Ukraine at D+539: Drones, grain corridors, and combat-support hacking.
N2K, Aug 17, 2023

A look at lessons from cyber threats to satellite communications, and some apparent domestic hacktivism in Russia.


Ukrainian forces maintain their deliberate pace of advance in the southeastern zone. The Institute for the Study of War reports the liberation of several villages along the axis of advance, with progress confirmed by Russian accounts of their forces' local withdrawals. Russian forces have continued to attempt spoiling attacks elsewhere along the line of contact, and Ukrainian officials warn that those attacks could enjoy some success.

Russia also continues to strike grain, as Ukraine tests the Black Sea blockade with a Hong Kong-flagged grain ship.

Ukraine's intelligence service, the SBU, has claimed responsibility for the July 17th attacks by surface drones against the Kerch Strait Bridge. The "Sea Baby" drones used in the attack were, the SBU said, domestically developed and carry an explosive charge of 850 kilograms.

Preparing for a longer war.

The British Ministry of Defence this morning assessed Ukraine's energy reserves as observers increasingly expect the war to continue through this winter. "Despite the continued pressures of war, Ukrainian efforts to build up fuel stockpiles will likely be successful in ensuring that it will have sufficient fuel reserves during the approaching winter period. Ukraine has been effective in mobilising its mining sector to maintain output, ensuring a continuous supply of coal is available for thermal power and heating plants in the winter, with substantial gas stocks providing a further reserve."

Russia hit energy infrastructure in Ukraine last winter, but without decisive result. The UK's MoD expects the same this winter. "Despite Russian attacks on Ukraine’s energy infrastructure likely continuing this winter, Ukraine demonstrated last winter that it has the skilled workforce and expertise needed to operate and maintain the power network, even in wartime conditions."

Lessons learned from the Russian cyberattack on Viasat.

CSO Online has an account of the lessons in incident response learned when Russian cyber operators disrupted Viasat service in Ukraine during the opening hours of Russia's invasion in February of 2022. Viasat and NSA offered their analyses of the incident at Black Hat and Defcon. Early on February 24th, 2022, as Russian forces were preparing to cross their lines of departure, a well-timed wiper attack disrupted Viasat's Ka-band satellite communications, shutting down thousands of ground-based modems.

The attack began with reconnaissance, and then, around midnight, successful access to Viasat’s FTP server, "a part of the infrastructure that delivers new software or updates to the modems." The attackers "dropped a wiper binary along with scripts to enumerate the network, interrogate it, and report back the status after the scripts completed execution." Over roughly three hours, the Russian operators installed the wiper on the targeted terminals and wiped the flash memory of the modems. When rebooted, the modems "became inoperable." Viasat lost between 40,000 and 45,000 modems. The initial wiper attack was followed by a distributed denial-of-service attack, which complicated recovery.

Viasat identified several lessons it drew from the experience. First, incident response is a vital security capability. Second, information sharing is both complicated and vital. And, third, it's important to have a sound baseline understanding of what normal operations look like, the better to recognize anomalies. One mystery endures: how did the Russians obtain the credentials they used to gain access to Viasat's FTP server? Investigation seems to have ruled out both brute-forcing and a zero-day exploit. An insider threat has not been ruled out.
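The third lesson above, knowing what normal looks like well enough to notice a departure from it, is the one that maps most directly to code. The example below is added here and is not Viasat's or NSA's tooling; it builds a per-account profile from a constructed week of transfer-log lines on a hypothetical update-distribution server (the log format, the account names and the paths are all invented for the example) and then scores a second, constructed set of lines for the kinds of departures the account above describes: a service account active at an hour it never uses, and uploads of file types it has never uploaded.

```python
"""
Baseline-and-anomaly check for a hypothetical update-distribution server.
Every log line here is constructed for this example. The assumed format is
    <ISO-8601 UTC timestamp> <account> <STOR|RETR> <path> <bytes>
where STOR is an upload to the server and RETR a download from it.
"""
from collections import defaultdict
from datetime import datetime, timezone
from pathlib import PurePosixPath

# Constructed "normal" week: a build account publishes firmware and a manifest
# in the afternoon (UTC); an operations account only downloads, in the morning.
BASELINE_LOG = """\
2022-02-14T14:02:11Z buildsvc STOR /updates/modem-fw-3.4.1.bin 4194304
2022-02-14T14:05:40Z buildsvc STOR /updates/manifest.json 2048
2022-02-15T15:12:03Z buildsvc STOR /updates/modem-fw-3.4.2.bin 4198400
2022-02-15T15:13:09Z buildsvc STOR /updates/manifest.json 2051
2022-02-16T09:30:00Z netops RETR /updates/manifest.json 2051
2022-02-17T10:01:45Z netops RETR /updates/modem-fw-3.4.2.bin 4198400
"""

# Constructed "incident night": the same build account, valid credentials,
# but around midnight and pushing file types the baseline has never seen.
INCIDENT_LOG = """\
2022-02-24T00:02:31Z buildsvc STOR /updates/enum.sh 1337
2022-02-24T00:03:10Z buildsvc STOR /updates/report.sh 901
2022-02-24T00:04:55Z buildsvc STOR /updates/modem-fw-3.4.2.bin 4198400
2022-02-24T09:45:12Z netops RETR /updates/manifest.json 2051
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, user, op, path, size = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "op": op,
        "path": path,
        "size": int(size),
        "ext": PurePosixPath(path).suffix.lower(),
    }


def build_baseline(log_text):
    """Per-account profile: which operations, UTC hours and file extensions are normal."""
    profile = defaultdict(lambda: {"ops": set(), "hours": set(), "exts": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        p = profile[ev["user"]]
        p["ops"].add(ev["op"])
        p["hours"].add(ev["ts"].hour)
        if ev["op"] == "STOR":
            p["exts"].add(ev["ext"])
    return dict(profile)


def _hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (23 and 0 are one hour apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(ev, baseline, hour_slack=1):
    """Return the list of ways this event departs from its account's baseline."""
    p = baseline.get(ev["user"])
    if p is None:
        return ["account never seen on this server"]
    reasons = []
    if ev["op"] not in p["ops"]:
        reasons.append(f"operation {ev['op']} not in baseline for this account")
    if all(_hour_distance(ev["ts"].hour, h) > hour_slack for h in p["hours"]):
        reasons.append(f"hour {ev['ts'].hour:02d}Z outside this account's baseline hours")
    if ev["op"] == "STOR" and ev["ext"] not in p["exts"]:
        reasons.append(f"upload of unfamiliar file type '{ev['ext']}'")
    return reasons


def find_anomalies(log_text, baseline):
    """Return [(line, reasons)] for every line that departs from the baseline."""
    flagged = []
    for line in log_text.splitlines():
        reasons = score_event(parse_line(line), baseline)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    profile = build_baseline(BASELINE_LOG)
    for line, reasons in find_anomalies(INCIDENT_LOG, profile):
        print(line)
        for r in reasons:
            print("   -", r)
```

Note that the third incident line, a re-upload of a firmware image the account has legitimately published before, is still flagged, but only on the hour: a profile built from several dimensions lets the reviewer see at a glance which departure is worth chasing, which is the point of having a baseline at all. A real deployment would of course build the profile from weeks of server-side logs rather than six constructed lines.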

The initial wiper attack stands out as a Russian success in a record of offensive cyber action that, for the most part, has been mediocre, falling far short of prewar expectations. The cyberattack against Viasat was well-planned and effectively executed. It was timed to maximize its combat support effect. And it served a traditional electronic warfare role, jamming the enemy's communications at a crucial phase of the operation.

Update on cyber threats to Starlink.

The Telegraph reported Saturday that Ukraine's State Security Service (SBU) has claimed that Russia's GRU is attempting to deploy malware against the Starlink satellite communications system with a view to collecting data on Ukrainian troop movements. The Debrief provided an update on Wednesday, quoting an SBU report to the effect that the GRU operation represented “large-scale cyber attacks to obtain unauthorized access to Android devices possessed by Ukrainian military personnel for planning and performing combat missions.” The SBU has found ten malware strains in the campaign, including one infostealer whose "functional purpose is to gather data from the Starlink satellite system.” This campaign represents collection, not an attempt at disruption; it's espionage, not sabotage.

Another source of concern has emerged in Ukraine with respect to Starlink: SpaceX boss Elon Musk's restriction of service when Starlink connectivity seems ready to be used in support of offensive operations against Russia proper. This is of a piece with Mr. Musk's recent calls for, essentially, a freezing of the conflict that would effectively amount to a Russian victory.

Disgruntled currency speculator? Unhappy import-export type?

The ruble's recent slide against the dollar, the euro, and other foreign currencies is a matter of some dissatisfaction in Russia. The government is working to stabilize its money, and has for now, Radio Free Europe | Radio Liberty reports, decided against imposing a freeze on currency trading or related speculation.

One disgruntled citizen (apparently a citizen, although other hackers can't necessarily be ruled out) hacked a big outdoor news ticker in the Siberian oil town of Surgut to display the message, "Putin is a d*ckh*ad and a thief. 100₽ to the dollar – you've lost your f*cking mind." Video of the crawler is provided by the Financial Times Moscow Bureau Chief in a tweet. "D*ckh*ad" isn't a literal translation of the demotic expression that appears in the message, but it's close enough in perlocutionary force for government work.