Ukraine at D+11: Stalled advances, intense fires, and cyber ops.
N2K logoMar 7, 2022

Russia's advance remains largely stalled; both Russia and Ukraine turn to auxiliaries in the cyber phase of Russia's hybrid war of aggression.

Ukraine at D+11: Stalled advances, intense fires, and cyber ops.

Within hours of agreeing to cease-fires late last week that would have permitted civilians to evacuate areas of active fighting, Russian forces resumed shelling the evacuation routes they'd agreed to protect. The attacks have been particularly severe and indiscriminate around the southern port city of Mariupol, where Ukrainian resistance continues. Russia today declared new humanitarian cease-fires in areas with heavy refugee traffic, but it seems unlikely that these guarantees will prove any more reliable than those that accompanied the earlier cease-fire promises.

A surprisingly slow advance yields to tactics out of Russia's "Syria playbook."

The UK's Ministry of Defence, in its regular update on Russia's war against Ukraine, yesterday assessed the situation as follows: "Russian forces probably made minimal ground advances over the weekend. It is highly unlikely that Russia has successfully achieved its planned objectives to date. Over the past 24 hours, a high level of Russian air and artillery strikes have continued to hit military and civilian sites in Ukrainian cities. Recent strikes have targeted Kharkiv, Mykolaiv and Chernihiv, and been particularly heavy in Mariupol."

The Russian advance on Kyiv in particular has been stalled for days, and Russian forces in the southern part of the country, while enjoying more success, have also this weekend faced setbacks. Military Times reports statements by the US Department of Defense to the effect that the US has seen only “limited changes on the ground.” “Russian forces continued efforts to advance and isolate Kyiv, Kharkiv and Chernihiv across the north and east are being met with strong Ukrainian resistance,” the Pentagon said. The Wall Street Journal looks at the surprisingly mixed combat performance of the Russian army and lays much of the responsibility at the feet of Defense Minister Sergei Shoigu. He holds a general's rank in his present position, but Mr. Shoigu is a lifetime civilian, and it seems that he's overestimated the success of his efforts to modernize the Russian army and bring it to a higher level of readiness.

An essay in Foreign Policy argues that Russian forces are now following their "Syria playbook," referring to the tactics Russia used when it deployed their forces as deniable "mercenaries" or "volunteers" or "contractors" to prop up the Assad regime in Syria. Those tactics are marked by the use of heavy conventional forces against civilian targets with a view to obliterating infrastructure and punishing civilian populations. The Russian invasion has stalled in the face of stiff Ukrainian resistance and Russian operational failures; President Putin appears to have decided to redress his military failures through direct terrorism in what is the most unambiguous and one-sided case of aggression in Europe in 1939.

Ukrinform claims that Ukrainian forces have regained control of Hostomel, a Kyiv suburb. The report says that the Russian forces "did not have military badges and any identity documents, except for vaccination certificates and blank medical books." Weapons taken from the Russian personnel were redistributed to local Ukrainian defense units. Hostomel is the site of an airfield that fell early to Russian forces and was used to insert troops for the push on Kyiv.

Ukrainian refugees continue to flee the war. There's a much smaller but interesting flow of Russian refugees, too, mostly into Finland, where, Finnish news media report, trainloads and busloads of Russians are arriving, apparently seeking to exit Russia before a feared imposition of martial law.

On Saturday, Ukrainian President Zelenskyy, in what POLITICO characterizes as an "emotional" teleconference with members of the US Congress, called for more aid, a comprehensive ban on Russian oil exports, and a NATO-enforced no-fly zone over the theater of operations.

Russian influence operations fail as few support Russia's war of aggression.

"Aggression" in this case isn't mere tendentious name-calling. The UN General assembly called Russia's war "aggression" when it voted overwhelmingly to condemn it last week. But the epithet "Nazi," meant by the Kremlin to be taken literally, is mere tendentious name-calling.

The terror is, in Russian President Putin's view, the fault of Ukraine and NATO, since sanctions against Russia amount to a declaration of war. “These sanctions that are being imposed are akin to a declaration of war, but thank God it has not come to that,” Mr. Putin said (arguably blasphemously). Ukrainian actions (and not, as one might think, the full-scale and unrestrained Russian invasion) have called Ukraine's continued existence as a state into question. “The current leadership," that is, Ukraine's government, "needs to understand that if they continue doing what they are doing, they risk the future of Ukrainian statehood,” Mr. Putin said. The "de-militarization and de-nazification" of Ukraine remain Russia's non-negotiable war aims. In a call with Turkey's President Erdogan, President Putin said that suspension of hostilities would only be possible "if Kyiv stops military operations and carries out well-known Russian demands." Russia would negotiate, Mr. Putin said, but it would not stand for protracted negotiations designed simply to draw the fighting out.

The Daily Beast has an account of how the Russian line is playing out over state media. Essentially, "Nazi" has become a very expansive and inclusive term. NATO? Nazis. The EU? Nazis. The German government? Nazis. The US? Both Republicans and Democrats are Nazis. And so on. The war is a defensive one, forced on Russia by "NATO's [Nazi] fist."

Russia boycotted today's opening session of the International Court of Justice (ICJ) in the Hague, Reuters reports. The ICJ is holding an inquiry into Ukraine's claim that Russia is illegally using international law against genocide to justify its war against Ukraine. The Telegraph outlines six Russian actions that arguably qualify as war crimes: the aggression itself, the deliberate targeting of civilians, use of prohibited munitions, against protected places (like hospitals), the firing on the Zaporizhzhia nuclear power plant (because of the possibility of indiscriminate effects), and, on the local, tactical level, widespread alleged sexual assault.

Demonstrations around the world this Sunday ran strongly against Russia, the Washington Post reports, with governments disputing Russian government propaganda in social media. The Russian embassy in South Africa, claiming to see a surge in public support that's been invisible to everyone else, tweeted, "Dear subscribers, we have received a great number of letters of solidarity from South Africans, both individuals and organizations. We appreciate your support and glad you decided to stand with us today, when Russia, like 80 years ago, is fighting Nazism in Ukraine!" The first response in the Twitter thread came from Germany's embassy in South Africa, which was direct and uncompromising: "Sorry, but we can't stay silent on this one, it's just far too cynical. What [Russia] is doing in [Ukraine] is slaughtering innocent children, women and men for its own gain. It's definitely not 'fighting Nazism'. Shame on anyone who's falling for this. (Sadly, we're kinda experts on Nazism.)" Bravo, Germany.

The one front on which Russian disinformation may be enjoying some traction is the home front. The New York Times reports that Ukrainians are finding that some of their Russian relatives are buying into the Kremlin's line that it's not really a war, but a defensive operation with fundamentally humanitarian aims. Russophone Ukrainians have not, generally speaking, greeted the Russian army as liberators and rescuers (some of the bitterest resistance has been in the largely Russian city of Kharkiv) and the Telegram believes that this reception surprised President Putin, who'd counted on the support of ethnic Russians.

Ukraine will become a "contributing participant" in NATO's CCDCOE.

The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) announced Friday that Ukraine will become a "contributing participant" in the CCDCOE. The twenty-seven members of the CCDCOE voted unanimously to extend membership, which Ukraine has accepted. Estonia's Minister of Defense made a representative comment on Ukraine's participation: “Capability and knowledge comes from experience, and Ukraine definitely has valuable experience from previous cyber-attacks to provide significant value to the NATO CCDCOE. Estonia as a Host Nation of the CCDCOE has been a long-term partner for Ukraine in enhancing its cyber security capacity and cyber resilience and we welcome the decision of the members of CCDCOE agreeing to Ukraine’s membership." (The CCDCOE is hosted in Estonia.)

Participation in the CCDCOE isn't necessarily restricted to NATO members—Austria, Finland, and Ireland are members who don't belong to the Atlantic Alliance—and participation doesn't constitute NATO membership.

Ukrainian cyberattacks, and the marshaling of hacktivists.

Distributed denial-of-service (DDoS) attacks, relatively easy to mount, lend themselves to the sort of hacktivism that's surged with sympathy for Ukraine. BleepingComputer reports that Russia's National Coordination Center for Computer Incidents (NKTsKI), a service established by the FSB, has distributed a list of 17,576 IP addresses said to be used in the DDoS campaign and a second list of referring domains involved in the operation. The NKTsKI also recommended measures organizations should take to defend themselves.

The volunteer hacker army that Ukraine has sought to rally, and succeeded in rallying, to its cause have been given some targeting instructions. They've been told, Reuters reports, to hit Belarusian railroads and the GLONASS positioning system. The volunteers are said, according to official Kyiv, to be principally tasked with collecting intelligence, and aren't supposed to pursue non-military targets. Thus stated Ukrainian policy is to have its volunteer IT Army operate under real operational control.

Tight control over a quickly assembled and protean volunteer corps may be difficult to achieve in practice. “We are really a swarm. A self-organizing swarm,” AP (via SecurityWeek) quotes Roman Zakharov, described as "a 37-year-old IT executive at the center of Ukraine’s bootstrap digital army." And some inducements seem likely to goad the swarm in unpredictable directions. The Record reports that "Cyber Unit Technologies, a Kyiv-based cybersecurity firm, has been particularly outspoken — on Tuesday, the company started a campaign to reward hackers for taking down Russian websites and pledged an initial $100,000 to the program."

Concerns about control aren't trivial. The responsibility to exert control over an armed force is a central concept in the law of armed conflict. While international law governing the cyber phases of a hybrid war remains largely unformed, there are analogies with armed conflict that ought to give one pause. To whom do the hackers answer? When peace is negotiated, will they cease virtual fire? What about the familiar difficulty of attribution of cyber activity?

In some respects the hacktivist enthusiasm represents, WIRED says, "pandemonium." The New York Times, while reporting that Ukraine has been deliberate and intentional in its recruitment of hackers, quotes Matt Olney, director of threat intelligence at Cisco Talos: “It is crazy, it is bonkers, it is unprecedented. This is not going to be solely a conflict among nations. There are going to be participants that are not under the strict control of any government.”

Much of the hacktivist activity so far has involved website defacements and DDoS attacks. The DDoS attacks have raised more questions among observers. Security firm Avast, no crew of Russian stooges, and very alive to the iniquity of Russia's war (they've released a decryptor for HermeticRansom, used in the early stages of that war), nonetheless cautions that freelancing DDoS can be a dangerous game. For one thing, it's worth remembering that even in a war, there's such a thing as an illegal combatant. Avast offers four reasons to think twice before casually signing on to a DDoS operation:

  • "Performing DDoS attacks is illegal. 
  • "Ensuring your security while using such tools is difficult to achieve, and by participating in these actions, you risk your privacy. 
  • "By using these tools, you could cause counterproductive collateral damage, especially if you don’t understand what you’re doing by using them. 
  • "Historically, similar tools have been abused by various actors who piggybacked on their popularity and started distributing their own variants including malware."

Russian cyberattacks.

Russian cyberattacks have been more muted since the outbreak of President Putin's war against Ukraine, but they haven't been absent. Ukraine's State Service of Special Communications and Information Protection (SSSCIP) tweeted Saturday, "Russian hackers keep on attacking Ukrainian information resources nonstop. Since the beginning of invasion, DDos attacks have been primarily aimed at the resources of Verkhovna Rada, Cabinet of Ministers, President of Ukraine, Defense Ministry and Internal Affairs Ministry." The distributed denial-of-service attacks are said to have been contained; the other effects are said to have been limited to some webpage defacements. The SSSCIP summarized the results of the attacks: "The most powerful attacks exceeded 100 Gbps at their peak. Despite all the involved enemy’s resources, the sites of the central governmental bodies are available. The only thing the occupants managed to do was to substitute the front pages at the sites of some local authorities."

More serious than DDoS and defacement is GPS interference. Satellite firm Hawkeye 360 has observed GPS interference in the Donbas region which it tentatively attributes to Russian jamming, Space News reports.

This morning the UK's Ministry of Defence tweeted an assessment of Russia's operations, highlighting their effects on communications. "Russia is probably targeting Ukraine’s communications infrastructure in order to reduce Ukrainian citizens’ access to reliable news and information. Russia reportedly struck a TV tower in Kharkiv yesterday, suspending broadcasting output. This follows a similar strike on a TV tower in Kyiv on 01 March 2022. Ukrainian internet access is also highly likely being disrupted as a result of collateral damage from Russian strikes on infrastructure. Over the past week, internet outages have been reported in Mariupol, Sumy, Kyiv and Kharkiv." Ukrainian President Zelenskyy tweeted Saturday that SpaceX was sending more Starlink terminals to his country: "Talked to @elonmusk. I’m grateful to him for supporting Ukraine with words and deeds. Next week we will receive another batch of Starlink systems for destroyed cities. Discussed possible space projects. But I’ll talk about this after the war." The first deliveries of Starlink terminals arrived on February 28th, accompanied by warnings that Russia had the capability of locating and targeting satellite uplinks.

This activity apart, Russian cyber offensive operations have thus far had a negligible effect on either the war or on international support of Ukraine, particularly as that support has been manifested in sanctions. Defense Daily, Government Technology, and the Hill all reiterate warnings that organizations should remain on their guard against Russian cyberattacks. These warnings are mostly matters of a priori possibility, based on an assessment of Russian capabilities as opposed to specific indicators and warnings. The Hill on Saturday published an appreciation of why a general cyber campaign against Western supporters of Ukraine has so far not materialized. As much as sanctions have hurt Russia, Moscow's risk-and-reward calculus so far indicates that it may have more to lose than to gain from an escalation in cyberspace. InfoRisk Today late last week offered an inventory of various explanations for Russia's relative restraint. They include such disparate assessments as operational incapacity, a decision to hold cyber capabilities in reserve, a desire to avoid escalation, and (the least plausible, in our view) simple unreadiness.

One section of Ukraine's infrastructure Russia seems to be leaving intact is the country's cellular system. POLITICO suggests three reasons this has been so: first, Russia may by monitoring those networks for intelligence collection, second, Russian forces are themselves using cell phones for communications, and, third, they're looking ahead to an occupation, during which such networks will be important to the occupiers.

Lessons from the Conti leaks.

KTVH reports that hackers are split over the war. But the division seems pretty clear cut: If Kyiv has the hacktivists. then Moscow has the hoods. The hoods are probably a lot more biddable than are the hacktivists, so in terms of control of a tractable asset, advantage Moscow.

Brian Krebs has been poring over the leaked chatter from the Conti ransomware gang, a criminal enterprise that moonlights as a Kremlin goon shop, such being the cost of running a cyber gang out of Russia. He's so far divided them into three thematic groups: Evasion, The Office, and Weaponry. The chat logs show that Conti indeed suffered disruption when the US NSA and FBI took action against the gang's infrastructure, that Conti turned to a target list of US healthcare organizations as it reestablished itself, and that the gang was confident it wouldn't be interfered with by Russian authorities. (Russian authorities, for reasons that remain unclear, were more interested in Conti's rival REvil.)

The chats also show that Conti operated like a business. It has (or had) the equivalent of an HR department supporting functional groups that fall out roughly as follows:

  • "Coders: Programmers hired to write malicious code, integrate disparate technologies
  • "Testers: Workers in charge of testing Conti malware against security tools and obfuscating it
  • "Administrators: Workers tasked with setting up, tearing down servers, other attack infrastructure
  • "Reverse Engineers: Those who can disassemble computer code, study it, find vulnerabilities or weaknesses
  • "Penetration Testers/Hackers: Those on the front lines battling against corporate security teams to steal data, and plant ransomware."

The gang faces many of the problems any badly run business faces. Krebs describes what he sees in the logs:

"Like countless other organizations, Conti made its payroll on the 1st and 15th of each month, albeit in the form of Bitcoin deposits. Most employees were paid $1,000 to $2,000 monthly.

"However, many employees used the Conti chat room to vent about working days on end without sleep or breaks, while upper managers ignored their repeated requests for time off.

"Indeed, the logs indicate that Conti struggled to maintain a steady number of programmers, testers and administrators in the face of mostly grueling and repetitive work that didn’t pay very well (particularly in relation to the earnings of the group’s top leadership). What’s more, some of the group’s top members were openly being approached to work for competing ransomware organizations, and the overall morale of the group seemed to fluctuate between paydays.

"Perhaps unsurprisingly, the turnover, attrition and burnout rate was quite high for low-level Conti employees, meaning the group was forced to constantly recruit new talent."

For all of these problems, Conti has been good at identifying and attacking victims. And, not suffering from the romantic confusion of cost with value that can seize so many non-criminal operations, It's also realized the value of open-source intelligence, and is willing to pay for the use of legitimate commercial business intelligence tools:

"Conti budgeted heavily for what it called 'OSINT,' or open-source intelligence tools. For example, it subscribed to numerous services that can help determine who or what is behind a specific Internet Protocol (IP) address, or whether a given IP is tied to a known virtual private networking (VPN) service. On an average day, Conti had access to tens of thousands of hacked PCs, and these services helped the gang focus solely on infected systems thought to be situated within large corporate networks.

"Conti’s OSINT activities also involved abusing commercial services that could help the group gain the upper hand in ransom negotiations with victims. Conti often set its ransom demands as a percentage of a victim’s annual revenues, and the gang was known to harass board members of and investors in companies that refused to engage or negotiate."

Aaron Sandeen, CEO of Cyber Security Works, thinks that recognizing Conti as a malign business, and understanding its techniques, will prove useful to defenders. He wrote, in an email:

“What’s fascinating about these leaked chats is that they seem to be struggling with the same challenges (turnover, attrition) that any other legitimate company would. I am not surprised that they could find new targets and victims quickly. Most organizations still do not prioritize cyber hygiene, and they do end becoming victims of ransomware gangs like Conti. 

"Knowing your opponent is vital to secure your defenses. For instance, Conti uses 17 vulnerabilities that exist in products such as Microsoft, Adobe, Apache log4J to launch their attacks. They were quick to weaponize Log4J vulnerabilities even as organizations around the world scrambled to patch their digital environment.

"It is possible that these leaks could cause Conti to temporarily disappear then reemerge as a new group. Ryuk disappeared after successfully targeting 67.3 million targets in 2020. There have been persistent rumors that they rebranded themselves as Conti. Ransomware as a Service (RaaS) is becoming a mature SaaS commodity with every passing day, and they are going after targets pretty much the same way a sales team goes after their leads.”

And their sales team is always made up of the widest of wide boys.