Ukraine at D+50: Russian reconstitution continues as shields stay up for ICS attacks.
N2K, Apr 15, 2022

May 9th may represent President Putin's desired day to claim victory. Atrocities continue under Russian fire as more Russian influencers deny that there are any such things as "Ukrainians"--they're really just aspirational Russians. Finland may fast-track NATO membership. And the energy sector looks to its defenses as a cyberattack toolkit is identified.

The most recent situation report from the UK's Ministry of Defence concentrates on events in the Black Sea. "Russia has admitted that the Slava-class cruiser Moskva has sunk. As flagship of Russia’s Black Sea Fleet, the Moskva served a key role as both a command vessel and air defence node. The Soviet-era vessel was one of only three Slava-class cruisers in the Russian navy. Originally commissioned in 1979, the Moskva had completed an extensive refit designed to improve its capability and only returned to operational status in 2021. This incident means Russia has now suffered damage to two key naval assets since invading Ukraine, the first being Russia’s Alligator-class landing ship Saratov on 24 March. Both events will likely lead Russia to review its maritime posture in the Black Sea." The MoD's latest situation map shows continued fighting in the Donbas and along the Black Sea coast.

The BBC and the AP report that Russia has promised to step up missile attacks against Kyiv in response to what Russia's Ministry of Defense characterizes as Ukrainian aggression against Russian territory, but which both news organizations view as retaliation for the loss of the Moskva, flagship of Russia's Black Sea Fleet. (Parenthetically, why should legitimate military targets in Russian territory be immune from Ukrainian attack, aside from merely prudential concerns involving escalation?)

Looking for something that looks like victory by May 9th.

May 9th, Russia's Victory Day, commemorates Nazi Germany's surrender at the end of the Second World War, and observers think it likely that President Putin will seek to accomplish something he can plausibly represent as victory over the next three-and-a-half weeks. With objectives redefined (for now) to limited conquest in the Donbas and the Black Sea coast, the Russian army is reconstituting its mauled forces for a renewed offensive in those regions. But it's unlikely in the extreme that it's been able to correct the command, training, and logistical failures that marked the first month of Russia's war against Ukraine. Such improvements are difficult to improvise even for the most agile and responsive armies, and the Russian army is not known for either initiative or a disposition to learn quickly. The top-down, detailed control Russian doctrine mandates militates against both. Bloomberg describes the continuing challenges the Russian army faces as it seeks to meet Mr. Putin's likely deadline for success, and Forbes points out that redeployment isn't going to solve that army's underlying defects.

CNN offers a simpler but in some ways more telling observation: if you want to understand what went wrong on the ground, look at the Russian army's trucks: ill-maintained and badly driven, with attempts to press confiscated civilian vehicles into service. “Often glamorous dictator militaries are good at the showy weapons,” CNN quotes Phillips O’Brien, professor of strategic studies at the University of St Andrews in Scotland. “They buy the fancy aircraft and the fancy tanks, but they don’t actually buy the less glamorous stuff.” Like trucks. And when they buy them, they don't maintain them. There will be no taxicabs of the Marne coming to the rescue of General Dvornikov's stumblebum logisticians.

Personae non grata.

Almost four hundred Russian diplomats have been expelled from European capitals since Russia began its war against Ukraine, some in retaliation for Russian expulsion of European diplomats, but most on credible grounds of engaging in espionage. The Guardian, which has tallied up the expulsions, says that European governments are now wondering why they extended diplomatic credentials to so many Russians in the first place.

Western support for Ukraine, and fear of Russia in the European North.

At least one of Russia's major strategic and diplomatic objectives, prevention of NATO expansion, seems to have been, as Harold Pinter would have put it, counterachieved. Both Finland and Sweden are moving closer to applying for NATO membership. Finland especially is interested in fast-tracking membership, and its accession to the Atlantic Alliance could come in a matter of weeks, Defense News reports.

NATO members have also begun shipping more, and more lethal, weapons to Ukraine, including armored vehicles, ex-US towed 155mm artillery pieces, and heavy S-300 air defense systems in addition to ammunition and infantry anti-armor and air-defense systems. A formal diplomatic note from Russia to the US objected to arming Ukraine. The Russian démarche said, according to the Washington Post, that such shipments would bring "unpredictable consequences" and were "adding fuel to the fire."

Turning up the heat on Russia, of course, is precisely the point. “What the Russians are telling us privately is precisely what we’ve been telling the world publicly — that the massive amount of assistance that we’ve been providing our Ukrainian partners is proving extraordinarily effective,” a senior administration official told the Post on the condition of anonymity.

Further developments in the Incontroller/Pipedream industrial control system threat.

It seems clearer, E&E News reports, that the ICS-focused tools, now generally (if unofficially) attributed to Russia, were designed with the energy sector, and particularly liquefied natural gas facilities, as their targets. We have received a number of comments from industry on the discovery of the attack kit being called Incontroller (by Mandiant) or Pipedream (by Dragos). Steve Moore, chief security strategist at Exabeam, offered his estimate of the situation:

“The feature set of the attacker toolset is both impressive and dangerous. While no public evidence exists, I firmly believe it has been used against at least one target and was discovered due to current international conflicts.

“It nicely emulates a virtual console for interactive use – as if you were interacting with the system directly, allowing lower-skilled attackers to perform attacks simply. Alternatively, it will enable a high level of automation to target many systems at scale, depending on the goal.

“Currently, this presents a high-risk scenario. Threat hunts should begin immediately for those with affected industrial control systems using known hostile actions and lateral movement. Each of the toolsets relies on brute-forcing of credentials, dictionary attacks, and the use of default username-password combinations.

“The possible adversary outcome would fall into three situations: denial of service and shutdown, sabotage for purposes of modified outputs, or physical destruction.”
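Moore's recommendation above is a threat hunt keyed on the toolkit's known dependencies: credential brute-forcing, dictionary attacks, default accounts, and lateral movement. The script below is an added example (not from the article, Exabeam, Mandiant or Dragos) of what such a hunt looks like when run over authentication logs from engineering workstations and protocol gateways. It assumes a simple syslog-like line format (`<timestamp> host=<target> src=<ip> user=<name> result=<success|failure>`), a site-specific list of default account names supplied by the asset owner, and constructed sample log lines; none of these come from the page.

```python
"""Threat-hunt helper for OT authentication logs (added example, not the
article's or any vendor's code).

Three hunts, matching the dependencies named in the quoted assessment:
  1. brute_force      - many failed logins from one source inside a window
  2. default_account  - a *successful* login using a known default account name
  3. fanout           - one source successfully authenticating to many hosts
                        (a cheap proxy for lateral movement)

Assumed log line format (hypothetical, not from the page):
  <ISO-8601 timestamp> host=<target> src=<ip> user=<name> result=<success|failure>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

# Placeholder list. In practice this comes from the site's own asset inventory
# and vendor documentation; these three names are assumed for the example.
DEFAULT_ACCOUNTS = {"admin", "operator", "guest"}

# Constructed sample: one source (10.0.50.7) fails five times against a PLC
# gateway, then logs in as a default account and hops to two more hosts.
# 10.0.10.20 / 10.0.10.21 are benign background noise; the last line is malformed.
SAMPLE_LOG = [
    "2022-04-14T02:00:00 host=eng-ws-03 src=10.0.10.20 user=j.doe result=success",
    "2022-04-14T02:00:30 host=plc-gw-01 src=10.0.50.7 user=admin result=failure",
    "2022-04-14T02:00:45 host=plc-gw-01 src=10.0.50.7 user=admin result=failure",
    "2022-04-14T02:01:00 host=plc-gw-01 src=10.0.50.7 user=root result=failure",
    "2022-04-14T02:01:15 host=plc-gw-01 src=10.0.50.7 user=root result=failure",
    "2022-04-14T02:01:30 host=plc-gw-01 src=10.0.50.7 user=admin result=failure",
    "2022-04-14T02:01:45 host=plc-gw-01 src=10.0.50.7 user=admin result=success",
    "2022-04-14T02:03:00 host=hmi-02 src=10.0.50.7 user=admin result=success",
    "2022-04-14T02:04:00 host=eng-ws-03 src=10.0.50.7 user=admin result=success",
    "2022-04-14T02:05:00 host=eng-ws-03 src=10.0.10.21 user=j.doe result=failure",
    "this line is deliberately malformed and must be skipped",
]


def parse(lines):
    """Parse log lines into dicts, dropping malformed lines, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a hunt should survive bad input, not crash on it
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def hunt(lines, fail_threshold=5, window=timedelta(minutes=5), fanout_threshold=3):
    """Return a sorted list of (finding_key, description) tuples."""
    events = parse(lines)
    findings = {}

    # 1. Brute force / dictionary attack: sliding window of failures per source.
    fails = defaultdict(list)
    for e in events:
        if e["result"] != "failure":
            continue
        q = fails[e["src"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # evict failures older than the window
            q.pop(0)
        if len(q) >= fail_threshold:
            findings[("brute_force", e["src"])] = (
                f"{len(q)} failed logins from {e['src']} within {window}"
            )

    # 2. Default-account use: only successful logins matter here; the failed
    #    attempts are already covered by hunt 1.
    for e in events:
        if e["result"] == "success" and e["user"] in DEFAULT_ACCOUNTS:
            findings[("default_account", e["src"], e["host"], e["user"])] = (
                f"default account '{e['user']}' logged in to {e['host']} from {e['src']}"
            )

    # 3. Fan-out: one source with successful logins to many distinct hosts.
    hosts = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            hosts[e["src"]].add(e["host"])
    for src, hs in hosts.items():
        if len(hs) >= fanout_threshold:
            findings[("fanout", src)] = (
                f"{src} authenticated to {len(hs)} hosts: {', '.join(sorted(hs))}"
            )

    return sorted(findings.items())


if __name__ == "__main__":
    for key, desc in hunt(SAMPLE_LOG):
        print(key[0].ljust(16), desc)
```

The thresholds are parameters because they depend on the environment: a gateway that a handful of engineers touch weekly can justify a low failure threshold, while a jump host used by a whole shift cannot. The fan-out hunt deliberately counts only successful logins, so it surfaces a source that is moving between systems rather than one that is merely scanning.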

Danny Lopez, Glasswall CEO, sees the discovery of the tools as further evidence that cyberspace has become a military operational domain, and thinks technical means will be needed to supplement any international agreements on norms for cyberconflict:

“Cyber has joined land, sea and air to become the fourth conflict theatre. From a risk/reward perspective, it’s a theatre of operations that offers a lot of advantages. For instance, attacks can be carried out with little or no repercussions, yet have devastating practical consequences. Attackers are not waging war or committing acts of aggression in the traditional sense, and there are as yet few examples where attacks have caused human casualties. However, each incident adds to the underlying tension and suspicion that exists on the international stage.

“Among the many increasingly sophisticated attacks mounted on the public sector IT infrastructure of countries around the world, the SolarWinds hack perhaps did more than any other to galvanise politicians into action. As reported across many news outlets, both the US and UK governments have blamed Russia’s Foreign Intelligence Service (the SVR) for the supply chain attack, in an exchange of rhetoric reminiscent of the Cold War. Now, we are seeing geopolitical tensions make their way into U.S. energy facilities.

“While the moves to enact tougher laws and compliance standards in various nations represent an important part of a wider process to increase the levels of protection, without better technology solutions, sophisticated nation-state adversaries are likely to stay one step ahead of the curve. Few would argue that government-led enforcement is key, but there are obvious limitations on the jurisdiction of any domestically-drafted laws, particularly when illegal activities are state-sponsored, and by definition, covert.

“As the ‘weaponization’ of information technology escalates at an alarming rate, organisations must significantly improve their ability to proactively identify and defend against attacks, irrespective of their source and motivation. Failure to do so will leave more organisations at even greater risk of disruption and damage, tactically outmatched by adversaries who are relying on the weaknesses inherent in many of today’s IT networks for their success.”

Aaron Sandeen, CEO and co-founder of Cyber Security Works, argues that cyberwar should motivate organizations to increase their visibility into IT systems:

“From a cybersecurity aspect, the Russia-Ukraine crisis has instilled a new level of anxiety in most North American critical infrastructure organizations, and with good reason. Now that the political climate has changed considerably in the last month, U.S. officials are warning that a new hacking tool could be used on energy infrastructure following recent attack attempts on Ukraine's power grid. As global cybersecurity challenges worsen, leaders must expand their visibility of known and unknown assets, increase the frequency with which they validate, and seek early warning capabilities to truly protect their systems from potential cyberattacks.

“Actions that organizations can take to avoid catastrophe must include patching the vulnerabilities that threat groups and attackers exploit. Knowing how exposed you are to threats and determining your security posture through continuous vulnerability management and proactive penetration testing is crucial to building stronger security for your enterprise amid a cyberwar.”

The unusually large number of industrial control system advisories the US Cybersecurity and Infrastructure Security Agency (CISA) released yesterday seems a partial response to this recently discovered threat.