Ukraine at D+190: Trimming expectations and calling for assassinations.
Sep 2, 2022

As Ukraine's counteroffensive continues, Russian media personalities blame NATO for setbacks and speculate about the need for a program of targeted assassination, in both Ukraine and NATO. Experts look at the mixed record of state cyber operations, hacktivism, and privateering in the hybrid war.

Ukraine's counteroffensive.

Ukrainian officials say that Russian forces are sustaining "heavy losses" in fighting around Kherson, the Independent reports.

The UK's Ministry of Defence (MoD) reports that "Heavy fighting continues in southern Ukraine, including shelling in Enerhodar district, near the Russian-occupied Zaporizhzhia Nuclear Power Plant." This hasn't, however, stopped Russia's annual Vostok military exercise. "Despite the war in Ukraine, on 01 September, the Russian military started exercise Vostok 22, its annual Joint Strategic Exercise, marking the culmination of the military training year. Russia publicly claimed that 50,000 troops will take part, however, it’s unlikely that more than 15,000 personnel will be actively involved this year. This is around 20% of the forces which participated in the last Vostok exercise in 2018." Vostok has long been more gesture than effective training. "Russia’s military performance in Ukraine has highlighted that Russia’s military strategic exercises, such as Vostok, have failed to sustain the military’s ability to conduct large scale, complex operations. Such events are heavily scripted, do not encourage initiative, and primarily aim to impress Russian leaders and international audiences."

Talking heads talk about "diversionary operations."

Russian state television struck an unusual note of pessimism. Total victory may no longer be possible, as Newsweek glosses the show Myetsa Vstrechi ("Meeting Place"), and that's the fault of NATO, which has been delivering decisive assistance to Ukraine. Those notes of pessimism were accompanied by some aggressive musing about what might still be done. Rossiya1's evening show recently included a long discussion of the possibility of Russian diversionary operations abroad, both in Ukraine and outside Ukraine, against countries that support Kyiv in the present war. "Diversionary operations" in Russian military argot are what the US would call "special operations," or what Hollywood would call "commando raids." These are conducted by small units, in some cases individuals, operating clandestinely: the success of a diversionary operation generally depends upon its going undetected. The speculations by the talking heads largely center on the assassination of Ukrainian, British, and (especially) American officials. The British and the Americans are, in the view represented on Rossiya1's set, the ones calling the shots and pulling the strings behind the Ukrainian fascists, and the puppetmasters must be punished. The casual way they propose large-scale assassination and the sense they express of Russia's being under an existential threat are surprising, but, unfortunately, not unusual. (A note on US organization, by the way, to help out Rossiya1. Their experts talk about the good things that would follow the murder of a "CIA general." The CIA is a civilian intelligence service; its officers don't hold military rank.)

War crimes: apology and prosecution.

Rossiya1's program is also disturbing (but again, unfortunately not unusual) for its casual advocacy of "filtration" as a necessity, indeed as a patriotic obligation. For what "filtration" means on the ground, see the Washington Post's account. Filtration is the coercive displacement, detention, interrogation, and surveillance of civilians. Forcible deportation is a war crime, and it's difficult to find even a dubious justification for it in Ukraine on grounds of military necessity. Russian sources have claimed that filtration is either (1) voluntary repatriation, (2) protective, humanitarian evacuation, or (3) a legitimate search for fascist war criminals, at worst an inconvenience. None of these justifications can reasonably be regarded as plausible. Radio Free Europe | Radio Liberty describes one family's grim experience of filtration under the headline "'You Are Russian Now': Ukrainian Family Recalls Deportation To Moscow."

Ukrainian prosecutors continue to work to identify war crimes suspects, CNN reports. They've now used news reports and video to name a suspect in two murders--civilians shot in the course of Russian looting in a town near Kyiv during the early stages of the war.

An assessment of Russian failure (or disinclination) to mount effective cyber campaigns.

An essay in the New Atlas looks at the decidedly mixed record of Russian cyber operations in the current war. While Russian operators had some early success deploying wiper malware against Ukrainian communications infrastructure, that success was short-lived. Since the first weeks of the war Russian cyber operations have tended toward conventional espionage, augmented by some ransomware privateering and nuisance-level distributed denial-of-service. The reasons for this are obscure, but, while due credit should be given to Ukrainian resilience, Russia's cyber shortfalls may be a species of the more general Russian problem of coordinating effective combined arms operations: "What has been apparent over the last six months is that few, if any, of Russia's cyber attacks have been launched in support of a clear military objective. There were no assaults on military command and control systems, no critical infrastructure attacks, and nothing that could put real pressure on Ukraine to force concessions from the country or its friends."

Hacktivism and privateering may have been overrated in Russia's war, university researchers conclude.

"Drawing on a range of data sources, we argue that the widely-held narrative of a cyberwar fought by committed ‘hacktivists’ linked to cybercrime groups is misleading," a study conducted by researchers at the Universities of Cambridge, Strathclyde, and Edinburgh concludes. The researchers looked at web defacements, reflected distributed denial-of-service attacks, and communiqués posted to a "volunteer hacking discussion group." They enriched their analysis by interviewing people who'd actively engaged in defacing websites in Russia and Ukraine.

It appears that hacktivism shades quickly into slacktivism, as much of the initial enthusiasm fades:

"Our findings indicate that the conflict briefly but significantly caught the attention of the low-level cybercrime community, with notable shifts in the geographical distribution of both defacement and DDoS attacks. However, the role of these players in so-called cyberwarfare is minor, and they do not resemble the ‘hacktivists’ imagined in popular criminological accounts. Initial waves of interest led to more defacers participating in attack campaigns, but rather than targeting critical infrastructure, there were mass attacks against random websites within ‘.ru’ and ‘.ua’. We can find no evidence of high-profile actions of the kind hypothesised by the prevalent narrative."

The researchers also spill some cold water on the reputation of the IT Army of Ukraine: "The much-vaunted role of the ‘IT Army of Ukraine’ co-ordination group is mixed; the targets they promoted were seldom defaced although they were often subjected to DDoS attacks." (As we've noted elsewhere, the IT Army of Ukraine has evolved in the direction of a security start-up; it's not a hacktivist mob rising in simple spontaneous righteous indignation.)

So the hacktivists got bored and the crooks weren't necessarily seeing the payoff. "Our main finding is that there was a clear loss of interest in carrying out defacements and DDoS attacks after just a few weeks. Contrary to some expert predictions, the cybercrime underground’s involvement in the conflict appears to have been minor and short-lived; it is unlikely to escalate further."

Rachel Noble, chief of the Australian Signals Directorate, has, according to the Canberra Times, a higher assessment of how the privateers, at least, have performed in the war. "Cyber criminals started to take sides in the war. These are serious and organised criminal gangs with deep resources, who took it upon themselves to take action both on behalf of Russia and on behalf of Ukraine, and involve themselves in the conflict." Not decisive, but messy and troublesome.

Cyberattack against Montenegro.

Concluding that privateering may be played out, however, seems to be premature, if the Montenegro incident is any indication. Balkan Insight characterizes the effects of the Cuba ransomware on Montenegrin networks as having sent the country "back to analog." Bloomberg reports that investigation and recovery are still in progress, as Montenegro calls in assistance from its NATO allies. And a second piece in Bloomberg cites a warning from the Italian Foreign Minister that cyberattacks against Western European targets have spiked since Russia's invasion of Ukraine.

We've received commentary from two experts on the implications of ransomware attacks during a hybrid war. Sam Curry, Chief Security Officer, Cybereason, thinks it unsurprising that Russian gangs have hit Montenegro. "It should shock no one that Montenegro has been targeted in all likelihood by Russian cybercrime gangs, given the recent attacks on not only critical infrastructure providers in the UK, Greece and Luxembourg, but governments in Costa Rica and Taiwan. In Greece, last week the country’s largest natural gas provider came under attack from the Ragnar Locker ransomware gang." He sees target selection as opportunistic: find a vulnerable government network and go after it. "In the case of Costa Rica, the President declared war on the ransomware gangs and refused to meet their extortion demands. In Taiwan, a massive DDoS attack surfaced because it's a fast and go-to tool for quick results and normal ingredients that could accompany more serious and invested attacks. Cyber terrorists and extortion gangs are hitting these countries and critical infrastructure operators because they deem them vulnerable." The gangs hit whom they think they can damage, and aren't terribly concerned with finding either high-payoff or high-value targets.

"Given the reckless attacks on Montenegro, all nations should be on high alert regardless of how close they are geographically or politically to the Ukrainian-Russian conflict. Why else would reports surface that the FBI rushed a team of cybersecurity experts to Montenegro if there wasn't a clear indication of Russian involvement? There is the possibility of the repercussions being felt in the U.S. and other regions.

"In general, state-ignored criminal organizations such as Conti Group, REvil, Lockbit and Clop and many others are privateers, but in a time of war there's no such thing as plausible deniability. Warning to the ransomware gangs and their ilk: watch out who you target in your pursuit of cash. Some of those targets have more power than you think."

Curry recommends some steps organizations can take to harden themselves:

"To protect against DDoS and ransomware attacks, both public and private sector organizations should prepare in peacetime and ensure redundancy in network connectivity and have mitigation strategies ready. And don't just prepare for volumetric attacks (there are more kinds of DDoS than simple floods) but also practice good security hygiene and regularly update and patch operating systems and other software. Also, conduct periodic table-top exercises and drills including people beyond the security team all the way to the Executive Suite. 

"Organizations should also ensure clear isolation practices are in place to stop ingress on the network and the spreading of ransomware. And also evaluate locking down critical accounts when possible. The path attackers often take in propagating ransomware across a network is to escalate privileges to the admin domain-level and then deploy the ransomware."

Michael McPherson, SVP of Security Operations at ReliaQuest, also sees evidence of widespread risk, and offers some reflections on the assistance NATO allies are rendering Montenegro:

"The recent cyberattack involving a combination of ransomware and denial of service against critical infrastructure and government entities in the country of Montenegro once again demonstrates no one is immune from these threats.

"Although the deployment of the FBI’s Cyber Action Team (CAT) is not uncommon, it does demonstrate the breadth and depth of this attack. CAT team deployments are generally reserved for complex situations which require additional manpower and technical expertise.

"The ransomware-branded Cuba, which is reportedly being utilized in this attack, has historically targeted critical infrastructure entities. However, in this instance, the attacks appear more widespread than in the past.

"Dating back to at least 2018, the U.S. military has been working with the government of Montenegro on cybersecurity cooperation, training, and resiliency. These efforts highlight the importance of pre-attack partnerships which can facilitate response capabilities in an attack such as this."

Taxi! Hey, like everyone else, all us bots need a lift, too, and bistro! Hey over here, taxi!

The latest incident in nuisance-level hacking took place in Moscow. Yandex Taxi's ride-hailing app was breached by hackers Thursday who summoned dozens of cabs to the Hotel Ukraina on Kutuzovsky Prospekt, snarling traffic and generating much inconvenience, Cybernews reports. For what it's worth, Anonymous TV claimed responsibility on behalf of the hacktivist collective, tweeting, "Moscow had a stressful day yesterday. The largest taxi service in Russia 'Yandex Taxi' was hacked by the Anonymous collective. A traffic jam took place in the center of Moscow when dozens of taxi were sent by the hackers to the address on Kutuzovsky Prospekt." The tweet associated the action with Anonymous's #OpRussia.

War's been tough on the hoods, too.

Digital Shadows, in the course of its continuing observation of Russophone cybercriminal fora, and its ongoing nosing around the dark web, finds that the war has been tough on the cyber underworld, too. Part of the tough times seems to be the normal fluctuation of the criminal business cycle, but sanctions and other war-driven downturns have had their effect as well. "With recent sanctions and additional scrutiny on activity originating from Russian entities, it’s likely that many of these cybercriminals have been forced to constantly refine and adapt their techniques; and therefore, having to climb out of that trough again. A good example of this is the use of GooglePay and other financial technologies becoming banned for use across Russia; this led to many scams becoming redundant almost overnight." Some of the bite taken out of their earnings seems to have come from the Russian authorities themselves, who've cracked down on the carding they'd formerly winked at.