Ukraine at D+502: Cyber action discussed (and experienced) at the NATO summit.
N2K, Jul 11, 2023

As NATO leaders meet in Vilnius, collective security in cyberspace will figure among the agenda. Russian operators are also active against the summit, with kinetic threats and cyberattacks.

As NATO's summit began in Vilnius, Russian drones were launched against Kyiv. Twenty-six of the twenty-eight Iranian-manufactured Shaheds were shot down by Ukrainian air defenses, and the surviving two are reported to have done minimal damage to the capital. Odessa was targeted as well, with damage to the port's grain terminal and other facilities. Russia also continued strikes against other Ukrainian cities, with attendant civilian casualties. The grimmest such attack came in the village of Orikhiv, near Zaporizhia, where Russian missiles hit an aid distribution center in a school, killing seven and injuring eleven. Authorities in Ukraine, Estonia, Latvia, Lithuania and Poland are cooperating in the investigation of Russian attacks against noncombatants and other alleged (but well-attested) war crimes.

The Telegraph cites Ukrainian authorities who place the ground Ukraine says it has retaken since the onset of its counteroffensive at 169 square kilometers on the southern front and 24 square kilometers around Bakhmut. In comparative terms that's about three times the size of Manhattan, a bit more than the area of Brooklyn, and a bit less than the area of American Samoa. That's not negligible, but it's not a lot, either, although it's markedly more progress in five weeks, the Institute for the Study of War observes, than Russian forces were able to make in the last six months. The Institute writes, "Ukrainian military officials stated that Ukrainian troops continued offensive actions in the Bakhmut, Berdyansk (western Donetsk-eastern Zaporizhia oblasts), and Melitopol (western Zaporizhia Oblast) directions."

Ukraine to be offered a relationship with NATO.

The UK, the US, France, and Germany are expected to take the lead, during the Vilnius summit, in an offer of what the Telegraph calls "NATO lite" protection. These would amount to security guarantees similar to those the Atlantic Alliance has made to Israel, but which fall short of full membership.

Besides marking the summit's opening with waves of drones launched against civilian targets, Russia also warned NATO through diplomats' statements. Reuters summarizes those warnings. NATO realizes that it's losing in Ukraine, the Vienna-based Russian security negotiator Konstantin Gavrilov said, adding that the fate of Europe was of little concern to the Americans, but that Europe would bear the brunt of Russia's response to what Russia (and no one else) characterizes as NATO aggression. TASS quotes Ambassador Gavrilov at greater length. "From our perspective in Vienna - given what we do, how we deal with various delegations and explore the situation here - it appears that talks are simply not possible at this point," Mr. Gavrilov said when asked about the present possibility of a negotiated peace. "If the Americans wanted to, they would make the Ukrainians sit down. If the Ukrainians wanted to do something, they would also start sending appropriate signals. But nothing like that is happening. As for trying to persuade them to come to the negotiating table - no, thank you. As [Russian Foreign Minister] Sergey Lavrov said, if you want war, that’s what you will get."

Recruiting those who don't count.

The UK's Ministry of Defence this morning reported on an initiative to replace casualties, this one by Moscow's city fathers. "Moscow’s municipal authorities are highly likely threatening to withdraw contracts from construction firms if they fail to hit quotas for providing ‘volunteers’ to serve in Ukraine. One company has reportedly been set a target of 30 volunteers by the end of August 2023. The move will likely primarily affect ethnic minorities from poorer regions of Russia such as Dagestan and central Asian states, who make up the majority of Moscow’s construction workers. This measure is highly likely at least tacitly endorsed by Moscow mayor Sergey Sobyanin. It continues his track record of trying to minimise the impact of the conflict on better-off Muscovites, while still being seen to support the war effort."

President Putin and the mutineers.

Kremlin spokesman Dmitry Peskov yesterday presented a picture of reconciliation in his description of a June 19th meeting between President Putin and Wagner Group commanders. President Putin offered his "assessment" of the mutiny and march on Moscow, and then “listened to the explanations of the commanders and offered them options for further employment and further use in combat.” For their part the Wagnerites said they were patriots. “The commanders themselves presented their version of what happened. They underscored that they are staunch supporters and soldiers of the head of state and the commander-in-chief, and also said that they are ready to continue to fight for their homeland,” Mr. Peskov explained. 

Observers interpret the meeting, and the apparent desire to regain the Wagner Group's loyalty (or retain it--the Wagnerites always said their march on Moscow was aimed at the Ministry of Defense, not against the President) as a sign of Mr. Putin's continued dependence on the private military corporation and his suspicion that the regulars and the security services may not be reliable. Also present at the meeting were General Viktor Zolotov, who leads the internal security troops of Russia's National Guard, and SVR head Sergey Naryshkin. The National Guard and the SVR provide a potential check to such established security organs as the FSB. So why aren't the Wagner Group mutineers disarmed and in custody? Evidently because Mr. Putin feels he needs them.

NATO considers Article 5 in cyberspace.

The Vilnius summit affords an opportunity for NATO to take stock of its collective cyber defenses. The NATO Cooperative Cyber Defence Centre of Excellence in Tallinn has proven its value, and, as cyberspace has become a generally recognized operational domain, the Alliance may consider ways in which it might build even more effective collective security in that fifth domain. Security Week offers a range of suggestions that may be under consideration, from collective joint cyber training, to the formation of a NATO cyber command analogous to the national cyber commands several of its members have developed, to considerations of the ways in which cyber attacks might trigger the collective defense provisions of Article 5. (And consideration of what a proportionate response to the cyber phases of a hybrid war might look like.)

The Record has an interview with Christian-Marc Lifländer, the head of NATO's cyber and hybrid policy section, in which Lifländer discusses lessons learned from Russia's war against Ukraine. At a high level, he sees a need to avoid "self-deterrence," a reluctance to take action that might be perceived as escalatory, and a corresponding willingness to recognize that cyber operations, to a greater extent perhaps than those in other domains, tend to blur and overstep institutional lines. "But there seems to be something about cyber that doesn't really respect organizational boundaries," he said. "I mean, you need the technical, the operational, and the political layer to operate better together. So this is exactly what we're trying to achieve here. It means information sharing, it means intelligence sharing, but it also means a better way to react, a better way to shape cyberspace." Cyber is "always on," and warnings must be in place that enable an appropriate Alliance response to threats there, whether they amount to political pressure, disruption, or direct attack against infrastructure. 

An op-ed in POLITICO urges NATO to recognize what the authors consider the central lesson to be drawn from the war against Ukraine, "that software is a strategic enabler — perhaps the principal enabler — for joint and distributed multidomain and combined military operations," and to both act and invest accordingly.

Cyberattacks aimed at the NATO summit (and conducted in the Russian interest).

BlackBerry researchers have found that the RomCom threat actor is using malicious documents to spread its remote access Trojan. The targeting is significant. "Based on the nature of the upcoming NATO Summit and the related lure documents sent out by the threat actor, the intended victims are representatives of Ukraine, foreign organizations, and individuals supporting Ukraine." The researchers' conclusion reads, "Based on the available information, we have medium to high confidence to conclude that this is a RomCom rebranded operation, or that one or more members of the RomCom threat group are behind this new campaign supporting a new threat group. The information we base this conclusion on includes:

  • "Geopolitical context
  • "Domain’s registration and HTML scraping of legitimate websites
  • "Certain similarities in the code between this campaign and previously known RomCom campaigns
  • "Network infrastructure information".

(Added, 1:30 PM ET, July 11th, 2023. Max Gannon, Senior Cyber Threat Intelligence Analyst at Cofense, wrote with comment on RomCom's use of spearphishing. "Although the analysts were unable to uncover the actual spear-phishing emails encouraging victims to visit the malicious website, they are likely correct that spear-phishing was used to deliver links to the malicious website. It is unlikely that the threat actors were planning to use Google search results to promote the malicious website as Google detected suspicious activity and warns that the site may harm your computer," Gannon observed. "The use of cloned malicious websites and typosquatting is nothing new, we have previously reported on a targeted campaign using cloned pages of the United States Department of Labor for phishing." He too notes that the timing can't reasonably be supposed to be an accident. "What sets this campaign apart is the timely nature of the attacks and the apparent targeting which is something seen in threat actors with a political agenda rather than threat actors simply looking to compromise anyone that they can. There are many solutions to prevent spear-phishing attacks and prevent access to unauthorized websites however in the end it all comes down to people being able to recognize something as being malicious. In this case, the .info TLD is a giveaway but the method of obtaining the URL is likely suspicious as well. We can't comment further on that side of things without having access to the spear-phishing emails themselves.")

Anonymous Sudan remains a nuisance-level irritant.

Anonymous Sudan launched another wave of distributed denial-of-service (DDoS) attacks against US-owned companies over the weekend leading into Monday morning. The group, widely believed to be a Russian cyber auxiliary, claimed that the DDoS attacks against Reddit, Tumblr, Flickr, and archiveofourown.org were to take down services which host LGBTQ+ and NSFW content. “It's part of our campaign targeting companies registered in the United States. The operators of this site are "Organization for Transformative Works (OTW)" who are registered in the United States. In addition to that, we are against all forms of degeneracy and the site is full of disgusting smuts and other LGBTQ+ and NSFW things,” the group wrote on its Telegram page. Anonymous Sudan has also posted tweets from irritated users of Tumblr, Reddit, and Flickr, presumably as evidence of the hacktivist auxiliary’s successful DDoS attack. In an update to yesterday's Anonymous Sudan story: after AO3 (archiveofourown.org) tweeted that its volunteer IT staff were working to fight off the DDoS attack, Anonymous Sudan wrote that it demanded a ransom of $30k. The pattern is consistent: Anonymous Sudan attacks, and, if there's public outrage or irritation, the group demands money.

Anonymous Sudan, despite its name, is almost certainly a front operated under the direction of Russian intelligence. It's shown a growing sophistication in its operations, and its DDoS activity--more successful than most such attacks--suggests that it's receiving relatively lavish funding. The infrastructure necessary to conduct DDoS on the scale the group has, Cybersecurity Dive points out, doesn't come cheap.