Limited objectives? And collaboration during conflict.
Jan 26, 2022

Russian forces near the Ukrainian border (now estimated in media reports as having stabilized around a total troop strength of 100,000) remain in position as NATO and Ukraine increase their own readiness in the region. NATO pledges continued cyber support as the US and other members prepare sanctions against Russia.

Russian forces near the Ukrainian border (now estimated in media reports as having stabilized around a total troop strength of 100,000) remain in position as NATO increases its own readiness in the region (although forward-deployed NATO troops number far less than the Russian forces on the other side). Foreign Policy sees the three Baltic states (Latvia, Lithuania, and Estonia) and the United Kingdom and Canada as the NATO members most committed to the defense of Ukraine. Ukraine's own forces remain on high alert even as Kyiv downplays the threat of imminent Russian invasion. NATO pledges continued cyber support as the US and other members prepare sanctions against Russia.

Ukrainian forces on alert. Russian influence operations continue.

Ukraine has maintained its own forces in a state of alert, but Kyiv has also, Military Times reports, sought to reassure the public that a Russian invasion, while a serious threat, is neither imminent nor inevitable. A high state of military readiness is nothing new for the country's Eastern provinces, which have seen Russian-backed separatist activity since 2014. Fighting, as the AP reports, has continued at a sporadic low level. Ukrainian military capabilities aren't negligible, resembling as they do a somewhat smaller version of Russia's, and an analysis in the Washington Post offers reason to expect that any large-scale combat will be both protracted and painful.

Two regions in the largely Russophone Eastern Ukraine, Donetsk and Luhansk, have declared their autonomy, and the Russian Duma has made rumblings that it might recognize them. The Guardian offers reason to believe that a kinetic invasion, should it come, might have the relatively limited objective of consolidating Russian influence over Eastern Ukraine rather than the conquest and subsequent administration of the country as a whole. An analytic essay by the Center of Defense Strategies published by the Kyiv Independent makes a similar case:

"In short, our conclusions are the following:

  1. "A full-scale invasion capturing most or all of Ukraine in the near future seems unlikely.
  2. "There are other threatening scenarios that may materialize.
  3. "Ukraine must remain calm and actively prepare for the defense of the country in any case."

The New Atlanticist has an overview of the current state of play in the Donbass:

"Bolstering discussions about Donetsk and Luhansk independence may be aimed at putting additional pressure on Ukraine to make concessions to Russia. If Putin decides to recognize these regions as sovereign states, it would put an end to the 2014 and 2015 Minsk peace agreements in which Russia participated as a mediator between Ukrainian government authorities and the self-proclaimed republics. Recognition of the two breakaway regions could also lay the groundwork for Russia to deploy additional military troops there. The Ukrainian defense ministry estimates that there are currently thirty-five thousand separatist fighters and two thousand Russian regular forces in Donetsk and Luhansk, according to Reuters, though Russia disputes those tallies. Recognition of these territories would also trigger additional Western sanctions against Russia."

President Putin has said that Ukraine's efforts to restore authority over the area "resembles genocide," the New York Times reports, and for all the Russian media attempts to characterize Ukraine as moving toward Nazism, the historical parallels the Donbass suggests in 2022 are with the Sudetenland in 1938. Russian accusations of genocide and Nazism have convinced few abroad, but they're likely to remain a staple of Moscow's influence campaign. The crisis, as Moscow says it sees it, is made in Washington and Brussels, where a mixture of calculation and "hysteria" has convinced Western governments that Russia is a threat to Ukraine. Russian television news outlets have been particularly active in distributing this line, Reuters reports. As far as any Russian threat to Ukraine is concerned, "They've invented it... The Americans have been scaring themselves about a Russian invasion for months," a correspondent for Vesti said in a representative interview.

Regular and irregular cyber warfare.

In the present phase of the conflict, deniable, grey-zone cyber operations are generally regarded as likely. NATO has reaffirmed what it characterizes as its longstanding commitment to Ukrainian cyber defense. "NATO has been working with Ukraine for years to increase its cyber defences, and will continue to do so at pace," a statement from the Alliance said. The same statement also quoted Deputy Secretary General Mircea Geoană on the current crisis on NATO's Eastern flank. "The use of hybrid attacks against Ukraine, including cyber-attacks and disinformation," he said, "as well as the massing of advanced weapons on its borders, underlines the key role of advanced technology in modern warfare."

The Belarusian Cyber Partisans, a hacktivist group opposed to the rule of Belarusian President Lukashenka, claimed credit for Operation Peklo, a cyberattack intended to disrupt Belarusian freight rail traffic. It's a ransomware attack, but the ransom demanded is the release of fifty political prisoners and an end to the Russian military presence in the country. Mark Carrigan, Cyber VP of Process Safety and OT Cybersecurity at Hexagon PPM, wrote to point out that both regular forces ("nation-states") and irregulars ("activists") have, and can be expected to use, cyber offensive capabilities, and that the use of these represents an evolution of traditional operational approaches to disrupting enemy command, control, and service support:

“It comes as no surprise that during a time of rising international tensions, critical infrastructure is now a target of cyber attackers. History has shown that in the opening days of warfare, the command, control and logistics of an adversary are among the first targets. Today, nation-states and activists have a new way to disrupt these critical services – cyber-attacks. If tensions continue to rise and the western allies signal that they intend to implement harsh economic sanctions on Russia, there is an increasing likelihood that cyber-attacks on critical infrastructure will escalate. Operators of critical infrastructure must increase their vigilance during times of heightened political conflict and improve their operational resilience to ensure they can respond to this new, ever expanding threat to their business.”

The cyberattack against Global Affairs Canada remains under investigation, the CBC reports. Ottawa has said the incident was contained, and that while services haven't been fully restored, no other government agencies or services were affected. The government hasn't said much about the nature of the incident, nor has it offered any attribution. "There is no indication that any other government departments have been impacted by this incident," an official statement said, adding, "This investigation is ongoing. We are unable to comment further on any specific details for operational reasons."

The timing of the incident, coming as it did as Canadian security services were warning of the possibility of Russian cyberattacks during the crisis over Ukraine, prompted much informed speculation to the effect that Russian organs were responsible (and CBC has an extensive summary of the reasons for thinking so). But, that said, attribution remains unclear, and coincidence remains a real possibility.

Global Data security expert Trevor Morgan, product manager at comforte AG, wrote to comment on the general threat of cyberattack during periods of heightened international tension:

“As individuals, we are aware of the personal threats posed by cyberattacks directed against us. As members of businesses and organizations, we know that enterprise data, which is the lifeblood of the corporation, is always a tempting target for hackers. And yet, as citizens we should be most cognizant of the brazen attempts by threat actors to steal state secrets or disrupt governmental operations. We depend on government to provide us with a basic level of security against all threats to our lives and livelihoods, so we have to be concerned that threat actors—whether acting independently or state-sponsored—are directing their efforts against the entities which have the most ample resources to defend against cyberattacks.”

Looking for sanctions that might actually bite Russia's leaders.

The US has devoted considerable attention to the sanctions it might bring against Russia should Moscow carry out its threat against Ukraine. Some of those resemble the US measures against Huawei, but writ large, and designed to cover broad stretches of the Russian economy as opposed to one or a handful of companies. The US is also considering, according to Bloomberg, sanctions directed specifically against Russian President Vladimir Putin. A recent example of what such sanctions might look like is afforded by last week's US Treasury Department action against four Ukrainian nationals accused of working as Russian agents of influence against the government in Kyiv.

FSB's action against organized cyber crime. 

Russia's FSB has recently arrested members of organized cyber gangs who had previously expected (and enjoyed) a comfortable immunity from official attention as long as they stayed clear of Russian targets and confined their theft and extortion to Western organizations. Why Russian authorities have shifted their policy now remains unclear, although some have speculated that the police raids serve to position Russia as a good citizen in cyberspace even as it prepares for hybrid war against Ukraine. It's also unclear how deep and enduring the shift will prove. John Fokker, Head of Cyber Investigations & Principal Engineer at Trellix, wrote to offer some perspective on Russian law and law enforcement:

"It is highly likely that the FBI has exchanged case information on Russian individuals that have committed and gained a significant amount of income from cybercrimes. There is no official treaty between the US and Russia that covers the mutual recognition of their respective cybercrime laws. What this means is that the individual must commit a Russian crime in order for the Russian authorities to prosecute. The easiest crime to prosecute is money laundering, as we have seen with the REvil case.

"In my own experience with dealing with the Russian law enforcement authorities, building a case based on foreign information takes time. The fact that this action is taking place now can mean it is related to current events in Ukraine or simply mean the case work took a long time. We will never know for sure. However, I am happy to see more action being taken against cyber criminals of Russian nationality. The news of the arrests has resonated strongly in the Russian-speaking cybercriminal underground and has started striking panic amongst cybercriminals. There is a real chance to get caught even if they reside in Russia.

"What this means in the long term remains to be seen, as the US has indicted quite a few Russian cybercriminals in the past and they still haven’t had a visit from the FSB to this day."