Ukraine at D+84: Five months of cyber and info ops.
May 19, 2022

With little change on the ground, Ukraine increases its combat capability while Russia seeks to reconstitute its forces for a renewed offensive. Mandiant issues a report on information operations conducted to date in support of Russia's war against Ukraine. And someone's robo-calling the Kremlin.


This morning's situation report from the British Ministry of Defence (MoD) offers an account of the senior Russian officers who've either been sacked or are on the hot seat over combat failure in Ukraine:

"In recent weeks, Russia has fired senior commanders who are considered to have performed poorly during the opening stages of its invasion of Ukraine. Lieutenant General Serhiy Kisel, who commanded the elite 1st Guards Tank Army, has been suspended for his failure to capture Kharkiv. Vice Admiral Igor Osipov, who commanded Russia’s Black Sea Fleet, has also likely been suspended following the sinking of the cruiser Moskva in April. Russian Chief of the General Staff Valeriy Gerasimov likely remains in post, but it is unclear whether he retains the confidence of President Putin. A culture of cover-ups and scape-goating is probably prevalent within the Russian military and security system. Many officials involved in the invasion of Ukraine will likely be increasingly distracted by efforts to avoid personal culpability for Russia’s operational set-backs. This will likely place further strain on Russia's centralised model of command and control, as officers increasingly seek to defer key decisions to their superiors. It will be difficult for Russia to regain the initiative under these conditions."

These firings are in addition to the earlier purge of the FSB, blamed by President Putin for intelligence failures prior to the invasion. The MoD's current situation map shows stagnation in the Donbas and along the Azov coast.

Russian information operations surrounding the invasion of Ukraine.

Mandiant this morning published an overview of the Russian information operations it's tracked during the run-up to Russia's war against Ukraine, through the actual invasion, and continuing until now. Senior Analyst Alden Wahlstrom, one of the lead authors of this report, said that the research sought to exhibit "how known actors and campaigns can be leveraged or otherwise refocused to support emerging security interests, including large-scale conflict. For years, analysts have documented that Ukraine, a key strategic interest of Russia's, is a testing ground for Russian cyber threat activity that they may subsequently deploy elsewhere. Now, we witness how pro-Russia actors have leveraged the assets and campaign infrastructure developed over time (in whole or part) to target Ukraine."

The operations exhibit a mixture of disinformation and disruptive attacks (mostly ransomware, wiper malware disguised as ransomware, and nuisance-level distributed denial-of-service attacks). Defacement of Ukrainian government websites began as early as January 14th of this year, with messages claiming theft and subsequent deletion of data. "The defacements likely coincided with the January deployment of destructive tools PAYWIPE, an MBR wiper disguised as ransomware, and the SHADYLOOK file corrupter against Ukrainian government and other targets." February 23rd, the eve of the invasion proper, saw a repetition of this style of attack. In this case the defacements "coincided with destructive attacks against Ukrainian government targets using the NEARMISS master boot record (MBR) wiper and PARTYTICKET wiper disguised as ransomware." And during the war itself, on March 16th a deepfake video of Ukrainian President Zelenskyy appearing to announce surrender to Russia was distributed over compromised Ukrainian news sites. This incident coincided with another wiper attack: "On the same day, Mandiant identified the JUNKMAIL wiper targeting a Ukrainian organization. The malware was configured via a scheduled task to execute approximately three hours before Zelenskyy was scheduled to deliver a speech to the U.S. Congress."

Some familiar threat actors have been in evidence. APT28 (Fancy Bear, the GRU) has been behind much of the Russian activity, and the allied Ghostwriter operators of Belarus's satellite intelligence and security services have also been active in the Russian interest. The Internet Research Agency, well-known as an election-meddling troll farm, seems also to have resurfaced as "Kiber [that is, Cyber] Force Z," and resumed influence and amplification operations. And there have been the usual covert media outlets working under inauthentic personae. Kiber Force Z's style is as familiar as it is tasteless, featuring a Russian-uniformed Pepe the Frog (an Orthodox cross blasphemously around his neck, a "Z" patch in the place of honor on his left shoulder) calling in an airstrike on Azovstal, occupied by three Azov Battalion soldiers with pig faces. (The Azov boys look better uniformed and equipped than comrade soldier Pepe, who seems a bit slack and devil-may-care in his turnout. Maybe Kiber Force Z realized that President Zelenskyy's casual kit played better than President Putin's expensive clothes, long tables and Ruritanian guards.)

There's also been some nominally hacktivist activity conducted in support of Russia. "Established hacktivist personas JokerDNR and Beregini have remained active in their targeting of Ukraine in the leadup to and since Russia's invasion, including through their publication of allegedly leaked documents featuring possible personally identifiable information (PII) of Ukrainian military members," Mandiant notes, and goes on to observe cautiously, "Additionally, newly established 'hacktivist' groups, whose degrees of affiliation to the Russian state are yet unknown, like Killnet, Xaknet, and RahDit, have engaged in hacktivist-style threat activity in support of Russia, including distributed denial-of-service (DDoS) attacks, hack-and-leak operations, and defacements." There is, we think, a strong likelihood that these hacktivist personae are operating under the control, or at least the direction, of Moscow's intelligence services.

Russian disinformation has had two sides. One, for foreign consumption, has been in the familiar, tabloidesque, entropic style, intended to darken counsel more than to persuade, that's been a staple of Russian election meddling for the past decade. This line has featured such claims as the discovery of US biowar labs in Ukraine, Poland's systematic harvesting of Ukrainian refugees' organs for sale on the transplant black market, etc. The other has been aimed primarily at domestic audiences, and has emphasized the foreign threat to Russia, Ukrainian atrocities against ethnic Russian enclaves, and, above all, the alleged Nazi cabal that's got to be running Kyiv. These lines of disinformation have been intended to persuade.

The report concludes by offering its take on the outlook for influence campaigns aligned with Russian goals. Russian operators can be expected to continue to push disinformation, with a probable assist from their satellite services in Belarus. China and Iran serve as allies of convenience, retailing Russian themes when it serves those regimes' longstanding anti-Western strategic goals:

"Information operations observed in the context of Russia’s invasion of Ukraine have exhibited both tactical aims responding to, or seeking to shape, events on the ground and strategic objectives attempting to influence the shifting geopolitical landscape. While these operations have presented an outsized threat to Ukraine, they have also threatened the U.S. and other Western countries. As a result, we anticipate that such operations, including those involving cyber threat activity and potentially other disruptive and destructive attacks, will continue as the conflict progresses. 

"One notable feature of operations attributed to known actors thus far is their apparent consistency with the respective campaign’s established motives. Russia-aligned operations, including those attributed to Russian, Belarusian, and pro-Russia actors, have thus far employed the widest array of tactics, techniques, and procedures (TTPs) to support tactical and strategic objectives, directly linked to the conflict itself. This is especially beneficial when the facts on the ground shape Russia’s need to influence events in Ukraine, marshal domestic Russian support, and manage global perceptions of Russia’s actions. Meanwhile, pro-PRC and pro-Iran campaigns have leveraged the Russian invasion opportunistically to further progress long-held strategic objectives. We likewise expect this dynamic to continue, and are actively monitoring for expansions in their scope of information operations activity surrounding the conflict."

NATO cyber coordinators meet.

NATO's national coordinators for cybersecurity met yesterday in Brussels, the Hill reports, the first time such a group has convened. The meeting was prompted by the Russian war against Ukraine, and the ways in which it's altered the strategic landscape. "Allies have expressed concern that cyber threats to the security of the Alliance are complex, destructive, coercive, and becoming ever more frequent," a NATO press release said. "NATO is a strong platform to share information, to exchange national approaches and responses, as well as to consider possible collective responses. Allies are also providing practical support to partners, including Ukraine."

What are you talking about, Vladimir Vladimirovich? There's no I.P. Freely here. No? Then why did you call me, Sergei Kuzhugetovich?

Or words to that effect. Hacktivists looking for ways of throwing sand in the gears of Russian governance have established a website (WasteRussianTime.Today, according to Wired's story) where, if you're of like mind, you can place robot calls that connect a couple of Kremlin apparatchiki while you listen in as they try to figure out who called whom. The technology the hacktivist group (which calls itself the "Obfuscated Dreams of Scheherazade") uses is first cousin to that employed by the people who call you about extending your car warranty, or getting credit card interest relief.

“This war started inside Moscow and St. Petersburg, within the power circle of Putin, and that’s who we want to annoy and disturb,” Wired quotes one of the service's organizers as explaining. So the effort is meant to be irritating, and no doubt it is, but these aren't prank calls in the classical genre, like calling the local smoke shop, inquiring whether they've got Prince Albert in a can, and then saying, "well, you better let him out," or like asking the bartender to page Amanda Huggenkiss. The organizers decided against facilitating such direct interaction (too dangerous to the participants, who might inadvertently reveal their identity or location). What they did instead was to set up a program that would initiate "a VoIP call, automatically dialing 40 of the leaked [Kremlin] phone numbers, and merging the user into a three-way call with the first two Russian officials' phones that connect."

We're of two minds on this. On the one hand, it's difficult to summon much sympathy for robocalling or even hacktivism in general, which have typically been marked by poor control, bad aim, and unintended effects. When Wired tried out the service, they found there were some difficulties connecting two Russian parties. Apparently there are latency issues, which the Obfuscated Dreams of Scheherazade are working on. There are also sources-and-methods issues. Christo Grozev, of Bellingcat, and no stranger himself to prank calls, explained this particular downside to Wired. “Whenever something like this becomes public, the whole department changes their numbers, and that's not good for investigations, including journalistic investigations.” 

On the other hand it's difficult not to appreciate what the Obfuscated Dreams of Scheherazade are doing, at least as conceptual art. So, for your consideration, a thought experiment: what if the prank calls weren't placed by various outraged randos, but by, say, US Cyber Command, known to many as a pretty low-latency outfit. We're fairly sure there must be some Title 10 authority for ordering two-dozen anchovy pizzas for delivery to the Russian President's office. If, that is, you can still get a pizza in Moscow. So we say, Rear Admiral (retired) John ("Jack") Mehoff, call Fort Meade. America has need of you in this hour. (And, General Nakasone, you're welcome.)