Ukraine at D+299: Cyber operations 300 days into the war.
Dec 20, 2022

Russia looks to shore up its ally, and to hunt down traitors, diversionaries, and the insufficiently committed at home and in the occupied territories.

Little has changed on the ground. President Putin was in Minsk yesterday, the New York Times writes, to shore up the support of his junior partner, President Lukashenka, in "unified defense." The AP reports that Moldova is worried that it may be next on the Kremlin's invasion list, with Transnistria playing the role Donetsk played in Ukraine--a nominally breakaway province occupied by Russian forces.

According to the Telegraph, Russia claims to have shot down several US-supplied HARM missiles it says Ukrainian forces fired toward Russian territory around Belgorod this week. This seems unlikely, the HARM being a relatively small, fast, short-ranged, air-launched missile, but it's not entirely impossible. If the report is true, however, what's interesting is that Ukraine has been using HARMs. The HARM is a radar-killer, designed for suppression of enemy air defenses, the "SEAD" mission. If in fact Ukraine is firing HARMs at Russian fire control radars, that suggests that a Ukrainian air campaign is in the offing. If, again, the Kremlin reports are true.

Managing expectations.

The UK's Ministry of Defence this morning offered a take on Friday's meeting between President Putin and senior military officers. "On 16 December, Russian President Vladimir Putin visited the Joint Headquarters of the Special Military Operation. Putin was filmed meeting with a number of senior military officers including Chief of General Staff Valery Gerasimov and Defence Minister Sergey Shoygu. He invited proposals for next steps of the Special Military Operation. Commander of the Russian Group of Forces in Ukraine, General Sergey Surovikin, was one of those who presented a report. In this choreographed meeting Putin likely intended to demonstrate collective responsibility for the special military operation. This display likely aimed to deflect Putin’s responsibility for military failure, high fatality rates and increasing public dissatisfaction from mobilisation. The televised footage was probably designed to also dispel social media rumours of General Gerasimov’s dismissal."

Foreign Affairs has published a long review of what the endgame for Russia's war might look like. A negotiated settlement seems as unlikely at this stage as a Russian battlefield victory. President Putin has shown no indications of a realistic wish for compromise, and his government would be unlikely to survive much retreat from the ambitious goals he's set for the special military operation. A successor (unlikely, in the analyst's view, to be a Westernizing liberal) would at the very least be unwilling to part with Crimea, occupied since 2014. Russia might face defeat amid escalation. Such escalation could, although this isn't highly probable, include nuclear strikes against Ukraine. Nuclear strikes would probably bring international conventional intervention and would be unlikely to restore Russia's battlefield fortunes. Or, and the range of possibilities here are among the more likely outcomes, internal disorder might bring about a Russian collapse.

The Guardian cites a video issued by President Putin that includes an allusion to things not going entirely as he might wish. "In a video message addressed to Russia’s security services, Putin said the situation in the four Russian-occupied Ukrainian regions was 'extremely complicated,' and urged security agencies to intensify their efforts to identify 'traitors, spies and diversionists.'" ("Diversionists" would be enemy special forces.)

Breaking Defense, looking at the growing importance of the Wagner Group and other semi-private armies to Russia's war, sees some prospect of unrest in what it calls a "Balkanized" collection of armed groups.

Public fantasizing about nuclear war remains a staple of Russian propaganda. A popular song making the video circuit, "Sarmatushka," celebrates the new RS-28 Sarmat intercontinental ballistic missile. Performed by Denis Maidanov, a pop star and Duma member who inter alia missed the expiration date on those leather pants he wears in the video, the song debuted this past Saturday, which is, as it happens, Strategic Missile Forces Day, an annual celebration of the Russian nuclear arsenal. The video was produced by the Ministry of Defense. The title, "Sarmatushka," is a diminutive of "Sarmat," difficult to translate, but which might be rendered "Li'l' ol' Sarmat." The RS-28 is supposed to enter service this month, but, as Task & Purpose points out, such deadlines in Russia tend to be aspirational at best.

The Daily Beast reviews recent Russian media content and sees an official line that, publicly at least, rejects the prospect of negotiation. Calls for peace and expressions of doubt or dissatisfaction with the war are treated as the talk of turncoats who've been manipulated by Western influence operations. (And these are accompanied by lots of Sarmat-fantasy, too.)

Trends in the cyber phases of Russia's hybrid war.

The CyberPeace Institute has published its quarterly analysis of cyber operations by both Russian and Ukrainian forces. Auxiliaries continue to play a significant role on both sides, and distributed denial-of-service (DDoS) and influence operations retain their prominence among the tactics deployed.

CERT-UA warns of attacks against DELTA situational awareness system.

A Washington Post op-ed argues that Ukraine's ability to deploy and make effective use of modern, automated, command-and-control systems to process intelligence and conduct operations has given it the advantage over the invaders. Such systems would be obvious targets for Russian cyber operations, and those indeed seem to have been attempted. CERT-UA reports that, over the weekend, it had detected attempts against its DELTA system, an automated situational awareness system. It's a phishing campaign that uses emails and instant messages that misrepresent themselves as spot reports, but which carry FateGrab/StealDeal information-collecting malware as their payloads. CERT-UA offers no attribution, and says it's been unable to link the campaign to any specific threat actor, but circumstantially at least it looks like a Russian operation.

FSB cyber operations against Ukraine.

Palo Alto Networks' Unit 42 reports that the FSB group Trident Ursa has been highly active lately against Ukrainian targets. "Since our last blog in early February covering the advanced persistent threat (APT) group Trident Ursa (aka Gamaredon, UAC-0010, Primitive Bear, Shuckworm), Ukraine and its cyber domain has faced ever-increasing threats from Russia. Trident Ursa is a group attributed by the Security Service of Ukraine to Russia’s Federal Security Service. As the conflict has continued on the ground and in cyberspace, Trident Ursa has been operating as a dedicated access creator and intelligence gatherer. Trident Ursa remains one of the most pervasive, intrusive, continuously active and focused APTs targeting Ukraine." As has often been the case, the FSB's operations are less sophisticated and more obvious than those of its sister Bears, but the FSB doesn't seem to care about this. In its conclusion Unit 42 writes:

  • "Trident Ursa remains an agile and adaptive APT that does not use overly sophisticated or complex techniques in its operations. In most cases, they rely on publicly available tools and scripts – along with a significant amount of obfuscation – as well as routine phishing attempts to successfully execute their operations.
  • "This group’s operations are regularly caught by researchers and government organizations, and yet they don’t seem to care. They simply add additional obfuscation, new domains and new techniques and try again – often even reusing previous samples.
  • "Continuously operating in this way since at least 2014 with no sign of slowing down throughout this period of conflict, Trident Ursa continues to be successful. For all of these reasons, they remain a significant threat to Ukraine, one which Ukraine and its allies need to actively defend against."

Russian operations against space systems.

Little additional information has emerged on Russian efforts to compromise US space systems beyond what CyberScoop reported Friday. Signs point to APT28 (GRU's Fancy Bear): "While details of the attack are scant, researchers blamed the incident on the Russian military group known as Fancy Bear, or APT28. It involved a satellite communications provider with customers in U.S. critical infrastructure sectors." Former Chairman of the U.S. House Intelligence Committee Mike Rogers thinks the reports foreshadow possible Russian retaliation for continued US support of Ukraine. “Russia’s hacking is not anything new, but it is indicative of how—should it wish—Moscow could retaliate against the U.S. for its support of Ukraine," he said in emailed comments. "If Russia were to attack satellite networks, it could have devastating effects on Americans. Nearly every aspect of daily life relies on services from space—from GPS tracking of packages to the timing signals used by gas stations and ATMs. The Biden Administration and U.S. Congress must work aggressively to protect our space assets and defend this central component of our national and economic security that we all-too-often take for granted.”