Ukraine at D+148: Spycraft, traditional and cyber.
N2K, Jul 22, 2022

Russia's offensives remain stalled, as MI6 and CIA think the Russian army has "run out of steam." Russian cyberespionage continues as traditional espionage runs up against apparently effective European counterespionage measures. And hackers spread disinformation over nine Ukrainian radio stations.

The morning situation report from the UK's Ministry of Defence says the Russian advance in the Donbas has stalled. "In the Donbas, Ukrainian forces continue to repel Russian attempts to assault the Vuhlehirsk power plant. Russian artillery remains focused on areas around the cities of Kramatorsk and Siversk. On 21 July 2022, Vitaly Kim, governor of Ukraine’s Mykolaiv region, said that Russian forces had used seven air defence missiles to strike infrastructure, energy facilities and storage areas. Russia has increased its use of air defence missiles in a secondary ground attack mode because of critical shortages of dedicated ground-attack missiles. [Russia] has almost certainly deployed S-300 and S-400 strategic air defence systems, designed to shoot down aircraft and missiles at long ranges, near Ukraine from the start of invasion. These weapons have relatively small warheads, designed to destroy aircraft. They could pose a significant threat against troops in the open and light buildings but are unlikely to penetrate hardened structures. There is a high chance of these weapons missing their intended targets and causing civilian casualties because the missiles...are not optimised for this role, and their crews will have little training for such missions."

Air defense weapons are not the only class of system being used for purposes outside their designed functions. Many of the cruise missiles used against Ukrainian cities have been anti-ship missiles, which are also not well-suited for land attack. Russian efforts to buy drones from Iran may be seen in this light as an act of weakness.

CIA and MI6 chiefs describe the problems Russia faces in Ukraine.

The heads of the US and UK intelligence services agree that there's no reason to believe Russian President Putin is ill, despite widespread speculation that he's in decline and wishful thinking, retailed in the media, about his hold on the Kremlin. According to the Washington Post, CIA Director William J. Burns said at the Aspen Security Forum yesterday, “There are lots of rumors about President Putin’s health, and as far as we can tell, he’s entirely too healthy.”

They do, however, see other weaknesses in Russia, the familiar ones that have been evident on the battlefield since the first week of Russia's war. “They’re about to run out of steam,” Bloomberg quotes MI6 head Richard Moore as saying, also at the Aspen Security Forum. "Our assessment is the Russians will increasingly find it difficult to find manpower, materiel over the next few weeks. They will have to pause in some way, and that will give the Ukrainians opportunities to strike back." The Telegraph reports that Moore said "their," that is, Ukrainian, morale "is still high and they are starting to receive increasing amounts of good weaponry. To be honest it will be an important reminder to the rest of Europe that this is a winnable campaign.”

Director Burns assessed Russian casualties to date as roughly 15,000 killed in action and an additional 45,000 wounded. He sees, Bloomberg reports, Russia's negotiations with Iran to receive supplies of Iranian drones as a sign of weakness, and he also believes that China has been surprised and unsettled by poor Russian combat performance.

Minsk echoes Moscow.

Belarusian President Lukashenka, in an interview yesterday with AFP, explained his formula for peace. "We must stop, reach an agreement, end this mess, operation and war in Ukraine," he said. "Let's stop and then we will figure out how to go on living." Like his Russian colleague President Putin, Mr. Lukashenka expressed his concerns about the likelihood of nuclear war. "There's no need to go further. Further lies the abyss of nuclear war. There's no need to go there." What's needed for peace, in Mr. Lukashenka's view, is that Ukraine come to its senses. "Everything depends on Ukraine," he said. "Right now, the peculiarity of the moment is that this war can be ended on more acceptable terms for Ukraine." Ukraine should "sit down at the negotiating table and agree that they will never threaten Russia," accept that it won't recover its occupied provinces ("This is no longer being discussed. One could have discussed this in February or March"), and accede to Russia's conditions. Mr. Lukashenka's reference to the settled status of the Donbas and the occupied southern regions suggests that Moscow's policy has been made clear to him. Russia intends to stage plebiscites in at least Donetsk and Luhansk this September, Bloomberg reports, and the results that will be announced are expected to provide a fig leaf for forcible Russian annexation.

In his call for Ukraine to negotiate, Mr. Lukashenka is more irenic than Russian Foreign Minister Lavrov, who the day before had said peace talks with Ukraine "made no sense." But Minsk's views on the causes of the war are closely aligned with Moscow's. In Mr. Lukashenka's telling, Russia's special military operation is essentially defensive, including its initial movement of troops into Ukraine, which was a perfectly legitimate and purely preventive operation to preempt NATO aggression. "You have fomented the war and are continuing it," he said, addressing AFP as an agent of NATO. "We have seen the reasons for this war. If Russia had not got ahead of you, members of Nato, you would have organised and struck a blow against it. He just got slightly ahead of you." Had NATO given Russia "the security guarantees" it asked for, there would have been no special military operation. "On the eve of the Ukraine war why did not you provide such guarantees?" Mr. Lukashenka said. "This means you wanted war. You, members of NATO and Americans, needed war."

President Lukashenka, while saying that no Belarusian soldiers are fighting in Ukraine, was direct and forthright in his adherence to the Russian cause. "I am part of the operation that Russia is conducting," he said. "I am supporting Russia." This, too, is NATO's fault. "Because you were ready to strike Belarus and Russian infrastructure," he explained. "Do you want to say that I had to sit and wait until rockets start falling on the heads of the Belarusian people? No! I shut the western and the southwestern border near Brest. So that you, the NATO troops, primarily the Poles being pushed by the Americans, do not stab the Russians in the back. I couldn't allow it."

He also doesn't like the sanctions: "The situation with your idiotic and savage sanctions just showed how dependent you are on Russian energy resources."

It's crudely overdrawn and unlikely to persuade the unpersuaded, but Mr. Lukashenka is preaching to a choir of one: Mr. Putin.

Traditional espionage and counterespionage during the hybrid war.

Traditional espionage run by intelligence officers working under diplomatic cover has grown somewhat more difficult for Russia during the present war. The Record quotes the head of Britain's MI6 as estimating that around half of the Russian intelligence officers operating under such cover in Europe, roughly four hundred in all, have been expelled. Clearing compromised personnel from Ukrainian security and intelligence services is a more complex and difficult task. The Atlantic Council describes the challenges of expunging Russian sympathizers from the SBU security service and the Prosecutor General’s Office (PGO). The heads of both agencies have been suspended, but reforming large agencies in wartime is like rebuilding a ship during a voyage.

SVR's abuse of Google Drive: industry reaction.

That said, Russian cyberespionage attempts continue unabated. Palo Alto Networks' Unit 42 early this week outlined evidence that Russia's SVR foreign intelligence service (APT29, which Unit 42 calls "Cloaked Ursa," Microsoft "Nobelium," and others "Cozy Bear") had been actively abusing Google Drive to distribute malware in the service of cyberespionage. TechCrunch observed that this isn't the first time the SVR has been observed making hostile use of legitimate web services (Mandiant had earlier seen the SVR using Dropbox for command-and-control). The attraction for an attacker is plain: traffic to these services is encrypted, ubiquitous in enterprise networks, and rarely blocked, so the defender cannot simply blacklist the destination and must instead ask which process on which host is talking to it.

We've received comment from several industry experts on the implications of the SVR's current tactics. Lior Yaari, CEO and co-founder of Grip Security, wrote that this is the latest instance of a long-running trend. “The recent malicious activity discovered using Google Drive is emblematic of the SaaS security challenge—universal accessibility and ease of deployment. Before Google Drive, there was Dropbox and before Dropbox, APT29 was hitting Microsoft 365," he said. "These were all compromised by credentials that could have been more secure—and these are credentials for the apps we monitor every day; we are not even discussing the horde of business-led SaaS that is wholly outside of security control. The SaaS security challenge for campaigns like these only illustrates the trend toward exploiting SaaS’s strengths for nefarious ends. And the matter only becomes worse with more SaaS out-of-sight for many security teams.”

Shahar Vaknin, Threat Hunting Expert and Team Axon Leader at Hunters, sees the development as foreseeable. "As C2 domain detection systems improve," he wrote, "C&C communication over common services such as GDrive, Slack, Telegram, etc. rises. An example of it can be seen in the WhisperGate wiper malware used against Ukrainian targets. WhisperGate downloads its second stage from a Discord CDN, which makes the activity hard to detect. We advise correlating between the proxy logs and EDR logs in order to track down the binary which initiated the connection."
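The proxy-to-EDR correlation Vaknin recommends, in working form. This is an added example, not code from the article, from Hunters, or from Unit 42. It assumes a Squid-style proxy access log, EDR network events exported as JSON lines, and an explicit proxy at 10.0.1.10: because the endpoint's socket goes to the proxy rather than to Google Drive or the Discord CDN, the EDR event never carries the real destination, so the two sources have to be joined on client IP and time rather than on destination address. The watchlist of abusable services, the allowlist of expected images, and every log line below are constructed for the example.

```python
"""Correlate web-proxy logs with EDR network events to name the process behind
connections to legitimate cloud services (Google Drive, Discord CDN, Dropbox,
Telegram) that attackers use for payload delivery or C2.

Added example. All log lines are constructed sample data, not real telemetry."""
import json
import ntpath
from datetime import datetime

# Legitimate services the text describes being abused (constructed watchlist).
WATCHLIST = {
    "drive.google.com", "docs.google.com", "cdn.discordapp.com",
    "www.dropbox.com", "content.dropboxapi.com", "api.telegram.org",
}
# Images expected to reach those services (assumed allowlist; tune per fleet).
EXPECTED_IMAGES = {
    "chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe",
    "dropbox.exe", "discord.exe", "telegram.exe",
}

# Constructed Squid-style proxy log: epoch client_ip method target status bytes
PROXY_LOG = """\
1658474401.123 10.0.5.21 CONNECT drive.google.com:443 200 52211
1658474403.557 10.0.5.21 CONNECT www.google.com:443 200 1024
1658474410.009 10.0.5.44 CONNECT cdn.discordapp.com:443 200 230487
1658474412.300 10.0.5.44 CONNECT cdn.discordapp.com:443 200 1900
1658474430.000 10.0.5.21 CONNECT drive.google.com:443 200 3310
"""

# Constructed EDR network events (JSON lines). With an explicit proxy the
# endpoint's socket goes to the proxy (10.0.1.10), so dest_ip never shows the
# real destination: the join below is on client IP and time instead.
EDR_EVENTS = r"""
{"ts":"2022-07-22T07:20:01.100Z","host":"WS-021","src_ip":"10.0.5.21","pid":4412,"process":"C:\\Windows\\System32\\rundll32.exe","dest_ip":"10.0.1.10","dest_port":3128}
{"ts":"2022-07-22T07:20:03.500Z","host":"WS-021","src_ip":"10.0.5.21","pid":2201,"process":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest_ip":"10.0.1.10","dest_port":3128}
{"ts":"2022-07-22T07:20:09.980Z","host":"WS-044","src_ip":"10.0.5.44","pid":7120,"process":"C:\\Users\\Public\\stage1.exe","dest_ip":"10.0.1.10","dest_port":3128}
{"ts":"2022-07-22T07:20:12.290Z","host":"WS-044","src_ip":"10.0.5.44","pid":3340,"process":"C:\\Users\\alice\\AppData\\Local\\Discord\\app-1.0.9\\Discord.exe","dest_ip":"10.0.1.10","dest_port":3128}
{"ts":"2022-07-22T07:20:29.950Z","host":"WS-021","src_ip":"10.0.5.21","pid":4412,"process":"C:\\Windows\\System32\\rundll32.exe","dest_ip":"10.0.1.10","dest_port":3128}
"""


def _iso_to_epoch(ts):
    # fromisoformat does not accept a trailing Z on older Pythons; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def parse_proxy(text):
    """Yield (epoch, client_ip, dest_host, bytes) per proxy line."""
    for line in text.splitlines():
        if line.strip():
            ts, client, _method, target, _status, nbytes = line.split()
            host = target.rsplit(":", 1)[0].lower()  # drop :443 from CONNECT target
            yield float(ts), client, host, int(nbytes)


def parse_edr(text):
    """Return EDR events as dicts with an added numeric 'epoch' key."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["epoch"] = _iso_to_epoch(ev["ts"])
            events.append(ev)
    return events


def nearest_event(events, client_ip, epoch, window_s):
    """Closest EDR event from client_ip within +/- window_s seconds, else None."""
    best = None
    for ev in events:
        if ev["src_ip"] != client_ip:
            continue
        delta = abs(ev["epoch"] - epoch)
        if delta <= window_s and (best is None or delta < best[0]):
            best = (delta, ev)
    return best[1] if best else None


def correlate(proxy_text, edr_text, window_s=5.0):
    """Attribute watchlisted proxy connections to a process; flag unexpected images.
    Returns one finding per (client, pid, process, destination) with totals."""
    events = parse_edr(edr_text)
    findings = {}
    for epoch, client_ip, host, nbytes in parse_proxy(proxy_text):
        if host not in WATCHLIST:
            continue
        ev = nearest_event(events, client_ip, epoch, window_s)
        if ev is None:
            continue  # unattributed connection; worth its own alert in practice
        image = ntpath.basename(ev["process"]).lower()
        if image in EXPECTED_IMAGES:
            continue  # browser or official sync client: expected traffic
        key = (client_ip, ev["pid"], ev["process"], host)
        f = findings.setdefault(key, {
            "host": ev["host"], "client_ip": client_ip, "pid": ev["pid"],
            "process": ev["process"], "image": image, "dest_host": host,
            "connections": 0, "bytes": 0})
        f["connections"] += 1
        f["bytes"] += nbytes
    return list(findings.values())


if __name__ == "__main__":
    for f in correlate(PROXY_LOG, EDR_EVENTS):
        print(f"{f['host']} {f['client_ip']} pid={f['pid']} {f['process']} -> "
              f"{f['dest_host']} ({f['connections']} conn, {f['bytes']} bytes)")
```

On the sample data this surfaces rundll32.exe on WS-021 pulling from drive.google.com and an unsigned-looking stage1.exe on WS-044 reaching the Discord CDN, while Chrome and Discord.exe are filtered as expected clients. The allowlist is the weak point of the approach: a payload injected into a browser process inherits the browser's image name, so in production the image check should be backed by signer and parent-process fields from the EDR, and the time window should be tuned to the proxy's logging behaviour (Squid records a request when it completes, so the EDR connect event normally precedes the proxy line).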

Whatever other lessons organizations might take from the recent SVR campaigns, one they should clearly draw is as old as warfare itself: the enemy reacts and adapts. Omer Yaron, Head of Research at Enso Security, wrote, "This is another example of the cat and mouse game between the sophisticated attackers and researchers who are trying to expose them. The only thing different each time is the increased sophistication of these attacks. This event is another reminder that stakeholders must always be alert and up to date with the latest security tools and methodologies because he/she is going to need it. If you want to handle these events the most effective way, you need to have the best data, the most knowledge and be the one to figure it out first. The whole APT game continues, but it's not just about covering your bases anymore, it's how fast you can identify such an event." 

Yoni Shohet, CEO and Co-founder of Valence Security, warns that the present campaigns represent a threat to the software-as-a-service (SaaS) ecosystem. “The hacking group behind the SolarWinds attack campaign has focused multiple times in the past on supply chain access breaches and leveraging legitimate vendors for malicious purposes." He added, "Even though it’s early to tell, it seems like in this case, the attackers leveraged Google Drive, but its potential impact extends not only to that SaaS application but to the rest of the SaaS mesh connect[ed] to it, so it is imperative to have controls in place to prevent the potential impact and lateral movement of these types of threats as well as attacks on an organization’s entire SaaS supply chain.”

Assessing Russian cyberattacks.

The US continues to look for an explanation of why Russian cyberattacks in support of its war against Ukraine, while they've certainly been conducted, have so far fallen short of the devastating potential widely expected as the special military operation began. Deputy National Security Adviser for Cyber Anne Neuberger reviewed the bidding Wednesday at the Aspen Security Forum. Defense News quotes her as saying, “With regard to the Russian use of cyber and our takeaways, there are any number of theories for what we saw and what, frankly, we didn’t see. Some argue for the deterrence the U.S. has put in place,” and in this she was alluding to the discussion between Presidents Biden and Putin after the Colonial Pipeline ransomware attack. “Some argue that it was the result of the extensive cybersecurity preparations Ukraine did, supported by allies and partners. And some argue that we don’t quite know.”

Ukraine thinks defensive preparations made a contribution to blunting Russian cyberattacks. Illya Vityuk, head of the cybersecurity department of the Ukrainian State Security Service, pointed to the weeks of preparatory Russian cyberattacks before the actual invasion. “For us it was like a full dress rehearsal,” he said, as reported by CyberScoop. The Ukrainian services had an opportunity to assess the enemy's capabilities and to address their own vulnerabilities in advance of the onset of war, and he says they were able to make good use of the opportunity.

Ukrainian radio stations briefly hacked.

“Cyber criminals have spread the news suggesting that the President of Ukraine Volodymyr Zelenskyy is allegedly in critical condition under intensive care and the Chairperson of the Verkhovna Rada of Ukraine Ruslan Stefanchuk acts in his stead,” a spokesperson for the State Service of Special Communications and Information Protection (SSSCIP, Ukraine's counterpart to the US CISA) told reporters, according to CyberScoop. Broadcasts over nine stations were affected. This amounts to a defacement aimed at spreading disinformation. There was no immediate specific attribution, nor was any information available on how the attack proceeded.