Cyber phases of a hybrid war.
Feb 16, 2022

Bluff or gambit, even if NATO isn't buying a Russian stand-down, the financial markets seem bullish on peace. (But cyber operations apparently aren't over.)

Cyber phases of a hybrid war.

If you buy the theory that markets are the best predictors, and that wisdom is to be found in crowds more often than madness, then you should feel a bit better about the threat of an intensified, fully kinetic Russian war against Ukraine. US stock indexes rose yesterday after three consecutive days of losses, and the Wall Street Journal attributes the gains to investors' optimism that the crisis is easing. An opinion piece in the Telegraph argues that what the markets are actually bullish on is a Western sell-out of Kyiv. But both military and diplomatic signals remain mixed.

Ukrainian banks and Ukraine's Ministry of Defense sustain distributed denial-of-service attacks.

On a day of mixed military and diplomatic signals, two major Ukrainian banks and the country's Ministry of Defense sustained denial-of-service attacks. Forbes identifies the banks as Privatbank and Oschadbank, and quotes Ukrainian government sources as saying that "public-facing" websites of the Ministry of Defense were affected. Those military sites are unlikely to be directly relevant to command-and-control. The attacks appear to have been nuisance-level operations, disturbing but not crippling, relatively unsophisticated and easy to remediate. The Wall Street Journal reports that both the banks and the Ministry have been quick to begin remediation. Neither Ukrainian government nor security industry sources have so far offered attribution of the incident, although Ukrainian authorities pointed out the a priori likelihood that Russia was behind the incident. "It cannot be excluded that the aggressor is resorting to dirty tricks," an AFP story in the Kyiv Post quotes the country's "communications watchdog" (apparently the Center for Strategic Communications and Information Security) as saying. Moscow was quick to deny any involvement.

Adam Meyers, SVP of Intelligence at CrowdStrike, emailed us a summary of what the company observed in Monday's attacks against Ukrainian targets. CrowdStrike is cautious about attribution, as is its custom. "Today [Tuesday, February 15th], we observed multiple DDoS attacks against targets in the Ukraine, and indications of a broader information operation involving SMS messages," Meyers wrote. "The DDoS attacks targeted Ukrainian servers associated with government and financial institutions. Telemetry acquired during the attacks indicates a large volume of traffic, three orders of magnitude more than regularly observed traffic, with 99% of this traffic consisting of HTTPS requests, indicating the attackers were attempting to overwhelm Ukrainian servers. CrowdStrike Intelligence cannot attribute these attacks at this time. Various Russia-nexus adversaries have been targeting Ukrainian infrastructure since 2014 and are believed to engage in operational preparation of the environment."

CrowdStrike sees the potential for collateral damage to organizations outside Ukraine. Meyers added, "While there is no evidence of any targeting of western entities at this time, there is certainly potential for collateral impact as a result of disruptive or destructive attacks targeting Ukraine - this could impact companies that have a presence in Ukraine, those that do business with Ukrainian companies, or have a supply chain component in Ukraine such as code development/offshoring." He also offered advice on improving an organization's cyber readiness posture: "CrowdStrike urges organizations to remain vigilant and implement innovative technology to amplify their security posture. The two most effective things that organizations can integrate are a managed threat hunting program to help stop threats before they turn into breaches and establishing an identity-centric Zero Trust architecture."

Christian Sorensen, CEO of SightGain, commented on Tuesday's distributed denial-of-service attacks against Ukrainian financial institutions and the country's Ministry of Defense. "These attacks are ratcheting up attention and pressure. It doesn’t sound like much impact yet," he wrote in an email. "In the coming hours/days, I would anticipate more activities to isolate and disrupt Ukrainian citizens and especially government activities. The purpose at this stage is to increase leverage in negotiations. Next stage will be impactful and continue deterrence for other countries to get involved."

Others offered an explanation of how distributed denial-of-service attacks work and what they do. "The DDoS (Distributed Denial of Service) attacks can utilize hundreds or thousands of devices to disrupt the communications for an organization and its internet-facing systems," James McQuiggan, security awareness advocate at KnowBe4, commented. "It is like getting on the highway at rush hour and needing to get from one side of the city to another in 10 minutes, and it is impossible because of the volume of cars on the road, making the trip take 45 minutes. Technology exists to reduce a DDoS attack; however, it is difficult to stop the attack once it starts without disabling the equipment. Organizations can consider having non-essential systems in a cloud environment like their main website or email. They can install and configure anti-DDoS hardware or software in a cloud environment. Most importantly, having a DDoS incident response plan is critical so IT personnel can quickly implement the necessary actions to minimize the attack and effectively return the systems to operation."
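As an added illustration (not code from the original article, CrowdStrike, or KnowBe4), here is the kind of baseline check a defender could run over per-minute request counts to flag a surge like the one Meyers describes: traffic three orders of magnitude above normal and almost entirely one protocol. The per-minute samples are constructed for the example, and the 1000x ratio and 95% dominance threshold are assumed tuning values.

```python
from statistics import median

# Constructed per-minute samples, not real telemetry:
# (minute index, total requests, per-protocol request counts)
SAMPLES = [
    (0, 1200, {"https": 700, "http": 400, "dns": 100}),
    (1, 1100, {"https": 650, "http": 350, "dns": 100}),
    (2, 1300, {"https": 800, "http": 400, "dns": 100}),
    (3, 1250, {"https": 750, "http": 400, "dns": 100}),
    (4, 1150, {"https": 700, "http": 350, "dns": 100}),
    (5, 1400, {"https": 850, "http": 450, "dns": 100}),
    # surge: ~1200x the quiet baseline, 99% HTTPS
    (6, 1_500_000, {"https": 1_485_000, "http": 12_000, "dns": 3_000}),
    (7, 1_300_000, {"https": 1_287_000, "http": 10_000, "dns": 3_000}),
    (8, 1300, {"https": 800, "http": 400, "dns": 100}),
]


def baseline(history, window=5):
    """Median request count of the last `window` quiet minutes.

    The median is used because a mean would be dragged up by any
    contaminated minute that slipped into the history.
    """
    quiet = [total for _, total, _ in history[-window:]]
    return median(quiet) if quiet else None


def detect_volumetric(samples, ratio=1000.0, window=5, dominant=0.95):
    """Flag minutes whose volume is at least `ratio` times the rolling
    baseline and report which protocol dominates the surge."""
    alerts, history = [], []
    for minute, total, protos in samples:
        base = baseline(history, window)
        if base and total >= ratio * base:
            proto, count = max(protos.items(), key=lambda kv: kv[1])
            share = count / total
            alerts.append({"minute": minute, "ratio": total / base,
                           "protocol": proto, "share": round(share, 3),
                           "single_protocol": share >= dominant})
            continue  # never feed a surge minute into the baseline
        history.append((minute, total, protos))
    return alerts
```

Running `detect_volumetric(SAMPLES)` flags minutes 6 and 7 as HTTPS-dominated surges and lets minute 8 pass once traffic returns to baseline.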

Establishing persistence in Ukrainian networks.

Following its recent practice of releasing intelligence assessments that might otherwise be closely held, the US Intelligence Community has said, the Washington Post reports, that it's likely Russian cyber operators have penetrated and established persistence inside Ukrainian critical infrastructure networks.

Possible targets of an expanded Russian cyber campaign: commercial ISR providers.

Russia's pressure on its neighbor has brought new urgency to the cybersecurity of space systems and commercial space companies. Russia has jammed or spoofed PNT (positioning, navigation, and timing) signals in the past. And given the prominent role commercial satellite imagery has played in revealing Russian military deployments over the course of the crisis, there's speculation that Western space companies and the assets they run will become early targets of cyberattack should Russia's hybrid war against Ukraine intensify. Cyberattack is an attractive alternative to kinetic antisatellite operations: it is more ambiguous, more deniable, less easily attributable, and less likely to draw retaliation in kind. Commercial ISR is also a useful source of tactical and operational intelligence for Ukraine, and denying Kyiv easy access to such combat information would be an obvious move should the conflict become more intense.

While the risk of expanded cyber operations is real, Mandiant, for one, cautions against exaggerating the threat. Sandra Joyce, Mandiant's executive vice president of global intelligence, reminded Bloomberg that, "We've had a lot more death and destruction from real kinetic war than we've had from the cyber domain, and I think that people just need to slow down and realize that." Kinetic attack is far more likely to scorch the earth than cyberattack is.

Russia says its troops have begun to return to garrison, but NATO's not ready to buy it, yet.

NATO says it hasn't seen signs that Russian troops are moving from exercise and assembly areas back to their home stations, the AP reports, whatever Moscow may be saying. "At the moment, we have not seen any withdrawal of Russian forces," NATO Secretary-General Jens Stoltenberg said. "If they really start to withdraw forces, that's something we will welcome but that remains to be seen." Nor have Ukraine's leaders: the BBC reports that President Zelensky isn't seeing a drawdown yet, either. "When the troops do pull back, everyone will see that," President Zelensky told the BBC. "But for now, it's just statements." Radio Free Europe | Radio Liberty summarizes the open-source evidence for what the US news service calls an "unprecedented" military build-up.

It seems increasingly clear that the immediate Russian strategic objective is exclusion of Ukraine from membership in NATO. The BBC quotes a Russian Foreign Ministry source (Ambassador Konstantin Gavrilov) as saying "Russia will insist that Nato publicly announces its refusal to accept Ukraine into its ranks. Kyiv, in turn, must proclaim its neutral, non-aligned status." US President Biden has said, as recently as yesterday, that this is a concession the US isn't prepared to make.

Things apparently look different from Berlin, where exactly this concession is very much on the table. The Telegraph quotes German Chancellor Olaf Scholz as saying, “The fact is that all involved know that Nato membership for Ukraine is not on the agenda. Everyone must step back a bit here and make it clear to themselves that we just can’t possibly have a military conflict over a question that is not on the agenda. It is a question of leadership ability for all involved – in Russia, in Ukraine, in Nato – to make sure we don’t have an absurd situation that would be about something like that.” President Putin added, at a press conference following his meeting with Chancellor Scholz, “We need to solve this issue today by peaceful means through a diplomatic process. We want our partners to hear our concerns and [be] taken seriously.”

Influence operations in the hybrid war.

T-80s, BMPs, and D-30s represent one aspect of national power, useful in threatening neighbors, but there are of course others that are less brutally kinetic. Russia's Duma applied a different form of pressure to Ukraine when it voted to request that President Putin recognize the allegedly separatist Ukrainian provinces of Donetsk and Luhansk as independent republics. This would amount to a unilateral abrogation of the Minsk Accords negotiated in the wake of Russia's 2014 conquest of Crimea. It's noteworthy that Russia initially recognized a Republic of Crimea before a plebiscite (generally regarded as illegitimate) voted to ask that Russia annex the peninsula.

The Atlantic Council's Digital Forensic Research Lab reports some of the disinformation narratives recently used against Ukraine:

  • Zelensky intends to "massacre" ethnic Russians.
  • The so-called "People's Republic of Donetsk" says there are mass graves of Russians murdered by Ukrainian forces.
  • There are unexplained "explosions" in Donetsk.
  • Ukrainian artillery is shelling Donetsk.
  • The Americans have written off Ukraine.

And, of course, the line that the Ukrainians are being run by actual, not metaphorical, Nazis continues. Ilya Kiva, a pro-Kremlin member of the Russophile Opposition Platform—For Life, said, in a Telegram post, "Zelenskyy's government is closing TV channels, blocking YouTube channels, internet sites and Telegram channels to prepare the country for an information vacuum and informational isolation of the population. They will create legal lawlessness and prepare a 'massacre' of unwanted, the Russian population. They will be called the enemies of Ukraine. All this will be done at the hands of Nazis. The Nazis themselves have long made no secret of their plans to start a massacre of Russians inside the country. In the near future, the internet and communications may be disconnected." Mr. Kiva's statement is being widely amplified by Russian media.

See it and raise you, or check?

The Economist wonders whether the Russian troop deployments may be more bluff than realistic military threat. 150,000 troops (the most recent estimate, up from an earlier tally of 130,000) are a lot, to be sure, but Ukraine wouldn't, at this stage of its post-Crimea rearmament, be a pushover, either. And the paper also isn't seeing the level of domestic propaganda it would expect on the eve of an invasion. (Given the factitious atrocity stories circulated by Russian media, the Economist has high expectations indeed for what wartime propaganda would look like.)

There's an emerging tendency to romanticize Vladimir Putin as cunning, enigmatic, and dangerously difficult to read. A New York Times piece offers an intelligent example of this trend, with due emphasis placed on Mr. Putin's background as a career KGB officer. Some of the inscrutability is put down to the Russian President's good opsec habits. "He avoids electronic devices, oftentimes bans note-takers, and tells his aides little," all of which make collection difficult. (But some of the impenetrability comes across as card table jitters: the Americans, one feels, are looking for tells, and they're not sure where to find them. In some respects Russo-American relations are a competition between adversaries who are playing different games. A nation of poker players looks for bluffs and thinks hard about managing risk in a conflict where chance dominates the play, unless you can stack the deck or see the opposition's cards. A nation of chess players sees a complex but ultimately deterministic competition where players make mistakes, but nothing happens by chance.)