian defenders in northern Donetsk Oblast via advances from Izium. It is highly likely that Ukrainian forces’ ability to continue fighting delaying battles, and then withdraw troops in good order before they are encircled, will continue to be a key factor in the outcome of the campaign." The Wall Street Journal describes the cost that war of attrition continues to impose on both sides.

Killnet hits Norwegian websites.

Killnet, operating again as the Cyber Spetsnaz, yesterday announced a campaign against Norway in its Telegram channel. The post led with a doctored photo of Norway's Foreign Minister Anniken Huitfeldt in which she's called "Mrs. Error" and made up to look like the Disney villainess Malificent. “Good morning Norway!" the introductory text read, "All units to battle.” This was followed by a list of Norwegian targets. The Russian complaint against Norway, as the Barents Observer reports, is that Norway isn't permitting Russian goods to transit Norwegian territory enroute to the island of Svalbard via the Russian port of Murmansk. Thus it has some similarity to the Russian complaint against Lithuania, which had prevented shipment of some goods to the non-contiguous province of Kaliningrad, and which also attracted the attention of Killnet. Svalbard is under Norwegian sovereignty, but a treaty guarantees Russian coal mining operations on the island. Members of Russia's Duma have questioned Norway's sovereignty given what they call Oslo's violations of the Svalbard treaty, and the AP reports that Norway's ambassador to Moscow was summoned to the Russian Foreign Ministry to give an explanation of Norwegian policy.

The cyber attacks claimed by Killnet have been distributed denial-of-service (DDoS) incidents. Several sites were disrupted for a matter of hours, but Norwegian authorities said the effects were limited and have been largely mitigated. Norway's NSM attributed the attacks to a "criminal pro-Russian group," and is investigating the group's possible ties to the Russian government.

Hacktivists tied to Russia's government.

Bloomberg reports that "XakNet," a nominally independent pro-Russian hacktivist group that's denied answering to Moscow, may in fact be tied to the Russian government. The source of the attribution is Mandiant. “It’s important we scrutinize the actors who claim to be Russian hacktivists because the intelligence services regularly use that façade to carry out their operations,” said John Hultquist, Mandiant’s vice president of intelligence analysis. “If we wait until after a major attack to ask who is really behind these personas, it may be too late.” This is unsurprising. Russian intelligence and security services have long operated nominally independent hacktivist groups. Guccifer 2.0's actions during the 2016 US elections are an example of the practice--the group was eventually associated with the GRU.

(A pronunciation note: the "X" is pronounced like an English "H," which has no exact equivalent in Russian, and sounds like the "ch" in "loch;" "HackNet" is close enough.)

Looking ahead to possible new cyber phases of Russia's hybrid war.

While Russian cyberattacks have, like Russian ground forces, fallen far short of expectations in terms of effectiveness if not in terms of effort, NATO continues to prepare for renewed cyber offensives that could extend beyond the borders of Ukraine. Such cyberattacks as have extended to NATO members have not succeeded in achieving more than a nuisance level of effect. But Protocol discusses Russian capabilities with a variety of cybersecurity experts who say that desperation could drive Russia to attempt more extensive and more destructive cyberattacks. The views of former US Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs are representative. "Once they [the Russians] start losing good options, they're going to start using some of their capabilities they've kept in reserve to strike back at the U.S. and say, 'Hey, wipe off the sanctions,'" he told Protocol. "How are they going to do it? It would be a highly visible, likely destructive attack."

Looking ahead to such an eventuality, NATO this week announced plans to increase resilience and organize a rapid-response capability to address Russian cyber threats. The Alliance announced, in its Madrid Summit Declaration, "Resilience is a national responsibility and a collective commitment. We are enhancing our resilience, including through nationally-developed goals and implementation plans, guided by objectives developed by Allies together. We are also strengthening our energy security. We will ensure reliable energy supplies to our military forces. We will accelerate our adaptation in all domains, boosting our resilience to cyber and hybrid threats, and strengthening our interoperability. We will employ our political and military instruments in an integrated manner. We have endorsed a new chemical, biological, radiological and nuclear defence policy. We will significantly strengthen our cyber defences through enhanced civil-military cooperation. We will also expand partnership with industry. Allies have decided, on a voluntary basis and using national assets, to build and exercise a virtual rapid response cyber capability to respond to significant malicious cyber activities."

Why major, destructive Russian cyberattacks have yet to materialize remains open to debate. The Jerusalem Post reviews two of the leading explanations, overconfidence and poor preparation. Microsoft's John Lambert, vice president of the company's Threat Intelligence Center, described the overconfidence theory. “The easiest explanation is that Russia believed in their war plans," he told a Cyber Week 2022 in Tel Aviv this week. "They thought in 10 days they would be governing the country, the government would fall and they didn’t want to wreck the infrastructure of the country. That did not go according to plan, and they had to adapt.”

Poor preparation was the explanation Professor Isaac Ben-Israel, director of the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University, advanced at the same conference. “If you want your capability to be adaptive, you have to invest a huge effort in maintaining this capability,” he said. “Russia didn’t do that, and that’s why when the war started, you saw certain cyber actions, but that was the end of it.” 

Roscosmos publishes locations of Western defense facilities (and subsequently says it sustained a DDoS attack).

Roscosmos, the Russian space agency, released overhead imagery and the geographical coordinates of a variety of Western installations online Tuesday. Dmitry Rogozin, head of Roscosmos, explained, "The entire conglomerate of private and state orbital groupings is now working exclusively for our enemy." He added in his Telegram channel, "Today, the NATO summit opens in Madrid, at which Western countries will declare Russia their worst enemy. Roscosmos publishes satellite photographs of the summit venue and the very 'decision centres' that support Ukrainian nationalists. At the same time, we are giving the coordinates of the objects. Just in case." The photos and geolocations included the venue in Madrid where the NATO summit met, the Pentagon, the White House, various British government buildings in central London, the German Chancellery, the Reichstag, NATO headquarters, the Élysée Palace, and other government buildings in Paris. None of these locations are secret, which makes what Mr. Rogozin thinks he's up to a bit of a puzzle. The "Just in case" sounds menacing, but it's difficult to see what such a case might be. Anyway, he's displeased with support Western space companies and agencies have rendered to Ukraine.

Yesterday, according to the Wall Street Journal, Roscosmos press chief Dmitry Strugovets Telegramed that the agency had sustained a distributed-denial-of-service (DDoS) attack. He said it had been successfully repelled, and that it originated from the Russian city of Yekaterinburg. How such an attack might be staged through Yekaterinburg is unclear, although the city is the setting of the sitcom that features Gennady Bukin, Russia's Al Bundy, so it's got that going for it, we guess.