Who are you gonna believe, me or your lyin' satellites?
Feb 17, 2022

Shelling a kindergarten would seem to be a textbook provocation.

Russian forces near Ukraine appear to have been augmented, and NATO governments see no signs of the withdrawal Moscow said was in progress. Recent cyber operations seem to have been more information warfare than sabotage.

Kinetic provocation.

Organisation for Security and Cooperation in Europe monitors reported “multiple shelling incidents” in eastern Ukraine. Accounts in the Guardian and elsewhere have focused on a children's school (variously described as a "kindergarten" or a "nursery school") that was hit by shellfire said to have injured three people. Ukrainian authorities accused Russian-led nominally separatist forces of artillery attacks in the Donbas this morning. The separatists, CBS reports, blame Ukrainian forces. In any case artillery fire hitting a kindergarten is difficult to improve upon as a false flag provocation. That's how Ukrainian President Zelenskyy has characterized the incident, and NATO governments are tending to agree.

NATO allies still see no signs of a Russian withdrawal.

Far from confirming Russian claims that the forces it's maintained on high alert in forward assembly areas near Ukraine are now beginning to return to their garrisons, the New York Times reports that both US and UK sources say the withdrawal isn't happening. British Foreign Secretary Liz Truss was among the senior officials to publicly dispute Russian withdrawal claims. In fact, Russia seems instead to have deployed an additional seven thousand troops to border areas. Forbes cites a US official to the effect that the seven thousand represent a further augmentation to the 150,000 troops already in a high state of readiness near Ukraine. “Russia keeps saying it wants to pursue a diplomatic solution,” the unnamed senior administration official said. “Their actions indicate otherwise. We hope they will change course before starting a war that will bring catastrophic death and destruction.”

Ukrainian military intelligence is said to have assessed that Russia's assembly of combat power, disturbing as it is, remains insufficient for a full-scale invasion. If one accepts at face value the traditional military wisdom that an attacker needs a three-to-one advantage over the defender to have a reasonable chance of success, and if one simply counts troops in the theater, that's probably correct. But local superiority can be achieved, and the troop build-up is certainly sufficient for offensives with objectives short of the conquest and subjugation of the entire country. Estonian intelligence services think that such limited offensives are more probable.

Deniability and influence operations.

This week's distributed denial-of-service attacks against two large Ukrainian banks and the country's public-facing Ministry of Defense sites are now being attributed to Russia. The goal being imputed to them is influence. The intention appears to be inculcating the belief that Russian intelligence services can work their will against a weak Ukrainian government, shown to be incapable of meeting its core responsibilities of public safety. “The key goal of the attack is to show the strength of foreign intelligence services and the weakness of the Ukrainian government and to sow panic and chaos in society," posted the Ukrainian Centre for Strategic Communications and Information Security (according to the Christian Science Monitor). 

The Guardian reports that Ukrainian authorities didn't specify a particular Russian organization as responsible, which suggests the attribution is circumstantial.

Sam Curry, Chief Security Officer of Cybereason, wrote that even in this apparently obvious case attribution remains problematic, and that there are any number of purposes the cyberattacks could serve:

"This would appear to be straight cyber conflict and not part of the hybrid warfare campaigns rumored to be the handiwork of Russia. Used against Ukrainian citizens and government officials, hybrid warfare is meant to sow fear and to disrupt the everyday lives of people. To qualify for hybrid warfare, the attack would have to be in combination with other means of conducting war, like an air raid, an invasion, missiles, etc. There is definitely a degree of PsyOps here, but this is about lowering the fog of war on an opponent and raising the stakes.

"It would be premature to pin these attacks on Moscow, as it could be others from domestic separatists, political groups to “Russian aligned” groups. It might be a diversion from something else, like a stealthier cyberattack as cyber defenders dive into the incident response side of these attacks. It could even be opportunistic attacks to frame the Russians, although that is less likely. There aren’t that many candidates for these targets since profit doesn’t seem to be an element and the sides are polarized."

Thus the operation retains a fig leaf of deniability. Ukrainian authorities also described the incident as unusually large. Nonetheless it fell far short of crippling either the Ministry of Defense or financial services across the country; it would, however, represent a plausible effort at sowing doubt and mistrust. "Yesterday, on February 15, the largest DDoS attack in the history of Ukraine was carried out on government websites, on the banking sector," Reuters quotes Deputy Prime Minister Mykhailo Fedorov as saying in a joint briefing with senior officials. "This attack is unprecedented, it was prepared in advance. And the key goal of this attack is destabilization, it is to sow panic, to do everything so that a certain chaos appears in our country."

The Telegraph reports that both the US and UK have stepped up their assistance to Ukraine's cyber defenders.

Cyber operations as preparation.

"Preparation" is used in several senses. There's strategic preparation aimed at the adversary's capacity for effective resistance. Influence operations designed to fragment civil society would often serve that purpose, as would demonstrations intended to show that the adversary's cause is hopeless (and that seems to have been the point of this week's DDoS attacks against Kyiv). This is the sense in which observers are talking about cyber preparation for a prospective Russian expansion of direct combat against Ukraine. Forbes describes how such operations can serve as a precursor to a broader offensive.

There's battlespace preparation, which usually means intelligence collection and analysis in support of current operations. And there's preparation in the sense of an artillery preparation, fires directed against enemy positions in advance of an attack by maneuver elements. That final preparation has yet to be seen. One form it might take is an attack on Ukraine's power grid, which would have an immediate effect on military operations. Russia conducted limited attacks against Ukraine's grid in 2016 and 2017. Robert M. Lee, CEO of industrial cybersecurity firm Dragos, commented in a media session yesterday that, while Ukraine has probably improved its response capability since those attacks, its ability to defend the grid is in all likelihood about where it was five years ago.

The possibility of spreading cyber conflict.

Cyber operations form a significant part of the Russian capabilities being deployed against Ukraine. The Christian Science Monitor summarizes US alerts of the danger that Russian cyber operations against Ukraine could readily spread outside the targeted country. Such operations can be difficult to control, that is, to mount in a properly discriminating fashion, and ZDNet reviews the reasons organizations around the world should be looking to their defenses.