Ukraine at D+347: Hacktivism, privateering, and diversionary ops.
Feb 6, 2023

With little movement in the lines, there are signs of both Russian and Ukrainian diversionary operations in rear areas.

Ukraine says it arrested two FSB agents conducting reconnaissance (the Odessa Journal says they were particularly interested in railroads and energy facilities), and the Telegraph reports that a Russian factory engaged in producing components to repair the Kerch Strait Bridge burned over the weekend. Ukraine hasn't acknowledged such diversionary strikes, but the fire is widely believed to have been a Ukrainian action. The Guardian discusses reports that Ukrainian units carrying out sabotage in Russia are receiving some assistance from disaffected locals.

The European Union intends to increase sanctions against Russia and double the training it's providing Ukrainian troops, Breaking Defense reports.

Ukraine's Defense Minister, Oleksii Reznikov, is said to be on his way out of office. His replacement is expected to be current military intelligence chief Kyrylo Budanov. The change is thought to be connected to a corruption scandal in the ministry.

Russia makes small, local advances around Bakhmut.

The UK's Ministry of Defence (MoD), in its Sunday morning situation report, sees local Russian advances in the vicinity of Bakhmut. "Over the last week, Russia has continued to make small advances in its attempt to encircle the Donbas town of Bakhmut. The M03 and the H32 – the two main roads into the city for Ukrainian defenders – are likely now both threatened by direct fire, following the Russian advances. Earlier in the week, Wagner paramilitary forces highly likely seized a subordinate route which links Bakhmut to the town of Siversk. While multiple alternative cross-country supply routes remain available to Ukrainian forces, Bakhmut is increasingly isolated."

That said, the MoD is concerned to give the lie to Russian claims of success, tweeting, "The story Russia tells the world about its illegal war is vastly different to the reality on the ground. Putin may say the ‘special military operation’ has gained positive momentum, but the heavy losses sustained by his forces on the battlefield tell a different story." The MoD cites against this Ukraine's recapture of about half the "additional territory" seized in the invasion (that is, territory in addition to that taken in 2014), more than 100,000 casualties, and about 5000 armored vehicles destroyed.

Occupied territories formally integrated into Russia's Southern Military District.

The MoD notes a change in Russian military organization. "The Russian military has formally integrated occupied areas of Ukraine into its Southern Military District. On 03 February 2023, Russian state news agency TASS reported that the Donetsk and Luhansk People’s Republics and the Zaporizhzhia and Kherson regions are being placed under the three-star command which is headquartered in Rostov-on-Don. This follows Defence Minister Sergei Shoigu’s January announcement that military expansion would include the establishment of ‘self-sufficient force groupings’ in Ukraine. The move highlights that the Russian military likely aspires to integrate newly occupied territory into a long-term strategic posture. However, it is unlikely to have an immediate impact on the campaign: Russia currently deploys forces from across all of Russia’s military districts, commanded by an ad hoc deployed headquarters." The reorganization is unlikely to have any tactical or operational significance. It serves rather as a further gesture toward the normalization of Russia's annexation of occupied Ukrainian territory, and it provides a legal fig leaf to cover Russia's war of aggression, recasting that war as defense of Russia proper, should Ukraine continue to retake territory.

Elections to be staged in occupied territories.

A further sign that this is the case was announced last week. The UK's MoD this morning reported, "On 01 February 2023, Russian Federation Council chair Valentina Matvienko said that regional elections will take place in the newly annexed areas of Ukraine on 10 September 2023. Incorporating the elections into [the] same day of voting which is scheduled across Russia highlights the leadership’s ambition to present the areas as integral parts of the Federation. This follows continued efforts to ‘Russify’ the occupied areas, which include revision of the education, communication, and transport systems. While meaningful democratic choices are no longer available to voters at even regional level elections in Russia, leaders will likely make the self-vindicating argument that new elections further justify the occupation."

Russian cyber auxiliaries continue attacks against healthcare organizations.

Med City News last week put the total number of US healthcare facilities affected by KillNet distributed denial-of-service (DDoS) attacks at "at least" seventeen. While much of the activity has remained at a nuisance level, that hasn't been the case with all of it. Tallahassee Memorial HealthCare, in the US state of Florida, took its IT systems offline Friday, and suspended emergency medical services, diverting most such patients to other hospitals. It announced that for the time being it would "only accept Level 1 traumas from its immediate service area." The hospital said, in its updates on the incident, “We are safely caring for all patients currently in our hospital, and we are not moving patients to other facilities. However, we have rescheduled non-emergency patient appointments. Patients will be contacted directly by their provider and/or care facility if their appointment is affected.” It added, “We are also diverting some EMS patients and will only be accepting Level 1 traumas from our immediate service area. All non-emergency surgical and outpatient procedures have been canceled and rescheduled.”

The attribution to Russian auxiliaries is still, as the Record observes, circumstantial, but it seems nonetheless fairly clear: "The attack on Tallahassee Memorial HealthCare comes just one day after a group of pro-Russian hackers announced distributed denial-of-service (DDoS) attacks on hospitals in at least 25 U.S. states, knocking several offline for hours."

The Russian cyber auxiliaries appear to have ready access to commodity criminal DDoS tools, notably the Passion botnet described last week by Radware. "Passion group, affiliated with Killnet and Anonymous Russia, recently began offering DDoS-as-a-Service to pro-Russian hacktivists. The Passion Botnet was leveraged during the attacks on January 27th, targeting medical institutions in the USA, Portugal, Spain, Germany, Poland, Finland, Norway, Netherlands, and the United Kingdom as retaliation for sending tanks in support of Ukraine."

Such tools effectively lower the barriers to entry for hacktivists interested in joining the Russian cause. The concentration on healthcare targets is consistent with an overarching strategy of terrorism. Russian state media have been airing calls for attacks that would kill many people inside hostile countries, especially Germans, French, and Americans. Cyberattacks against medical facilities are a deniable, relatively low-risk approach to achieving what Moscow evidently hopes would be terrorist deterrence of (or imposition of costs on, should "terrorist" seem too partisan and tendentious) nations delivering material support to Ukraine.

Adam Flatley, Director of Threat Intelligence at redacted, commented on the effect ransomware attacks against the healthcare sector continue to have. While these are more conventionally criminal than state-directed, however consistent they may be with state objectives, the fear they induce is seen as a powerful inducement to pay:

“We see attacks on healthcare organizations on a regular basis. Cyber threat actors are hitting these organizations because they are juicy victims, they show no mercy to the healthcare industry. Ransomware actors have no compunction about hurting people. They don't care who they hurt in the process of extorting healthcare organizations for money. They destroy lives, businesses, and in the case of hospitals, put human lives at risk with absolutely no pang of conscience. Therefore, it is critical that governments and the private sector not only help with preparation and resilience to mitigate ransomware attacks, but also bring tangible consequences to the threat actors. These groups are targeting healthcare organizations on purpose because they know the emotional impact of doing so which will help them force the extortion payment. What is still really missing is a well-coordinated public/private campaign against them to dismantle their criminal organizations.”

There are obvious similarities to the psychology of deterrence.