Ukraine at D+413: The Discord Papers investigation.
Apr 13, 2023

The Discord Papers seem to have been leaked by a young influencer with a surfeit of access and ego, and too many teenage followers.

There is little change to the lines as Russian forces continue to entrench before an expected Ukrainian spring offensive. Bakhmut remains contested, and Ukrainian outrage grows over evidence that some Ukrainian prisoners of war have been beheaded by their Russian captors.

The cognitive dissonance surrounding Russia's Victory Day.

"Leaders of several Russian regions bordering Ukraine, as well as occupied Crimea, have announced that their usually high-profile 9 May Victory Day military parades will be cancelled," the UK's Ministry of Defence wrote in this morning's situation report. Victory Day is the Russian equivalent of the V-E Day observed in the West, celebrating the end of the Second World War in Europe. Victory Day, however, is a far more important holiday than V-E Day, central to Russian national identity, especially with respect to the country's self-consciously assumed role as heir to the Soviet legacy. "Some Russian cities further away from Ukraine have confirmed they plan to go ahead with Victory Day. The cancelled events have likely primarily been called off because of security concerns near the border, as officials have claimed. However, the different approaches highlight a sensitive communications challenge for the Kremlin. Putin couches the ‘special military operation’ in the spirit of the Soviet experience in World War Two. The message risks sitting increasingly uneasily with the many Russians who have immediate insights into the mismanaged and failing campaign in Ukraine. Honouring the fallen of previous generations could easily blur into exposing the scope of the recent losses, which the Kremlin attempts to cover up."

Source of leaked US intelligence may be closer to identification.

The Washington Post has investigated the Discord Papers, as they're now being called, by going to the obvious place: the Discord group where the intelligence documents were first posted. The leaks came through a small, invitation-only clubhouse ("Thug Shaker Central") established on Discord in 2020. Its members were apparently looking for fellowship and diversion during the pandemic, and found it among a collection of military wannabes who shared a willingness to engage in casual, low-grade racist humor and fantasies about conspiracies.

The leader of the clubhouse, a young man with the derivative handle "OG," is described as a "young, charismatic gun enthusiast who shared highly classified documents with a group of far-flung acquaintances searching for companionship amid the isolation of the pandemic." OG told his followers, who seem to have been disproportionately teenage boys, that he worked on a "military base" that he declined to identify, and that he spent his days working with classified material in a secure facility. The two youths with whom the Post spoke (one of whom they interviewed with the permission of his mother, which indicates how young the members of the group are) say they know OG's real name, the state in which he works, and that he's in his early-to-mid twenties.

Counterintelligence officers traditionally use the acronym "MICE," for money, ideology, compromise, and ego, to summarize the motivations of people who commit espionage. OG seems to have been motivated strongly, apparently exclusively, by ego. “If you had classified documents, you’d want to flex at least a little bit, like hey, I’m the big guy,” one of OG's besotted followers told the Post.

The material began to leak from its initial Discord channel on February 28th, when one teen member of Thug Shaker Central posted some of its photos to a different Discord channel. Other files subsequently spread to a Discord server devoted to the game Minecraft. OG stopped sharing classified information in mid-March, but on April 5th some of the material already posted appeared in 4chan and Russian Telegram channels. At that point the leak finally came to the attention of the US Government. When OG became aware that his leaked files had leaked beyond his online family, he was, the follower told the Post, distraught. “He said something had happened, and he prayed to God that this event would not happen... But now it’s in God’s hands.”

NBC News reports that the incident is prompting the US Government to review the way it monitors social media for security threats. "The intelligence community is now grappling with how it can scrub platforms like Discord in search of relevant material to avoid a similar leak in the future, said [a] congressional official." How that might be accomplished is under study; the solution isn't obvious.

Canada says its natural gas infrastructure sustained no physical damage from cyberattacks.

One of the leaks in the Discord Papers outlined attempted Russian cyberattacks against Canada's natural gas infrastructure. Prime Minister Trudeau said yesterday that the country's infrastructure sustained no "physical damage" from such attacks.

Russian cyberattacks are expected to increase as the invasion of Ukraine stalls.

The Voice of America quotes NSA cybersecurity director Rob Joyce's warning not to dismiss Russian offensive cyber capabilities. Joyce said this week, "In cyber, I think people have underestimated really how much game they [Russia] brought, whether it be the Viasat hack to nine or 10 different families of brand-new, unique wiper viruses that have been thrown in that ecosystem. There's continued attacks on Ukrainian interests, whether it's financial, government, personal, individual, business — just trying to be disruptive."

One of the threat actors that will bear watching is Winter Vivern. Avertium has published a summary of Russia's Winter Vivern and its recent activities; the researchers urge continued vigilance against what they describe as a "scrappy" and often overlooked group.

The Atlantic Council writes that Ukraine's energy sector seems to have survived the winter, and the country has even resumed export of electricity. Russian attacks against Ukrainian power generation and distribution continue, and have shown some ability to interrupt Internet service, but CyberScoop reports that those attacks have been brutally and directly kinetic attacks, not cyber operations.