Ukraine at D+146: Kinetic attrition and cyberespionage.
Jul 20, 2022

A stalled Russian offensive, but mass, indiscriminate fires continue unabated. Observers offer a range of possible explanations for why Russian cyber operations have remained relatively limited in scope. And, while their kinetic effect may have been negligible, Russian threat actors remain active in cyberespionage.


"A terrible throwback to attrition warfare."

The UK Ministry of Defence situation report this morning finds the lines in the Donbas static. "Russia continues to make minimal gains in its Donbas offensive, with Ukrainian forces holding the line." In the southern area of operations, Dnieper crossings are becoming a Ukrainian objective. "On 19 July 2022, the authorities in Russian-occupied Kherson reported that the Antonovskiy Bridge over the Dniepro River had been struck by Ukrainian forces. Social media posts showed apparent battle damage to the bridge’s roadway. It is highly likely that the bridge remains usable – but it is a key vulnerability for Russian Forces. It is one of only two road crossing points over the Dnieper by which Russia can supply or withdraw its forces in the territory it has occupied west of the river. This area includes the city of Kherson, which is politically and symbolically important for Russia. The lower reaches of the Dnieper present a natural barrier, with the waterway typically around 1000m wide. Control of Dnieper crossings is likely to become a key factor in the outcome of fighting in the region."

Russia's war remains static, reliant on heavy and indiscriminate artillery fire to reduce what are essentially civilian objectives. Al Jazeera notes that Russian fire continues to hit Ukrainian homes and other noncombatant targets; "a terrible throwback to attrition warfare," War on the Rocks calls the Russian approach. The Wall Street Journal quotes senior Ukrainian defense officials as crediting their own artillery, especially fires delivered by US-supplied HIMARS, with blunting the Russian offensive in the Donbas. Those fires, Ukrainian sources say, have exacerbated the characteristic Russian problems with logistics.

Russia has not moderated its goals, despite having made no significant gains since taking Lysychansk two weeks ago. Reuters quotes Dmitry Medvedev, formerly Russia's president during a brief interregnum in President Putin's formal occupation of the post and now deputy head of Russia's Security Council, to the effect that "Russia will achieve all its goals. There will be peace - on our terms." Defense One reports that the US sees Russia as following its Crimean "playbook" to annex occupied territory in the south and east.

Current Russian cyber operations.

There's been some chatter on Twitter about a resurgence in operations by the FSB's Turla group. A representative post by @billyleonard, of Google's Threat Analysis Group, opened a thread on July 8th by drawing attention to "Some recent Turla activity that @0xbadcafe1 and I looked at spoofing the Azov Regiment ... but targeting Android users."

Late yesterday Google's Threat Analysis Group (TAG) published a full report on what it has seen recently of Turla and other actors aligned with the Russian cause. Turla is indeed impersonating the Azov Regiment, and is offering malicious apps that misrepresent themselves as a kind of do-it-yourself kit patriotic Ukrainians can use to conduct DDoS attacks against Russian networks. The apps do nothing of the kind, but instead install malware on the devices to which they're downloaded. "Turla, a group publicly attributed to Russia’s Federal Security Service (FSB), recently hosted Android apps on a domain spoofing the Ukrainian Azov Regiment," TAG writes. "This is the first known instance of Turla distributing Android-related malware. The apps were not distributed through the Google Play Store, but hosted on a domain controlled by the actor and disseminated via links on third party messaging services. We believe there was no major impact on Android users and that the number of installs was minuscule."

Other Russian groups TAG mentions in dispatches include the GRU (APT28, Sandworm, or Fancy Bear) and a privateering spin-off of the possibly defunct Conti gang. These are exploiting the now-patched Follina remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool. TAG's observations confirm earlier reports by CERT-UA. "The Sandworm campaign used compromised government accounts to send links to Microsoft Office documents hosted on compromised domains, primarily targeting media organizations in Ukraine," the report says, adding, "TAG has also observed an increasing number of financially motivated actors targeting Ukraine. One recent campaign from a group tracked by CERT-UA as UAC-0098 delivered malicious documents with the Follina exploit in password-protected archives, impersonating the State Tax Service of Ukraine. We assess this actor is a former initial ransomware access broker who previously worked with the Conti ransomware group distributing the IcedID banking trojan based on overlaps in infrastructure, tools used in previous campaigns, and a unique cryptor."

Cyberespionage continues, with phishing as its principal mode of gaining access. Ghostwriter, operated by the intelligence services of Russia's ally Belarus, has continued to work against its customary targets, especially Poland, and the Russian threat group ColdRiver (also called "Callisto" but best known as Gamaredon or Primitive Bear) "continues to send credential phishing emails to targets including government and defense officials, politicians, NGOs and think tanks, and journalists." ColdRiver has also used Dropbox and Google Drive to host malicious PDFs.

Russia's cyber operations appear to focus on espionage.

Spectacular cyberattacks, works of sabotage with widespread kinetic effect, have not so far figured in Russia's war, and this defies the expectations that many observers held during the run-up to the February invasion. Russia had given ample evidence of its ability to disable infrastructure in earlier cyberattacks against portions of Ukraine's power grid, and there was no reason to expect restraint once Moscow's policy became one of full-scale, lethal aggression.

Why this has been so remains a matter of debate and speculation. An essay in War on the Rocks observes that Russian cyber operations have been largely confined to cyberespionage and influence operations, leavened by some low-grade, nuisance-level distributed denial-of-service (DDoS) attacks. Among the possible explanations for the absence of serious attacks against infrastructure are 1) effective Ukrainian cyber defense (Ukraine has learned from its experience of earlier Russian attacks, and has successfully engaged sympathetic international partners to help improve security); 2) NATO, and especially US, interference (the Record reports that US Cyber Command's General Nakasone yesterday repeated, without further detailed elaboration, his statement last month that his organization had actively "denied, degraded, and disrupted" Russian cyber and information capabilities); 3) the possibility that such denial, disruption, and degradation have induced a fourth D, deterrence; and, finally, 4) as War on the Rocks speculates, the possibility that offensive cyber operations have simply turned out to be more difficult to pull off than many had imagined.

Cyber escalation and spillover.

While cyber operations clearly have a place in hybrid war at least as prominent as traditional espionage and electronic warfare, they seem so far to have fallen short, at least in Russian hands, of their menacing promise as combat support for a shooting war. A cold war may be a different matter. An essay in Forbes outlines the role cyber operations will play should a new cold war emerge from the war in Ukraine. The arguments in the essay, by Forbes Technology Council member Matt Georgy (CTO at [redacted], and that's the company's name, including the square brackets), are short and cogent, but we would offer one demurral: the new cold war isn't emerging. It's been in progress for the better part of a decade at least.

The European Union yesterday issued a statement deploring Russia's conduct in cyberspace and the way in which its offensive activities have spilled over to countries other than Ukraine. The statement draws particular attention to the nuisance-level DDoS attacks EU member states have recently experienced: "The latest distributed denial-of-service (DDoS) attacks against several EU Member States and partners claimed by pro-Russian hacker groups are yet another example of the heightened and tense cyber threat landscape that EU and its Member States have observed. We strongly condemn this unacceptable behaviour in cyberspace and express solidarity with all countries that have fallen victim. We remain determined to address and investigate malicious cyber activities affecting international peace, security and stability, including the security of the European Union and its Member States, their democratic institutions, citizens, businesses, and civil society." The statement made a point of reminding all that the EU had condemned Russian cyberattacks against Ukraine as early as January 14th of this year, a date that seems to mark the onset of the preparation phase of Russia's hybrid war.

The Center for European Policy Analysis (CEPA) has a recommendation on a proper Western response to Russian cyber operations: refer the operations, and the threat actors behind them, to the International Criminal Court in The Hague.