Ukraine at D+229: Russia escalates a terrorist strategy.
Oct 11, 2022

Russia is conducting indiscriminate attacks against civilian targets (which are both soft and, especially, stationary) with an evident goal of making Ukraine "whine" and "howl." Russian cyberattacks continue at a low nuisance level.

Russian missile strikes against Ukrainian cities continue.

Lviv was hit again, after Monday's initial wave of Russian missiles, the Telegraph reports. The latest strikes appear to have disrupted electrical power distribution in the city. The G7 is holding an emergency meeting this week to discuss Russia's expansion of its war; Ukrainian President Zelenskyy will address the session, according to CNBC. The G7 are expected to hear a request from British Prime Minister Truss to maintain sanctions against Russia and increase delivery of military supplies to Ukraine.

Belarus has announced joint troop deployments with Russia near Ukraine's western border, and some observers see this as an indication of a renewed Russian offensive against Kyiv itself, the Hill says.

An appreciation of Russia's fortunes from GCHQ.

Sky News apparently had early access to remarks by GCHQ chief Sir Jeremy Fleming, and they offered a summary of remarks he's scheduled to give later today:

"Russia is running out of weapons for its war in Ukraine and the costs to the Kremlin are 'staggering' in terms of soldiers and equipment lost, UK spy chief Sir Jeremy Fleming, head of GCHQ, will say in a speech on Tuesday. The GCHQ director will say Ukrainian armed forces are “turning the tide” on the physical battlefield as well as in cyberspace. In a speech at RUSI, he will call decision-making by President Vladimir Putin 'flawed'. Russia’s 'gains are being reversed', Sir Jeremy will say, according to excerpts of the speech. 'The costs to Russia – in people and equipment are staggering. We know – and Russian commanders on the ground know – that their supplies and munitions are running out.' The UK spy chief will say: 'Russia’s forces are exhausted. The use of prisoners to reinforce, and now the mobilisation of tens of thousands of inexperienced conscripts, speaks of a desperate situation.' Sir Jeremy will add: 'And the Russian population has started to understand that too. They’re seeing just how badly Putin has misjudged the situation. They’re fleeing the draft, realising they can no longer travel. They know their access to modern technologies and external influences will be drastically restricted. And they are feeling the extent of the dreadful human cost of his war of choice.'"

Russia looks for ways of redressing combat failure.

The morning situation report from the UK's Ministry of Defence offers some obvious observations about the appointment of General Surovikin as commander of Russia's forces operating against Ukraine. "On 08 October 2022, the Russian Ministry of Defence (MOD) announced that General Sergei Surovikin had been appointed as overall commander of its Joint Group of Forces conducting the ‘special military operation’ in Ukraine. Surovikin has previously commanded the Russian Aerospace Forces and, more recently, the Southern Grouping of Forces on operations in Ukraine. For much of its operation, Russia has likely lacked a single empowered field commander. General Alexandr Dvornikov likely held the role for a period between April and August 2022, but it is unclear whether he was able to effectively exercise control over the often disparate and competing groupings of forces. Surovikin’s appointment likely reflects an effort by the Russian national security community to improve the delivery of the operation. However, he will likely have to contest with an increasingly factional Russian MOD which is poorly resourced to achieve the political objectives it has been set in Ukraine."

Perspective on Russian tactics from a former Russian Human Rights Commissioner.

The AP reports widespread applause for Russian strikes against civilian targets from hard-line propagandists and Duma members. The New York Times summarizes the opinions of military analysts who assess the strategic effects, the military effects proper, of the strikes as negligible. The point is to impose pain, and that's been acknowledged and approved by Russia's commentariat.

Julia Davis, columnist at the Daily Beast and founder of the Russian Media Monitor, tweeted an excerpt from an appearance by Konstantin Dolgov, former Russian commissioner for human rights, on Olga Skabeeva's political talk show, aired this morning on Rossiya-1. "This is a fundamental point, a turning point in the operation, and, as a whole, the situation surrounding Ukraine," Mr. Dolgov said of Monday morning's missile strikes against Ukrainian cities.

"And not only Ukraine," he added. "We clearly understand, and have often said, that there is a war against Russia. It's more than a hybrid war against the West. Today's statement by the President and today's strikes show that the Kyiv regime, which is a terrorist regime, is not only illegal, but terrorist in nature. There are unlawful regimes in the world that are not terrorist regimes. Zelensky and his clique are a combination of both. Vladimir Vladimirovich [that is, Putin] is absolutely correct, citing an incomplete list of examples. By these actions, they put the remnants of Ukraine's statehood on a path of destruction. Lenin gave it, and Zelensky took it away. This is obvious," he asserted.

"I'm not saying that the strikes themselves lead to that." Ukraine's destruction is, Mr. Dolgov added, its own doing, and Russia is waging a properly discriminating war, hitting military and not civilian targets. "These strikes are not against the civilian infrastructure. In my opinion, it's very important to understand these as strikes against military infrastructure, the infrastructure of war. All of Ukraine's plumbing isn't working for civilians. It's working for war."

"Despite the desire of millions of Ukrainians, I'm sure, regardless of how they feel toward us, under the influence of Ukraine's media and propaganda, I'm certain they don't want war," Mr. Dolgov continued, seeking to frame the war as Ukrainian aggression. "They don't want their children and husbands to die. I'm absolutely sure of that. Zelensky doesn't care, and the West could care even less."

"It's very important that we struck today. It's very important because it changes the outlook. This war is happening and we are fighting against terrorism. The title of the operation is not the key here, a special military operation or otherwise. At its core, this is an anti-terrorist operation, and against terrorism. This terrorism threatens not only Russia, not only the new regions of Russia, not only the residents of the Donbas. It's a threat to Europe and the entire world. That's certain."

"Look at the statements coming in, including the one from Kissinger. Yes, he said, Russia lost. The respected elderly politician interprets it his own way. Russia isn't losing. It's winning. He further mentioned the threshold of nuclear war. The West is pushing us to that. The West wants exactly that. Today's strikes show that we have many opportunities to realize our strategic military goals and tasks without crossing certain serious lines regardless of how we're being pushed to do it. It's very important." That is, Russia is acting with restraint, and the enemy should fear what will happen when we drop that restraint.

"I personally hope that the approach that we saw this morning will be continued. Honestly, I have very little doubt that the Kyiv regime will be pushed into more terrorist acts. I personally have very little doubt of that. I don't think many people doubt that, either. This means there will be more strikes. This means the infrastructure will be destroyed. Let me emphasize once again: this is the infrastructure of war, of war." Emphasis and repetition are in the original. "This war has been forced upon the Ukrainian people. This is not about the peaceful plumbing or sewers. This is about war. If they're planning to keep on fighting, there will be fewer and fewer resources for this war, both human and material ones. Are they whining yet? Are they howling yet?" The rhetorical separation of the Ukrainian people, whose false consciousness has been shaped by terrorist propaganda, from the criminal regime in Kyiv, is dropped at the end, but Mr. Dolgov kept up the mendacity until the end. The Romans spoke with greater clarity on such matters: oderint dum metuant; let them hate us as long as they fear us.

It's worth noting that the television screens in the chat show's background repeatedly show footage of a Russian missile hitting a long footbridge in Kyiv. No one seemed to have been killed in the strike, but it's difficult to see a pedestrian bridge as military infrastructure, especially when you've denounced the attack on the Kerch Bridge as a terrorist attack against a civilian target. The footage is attractive to the producers, we surmise, because it's clear, brightly lit, violent, startling, and a little disquieting. The point is to make the enemy fear Russia, a tactic of direct terrorism which the regime and its supporters understand and approve. The incoherence doesn't matter. Indeed, the incoherence is part of the effect. Say this, the state commands. Say this obvious nonsense, and acknowledge thereby our power, and your powerlessness.

Russia's Killnet suspected in DDoS attack on major US airports.

Killnet is suspected of being behind a wave of distributed denial-of-service (DDoS) attacks on US airports. SecurityWeek reports that airports in Atlanta, Chicago, Los Angeles, New York, Phoenix and St Louis were among those affected. The Register, citing researchers at CyberKnow who've found Killnet's published target list of US airports, says the nominally hacktivist group Killnet has claimed responsibility. CyberKnow subsequently shared a similar target list from Anonymous Russia. Service was restored quickly, SC Media reported, but more attacks are expected.

Two general points are worth making. Russian cyberattacks continue to achieve little more than nuisance-level results, and, despite their hacktivist posturing, threat actors like Killnet and Anonymous Russia are agents of the Russian state.

Mike McPherson, SVP of Security Operations at ReliaQuest, put Killnet in the context of Russia's hybrid war and described the significance of DDoS on transportation infrastructure:

"'Killnet' is a pro-Russia hacktivist group which has been active since at least February 2022. The group emerged during the Russian invasion of Ukraine in response to pro-Ukraine hacktivism. Killnet can be seen as a collective response to Ukraine’s IT army, who are a hacktivist group who are seen to be supporting Ukraine's war effort.

"Airports form part of US critical infrastructure providing supply chain systems as well as general transport mechanisms for the public. The general thinking for attacking such systems is to sow panic in a populace and create a sense of distrust that those responsible for protecting them can do so adequately. This is in addition to the positive notoriety which a successful attack will have on the attacker's reputation.

"DDoS attacks have seen a rise during the course of 2022, with several record-breaking attacks making headlines. These events differ from other general attacks, as their intent is not theft of intellectual property or cyber espionage – it’s to be purely disruptive, and at times used as an extortion method or distraction from a separate attack which has yet to be revealed. It is important to note that in this circumstance, it’s the websites affiliated with airports which are being attacked, and not the airports or flight operations.

"The best way to be prepared for an attack is to do the basics, do them well, and consistently. Attackers will most often go after the lowest hanging fruit and pick off the weakest targets first. In relation to DDoS attacks in particular, anyone operating a public presence or website should employ a reputable DDoS protection service."

Gary Kinghorn, Senior Director at Nozomi Networks, wrote to make two points: first, DDoS attacks are for the most part only nuisances, and, second, DDoS attacks don't exploit any particular vulnerabilities:

"Fortunately, the DDoS attacks were not particularly damaging or long lasting. Most of the major airports appeared to be responding normally to new connection requests without delay by early to mid-morning. DDoS attacks are not targeted attacks that exploit a specific vulnerability, but generally just overwhelm a site’s ability to respond with an enormous amount of traffic from a large number of distributed clients. There are many types of DDoS attacks that can seek to exploit different aspects of the client-server connection request protocol. This attack appears to be a SYN flood, where there are a large number of connection requests that never complete and leave the target web site resources used on incomplete connections that delay response to legitimate users. It does not appear that a deeper exploit was executed that took advantage of known vulnerabilities in higher levels of the OSI protocol stack, hopefully because most of these sites are well-patched and defend against most sophisticated DDoS attacks. It’s hard to defend against DDoS attacks because every web site that is open to all users can be overwhelmed with a traffic spike of valid connection requests until you can identify and filter out a range of IP sources or expand capacity or bandwidth for the target site. CISA has an excellent Quick Guide that explains best practices for managing DDoS attacks and good site hygiene to make sure sites are not vulnerable to more sophisticated attacks using various IP protocols."

Michael Hamilton, Founder, President, and CISO of Critical Insight, made a similar point about DDoS not depending for its success on exploitation of any particular vulnerability:

"All websites are vulnerable to distributed denial of service. This type of attack can be conducted by nearly anyone, and especially if there are many “volunteers” that operate DOS tools from their computers or phones. The attack itself is essentially an annoyance, perpetrated by reasonably unsophisticated actors. Services such as Cloudflare proxy inbound traffic and have detection analytics for denial of service attacks, which they null-route to protect customer sites and that does a good job of mitigating these attacks. However, the Russian volunteers are not without skilled cyber actors and it may only be a question of time before more sophisticated attacks are leveled at infrastructure. Security teams should track this group in terms of the techniques and procedures used to estimate what sectors are being targeted with what techniques, and then apply controls commensurate with the threat."

Yotam Perkal, Director, Vulnerability Research at Rezilion, offered some reassurance about the lack of operational effect on airport operations:

"So far from what I’ve been able to gather, the important thing to note here is that the affected targets are the airport websites which had no operational impact on the airports themselves. I haven’t been able to find any technical information about the attack method, but it doesn’t seem a specific vulnerability was exploited. In these types of DDoS attacks the attackers simply issue a significantly large amount of traffic from multiple locations directed at the website under attack until it (or the hosting service it uses) cannot handle the load and it becomes unavailable."

Chris Grove, Nozomi Networks' Director of Cyber Security Strategy, gives props to CISA for anticipating the Russian threat actors' probable behavior:

"Before we get into the specifics of the cyber-attack, I need to recognize and give kudos to CISA for issuing Alert AA22-110A just 6 months ago, which called this hacker group out by name, described their tactics typically used, then warned of similar upcoming attacks after they DDOS’d Bradley airport in March. Today's attack is evidence of the importance of collaborative approaches to cybersecurity, and heeding warnings that come from those in the know. It's fortunate that the operations of these airports weren’t impacted, but assuredly that will change in the future as the assailants attempt more brazen attacks with larger impact. As we’ve learned from mitigating years of attacks from other cyber activists, like Anonymous, these campaigns don’t last long (this airport attack was part of a 1 week campaign), are mostly confined to DDOS attacks, with an occasional data leakage if the hackers were able to breach the defenses. Like a storm, this too will pass. For the air industry there will be other attacks as the Ukraine situation escalates, so although this campaign is only 1 week long, defenders should remain at a high state of alert, and continue developing 360-degree situational awareness of their operations."

Frank Catucci, Chief Technology Officer and Head of Security Research at Invicti, wrote about the importance of minimizing attack surface. "If airlines are being targeted by DDoS, it is more than likely their web presence is also being targeted by the same attackers," he said. "There are many avenues to a denial of service, so continuously testing for web vulnerabilities and remediating any issues is crucial to minimize the overall attack surface. While DDoS attacks are mainly intended to render systems unresponsive and deny service to users, they are also used to slow systems down in preparation for further attacks, including SQL injection."

Lloyd's of London is back online.

Lloyd's concluded yesterday that no data were lost in the suspicious incident that came under investigation last week. "The investigation has concluded that no evidence of any compromise was found and as such Lloyd's has been advised that its network services can now be restored," the insurance market told Reuters.