Cyberspace in multi-domain operations: the case of Ukraine.
Jan 18, 2022

Ukraine has now attributed last week's cyberattacks to Russian operators, and Kyiv has found some support for its conclusion among other governments. Microsoft on Saturday released a report on the malware used in the attacks: it was a wiper that represented itself as ransomware. NATO considers its options for defense, deterrence, and response.

Cyberspace in multi-domain operations: the case of Ukraine.

A preliminary note on last week's apparent Russian cyber operations against Ukraine: the incidents are still recent, and investigation is underway. While there's an emerging consensus that Russian services are responsible for last week's attacks, the full extent of those attacks, their goals, the way they were carried out, and even final attribution remain under investigation. But the situation as a whole exhibits hybrid warfare in all but its most active kinetic phases: from diplomacy through influence operations, from cyber operations to the staging of deniable irregular or special forces, and on to the preparatory marshaling of large conventional forces.

Ukraine officially attributes last week's cyberattacks to Russia.

Kyiv has accused Russian services of carrying out last week's cyberattacks. "Moscow continues to wage a hybrid war and is actively building forces in the information and cyberspace," Ukraine's Ministry of Digital Transformation said this weekend. Kyiv's view is that the operation is a continuation of the hybrid war Russia has waged against Ukraine since its 2014 invasion of Crimea. Ukraine's State Service for Special Communications described the attacks as hitting seventy government "sites or resources," ten of which were "subjected to unauthorized interference." But the service claimed that no personal data were leaked, and that most affected sites were quickly restored to normal. The State Service added some details about how the attackers obtained access to the sites: it was a supply chain attack. "The attackers hacked the infrastructure of a commercial company that had administrative access to the web resources affected by the attack." Which commercial vendor was hit remained unspecified. (It's worth noting that a supply chain attack through M.E.Doc tax preparation software was used in 2017's NotPetya attack, which has been generally attributed to Russian intelligence services.) Reuters reported this morning that Ukraine's Cyber Police said that "external information resources" may have been destroyed in last week's attack. The emphasis on "external resources" would seem to suggest confirmation that the incident involved a supply chain attack.

Early reports from Kyiv alleged Belarusian participation in the cyberattacks. Serhiy Demedyuk, deputy secretary of the national security and defense council, told Reuters in written comments that "We believe preliminarily that the group UNC1151 may be involved in this attack," adding, "This is a cyber-espionage group affiliated with the special services of the Republic of Belarus." Ukrainian investigators say they've found code similarities with malware used by Russian intelligence services. Demedyuk said, "The malicious software used to encrypt some government servers is very similar in its characteristics to that used by the ATP-29 group. The group specializes in cyber espionage, which is associated with the Russian special services (Foreign Intelligence Service of the Russian Federation) and which, for its attacks, resorts to recruiting or undercover work of its insiders in the right company." APT29 is familiarly known as Cozy Bear, and is usually associated with the Russian SVR foreign intelligence service, but sometimes also with the Russian FSB security service.

Mandiant, which has been tracking UNC1151 since 2017, in November released a report attributing the Ghostwriter campaign to UNC1151 and thence to the Belarusian government, and wrote at the time that "We cannot rule out Russian contributions to either UNC1151 or Ghostwriter. However, at this time, we have not uncovered direct evidence of such contributions." Distinguishing Russian from Belarusian operations in this case may amount to drawing a distinction without a difference, since Belarusian and Russian cooperation is longstanding and widely recognized, and since combined cyber operations are a priori plausible; and Ukraine now maintains that it's found significant code similarities between the attack tools used by Moscow and Minsk.

In any case, Reuters also reported Monday that Russian forces have arrived in Belarus to prepare for joint exercises, "Allied Resolve," to be held in February near Belarus's borders with Poland, Lithuania, and Ukraine. The exercises, which have attracted NATO criticism as indications of an imminent intention to invade Ukraine, are represented by both Russia and Belarus as routine and prudent responses to NATO provocations.

Disinformation as battlespace preparation.

The cyber operations, coming as they do as Russian troops are reported to have marshaled in assembly areas near the Ukrainian border, have been received by NATO as battlespace preparation. The US has said that the cyberattacks have the hallmarks of a disinformation operation intended to afford Russia a pretext for military action. (Russia yesterday denounced the US charges as "total disinformation.")

The cyberattacks that hit Ukrainian government websites told users that their information had been compromised. Amit Shaked, CEO of Laminar, wrote to point out that fear of loss of personal data appeared to be the principal immediate threat the website defacements intended to communicate: “Although the details of the Ukrainian government cyberattack are still to surface, the ‘currency’ being used to [incite] fear is clear: personal data. The message posted on attacked sites reads, ‘Ukrainians! All your personal data was uploaded to the internet... All information about you became public. Be afraid and expect the worst.’ Lest we forget, cybersecurity is about protecting data. Therefore a data-centric approach that understands where your most sensitive data is, that it has proper controls in place and that it is being continuously monitored is an excellent place to start.”

Ukraine's ministry of digital transformation agrees that the cyberattacks represented, at one level, disinformation in the service of influence operations. "Its goal is not just to intimidate society, but to destabilize the situation in Ukraine by stopping the public sector's work and undermining Ukrainians' confidence in their government."

Some disinformation is disinformation of the deed, and in this case the US in particular has warned that Russia may be preparing kinetic acts of sabotage or terror as provocations that would provide a pretext for a full-scale invasion. Foreign Policy quotes an anonymous US official at length on how this might be accomplished. “Russia is laying the groundwork to have the option of fabricating a pretext for invasion, including through sabotage activities and information operations, by accusing Ukraine of preparing an imminent attack against Russian forces in eastern Ukraine," the source said. An attack against deniable, Russian-proxy forces that have been operating in the Donbass region of Eastern Ukraine since 2014 is thought most likely. The anonymous official added, “The Russian military plans to begin these activities several weeks before a military invasion, which could begin between mid-January and mid-February. We saw this playbook in 2014 with Crimea.” The Guardian quotes two US officials on the record as making essentially the same point. “We have information that indicates Russia has already pre-positioned a group of operatives to conduct a false flag operation in eastern Ukraine,” White House press secretary Jen Psaki said. “The operatives are trained in urban warfare and using explosives to carry out acts of sabotage against Russia’s own proxy forces.” US Department of Defense spokesman John Kirby said that Russia was preparing a provocation "designed to look like an attack on ... Russian-speaking people in Ukraine, again as an excuse to go in.”

Russia denies any involvement in the cyberattacks, and disclaims any intention to invade Ukraine. Kremlin spokesman Dmitry Peskov said in a CNN interview, “We have nothing to do with it. Russia has nothing to do with these cyber-attacks. Ukrainians are blaming everything on Russia, even their bad weather in their country.”

Misdirection for staging and sabotage.

The cyberattacks may also have been intended to provide cover for other, more destructive operations. Deputy Secretary Demedyuk, while sniffing at the low quality of the Polish-language site defacements ("It is obvious that they did not succeed in misleading anyone with this primitive method, but still this is evidence that the attackers 'played' on the Polish-Ukrainian relations (which are only getting stronger every day)"), added that Ukraine views last week's website defacements as misdirection, and not as operations to be taken at face value. "The defacement of the sites was just a cover for more destructive actions that were taking place behind the scenes and the consequences of which we will feel in the near future," he said.

Microsoft said on Saturday that it hadn't been able to draw connections between Friday's cyberattacks against Ukraine and any of the threat actors it tracks. It is, however, confident that the attack involved the use of a wiper, that is, malware whose intent was the destruction of data, not their temporary denial (as in a conventional ransomware attack) or their theft. The operation is being called "WhisperGate," and Microsoft has given the threat actor behind it the temporary tracking identifier DEV-0586. The Microsoft Threat Intelligence Center (MSTIC) reported:

"While our investigation is continuing, MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom....

"Given the scale of the observed intrusions, MSTIC is not able to assess intent of the identified destructive actions but does believe these actions represent an elevated risk to any government agency, non-profit or enterprise located or with systems in Ukraine. We strongly encourage all organizations to immediately conduct a thorough investigation and to implement defenses using the information provided in this post."

The attack is, Microsoft says, a two-stage operation. Stage one overwrites the Master Boot Record "to display a faked ransom note." That bogus ransom note said:

"Your hard drive has been corrupted. In case you want to recover all hard drives of your organization, You should pay us $10k via bitcoin wallet 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65 with your organization name. We will contact you to give further instructions."

This is implausible ransomware on several grounds. For one thing, the same payload was observed in all of WhisperGate's victims, and that's unusual for criminal ransomware, which usually employs customized payloads. It's also unusual for an initial ransom notice to specify an amount of ransom or a cryptocurrency wallet, or, for that matter, to specify Tox as the only mode of contact. There was also no evidence of a recovery mechanism--the Master Boot Record was simply overwritten. And there was no custom ID provided for each victim, which has also been a routine feature of criminal ransomware.

Stage two of the attack installs a file-corrupter malware. That malware is still undergoing analysis. Microsoft has provided a set of indicators of compromise (IOCs) organizations can use to assess their risk.
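The stage-one MBR overwrite described above is something a responder can check for directly on a disk image. The following is an added triage example, not code from Microsoft or from the report: it reads a 512-byte sector, verifies the boot signature and partition table, looks for phrases from the faked ransom note, and compares the sector's hash with a recorded baseline. The two sample sectors are constructed for illustration, and the assumption that the note text appears as plain ASCII in the overwritten sector is an assumption, not a fact from the report.

```python
"""Triage check for an MBR overwrite of the kind Microsoft describes for
WhisperGate stage one. Added example; the sample sectors are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR
# Phrases from the faked ransom note quoted in the Microsoft report.
# Assumption: the note text sits in the overwritten sector as plain ASCII.
NOTE_MARKERS = (b"Your hard drive has been corrupted", b"bitcoin wallet", b"tox ID")


def parse_partition_table(sector):
    """Return the four 16-byte partition entries at offset 446 as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, 446 + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def assess_mbr(sector, baseline_sha256=None):
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(sector) != SECTOR_SIZE:
        return ["sector is not 512 bytes"]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    used = [e for e in parse_partition_table(sector) if e["type"] != 0]
    if not used:
        findings.append("partition table empty")
    for n, e in enumerate(used):
        if e["lba_start"] == 0 or e["sectors"] == 0:
            findings.append(f"partition entry {n} has zero start or length")
    for marker in NOTE_MARKERS:
        if marker in sector:
            findings.append(f"ransom-note text present: {marker.decode()}")
    if baseline_sha256 and hashlib.sha256(sector).hexdigest() != baseline_sha256:
        findings.append("sector hash differs from recorded baseline")
    return findings


def build_clean_mbr():
    """Constructed sample: zeroed boot code, one NTFS partition, valid signature."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 2_097_152) + bytes(48)
    return bytes(446) + table + BOOT_SIGNATURE


def build_overwritten_mbr():
    """Constructed sample: note text plus zero padding in place of the whole
    sector, so the partition table and signature are gone (assumed layout)."""
    note = (b"Your hard drive has been corrupted. In case you want to recover "
            b"all hard drives of your organization, You should pay us $10k via "
            b"bitcoin wallet <address from note> and send message via tox ID "
            b"<id from note> with your organization name.")
    return note.ljust(SECTOR_SIZE, b"\x00")


if __name__ == "__main__":
    baseline = hashlib.sha256(build_clean_mbr()).hexdigest()
    for name, sector in (("clean", build_clean_mbr()),
                         ("overwritten", build_overwritten_mbr())):
        print(name, assess_mbr(sector, baseline) or ["no findings"])
```

On a real host the sector would come from the first 512 bytes of the physical disk (or a forensic image), and the baseline hash from an inventory taken before the incident.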

The use of a wiper that posed as ransomware has been previously observed in the NotPetya and BadRabbit campaigns, both of which, the Record reminds its readers, were unambiguously attributed by the Five Eyes to Fancy Bear, Russia's GRU military intelligence service.

Calvin Gan, Senior Manager, Tactical Defence, at F-Secure, wrote to point out that there's no novelty in concealing a wiper in apparent ransomware or a data theft incident.

"The existence of wiper malware disguised as ransomware is not new. WhisperGate or DEV-0586 as Microsoft calls it has a similar resemblance to NotPetya discovered back in 2017 which is also a wiper malware disguised as a ransomware. NotPetya at that time has crippled many companies in Ukraine, France, Russia, Spain and the United States. Then there is also the Agrius group tracked by researchers from SentinelOne who recently has also been utilizing wiper malware on their target organizations in the Middle East.

"With the usage of wiper malware, it is clear that the attackers are not after financial gain but [are] more motivated to cripple the target operations. Overwriting the Master Boot Record (MBR) would render the machine unbootable thus making recovery impossible especially when the malware also overwrites file contents before overwriting the MBR.

While the attacker's true intention in deploying wiper ransomware coupled with a file corrupter is not known at the moment, having it target governmental agencies and associated establishments is "a sign that they want operations in these organizations ceased immediately. Perhaps, the bitcoin wallet address and communication channel in the ransom note of WhisperGate is a smoke screen to divert attention of the attacker's true intention of the attack while making it harder to track them."

Raj Samani, McAfee Enterprise & FireEye’s Chief Scientist and Fellow, also says this isn't a new tactic:

“The use of pseudo ransomware is not necessarily novel, and in this case we are tracking the prevalence of the campaign to determine whether targeting is wider than just the Ukraine. Upon analysis, it would suggest that the campaign is indeed largely focused on organizations in the one country. We have to acknowledge that such actions in conjunction with the inability to pay infers a destructive campaign, or indeed one intended to spread fear. This campaign somewhat resembles NotPetya and WannaCry in its pseudo ransomware nature, but it is highly targeted rather than wormable. This places it more in the tradition of a wiper like Shamoon.”

Those interested in a review of Russia's history in Ukraine, including aspects of the Soviet legacy and, especially, Russian cyber operations and hybrid warfare against its neighbor since 2014 and up through last year, will find an anthology prepared by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCoE) particularly helpful as background. Cyber War in Perspective: Russian Aggression Against Ukraine is a valuable contribution to understanding current history.

Reaction from NATO.

Ukrinform reports (and TASS echoes, with a surprisingly neutral account) that NATO, having condemned last week's cyberattacks, is working toward closer cooperation on cyber defense with Ukraine. According to Reuters, the US has offered Ukraine "whatever it needs" to recover from those attacks, and Interfax-Ukraine says that Franco-American talks have addressed common preparations to render such aid to Kyiv.

Germany's Foreign Minister Annalena Baerbock, in Kyiv for talks before moving on to Moscow for further discussions of the crisis, held out hope for a diplomatic resolution of the tensions, but was clear that "Each further aggressive act will have a high price for Russia, economically, strategically, politically." Talking specifically about the recent cyberattacks, US National Security Advisor Jake Sullivan acknowledged that, while the attacks looked, circumstantially, like something out of the Russian playbook, the US would wait for more definitive attribution. Should that be obtained, there would be consequences for Russia. “If it turns out that Russia is pummeling Ukraine with cyberattacks,” the New York Times quoted Sullivan as saying, “and if that continues over the period ahead, we will work with our allies on the appropriate response.”

Heightened tension in cyberspace has also prompted Britain's GCHQ to join US warnings for critical infrastructure operators, urging them to harden themselves against demonstrated Russian cyberattack capabilities.

Russia's objectives in Ukraine.

The New York Times reported this morning that Russia has begun drawing down the diplomatic staff in its Kyiv embassy. The move is being watched closely as observers seek to determine whether it's propaganda, feint, preparation for escalated conflict, or some mix of all three.

Russian President Vladimir Putin has given the US a soft deadline for meeting Russia's demands--it's set to expire, roughly, on January 20th. He's outlined three demands, Russia Matters reports:

  • "Demand No. 1: No more NATO expansion eastward, especially to Ukraine and Georgia;
  • "Demand No. 2: NATO withdraws military infrastructure placed in Eastern European states after 1997; and
  • "Demand No. 3: U.S./NATO deploy no strike systems in Europe, such as intermediate- and short-range missiles, that would be capable of striking targets in Russia."

Should the US refuse (and it would be expected to formally accede to or reject the demands):

"This written refusal to honor Russia’s demands could then be used in a rhetorical battle on the international stage over which side is to be blamed when Russia subsequently claims it has been compelled to act vis-à-vis Ukraine and the West—be this via the deployment of nuclear attack systems along Russia’s western frontiers (including Kaliningrad, as well as in Belarus), the deployment of systems in Cuba and Venezuela and/or another intervention in Ukraine."

The Atlantic Council offers a summary of expert opinion about the range of responses available to NATO in general and the US in particular. One of the suggestions they report, from Barry Pavel (senior vice president and director of the Scowcroft Center for Strategy and Security), advocates clarity about deterrence, which implies understanding what the adversary actually values. Pavel's argument suggests that influence operations be given prominent attention:

"Threaten what Putin values most. As Putin is trying to cement his own legacy in Russian history, he may care much less about punitive economic sanctions and even increased western military assistance to Ukrainian forces (to support an insurgency against Russian occupying forces). One way around this potential asymmetry of stakes would be to go back to the heart of deterrence—to threaten what Putin values most, and that is his hold on dictatorial power. The United States and NATO should launch a sustained information campaign to inform the Russian people about Putin’s ongoing, massive corruption and theft of billions of dollars from the Russian people for himself, his immediate family, and his cronies."

For a more sympathetic understanding of Moscow's policy, see the argument made in an essay that appears in Foreign Affairs, which essentially holds that, while Russia is very far from blameless, its fear of NATO expansion isn't entirely unreasonable, either, and that NATO's eastward expansion since the fall of the Soviet Union has lacked strategic clarity. NATO should, the argument runs, "close its open door." But NATO expansion hasn't been unmotivated, either, still less driven by naive hubris. The countries of the Near Abroad have direct, recent experience of rule from Moscow, and most aren't interested in that sort of restoration. SecurityWeek quotes Ukrainian Foreign Minister Dmytro Kuleba to the effect that Ukraine was working in close partnership with NATO, and that, if Russia felt itself menaced by NATO's eastward expansion and wondered why it was happening, some self-examination would be in order. "If Putin wants to know why neighbors are seeking to join NATO he only needs to look in the mirror."

Notes on hybrid war.

Hybrid war incorporates aspects of conventional military operations into a campaign that includes influence operations, cyber operations, and kinetic operations by deniable proxy forces. Large conventional forces are difficult to keep deployed forward into staging areas for long periods of time without their combat readiness declining (training, fitness, maintenance, and so forth become more difficult to conduct during high states of alert), so February should see some resolution of the threat of a conventional invasion of Ukraine one way or another, either by an attack or a stand-down. Cyber operations in hybrid warfare can serve many of the same ends traditional electronic warfare does: collection, jamming, deception, and so forth, with the strong possibility of such operations disrupting the adversary's C4ISR capabilities. They can have strategic effect, as Russia's partial takedown of Ukrainian regional power grids demonstrated in 2015, and the widespread disruption of commerce in 2017 by NotPetya showed. And influence operations have as their objective the erosion of an effective national will to resist. All of these potentially figure in Moscow's current planning.