Ukraine at D+141: Imprecision, gangs, and global cyber war.
N2K, Jul 15, 2022

Indiscriminate Russian fire draws continuing international condemnation, but such fire may represent the only level of precision available to Russian fire support and strike systems. Trickbot is described as a criminal organization that works in close cooperation with the FSB. And Ukraine's SSSCIP describes its approach to what it characterizes as a cyber world war.

The UK's Ministry of Defence (MoD) reports unconfirmed claims by Russian forces to have entered the outskirts of Siversk. "In the Donbas, Russian and pro-Russian Luhansk People's Republic separatist forces claim to have entered the outskirts of Siversk. This has not been corroborated, however, Russian forces have been slowly advancing westwards following shelling and probing assaults towards Siversk from Lysychansk to open a pathway onward to Sloviansk and Kramatorsk. Bakhmut is likely to be the next objective, once Siversk is secured." In the Black Sea, a Russian airstrike against Snake Island failed to hit the island, which the MoD sees as an instance of a trend of Russian tactical air failure. "Since withdrawing from the strategically located Snake Island on 30 June 2022, Russia has been attempting to deny its use by Ukraine. However, on 13 July 2022 airstrikes by two Su-27 Russian fighter jets failed to hit the island. This follows the pattern of Russian air forces failing to successfully engage in the tactical battle." Forced deportations of Ukrainians from occupied territory continue, and have drawn the attention of international war crimes investigations. "Over 2.5m people have now been evacuated from Ukraine to Russia since the start of the invasion. Russia continues to face accusations that it is forcibly deporting Ukrainians; in many cases Ukrainians have reportedly been mistreated in filtration camps set up by Russia."

Vinnytsia missile strikes draw international condemnation.

The Ukrainian city of Vinnytsia (usually and accurately described as being far from the areas of active combat) continues to recover the dead and treat the wounded after Russia struck the town with Kalibr submarine-launched cruise missiles. Russia's Defense Ministry initially said the target was a military training facility, subsequently amending the description to an officers' club where Ukrainian military officials were meeting with foreign arms suppliers. "The attack resulted in the elimination of the participants," the Ministry said. Ukrainian officials, who condemned the strike as an act of terrorism, say that the twenty-three dead identified so far included three children, that a hospital was also hit, and that the building the Russians say they targeted was more civic center than military facility, hosting concerts, local gatherings, and so on, like an American National Guard armory, only less martial in use.

Western governments were quick to second Ukraine's condemnation, the Voice of America and others report. At the G20 meetings in Indonesia US Treasury Secretary Janet Yellen addressed the Russian delegation directly. "Russia is solely responsible for negative spillovers to the global economy," she said. "Russia's officials should recognize that they are adding to the horrific consequences of this war through their continued support of the Putin regime. You share responsibility for the innocent lives lost." Ms Yellen's Canadian counterpart, Finance Minister Chrystia Freeland, was equally direct, telling her Russian colleagues they shared responsibility for "war crimes." "It is not only generals who commit war crimes, it is the economic technocrats who allow the war to happen and to continue," she said.

The strike, timed as it was to arrive when people would be out in the streets, shows at the very least an indifference to civilian casualties. But it also shows, when juxtaposed with the Russian air strike that apparently missed Snake Island, the degree of precision that can be expected from Russian strike and fire support systems. They can hit cities, but there's no assurance a weapon aimed at a small island won't miss and fall into the sea. Contrast the considerably greater accuracy displayed by the systems Ukraine has recently fielded, notably the HIMARS launchers.

Criminal gangs at war.

The most notorious early adherent to the Russian cause among the cyber gangs was the now (possibly) defunct, dispersed, and rebranded Conti, which on February 25th announced its "full support of the Russian government" and promised to use all the resources at its disposal against enemy infrastructure. This prompted a wave of doxing in which disaffected and possibly foreign Conti collaborators released the gang's internal chatter through their @ContiLeaks account. Cyjax, which was following developments, notes, "This leak caused significant unrest within the group, with the @ContiLeaks account itself tweeting: 'We know everything about you Conti, go to panic, you can[‘t] even trust your gf, we against you!'" Conti itself did a bit of back-pedaling for damage control, backing down from its promises of unconditional cyber war to a more measured claim that it would only target Western warmongers, but the reputational damage had been done, and may have contributed to the gang's subsequent occultation.

On March 4th, shortly after Conti's ill-advised patriotic screed, researchers at Cyjax noticed another leak-and-dump operation targeting a different Russian gang: Trickbot. The leakers tweeted under the name @trickleaks, and the main point of their doxing was to expose the close connection between Trickbot's criminal operators and Russia's FSB security service. @trickleaks announced itself to the world with the tweet, “We have evidence of the FSB’s cooperation with members of the Trickbot criminal group (Wizard Spider, Maze, Conti, Diavol, Ruyk). [sic]” The close collaboration between gangland and the Russian security service isn't surprising, but the degree of organization and interconnection among apparently disparate criminal groups is, Cyjax thinks, useful news. The conclusion of their report reads in part:

"The most valuable insight has been through Trickbot’s management teams and the ability to focus on the members themselves, giving us a different perspective into what comprises a cybercriminal group. This enables one to view Trickbot as the business it is, as opposed to some incomprehensible entity which causes harm. Whilst simple, this business model enables researchers, and perhaps law enforcement, to identify real-world weaknesses more accurately within the organisation. Identification of Trickbot’s operational security, tactics and structure may be identified and exploited by those wishing to disrupt their operations. As we have seen, multi-million-dollar crime operations, with potential governmental ties, can be halted by the loss of key members. This is best demonstrated by the departure of the users 'stern' and 'silver'.

"The threat we face today is often depicted as hundreds of individual groups, each with different tactics, techniques, and procedures vying for money and notoriety. From what we have seen, it appears this claim is highly exaggerated. Evidence, such as the overlap in members from the Conti leaks, and the conversation around clients suggests the cybercriminal community is more closely connected than reported. Cybercriminal groups are working together, helping each other, and most of all collaborating on developing the capabilities to cause maximum harm, or in cybercriminal dialect 'make the most money possible'."

A "cyber world war?"

The name seems a bit overheated, and a cyber war isn't, after all, as damaging as a full kinetic war (even when cyber attacks have kinetic effects), but in terms of scope the name doesn't seem too far off.

For example, Canada's Communications Security Establishment (CSE) yesterday warned that the current Russian cyber threat is not to be underestimated. The National Post quotes a CSE report as saying, “the scope and severity of cyber operations related to the Russian invasion of Ukraine has almost certainly been more sophisticated and widespread than has been reported in open sources.” The most immediate threat is heightened cyberespionage, but attacks against critical infrastructure are also held to be a real possibility. Canada has been an early, consistent, and strong supporter of Ukraine during the present war. Canada is also home to a large Ukrainian diaspora.

Politico has a long interview with Yurii Shchyhol, who directs Ukraine's State Service of Special Communications and Information Protection, the SSSCIP, which Politico describes as roughly equivalent in terms of its responsibilities to the US Cybersecurity and Infrastructure Security Agency (CISA). The article aims to describe what it characterizes as a generally successful Ukrainian defensive effort in cyberspace, and summarizes the Ukrainian view of how to fight Russia in cyberspace: first of all, isolate it, and deny it access to resources and technology.

Tracing the history of the cyber phases of the hybrid war, Shchyhol said that Russia's cyber campaign preceded the physical invasion by more than a month. "For Ukrainians, the first cyber world war started on Jan. 14, 2022, when there were attacks launched at the websites owned by state authorities. Twenty websites were defaced, and more than 90 information systems belonging to those government authorities were damaged." Attacks against Viasat ground terminals disabled the satellite Internet service a matter of hours before the invasion itself.

Shchyhol thinks the Russian cyber campaign has been well-resourced, but also that it's used familiar tools: "In terms of their technical capabilities, so far the attackers have been using modified viruses and software that we’ve been exposed to before, like the 'Industroyer2' virus, when they targeted and damaged our energy station here. It’s nothing more than a modification of the virus they developed back in 2017. We all have to be aware that those enemy hackers are very well-sponsored and have access to unlimited finances, especially when they want to take something off the shelf and modify it and update it." He emphasized the importance of denying Russia access to the "civilized world's" security companies and IT infrastructure, and of restricting Russia's participation in international IT organizations like the International Telecommunications Union.

He had some interesting if guarded disclosures about the help Ukraine is receiving from the NSA and US Cyber Command:

"It’s an ongoing, continuous war, including the war in cyberspace. That’s why I won’t share any details with you, but let me tell you that we do enjoy continuous cooperation. There is a constant synergy with them, both in terms of providing us with the assistance that we need to ensure proper protection and safety of our websites and our cyberspace, especially of government institutions and military-related installations, but also they help us with their experts, some of whom are on-site here in Ukraine and are providing ongoing consultations.

"Like in further supply of heavy weapons and other forms of weaponry, the same is true for cybersecurity. We expect that level of assistance, of those supplies, will only increase because only in this manner can we together ensure our joint victory against our common enemy."

Above all, Shchyhol warns against any relaxation of vigilance. He expects the war to continue, and that operational pauses happen in cyberspace much as they do in physical space:

"That’s why we all have to be ready for the following scenario to unfold: Those western countries and companies that are supporting the Ukrainian fight against Russia will be and are already under the constant threat of cyberattacks. This cyberwar will continue even after the conventional war stops.

"The fact that in the last two months there was a relative lull in the number and quality of cyberattacks of our enemy, both against Ukraine and the rest of the world, only follows the usual Russian tactics, which are that they are accumulating efforts and resources, readying themselves for a new attack which will be coming. It will be widespread, probably global. Right now our task here is not to miss it, to stay awake and aware to that threat."