Ukraine at D+138: OPSEC in a social media world.
Jul 12, 2022

Russia continues the reconstitution of its army. Its maneuver forces remain relatively static while its artillery continues the reduction of those Ukrainian towns and cities within cannon and rocket range. Ukraine says it's making good use of NATO-supplied artillery, and Russian social media posts from the area of operations lend credence to those claims. Russia mounts DDoS attacks against Polish government sites as NATO and Ukraine organize an opposing cyber capability.

The UK Ministry of Defence this morning focused on what it tentatively identified as evidence of Russian difficulty in recruiting military personnel for its war in Ukraine. "Russian troops continue to make small incremental territorial gains in Donetsk oblast with Russia claiming to have seized control of the town of Hryhorivka. Russian forces also continue their assault along the E-40 main supply route towards the cities of Slovyansk and Kramatorsk. Russian forces are likely maintaining military pressure on Ukrainian forces whilst regrouping and reconstituting for further offensives in the near future. Russian Armed Forces’ personnel shortages may be forcing the Russian MOD to turn to non-traditional recruitment. This includes recruiting personnel from Russian prisons for the Wagner Private Military Company. If true, this move likely indicates difficulties in replacing the significant numbers of Russian casualties."

Russian combat operations seem indeed to have entered a relatively static phase as Moscow seeks to shake off its logistical failures and reconstitute the road-bound and slow-moving infantry and armored units that have sustained high casualties in the first months of the special military operation. Inevitably the targets have been static, easily located, and within range of artillery positions. This means that built-up areas--towns and cities inhabited by civilians--have been disproportionately represented in Russian targeting. The New York Times summarizes the Russian attacks, and reports the official Russian media accounts that explain those attacks away. The Russian line is that it carefully hits only legitimate military targets. Kremlin spokesman Dmitri S. Peskov's statement is representative: “I would like to again remind you of the words of the president of the Russian Federation and commander in chief that the armed forces of the Russian Federation are not working against civilian targets in the course of the special military operation.” This line has achieved little traction internationally.

NATO-supplied artillery systems continue to find Russian targets. Most of the reports--see, for example, accounts by Reuters and the AP--have been of attacks against ammunition supply points.

Social media and open-source intelligence.

The Telegraph cites a blogger accompanying Russian forces in Ukraine in support of its conclusion that NATO-supplied HIMARS rocket artillery systems have been "striking fear" into Russian troops: “'Yesterday I happened to witness a Himars strike on Chernobayevka in Kherson, practically in front of my eyes,' Roman Saponkov, a Russian military blogger embedded with frontline Russian forces wrote on Telegram on Monday. 'I’ve been under fire many times, but I was struck by the fact that the whole packet, five or six rockets, landed practically on a penny,' he wrote on Telegram. 'Usually MLRS lands in a wide area, and at maximum range it completely scatters like a fan. It makes an impression, I won’t dispute that. It is clear this is just the beginning,' he added. 'They are going to hammer Kherson and other border cities, Belgorod in particular. They will cover all the command posts and military installations they have gathered data on for the past four months.'” Mr. Saponkov sensibly advises his readers that a single wonder weapon is rarely a war-winner, but his comments on the effects of HIMARS fire are striking, and suggest the difficulty of moderating communication in social media, even where there's a strong motivation to do so, and a tradition of censorship to draw upon.

Open-source intelligence has played a prominent role in the special military operation from the outset. On the eve of the invasion, for example, foreign observers had a tolerably complete and realistic picture of the Russian order of battle, based on posts by Russian soldiers and, for example, by curious Belarusian civilians posting photos of Russian combat vehicles staging through their towns. (Bumper numbers of the vehicles often clearly visible.) This new opsec challenge is one all armies will henceforth face, to one degree or another. Clearance Jobs quotes security experts on the challenge. Their comments don't neglect the effect too much information can have on servicemembers' careers, but the broader opsec lessons are also clear. Domnick Eger, field chief technical officer (CTO) at Anjuna Security, said, “The advent of social media has created a whole other realm of over-sharing, tracking, and personal opinion narrative that can affect servicemembers’ careers and impact future endeavors and possible backlash around unpopular topics." Cybrary's chief impact officer Chloé Messdaghi cautioned that, “Service members must be aware of everything you post and have good device, platform and network security practice. One example of each of these might be, for example, requiring device logons that expire quickly when the device is inactive, keep your social media accounts private and be sure you know who you’re accepting and sharing content with, and don’t use public Wi-Fi without a VPN.”

Social media have largely replaced the traditional soldiers' letter home, and armies have yet to come to grips with the new media's immediacy, and the difficulty of controlling the way information transits them.

Russian cyberattacks spread internationally.

Killnet, the threat actor that represents itself as a hacktivist tendency operating in the patriotic interest of Russia but not under the control of Moscow's security services, has extended its distributed denial-of-service (DDoS) attacks to Polish government sites, the Express reports. As was the case with earlier operations against Lithuania, the most recent DDoS attacks didn't rise above the level of a nuisance. Poland has strongly supported Ukraine both since the invasion and during the tensions that preceded Russia's war.

Margiris Abukevicius, Lithuania's vice minister of national defense, according to Delphi, while emphasizing that the DDoS attacks had a negligible effect on the country's IT infrastructure, cautioned that they're not to be dismissed, either. Cyberattacks of this kind are aimed at exerting influence quite apart from their effectiveness at disrupting networks. The audience, Mr. Abukevicius says, is at once both foreign (in Lithuania) and domestic (in Russia). The desired effect in Lithuania is erosion of confidence, leading Lithuanians to lose faith in their country's ability to protect itself in cyberspace. He also sees increased friction as a Russian goal: one aim of the cyberattacks is to "increase tension." The desired effect in Russia is the projection of an image of power, and of communicating an assurance that Russia's enemies will be punished.

Even talking about the incidents carries a cost to the victim, Mr. Abukevicius said. "We need to understand that publicity is a very important part of these attacks. If we don't talk about them, the other side will lose motivation. When we talk, when we talk about alleged victories, about alleged punishment of Lithuania, it's motivating the other side." He went on to urge that Russian cyber operations be kept in perspective. "We in Lithuania should not be so hooked on this and we often hear that the sky has been falling here for the last three weeks. It’s definitely not. Yes, we have attacks, some of them disruptive, but we don't see those incidents or those efforts that don't achieve any goal and don't affect the delivery of services at all. There are also many of those, and I think that's what we should say: that despite the effort, despite the coordination, the impact of these attacks is small."

Preparing for cyber combat.

The hybrid war Russia initiated against Ukraine has prompted considerable reflection on how one might train and organize the people who can carry out the defensive and offensive tasks the cyber phases of such a war involve. The CipherBrief describes a high-end, alliance-based approach. An essay by Rear Admiral (Retired) Mark Montgomery, a senior director at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies, and his co-author Jiwon Ma (also at CCTI) commends three steps the US should consider as it seeks to build cyber operational capacity:

"First, improving the overall capacity of allies and partners to prevent, mitigate, and recover from cyberattacks can enhance U.S. economic stability and national security. For instance, to pressure Taiwan to cease resisting Beijing’s push toward unification, China could attack key supply chains, such as those for global semiconductors. Washington would then face a choice between abandoning a key partner or a global economic meltdown. But capacity building efforts such as CYBERCOM-led hunt forward operations could increase Taiwan’s cyber resilience, enabling Taipei to fend off a Chinese attack that would otherwise harm U.S. national security and the global economy.

"Second, cyber capacity building programs help the critical infrastructure of allies and partners, including electrical power grids, water systems, rail lines, ports, and airfields, to remain operational in the face of adversarial attacks — enabling U.S. armed forces to rely on this infrastructure to conduct military operations if necessary.

"Finally, a collective approach can reduce the burden on one nation by sharing information and intelligence on ongoing cyber threats. Collective action also carries more weight, particularly in enforcing cyber norms. For example, as the European Union and its member states condemned Russia’s malicious cyber activity against Ukraine, it also reaffirmed its political and financial support to Kyiv to strengthen Ukraine’s cyber resilience."

There's also a bottom-up, partisan approach to the challenge. The Record by Recorded Future describes the work of Nikita Knysh, a former employee of Ukraine’s Security Service (SBU) and founder of the cybersecurity consultancy HackControl, who has been providing Ukrainians with both advice on self-protection (how to use anti-virus programs, how to use a VPN, etc.) and tips on conducting offensive cyber operations against the Russian enemy (mostly instructions on mounting distributed denial-of-service attacks). Mr. Knysh sees this as a contribution to guerrilla war against the invader. He dismisses the concerns some have raised about the risks of encouraging hacktivism, even in wartime. “Not attacking your enemy in cyberspace is stupid. In the past, soldiers destroyed logistics and production facilities, but now they also attack technology and information.”