Ukraine at D+421: Reviewing the cyber phases of Russia's hybrid war.
Apr 21, 2023

Ukraine keeps Russia guessing about the spring counter-offensive. In cyberspace, the situation remains largely unchanged.


The timing of Ukraine's counter-offensive seems affected by the tension between an opportunity--the presently degraded condition of Russian forces--and a means--the arrival of Western weapons from the NATO countries that are supplying them to Ukrainian forces.

NATO Secretary General Stoltenberg said during his visit to Kyiv this week that the consensus among NATO members is that Ukrainian membership in the Atlantic Alliance is merely a matter of time. Ukraine will join, the Guardian reports, once the present war is over.

TASS reports that a Russian Su-34 fighter discharged some unspecified ordnance over the Russian city of Belgorod. The release is said to have been accidental, and TASS says there were no deaths on the ground, but whatever that Su-34 dropped made a big, twenty-meter hole in the ground.

General Winter has been relieved by General Mud.

But firmer ground is on the way. "With soft ground conditions across most of Ukraine, severe mud is highly likely slowing operations for both sides in the conflict," the UK's Ministry of Defence writes in this morning's situation report. "However, Russian online outlets are likely exaggerating the overall impact of mud on Ukrainian forces as part of an information operation aimed at raising Russian morale, and undermining Ukraine’s supporters, in light of an anticipated Ukrainian counter offensive. Surface conditions can be expected to improve in the coming weeks. The threat from mines probably continues to be a more important factor in limiting the combatants’ off-road manoeuvre."

Forget about those evil maids. What about these evil sys admins?

Support personnel can represent as much of an insider risk to security as can line personnel--sometimes more, because of the way they can be overlooked or disregarded. (This can be seen, for example, in "evil maid" attacks that might be carried out by an actual member of a cleaning crew.) The Wall Street Journal offers reflections on the ongoing investigation of the Discord Papers leaks, especially for what they reveal about the access that IT personnel acquire to sensitive information in the course of their daily work.

"Airman Teixeira," alleged leaker of the Discord Papers, "worked on cyber transport systems—a role that involved work to 'keep our communications systems up and running,' according to an Air Force job description," the Journal writes. The story goes on to point out that another notorious leaker, Edward Snowden, was also in tech support. "Mr. Snowden, who lives in Russia, was described by officials at the time of his leak in 2013 as a systems administrator." Their motives (alleged, in Airman Teixeira's case) were quite different, but the access their positions gave them has much in common.

Eurocontrol under attack.

The European air traffic control agency, Eurocontrol, reports that it's under cyberattack by Russian actors. Eurocontrol's site has a terse account of the attack, which appears to be of the familiar distributed denial-of-service variety. "Since 19 April, the EUROCONTROL website has been under attack by pro-Russian hackers. The attack is causing interruptions to the website and web availability. There has been no impact on European aviation." The Wall Street Journal reports that KillNet has claimed responsibility.

(Added, 10:15 PM ET, April 21st, 2023. Several industry experts wrote to stress the importance of air-gapping. David Mitchell, Chief Technical Officer at HYAS, writes to advise revisiting the value of air gaps. “It is important for critical OT systems like Air Traffic Control, power & water to be air-gapped from other IT systems — primarily because OT systems can often be decade(s) old and do not have the normal software update cycle of IT systems," he says. "Due to the nature of interactions with resources on the Internet or internal IT environments, it is very difficult to isolate newer systems and software to an air gapped environment while maintaining functionality.”

Another expert, Jan Lovmand, CTO, BullWall, also advised in favor of air-gapping, as well as certain other access management approaches. “Air-gapping, biometrics, and other methods of breaking the flow of data can be effective tools in preventing malicious actors from breaking into sensitive data networks, especially in high-security environments such as aviation safety systems. Air-gapping, which involves physically isolating critical systems from external networks, can provide a strong layer of defense against cyber-attacks," Lovmand writes. "By keeping critical systems completely disconnected from external networks, the risk of unauthorized access or data breaches is significantly reduced." Nor should the potential value of biometrics and other techniques be overlooked. "Biometrics, such as fingerprint or retina scans, can add an additional layer of security by requiring unique physiological characteristics for access. This can help prevent unauthorized access to sensitive systems and data, as biometric data is difficult to replicate or spoof. Other methods of breaking the flow of data, such as using one-way data diodes or unidirectional gateways, can also be effective in preventing data leaks or unauthorized access. These technologies allow data to flow in one direction only, preventing any backflow of information that could be exploited by hackers." Obviously each technique has its limitations, and will function best within the context of an integrated defense. “While these measures can be effective in protecting sensitive data networks, they also have limitations. Air-gapping can be challenging to implement in complex networks, as it requires physical separation and can hinder communication and data exchange between systems. Biometrics, although highly secure, can also face issues such as false positives or false negatives, leading to potential access errors. A comprehensive defense strategy should incorporate multiple layers of security, including network segmentation, access control, data encryption and reliable backup and ransomware containment systems, in the event that all else fails, to provide robust protection against cyber threats.”

Roy Akerman, Co-Founder & CEO of Rezonate, concurs that systems of this kind demand the most effective forms of protection. “It is a common practice across different government agencies to apply completely air-gapped systems and total separation from wiring, to network, to software and mission critical systems. While there’s no silver bullet protection, as we are proven often, OT (Operational Technology) infrastructure like water, gas and electricity supply, military and air-traffic, and other deemed critical services apply the most stringent access and functional operation. The focus for the past few years, with nation state attacks on countries' infrastructures and a near constant attack on countries as part of the global geopolitics, has increased both the risks as well as the readiness and practices implemented.”)

Assessments of the cyber phases of Russia's war against Ukraine.

The European Cyber Conflict Research Initiative (ECCRI) has issued a report on a conference that studied Russian methods of cyber warfare. "In line with its doctrine of information confrontation, Russia employed a variety of cyber operations during the war at an unprecedented scale," the ECCRI writes. "The primary goals of wartime operations – sabotage, influence, and espionage – have remained constant. Cyber operations provide new opportunities to achieve age-old objectives." The study focuses on what Russia achieved–most prominently a high cyber operational tempo–rather than on the many and obvious ways Russian cyber operations fell far short of pre-war expectations. The report offers these major takeaways:

  • "Cyber activity in Ukraine is associated with kinetic activity bursts and lulls.
  • "The GRU has adopted a flexible approach with “pure wipers” that are easy to manipulate and launch without draining significant resources.
  • "Western observers may overestimate coordination between Russian-aligned criminals and the government.
  • "Distinguishing between cyber criminal and political activist groups is becoming increasingly difficult.
  • "Initiatives such as the IT Army risk blurring important principles of distinction between combatants and noncombatants.
  • "There is a shift in responsibilities that needs to be recognized by both the public and private sectors, with industry delivering capacity at scale.
  • "While Ukraine has benefited from unity of purpose across many different Western actors, this conflict may not provide a good roadmap for the future."

An essay in the Atlantic Council's UkraineAlert series is similarly struck by the level of Russian effort in cyberspace. "The Russian invasion of Ukraine is the first modern war to feature a major cyber warfare component," essayist Vera Mironova writes. "While the conventional fighting in Ukraine often resembles the trench warfare of the early twentieth century, the evolving battle for cyber dominance is highly innovative and offers important insights into the future of international aggression." One unintended feature of Russia's long campaign against Ukraine (which opened with the 2014 invasion of Crimea) is that the very frequency of Russian cyberattacks has given Ukrainian forces an opportunity to learn about the threat, understand it, and devise ways of counteracting it.

Much discussion of cyber operations has focused on their novelty, but it's perhaps worth looking to the lessons that might be drawn about cyber operations from the history of electronic warfare. Much of the activity in the fifth domain seems to represent an evolution of traditional jamming, intrusion, interception, and meaconing. A similar point might be made about contemporary influence operations and the history of black propaganda. An interesting topic awaits any historian willing to tackle it.