Ukraine at D+56: Phase II of Russia's war is underway, and the Five Eyes warn of infrastructure attacks.
N2K, Apr 21, 2022

Russian forces enter the second phase of Mr. Putin's war against Ukraine as Kyiv refuses to concede either the Donbas or the Sea of Azov coast to the invaders. The Five Eyes issue an unusually explicit warning of an imminent Russian cyber threat to critical infrastructure.

The British Ministry of Defence's situation report this morning summarized: "Russia likely desires to demonstrate significant successes ahead of their annual 9th May Victory Day celebrations. This could affect how quickly and forcefully they attempt to conduct operations in the run-up to this date. Russian forces are now advancing from staging areas in the Donbas towards Kramatorsk, which continues to suffer from persistent rocket attacks. High levels of Russian air activity endure as Russia seeks to provide close air support to its offensive in eastern Ukraine, to suppress and destroy Ukrainian air defence capabilities."

President Putin has claimed victory in the reduction of Mariupol, Bloomberg reports, although Ukrainian defenders continue to hold the city's sprawling Azovstal steel plant. The mayor of Kharkiv says his city is suffering from renewed Russian fire. Reuters quotes mayor Ihor Terekhov as saying, "Huge blasts, the Russian Federation is furiously bombing the city." Kharkiv, a predominantly ethnic Russian city in Ukraine's northeast, has about a million inhabitants remaining after some 30% of its population (mostly women and children) was evacuated. The current Russian assault on a city that had been expected to welcome the Russian army shows Moscow's claims of humanitarian intervention to save ethnic Russians from "Nazi genocide" to be a fig leaf covering President Putin's direct and unprovoked aggression.

US President Biden is expected to announce more military assistance for Ukraine later today.

Renewed Five Eyes' warning of the threat of Russian cyberattacks.

The cyber authorities of the Five Eyes (that is, Australia, Canada, New Zealand, the United Kingdom, and the United States) have issued a joint Cybersecurity Advisory warning that there are indications of Russian preparations and intent to conduct significant cyberattacks against critical infrastructure in countries that have sanctioned Russia or otherwise supported Ukraine. In specificity and detail the Advisory goes well beyond the normal run of government alerts. The Five Eyes agencies' warning is based upon actual intelligence, and not merely on grounds of a priori possibility:

"Evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks (see the March 21, 2022, Statement by U.S. President Biden for more information). Recent Russian state-sponsored cyber operations have included distributed denial-of-service (DDoS) attacks, and older operations have included deployment of destructive malware against Ukrainian government and critical infrastructure organizations.

"Additionally, some cybercrime groups have recently publicly pledged support for the Russian government. These Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian government or the Russian people. Some groups have also threatened to conduct cyber operations against countries and organizations providing materiel support to Ukraine. Other cybercrime groups have recently conducted disruptive attacks against Ukrainian websites, likely in support of the Russian military offensive."

The explicit notice taken of Russophone criminal gangs suggests that privateering remains a prominent component of Russia's cyber armamentarium.

The Advisory includes a summary of risk reduction measures infrastructure operators should consider taking against the eventuality of Russian cyberattack: "For more information on Russian state-sponsored cyber activity, see CISA’s Russia Cyber Threat Overview and Advisories webpage. For more information on the heightened cyber threat to critical infrastructure organizations, see the following resources:

It also contains a summary overview of the various Russian government organizations known to engage in offensive cyber operations. The threat actors whose techniques receive detailed attention include:

  • "The Russian Federal Security Service (FSB), including FSB’s Center 16 and Center 18
  • "Russian Foreign Intelligence Service (SVR)
  • "Russian General Staff Main Intelligence Directorate (GRU), 85th Main Special Service Center (GTsSS)
  • "GRU’s Main Center for Special Technologies (GTsST)
  • "Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM)"

We received emailed comments on the joint Advisory and the threat to critical infrastructure from several industry experts. Tim Erlin, VP of strategy at Tripwire, doubts that operators who haven't been paying attention will be moved by one more warning, but he thinks the Advisory should help convince leaders of organizations who might still need convincing:

“If you’re a critical infrastructure operator, and you aren’t already paying attention to potential cybersecurity consequences of the war in Ukraine, then this warning is unlikely to make a difference. On the other hand, if you’re a critical infrastructure operator and you’re looking for a concrete reason to convince someone else in your organization to care about these threats, then this is a very useful advisory.

"There is an incredible, and quite possibly overwhelming, amount of detail in this joint advisory. If you’re looking for a history of Russian-aligned threat groups and activity, this advisory is a good place to start.

"With a broad threat like this, it’s difficult to lay out a single mitigating activity that’s likely to make a difference. So much of what needs to be done falls into the category of foundational best practices, but that reality shouldn’t prevent critical infrastructure organizations from taking action. The best time to implement these controls may be in the past, but the second best time to do so is right now.”

Chris Grove, Director, Cyber Security Strategy at Nozomi Networks, commends the Advisory, and calls its recommendations a matter of "bread and butter" that should be actionable:

"CISA Alert AA22-110A contains a lot of useful information for defenders to understand something about the various threat actors, their methods, and motivations. The recommendations provided by CISA are….'bread and butter’ recommendations. Meaning, there’s nothing out of the ordinary, nothing over the top, and if operators of critical infrastructure aren’t already doing those things, they should stop now, assume they’ve been breached, and start thinking about resilience, consequence reduction, and the impact to safety. The message should be loud and clear, Russian nexus-state actors are on the prowl, cyberspace has become a messy, hot war-zone, and everyone should be prepared for an attack from any direction. I believe that’s the primary goal of this alert….to ring that bell in the city square letting everyone know there’s a storm on the horizon, so put countermeasures in place…now. Be prepared, and put your shields up."

As the first anniversary of the Colonial Pipeline attack approaches, and as the threat of Russian cyberattacks against infrastructure rises, CISA has announced a new ICS (industrial control system) Joint Cyber Defense Collaborative (JCDC) initiative that will have significant industry participation. It's not purely a response to the just-announced assessment of the Russian threat to critical infrastructure, but the timing is appropriate. Andrea Carcano, co-founder and CPO of Nozomi Networks, one of the founding partners of the JCDC-ICS, commented on the value he sees in the new body, which follows closely on the formation of the OT Cyber Coalition:

"From our perspective both are very positive indications that public/private cooperation is maturing in ways that will genuinely strengthen collective defenses for critical infrastructure. As a founding member of the OT Cyber Coalition, we’ve teamed with many of our long-time partners and several of our fiercest competitors to work collaboratively with government and industry leaders to develop strong, effective cybersecurity solutions and guidelines for the end user. Our shared goal is to advocate for vendor-neutral, interoperable, cybersecurity and information sharing solutions that fortify the security of our nation’s most critical infrastructure.

"Helping build the JCDC-ICS is an opportunity to roll up our sleeves and work even more closely with CISA in their efforts to strengthen cybersecurity performance goals across critical infrastructure sectors.

"The US Government has been addressing critical infrastructure - OT cybersecurity for years. What’s changing - and what we believe is having a positive impact on helping defenders gain the upper hand - is the progress that’s been made by Jen Easterly to establish CISA as the central point of collaboration and coordination across the infosec community. Effective public/private collaboration on a collective defense is also critical to speeding progress. The OT Cyber Coalition and the JCDC make it easier for critical infrastructure organizations to work closely with the vendor community and the government to collaborate on effective guidelines and solutions. Still, it could take a couple of years to see significant improvements in terms of meaningful improvements on our defenses. One sign of this progress will come in the form of new, open solutions for information sharing. That includes options that don’t compromise private data and make it possible for public and private sector organizations to collectively strengthen their defenses."

CrowdStrike's Adam Meyers, senior vice president of intelligence, also welcomed the JCDC's initiative, in which his company will be a major private sector participant:

“We are excited to be part of JCDC’s new industrial control systems (ICS) initiative to empower security teams with actionable knowledge and insights to detect and deter cyberattacks across their operational technology (OT) networks,” said Adam Meyers, senior vice president of intelligence at CrowdStrike. “The ICS supply chain has become an increasingly fertile ground for exploitation by today’s attackers. Too often, security teams have limited technologies to adequately detect adversaries in their OT networks and can miss attackers lurking within critical infrastructure systems, posing numerous risks and potentially impacting many. Through this new initiative, CrowdStrike and other partner companies will share critical threat intelligence to help break down silos across the public and private sectors, helping to ultimately secure these essential networks. We applaud CISA for taking the step to help facilitate this new initiative.”

Russian ICBM test is intended in part as persuasion.

Russian Foreign Minister Lavrov may have said earlier this week that Russia didn't intend to use nuclear weapons in Ukraine, but he seems to have been playing the unfamiliar role of good cop here. His boss, announcing the successful test launch of Russia's new Sarmat multiple-warhead ICBM, showed a clear understanding of how influence by threat works. Mr. Putin, here playing his familiar one-note role of bad cop, said the test would make "detractors of Russia think twice," the New York Times reports. Note: it's not just enemies or adversaries who should think twice, but "detractors." Russian cultural sensitivity about being belittled or laughed at by foreigners is on full display in Mr. Putin's remarks. They may find our army's tactical performance risible, and they may think we haven't had an admiral who knows his stuff since John Paul Jones left Catherine the Great's service, but get a load of this, foreigners. We're still a nuclear power. (And, by the way, we're not afraid to commit atrocities. Not that we have, you understand, all those pictures are staged provocations, but you know we would, don't you?)