Ukraine begins offensives to retake ground in the Donbas. We speak with the deputy head of Ukraine's SSSCIP for Kyiv's perspective on the cyber phases of this hybrid war.
Ukraine at D+102: Ukraine's SSSCIP on cyber war.
This morning's situation report from the UK's Ministry of Defence (MoD) discussed Russian air strikes against Kyiv. "In the early hours of 5 June, Russian Kh-101 air-launched cruise missiles struck rail infrastructure in Kyiv, likely in an attempt [to] disrupt the supply of Western military equipment to frontline Ukrainian units." That assessment is consistent with official statements from Moscow. President Putin warned, the AP writes, that "“All this fuss around additional deliveries of weapons, in my opinion, has only one goal: to drag out the armed conflict as much as possible." While he dismissed the thought that rocket artillery like US-supplied HIMARs and British-contributed MLRS would have an effect on the outcome of the special military operation, he did add that, should such systems be delivered, Russia would “draw appropriate conclusions and use our means of destruction, which we have plenty of, in order to strike at those objects that we haven’t yet struck.”
The MoD resumed its situation report by noting developments in Ukraine's eastern regions, where Kyiv this weekend opened an offensive aimed at ejecting Russian forces from Sieverodonetsk. "In the Donbas, heavy fighting continues in the contested town of Sieverodonetsk and Russian forces continue to push towards Sloviansk as part of their attempted encirclement of Ukrainian forces." In the Black Sea, Russian forces have deployed air defense systems to Snake Island. "At sea, following the loss of the cruiser Moskva in April, Russian forces have likely moved multiple air defence assets to Snake Island in the western Black Sea, including SA-15 and SA-22 systems. It is likely these weapons are intended to provide air defence for Russian naval vessels operating around Snake Island. Russia's activity on Snake Island contributes to its blockade of the Ukrainian coast and hinders the resumption of maritime trade, including exports of Ukrainian grain.
Opposing tactics in the Donbas: Russian reduction...
The MoD's Saturday report focused on the one tactic Russia has been able to execute with some success: reduction of built-up areas by short-range artillery and air strikes. "Russian air activity remains high over contested ground in the Donbas with Russian aircraft conducting strikes using both guided and unguided munitions. Russia’s inability to suppress or destroy Ukrainian strategic air defence systems in the opening days of the conflict limited its ability to provide tactical air support to ground manoeuvre elements, contributing to the failure to advance on Kyiv.Consequently, Russian air activity has been largely restricted to deep strikes using air and surface launched cruise missiles to disrupt the movement of Ukrainian reinforcements and supplies. These strikes alone however have failed to have a meaningful impact on the conflict and Russian stocks of precision guided missiles are likely to have been significantly depleted as a result. With its operational focus switching to the Donbas, Russia has been able to increase its employment of tactical air to support its creeping advance, combining airstrikes and massed artillery fires to bring its overwhelming firepower to bear. The combined use of air and artillery strikes has been a key factor in Russia’s recent tactical successes in the region. The increased use of unguided munitions has led to the widespread destruction of built-up areas in the Donbas and has almost certainly caused substantial collateral damage and civilian casualties."
And Ukrainian counteroffensives.
But a Ukrainian offensive against Russian gains in Sieverodonetsk is underway, and appears, the Telegraph says, to be making progress. Sunday's MoD situation report said, and the Russian infantry engaged is composed largely of reserves drawn from Luhansk itself. "Over the last 24 hours, Ukrainian forces have counterattacked in the contested city of Sieverodonetsk in eastern Ukraine, likely blunting the operational momentum Russian forces previously gained through concentrating combat units and firepower. Russian forces committed in this area include personnel mobilised from the reserve of Russian-led Separatist Forces of the self-declared Luhansk People’s Republic. These troops are poorly equipped and trained, and lack heavy equipment in comparison to regular Russian units. The use of proxy infantry forces for urban clearance operations is a Russian tactic previously observed in Syria, where Russia employed V Corps of the Syrian Army to assault urban areas. This approach likely indicates a desire to limit casualties suffered by regular Russian forces." The MoD's accompanying map gives a rough approximation of where the fighting is currently taking place, on the ground.
Electronic warfare: a blunt instrument in the ether.
Russian electronic warfare capabilities, which before the invasion of Ukraine had been regarded as a national strength, have indeed been employed with effect in Russia's war. They are, however, being used as a kind of artillery in the electromagnetic spectrum. The preferred technique has been jamming (as opposed to collection or deception) and that jamming has tended to be powerful and indiscriminate, pushing noise across wide swathes of the spectrum. The AP reports some use of electronic warfare for targeting, but the Russian main effort seems to be carried by the jammers.
Ukraine offers an update on the cyber phases of Russia's hybrid war.
The cyber phases of Russia's war against Ukraine have not developed into the destructive attacks against infrastructure that were widely feared at the outset of the war. But cyber operations have been conducted. As NPR puts it, describing them in its headline over an interview with Microsoft executive Tom Burt, "A digital conflict between Russia and Ukraine rages on behind the scenes of war."
Ukraine sees itself as waging a defensive cyber war, leaving offensive operations to the Russian enemy and to, perhaps, various friendly governments in the West.
In a press briefing today (at 9:00 AM US Eastern Time, or 4:00 PM Kyiv time) Victor Zhora, Deputy Head of State Special Communications Service of Ukraine (SSSCIP), characterized Russian cyber operations during the war as unremitting, but largely unsuccessful at crippling Ukrainian infrastructure. He also noted the high level of Russian disinformation operations, which extend not only to pushing specific lines of propaganda, but also to denying Ukrainians the means to gain reliable information and communicate with one another.
The CyberWire asked Mr. Zhora why Russian cyberattacks against Ukrainian infrastructure haven't been a significant factor so far, had Russia not attempted them, or had Ukraine succeeded in stopping them? He answered that kinetic attack is simply a more effective method of attack, and that's where the Russians had concentrated their efforts. Ukraine has, he said, successfully fended off cyberattacks against infrastructure, and that it was very aware of the cyber risk to its power grid. Ukraine has prevented, by swift action, an operation that would have deprived people of access to power. Mr. Zhora expects such Russian attempts to continue, and he's confident of Ukraine's ability to defend its power grid in particular. But he emphasized that Russia has emphasized kinetic attack, and that cyber operations, especially information operations, are being used by Moscow as a supporting adjunct to traditional military operations.
We were also able to ask about the operations in support of Ukraine US Cyber Command alluded to last week. The operations General Nakasone mentioned last week to Sky News were, Mr. Zhora said, US operations, and Ukraine didn't participate in them, and so Ukraine is not in a position to comment on them. Mr. Zhora said he "can add nothing" to General Nakasone's statement. He did say that Ukraine did not conduct offensive cyber operations. It does, however, conduct defensive cyber operations, and he said that cooperation with NATO was extensive and ongoing. Ukraine's lack of "dedicated cyber units," by which he presumably meant organizations trained, equipped, and authorized to conduct offensive operations, and its reservations about the permissibility of such operations under international law, are the principal reasons for Kyiv's restraint in this regard.
We followed up this with a question about hacktivism. If Ukraine doesn't conduct offensive cyber operations, what about hacktivist attacks on Russian assets? Are these conducted independently, with Ukrainian guidance, direction, or control? Mr. Zhora replied that the hacktivists were acting independently, and were not under Ukrainian control. He also noted that hacktivism has so far not been very significant in its effects. (Much hacktivism has gone into defacement of Russian websites. Reuters reported Saturday, for example, that the site belonging to Russia's Russia's Ministry of Construction, Housing and Utilities had been defaced with the slogan "Glory to Ukraine." This particular ministry of negligible strategic significance, was clearly a target of opportunity, hacked because it was hackable.)
But the question suggested to him that the possibility of developing an offensive capability as a deterrent was worth serious discussion with partners and allies. He noted the difficulty, under international norms, of conducting offensive cyber operations, and he stressed that Ukraine aimed to behave responsibly, and that Ukraine's aim was to bring Russia to a similar responsibility in cyberspace. He thinks that the ways in which nations defend themselves in cyberspace will certainly change after this war, and that Ukraine intended to be a full participant in that change. (And he thought questions about responsible defense in cyberspace would be good ones to address to General Nakasone.) The existence of cyber forces do indicate a country's potential to defend itself effectively, but it's not yet clear how such potential can be used to build deterrence. Thinking about deterrence in this way will be among the matters countries will take up at the end of the present war.
Reuters asked whether SSSCIP had observed attempts to compromise Ukrainian officials' phones. Mr. Zhora said they had seen Russian attempts to install malware in officials' phones, but that such attempts had generally been unsuccessful, that Ukraine had succeeded in stopping such infestations before they became a problem. They've seen targeting, but no successful compromise of the phones. Some of the attacks have been zero-click attempts, others have been more conventional phishing and smishing, but Mr. Zhora was reticent about sharing too much detailed information about the incidents.
"Cyber Spetsnaz."
Security Affairs reports that researchers at Resecurity have associated a threat group with Operation Panopticon, a nominally hacktivist campaign announced by a Russian group during the last week in May. That group styles itself the Cyber Spetsnaz, and identifies with the Killnet Collective. Security Affairs explains, "The actors are positioning themselves as an elite cyber offensive group targeting NATO infrastructure and performing cyberespionage to steal sensitive data." Their report adds,
"On June 2nd, the group created a new division called 'Sparta'. The responsibility of the new division includes 'cyber sabotage', disruption of Internet resources, data theft and financial intelligence focused on NATO, their members and allies. Notably, “Sparta” outlines this activity as a key priority today and confirms the newly created division is an official part of 'Killnet Collective' group.
"Based on the description, the actors call themselves 'hacktivists', however, it’s not yet clear if the group has any connection to state actors. Sources interviewed by Security Affairs interpreted this activity with high levels of confidence to be state-supported. Interestingly, the name 'Sparta' (in context of the current Ukrainian war) is related to the name of a unit from the Donetsk People’s Republic (DNR)."
"Spetsnaz" is a Russian term for a special operations unit. Historically the name was used most often to refer to the GRU's special operations forces. Western equivalents of "Cyber Spetsnaz" would be names like "Cyber Commandos," "Cyber Green Berets," "Cyber Rangers," "Cyber SEALs," "Cyber SAS," things along those lines. The name is grandiose; we shall see how far, if at all, the Cyber Spetsnaz lives up to their press releases.