Deterrence and retaliation in Russia's hybrid campaign against Ukraine.
N2K logoJan 25, 2022

Hacktivism as irregular cyber warfare during a period of hybrid conflict.

Deterrence and retaliation in Russia's hybrid campaign against Ukraine.

NATO has moved air and naval units into positions to respond to further Russian incursions into Ukraine. Reuters reports that the alliance presently has about four-thousand troops deployed in multinational battalions in Latvia, Lithuania, Estonia, and Poland; the US is said to have placed some eighty-five-hundred additional troops on alert, prepared to be transported to the region. Russia, which has staged approximately one-hundred-thousand troops near Ukraine, says NATO's response (described as "hysteria") shows that Russia, not Ukraine, is the target of aggression.

NATO, the EU, and the OSCE prepare a response to Russia's threatening posture.

Western leaders held a secure video conference yesterday in which, according to the White House:

"They reiterated their continued concern about the Russian military build-up on Ukraine’s borders and expressed their support for Ukraine’s sovereignty and territorial integrity. The leaders underscored their shared desire for a diplomatic resolution to the current tensions and reviewed recent engagements with Russia in multiple formats. The leaders also discussed their joint efforts to deter further Russian aggression against Ukraine, including preparations to impose massive consequences and severe economic costs on Russia for such actions as well as to reinforce security on NATO’s eastern flank. They committed to continued close consultation with transatlantic Allies and partners, including working with and through the EU, NATO, and the OSCE."

Participants in the call included US President Joe Biden, European Commission President Ursula von der Leyen, European Council President Charles Michel, President Emmanuel Macron of France, Chancellor Olaf Scholz of Germany, Prime Minister Mario Draghi of Italy, NATO Secretary General Jens Stoltenberg, President Andrzej Duda of Poland, and Prime Minister Boris Johnson of the United Kingdom.

Sanctions are widely expected to form an important part of any Western response. Reuters outlines the US sanctions regime that damaged Huawei when the Chinese IT giant came under suspicion of complicity with Chinese government surveillance and collection operations. Similar measures are under preparation for use against a broad range of Russian sectors.

Hacktivism in Belarus aims to disrupt rail transport for Russian forces.

An online Russian-language publication, Reformation, yesterday reported that a Belarusian hacktivist group had carried out a cyberattack designed to interfere with rail traffic in Belarus. The incident is said to have affected the national railroad’s business systems by encrypting data and destroying backups. The hackers say they’ll provide a decryptor upon the release of fifty political prisoners and a halt to Russian troop deployment in Belarus. Observers initially treated the claims of responsibility with caution: the incident may indeed have been a genuine case of hacktivism, but action by criminals, national intelligence services, or Russian provocation couldn't be ruled out, either.

Later Monday Ars Technica added more on what increasingly appears to be a hacktivist ransomware attack against Russian troop deployments and the Belarusian government that's cooperating with Moscow. The Cyber Partisans have claimed responsibility for the operation (called "Peklo," roughly "Hellfire"); they're a sophisticated hacktivist organization known to have been active since at least July of 2021. (Bloomberg reported at the time that the group had counted coup against official databases maintained by Belarusian President Lukashenka's government, doxing agencies and obtaining "lists of alleged police informants, personal information about top government officials and spies, video footage gathered from police drones and detention centers and secret recordings of phone calls from a government wiretapping system." The Belorusian KGB at the time blamed "foreign special services" for the Cyber Partisans' action. Last September the Washington Post described the Cyber Partisans' exposure of operations by Minsk's security agencies.)

The Cyber Partisans tweeted their explanation of why they hit the railroad: "At the command of the terrorist Lukashenka, #Belarusian Railway allows the occupying troops to enter our land. We encrypted some of BR's servers, databases and workstations to disrupt its operations. Automation and security systems were NOT affected to avoid emergency situations." The AP reports that a spokesperson for the Cyber Partisans, New York-based Yuliana Shemetovets, said that “Mostly commercial (freight) trains are affected. We hope it will indirectly affect Russian troops as well but we can’t know for sure. … At this point it’s too early to say.”

CyberScoop lays out the case for the Cyber Partisans being a genuine hacktivist group. It's believed they're a "self-taught" group of about fifteen expatriate Belarusian dissidents who retain some connection with disaffected members of Belarusian security services.

Why a disruptive cyberattack against railroads? Freight rail is a convenient way of moving heavy units. If Russian forces are using Belarusian rail transport, it suggests they're moving tanks and other armored vehicles. In an aside delivered during ceremonies at the Belarusian Academy of Sciences yesterday, President Lukashenka said that neither he nor his generals wanted war, and that war wasn't inevitable. He also alluded to similarities between current tensions and the German invasion of the Soviet Union during the Second World War.

Hybrid war jitters.

Multiple sources, including Newsweek and ABC News, report that the US Department of Homeland Security has issued a memorandum to its law enforcement partners warning them to prepare for Russian cyberattacks in the event of a US or NATO response to Russia's threatened invasion of Ukraine. The memorandum, dated January 23rd and produced by the Department of Homeland Security's Officer of Intelligence and Analysis, is said to read, in part, "We assess that Russia would consider initiating a cyber attack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security." (Newsweek points out that this one-sentence assessment is printed in boldface, presumably for emphasis.) The memorandum goes on to explain, "Russia maintains a range of offensive cyber tools that it could employ against US networks — from low-level denials-of-service to destructive attacks targeting critical infrastructure. However, we assess that Russia's threshold for conducting disruptive or destructive cyber attacks in the Homeland probably remains very high and we have not observed Moscow directly employ these types of cyber attacks against US critical infrastructure — notwithstanding cyber espionage and potential prepositioning operations in the past."

This isn't shocking, and the warning is carefully hedged. The memorandum is largely an exercise in presenting a priori possibilities. Of course Russia presents a cyber threat. It disposes considerable resources and expertise, that "range of offensive tools" the memorandum mentions. And it's well-established that Russian services have conducted cyberattacks, and tolerated criminal privateers who act against Russia's adversaries. Be wary, of course, but the memo as it's been reported doesn't appear to be based, publicly at least, on specific indications and warnings.

Industry assessments of the Russian cyber threat.

SecurityWeek reports that WhisperGate malware operators who recently hit Ukrainian targets in a pseudoransomware attack had access to the affected networks for several months before they executed the attack. Cisco Talos researchers believe the attackers gained access through stolen credentials, and they advise organizations to take the same sorts of defensive measures they took following NotPetya and WannaCry.

And there's a sense that Russian intelligence services may not be particularly restrained this time around. Duo's Decipher quotes Talos's director of threat intelligence, Matthew Olney, to the effect that, “They’re trying to say that there’s potential for the rules of the game to change. In the past if you discovered Russian adversaries in your network, you’d try to find all their footholds, board up behind them, and do better next time. There is a potential future where that’s not the case. If the rules of engagement change, Russia will be looking to put in place as much pressure as they can to remove any sanctions they don’t find acceptable."

We heard from other industry experts who observe that large-scale hybrid warfare is something no one has a great deal of experience with, yet. Tim Erlin, VP of Strategy at Tripwire, thinks, however, that the novelty is a surface novelty, and that it hasn't rendered well-established best practices obsolete:

“The cybersecurity industry has gotten used to tossing around the idea of ‘nation-state’ adversaries, but I think we’ve yet to see cyber attacks used in concert with a full-fledged military campaign. DHS’s warning sets that expectation that something has changed in the threat profile, and that organizations should be prepared for a change in the types of attacks they see. It’s entirely valid for organizations to wonder what they’re supposed to do differently when faced with this type of alert. Cybersecurity calls for constant defense already, and an alert like this doesn’t magically remove the obstacles that are preventing organizations from implementing solid security controls. For most companies, a DHS alert simply doesn’t create budget or add people to their staff.”

Roger Grimes, data-driven defense evangelist at KnowBe4, sees the change and sees the danger, and points out that the international norms of conflict in cyberspace still remain unformed:

"It is considered fairly natural for cybersecurity attacks to accompany kinetic, real-world battles. CISA sent out a warning last week for American organizations to be doubly prepared for additional Russian-originating cyber attacks. What surprises me a bit is that it used to be that only the directly involved parties...government and government-related contractors and suppliers, had to be worried. But Russia has changed that equation enormously over the last year. Nation-state attacks are happening by the tens of thousands and occurring against organizations with no direct government affiliation. Everyone is apparently a "fair target" these days. It is really a change in the state of nation state attacks and cyberwarfare. And it is permanent. At least until we get a Geneva Conventions-like peace agreement on what is and is not allowed in the cyberspace. Right now, it is do what you want with near impunity, with low risk. We are in an especially dangerous and risky time because no one knows what the response will be if one side or the other goes too far. For example, if one side unilaterally attacks another side in cyberspace, does that mean that a kinetic response is allowed or warranted? Does one side overreact? I think we will all be less stressed when the new rules of cyberwarfare are figured out."