Lessons from Ukraine's response to Russia's hybrid war: cultivating resilience, assessing cyber phases of the war, and investigating potential cyber war crimes.
Ukraine at D+532: A kinetic war of attrition, a cyber war for influence.
The Institute for the Study of War, citing the Ukrainian General Staff, reports that Ukrainian forces continued to attack in the Bakhmut, Berdyansk (Donetsk-Zaporizhia Oblast), and Melitopol (western Zaporizhia Oblast) zones. Russian mil-bloggers credit Ukraine with local advances and, more importantly, with successful attrition of the Russian units opposing the counteroffensive. Both sides continue to exchange drone strikes. According to the New York Times, Ukrainian drone strikes deep into Russian territory have increased recently.
The Ukrainian crossing of the Dnipro River discussed yesterday appears to have been a major raid, although some reports suggest that they established and have maintained a bridgehead over the river. Ukrainian forces are said, by the Telegraph, to have killed or captured about twenty-five Russian soldiers. The Russian defenders are described as "mobilised fighters" who replaced the airborne forces withdrawn to bolster defenses further south.
Satellite imagery of Russia's largest known combat vehicle storage facility suggests that old, retired vehicles maintained in reserve have been returned to combat in large numbers. Approximately 40% of the "Soviet-era" vehicles are now gone from the outdoor track parks where they'd been warehoused. The inference is that combat vehicle losses in the special military operation have been high, severe enough to warrant the deployment of old and outmoded equipment.
Russian Defense Minister Shoigu identified Poland as the tip of the NATO spear aimed at Russia (“the main instrument of the United States’ anti-Russian policy,” as he put it), and said Russia is deploying forces to its western borders to counter the Polish threat. Ukraine and Belarus lie between Russia proper and Poland. (The only border Russia shares with Poland is at its non-contiguous Kaliningrad Oblast, sandwiched between Poland and Lithuania on the Baltic Sea. Kaliningrad was formerly the East Prussian city of Königsberg, which the Soviet Union detached from Germany at the end of the Second World War. A major Russian build-up in Kaliningrad is unlikely.)
For its part, alarmed by Belarusian military exercises in the western areas of that country, and by the presence of Wagner Group fighters, Poland is deploying an additional 10,000 troops to its border with Belarus. Latvia has also responded with its own augmentation of border security. These steps come at a time when the Wagnerite presence in Belarus may be diminishing. The Institute for the Study of War, citing "a Russian insider source," says the mercenaries are leaving Belarus, either redeploying to Africa, specifically Libya, or returning on leave to Russia.
Belarusian cyberespionage campaign outlined.
ESET researchers today announced their discovery of a Belarusian cyberespionage group to which ESET has given the unlikely name "MoustachedBouncer." Active since at least 2014, MoustachedBouncer targets foreign diplomatic missions in Minsk. The group uses lawful-intercept tooling to mount adversary-in-the-middle attacks at the network level, "to redirect captive portal checks to a C&C server and deliver malware plugins via SMB shares." In other words, the operating system's routine connectivity probe, which normally returns a fixed, harmless answer, is answered instead with a redirect to attacker-controlled infrastructure, so the compromise needs no phishing lure and leaves little on the endpoint to notice. ESET assesses, with low confidence, that MoustachedBouncer collaborates with Winter Vivern, an often-overlooked and generally low-skill Russophone threat group that acts in the interests of both Russia and Belarus. The implants MoustachedBouncer deploys against its targets, "NightClub" and "Disco," are capable of audio recording, screenshot capture, and data theft. ESET warns that MoustachedBouncer is a skilled threat actor whose command-and-control is particularly sophisticated. The researchers recommend that organizations operating in countries where the Internet can't be trusted (like Belarus) use "an end-to-end encrypted VPN tunnel to a trusted location for all their internet traffic in order to circumvent any network inspection devices."
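Beyond tunnelling everything through a VPN, a defender can also watch the connectivity probes themselves: the genuine answers are fixed and well known, so any redirect or unexpected body in a probe response is itself an indicator of an in-path device. The following detector is an added example written for this article, not ESET's code and not taken from its report. The probe URLs and their expected answers are the well-known Windows (NCSI) and Android ones; every HTTP response below is constructed for illustration, and the redirect target is a placeholder on the reserved ".invalid" domain rather than any real infrastructure.

```python
"""
Detector for tampered captive-portal connectivity checks.

Operating systems confirm Internet access by fetching a fixed URL and
expecting a fixed answer. An adversary-in-the-middle that rewrites that
answer into a redirect (the technique described above) produces a response
that does not match the expectation. This script compares raw HTTP
responses against the known-good answers. All sample responses are
constructed for illustration; the redirect target is a placeholder.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Well-known probe URLs and their expected genuine answers:
# (status code, exact body; b"" means no body is expected)
EXPECTED: Dict[str, Tuple[int, bytes]] = {
    "http://www.msftconnecttest.com/connecttest.txt": (200, b"Microsoft Connect Test"),
    "http://connectivitycheck.gstatic.com/generate_204": (204, b""),
}


@dataclass
class Verdict:
    probe: str
    status: int
    verdict: str                    # "ok", "redirect", or "mismatch"
    location: Optional[str] = None  # redirect target, when present


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {status_line!r}")
    status = int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("iso-8859-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_probe(probe: str, raw: bytes) -> Verdict:
    """Classify a probe response as genuine, a redirect, or otherwise tampered."""
    status, headers, body = parse_http_response(raw)
    exp_status, exp_body = EXPECTED[probe]
    # A redirect is never a legitimate answer to these probes; it is the
    # signature of an in-path device steering the client somewhere else.
    if 300 <= status < 400 or "location" in headers:
        return Verdict(probe, status, "redirect", headers.get("location"))
    if status != exp_status or body != exp_body:
        return Verdict(probe, status, "mismatch")
    return Verdict(probe, status, "ok")


# Constructed sample responses (not real captures).
GENUINE_WINDOWS = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 22\r\n\r\n"
    b"Microsoft Connect Test"
)
GENUINE_ANDROID = b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n"
# An in-path redirect to a placeholder host; ".invalid" is reserved and never resolves.
INTERCEPTED = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://updates.example.invalid/connecttest.txt\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# A 200 whose body is not the expected text, e.g. an injected portal page.
TAMPERED_BODY = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 6\r\n\r\n<html>"
)


def run_samples():
    """Run the detector over the constructed samples and return the verdicts."""
    return [
        check_probe("http://www.msftconnecttest.com/connecttest.txt", GENUINE_WINDOWS),
        check_probe("http://connectivitycheck.gstatic.com/generate_204", GENUINE_ANDROID),
        check_probe("http://www.msftconnecttest.com/connecttest.txt", INTERCEPTED),
        check_probe("http://www.msftconnecttest.com/connecttest.txt", TAMPERED_BODY),
    ]


if __name__ == "__main__":
    for v in run_samples():
        print(v)
```

In practice the raw responses would come from a packet capture or a proxy log on a monitoring host rather than from constants; the point of the check is that the expected answer is a constant, so the comparison needs no model of the attacker, only of the genuine service. Note that it detects the redirect technique described in the text and says nothing about whether the host is already compromised by other means.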
A campaign against VPNs.
In its morning situation report the UK's Ministry of Defence described the Russian government's renewed campaign against virtual private networks. "Over the last week, the Russian authorities have likely increased their ongoing efforts to disrupt Russian citizens’ access to Virtual Private Networks (VPNs). Reports suggest many of the most popular VPNs have become unusable in some regions of Russia. VPNs allow users to obfuscate their access to the internet, to maintain privacy and to bypass state-imposed censorship. VPNs are hugely popular in Russia, despite being illegal since 2017. They allow users to access objective international news sources, including about the war in Ukraine. VPNs likely represent the greatest single vulnerability within the Russian state’s attempts at pervasive domestic information control. As well as increased technical disruption, the Russian state has also launched a public information campaign, attempting to scare citizens into avoiding VPNs by claiming they put their personal data at risk."
Five cyber phases of Russia's hybrid war.
Victor Zhora, deputy chairman and chief digital transformation officer at Ukraine's State Service of Special Communication and Information Protection (SSSCIP), effectively Kyiv's cybersecurity lead, said at Black Hat that Russian cyber operations would continue long after the end of kinetic combat. "Russia will continue to be dangerous in cyberspace for quite a long period, at least until a complete change of the political system and change of power in Russia, converting them from an aggressor to a country which should pay back for all they've done in Ukraine and also in other countries," the Register quoted him as saying.
Zhora divides Russian cyber operations into five phases:
- Preparation. This phase began on January 14th, 2022, with the WhisperGate wiper deployed against IT infrastructure, and culminated in denial-of-service attacks that, by Zhora's reckoning, included the cyberattack against Viasat services. The influence campaign of this phase sought to induce fear, to get Ukrainians to "expect the worst."
- Disruption. This phase, beginning in late February and continuing through the end of March 2022, was marked by wiper and distributed denial-of-service attacks.
- Targeted attacks against infrastructure. This third phase, beginning in April 2022, saw a lower cyber optempo, but more sophisticated, more targeted attacks against infrastructure, including but not limited to the power grid.
- Cyber attacks coordinated with kinetic strikes. The second half of 2022 was marked by cyberattacks that sought to hit critical infrastructure (especially water and power) while it was stressed by missile strikes. It culminated just before the new year.
- Cyberespionage. The war is currently in this phase, marked by a shift away from destructive attempts and toward collection and cyberespionage.
All five phases have seen influence operations conducted in Russia's interest.
Nuisance-level DDoS by Russian hacktivist auxiliaries.
The Russian hacktivist auxiliaries of NoName057(16) have continued their customary short-lived, nuisance-level distributed denial-of-service (DDoS) attacks against European targets. The Record reports that the group has hit a range of Dutch and French targets. Dutch authorities describe the effects as "limited and symbolic," which has been typical of the hacktivist auxiliaries' results during the hybrid war.
Investigating potential cyber war crimes.
Cyberscoop recounts Zhora's thoughts on prosecuting Russian operators for war crimes in cyberspace. The concept of a cyber war crime is not fully developed, and the international law of armed conflict has so far seen only tentative extension to cyber operations. But it seems reasonable to think that the same criteria that make kinetic activity criminal would apply to cyberwar. Those are military necessity (harm must serve a legitimate military purpose, and not simply be gratuitous), distinction, sometimes called discrimination (non-combatants must be protected, and not made the direct objects of attack), and proportionality (damage done must be proportionate to the military goal served).
Zhora explained how such considerations are informing Ukraine's collection of information about possible cyber war crimes. "So in the case of Russian occupants committing war crimes with prisoners, with civilians on occupied territories and this is achieved through cyber operations, aiming to get available information on them that causes basically the following consequences that can be a part of this war crime," he said. "For instance, when there is a huge attack, cruise missile strike, and then the following attack on the media, for instance, or on critical infrastructure, on the energy sector, which can cause deaths in hospitals or other consequences. Again, this can be considered in my opinion, but we should have this discussion and clearly classify these incidents and these attacks to actually be a cyberwar crime."
Lessons in resilience from Ukraine's experience of hybrid war.
US Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly yesterday discussed what the US and others have learned from Ukraine's resistance to Russia's hybrid war. The CISA head summarized what the present war has taught the world about how to build cyber resilience: "Doing the work up front to prepare for a disruption, anticipating that it will in fact happen, and exercising not just for response but with a deliberate focus on continuity and recovery, improving the ability to operate in a degraded state and significantly reducing downtime when an incident occurs." She explained that this will require conscious attention to, first, risk assessment (including the classic elements of vulnerability, likelihood, consequence, and threat); second, resilience planning (which should include realistic testing); and, finally, continuous improvement and adaptation (because the adversary learns and evolves, and the defender must do so as well).