Ukraine at D+321: "Difficult in places"
N2K, Jan 11, 2023

Hacktivism reaches Iran as evidence collection for cyber war crimes prosecutions continues.

Russian forces belonging to the Wagner Group appear to have taken control of most of the village of Soledar, near Bakhmut, Al Jazeera reports, although Ukraine disputes the Wagner Group's claims. The local advance would represent the first Russian success in many months, the Telegraph notes.

A significant fraction of the Wagner Group's manpower now consists of convicts recruited with the promise that their sentences will be remitted once they complete their service at the front. According to the Washington Post, however, President Putin has pre-empted that promised clemency by issuing pardons to the recruits outright. The Post's sources say this points to an ad hoc legal workaround rather than a deeper change in policy. Presumably deserters will still be shot on the spot.

President Putin acknowledges that the situation in what remains of the four illegally occupied provinces continued to be "difficult in places," but he retains confidence in Russia's ability to restore them to a tolerable way of life.

Training exercises in Belarus.

The UK's Ministry of Defence (MoD) this morning published news of Russian aircraft deployments to Belarus. "On 08 January 2023, the Belarussian Ministry of Defence announced a joint Russian-Belarussian tactical flight exercise to be held in the country from 16 January to 01 February 2023. As of 08 January 2023, amateur aircraft spotters noted the arrival of [a] total of 12 Mi-8 support helicopters and Mi-24 and Ka-52 attack helicopters. With some appearing with ‘Z’ markings, the aircraft landed at Machulishchy Air Base near Minsk." The MoD assesses this as a genuine training exercise, and not as staging of invasion forces. "The new deployment of Russian aircraft to Belarus is likely a genuine exercise, rather than a preparation for any additional offensive operations against Ukraine. "Although Russia maintains a large number of forces in Belarus, they are mostly involved in training. They are unlikely to constitute a credible offensive force."

Ukrainian hacktivists conduct DDoS against Iranian sites.

Russian hacktivists (Killnet is a prominent representative) have served as auxiliaries in Russia's hybrid war, and they have been particularly active against targets in countries friendly to Ukraine. Russia has far fewer friends and partners internationally, but one of them, Iran, has now apparently been hit by pro-Ukrainian hacktivists. SC Media reports that distributed denial-of-service (DDoS) attacks have affected a number of Iranian websites, including but not limited to sites belonging to the National Iranian Oil Company and Iran's supreme leader Ali Khamenei. The hacktivists who claimed credit, the Record reports, are explicit that their operations are a reprisal for Iran's supplying Russia with the Shahed drones used in attacks against Ukrainian cities. The group CyberSec's said, in its Telegram channel, "And just to show off what we can, and what we cannot Ayatollah Khamenei personal website went down. Just for one hour. As we advised, it is a warning. If we act, we will act much more rough, no regrets and no sorries there will be. Night time, no harm. Just a demo. Next time we will deface it. Iranians, it is not your war, step down and [eff] off. Coz next time there will be oil processing scada." Note the explicit threat to industrial control systems in the final sentence.

Comment on the Cold River cyberespionage campaign.

The Cold River cyberespionage activity Reuters described last week still looks like a Russian operation. Itay Glick, VP of Products at OPSWAT, wrote to place the incident into the context of the current war (and the "geopolitical" situations that surround it). The incident represents an incipient threat to operational technology and industrial control systems.

“The Cold River campaign against US nuclear facilities was likely cyber espionage as it directly correlates with geopolitical conflicts, as are other activities by this group.

"We often hear how nuclear facilities are at risk of being targeted through the use of USBs and transient devices that can bypass air-gapped networks, or through remote access to Engineering Workstations and HMIs – such as the 2015 BlackEnergy attack on Ukraine’s power grid.

"However, this Cold River campaign leveraged what is still one of the most common attack vectors: email. The hackers created fake login pages for each facility, attempting to get staff to log in and thus reveal their passwords, with the goal of possibly gaining scientific intel on the US nuclear manufacturing process.

"With increased connectivity between IT and OT, we may expect to see advanced adversary groups attacking OT/ICS to interfere with our way of life. But incidents like the Cold River campaign can be mitigated through a prevention-based approach, including the use of email security solutions that leverage data sanitization, advanced threat prevention like multiscanning, and anti-phishing with IP, Domain, and URL-Reputation checks.”

More comment on cyber operations as potential war crimes.

The Washington Post quotes Paul Rosenzweig ("a former DHS official who’s part of the cybersecurity law initiative at George Washington University") on the difficulty of establishing that a cyberattack constitutes a war crime. “To be a war crime, it has to be totally directed at civilians, without any realistic possibility of military advantage,” Rosenzweig told the Post. “The Russian argument would be, ‘By degrading their economy, we’re increasing the possibility that they’ll sue for peace, and that’s a significant military advantage.’” That is one line of defense Russia might take: asserting the military necessity of an operation that inflicted damage on civilian targets. On the other hand, military utility is not the same thing as military necessity, and an attacker's claim that an operation had some conceivable military benefit does not by itself establish the latter.