Ukraine at D+175: Rear-area threats, and an overview of Russian cyber ops.
N2K logoAug 18, 2022

Ukraine continues to demonstrate the ability to strike Russian rear areas, and Russia resumes the shelling of civilian residential areas. Wiper malware and cyberespionage as defining aspects of Russia's cyber campaign.

Ukraine at D+175: Rear-area threats, and an overview of Russian cyber ops.

Russian forces have resumed indiscriminate shelling of residential areas, most recently in Kharkiv, a largely Russophone city where, contrary to Moscow's prewar expectations, the invaders met a hostile population and strong local resistance. At least six died in the attacks, which Kyiv called "cynical." Al Jazeera has an account of yesterday's shelling; the Telegraph reports that firing has continued into today.

Shelling also continues around the nuclear plant at Zaporizhzhia. A correspondent for the Economist tweeted a clip of a Russian public affairs officer warning, with suspicious specificity, that "Ukraine is planning a 'false flag provocation' in Zaporizhzhia (Enerhodar) power station for Aug 19. 'Russia will be blamed for the man-made catastrophe,' he warns." One hopes this isn't a preemptive attempt at deflecting blame for a nuclear disaster away from Russia.

Ukraine's recently demonstrated ability to strike deep into Russian rear areas, especially in the occupied Crimea, seems to have motivated a shake-up in Russian command. Reuters reports that Vice-Admiral Viktor Sokolov has replaced Admiral Igor Ositpov in command of the Black Sea Fleet. The reports of the apparent sacking and replacement originate with the Russian media outlet RIA Novosti, but, according to Newsweek, other Russian sources have dismissed the news as rumor and gossip. The Moscow Times is running with the news, but the story is developing.

Long-range attacks have been delivered by both Ukrainian special forces and US-supplied HIMARS rocket artillery. These are not the only threats Russian forces face behind their lines, however. The New York Times has an account of widespread partisan activity in the occupied regions.

A sign of failure to enforce low-level battle discipline.

Russian armor has sustained heavy losses during the war, and the UK's Ministry of Defence argues, in today's situation report, that failure to make proper use of reactive armor is partially responsible. "The heavy attrition of Russian Main Battle Tanks in Ukraine is highly likely partially due to Russia’s failure to fit and properly employ adequate Explosive Reactive Armour (ERA). Used correctly, ERA degrades the effectiveness of incoming projectiles before they hit the tank. This suggests that Russian forces have not rectified a culture of poor ERA use, which dates back to the First Chechen War in 1994. It is highly likely that many Russian tank crews lack the training to maintain ERA, leading to either poor fitting of the explosive elements, or it being left off entirely. These deficiencies probably contribute to the widespread incidents of turret ejection, which are well documented in eye-witness videos from Ukraine. The war has seen numerous failures by Russian commanders to enforce low-level battle discipline – such as the use of ERA. The cumulative effect of these failures is likely a significant factor behind the poor performance of Russia’s forces."

Wipers as a tool in hybrid war.

VentureBeat yesterday summarized expert opinion on the way in which wipers in particular have emerged as a disturbing class of malware during Russia's war against Ukraine. One of their sources, Fortinet's Global Threat Landscape Report for the first half of 2022 explained how this had come to be so, describing wiper attacks as a distinctive feature of Russian hybrid warfare. "Security researchers believe—but have not always been able to attribute with confidence—that groups aligned with Russian military goals were behind many of the wiper attacks in Ukraine during the first half of 2022," the researchers write, and then go on to inventory some of the malware used in the attacks:

"One example is CaddyWiper, a variant used to wipe data and partition information from drives on systems belonging to a limited number of Ukrainian organizations soon after the war began. Other examples include WhisperGate, a wiper that Microsoft discovered being used in attacks against Ukrainian entities in January 2022; HermeticWiper, a tool for triggering boot failures that SentinelLabs found being used in similar attacks; and IsaacWiper, a malware tool for overwriting data in disk drives as well as attached storage to make them inoperable. The three other wipers we observed in the first half of 2022 targeting Ukrainian companies and infrastructure were WhisperKill, DoubleZero, and AcidRain."

The wiper attacks were not as discriminating as one would wish a proper weapon to be, their effects spilling over into countries other than Ukraine, the intended target. AcidRain was particularly unconstrained. Wipers have been seen before, and Fortinet says that security teams can expect to see them again. "The attacks in Ukraine have shown how this malware can be used to degrade and disrupt critical infrastructure capabilities and services to support broader kinetic warfare goals. But that is not the only threat. Shamoon showed how wipers can be used as weapons of cyber sabotage, and other variants, such as NotPetya and GermanWiper from 2017, showed how adversaries can use wipers as fake ransomware to try and extort money from victims."

{{nativeAd ads.dbSponsors.db3}}

A scorecard for Russian cyber ops during the special military operation.

Trustwave's SpiderLabs this morning offered an overview of Russian offensive cyber operations so far in the war against Ukraine. They associate distinct threat actors with the three principal Russian security and intelligence organs: the SVR foreign intelligence service and the FSB security service (both daughter organizations of the old Soviet KGB) and the GRU military intelligence service. The associations the researchers track are as follows:

  • "APT28, also known as Cozy Bear or The Dukes, has ties to the Russian Foreign Intelligence Service (SVR).
  • "APT29, also known as Fancy Bear or Sofacy, was traced to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Former GRU) Unit 26165.
  • "SANDWORM, also known as Black Energy, was tied to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (Former GRU) Unit 74455.
  • "DRAGONFLY, also known as Energetic Bear or Crouching Yeti, was identified as the Russian Federal Security Service (FSB) Unit 71330.
  • "GAMAREDON, also known as Primitive Bear or Armageddon, traced to the Russian Federal Security Service (FSB) in November 2021. The Security Service of Ukraine (SSU) successfully identified individuals behind Gamaredon confirming their ties with FSB."

The study divides Russian cyber operations into two broad categories, distinguished by their objectives. Some aim at destruction (in the present war usually destruction of data and IT capabilities) while others aim at collection, espionage. The destructive attacks began as hostilities opened on February 24th, 2022, and continued into early April. They've since abated: "Destructive attacks are meant to destroy the data and render targeted systems inoperable. According to Viasat, on February 24, the day the war started, cyberattacks against Viasat’s KA-SAT network impacted several thousand customers in Ukraine and tens of thousands across Europe. Reuters reported over 5,800 Enercon wind turbines in Germany were affected by this attack. As published by SSSCIP, on April 8, the Sandworm group attacked a Ukrainian energy provider. Fortunately, due to a timely response, only part of the IT infrastructure was affected, and significant power outages were prevented."

Cyberespionage began to intensify about a week into the war and has continued through the present. Interestingly, some of the cyberespionage has been conducted by privateers, criminal gangs operating in the interest of the Russian state: "Espionage attacks are designed to establish a foothold and exfiltrate data from targeted systems. Malware used in  the attacks usually provides attackers backdoor access with webcam and microphone captures, keylogging, and the possibility to download and install additional components. Exfiltrated data includes operating system information, documents, pictures and stored passwords from web browsers and other software."

For many reasons--the inherent difficulties of offensive cyber, the need to integrate cyber into effective combined arms operations (and Russian forces have shown surprisingly little aptitude for combined arms operations), victory disease (overconfidence inspired by years of consequence-free privateering and espionage)--cyber operations haven't proven to be the war-winner for Russia that many feared they would. But that said, there are many reasons to expect cyber to remain a principal military tool in future conflicts. SpiderLabs outlines them. "Without a doubt, sophisticated cyber weapons are key tools in the arsenal of a modern military, and the amount of global cyberwarfare will likely increase in the future.

  • "First, with the constantly growing number of devices connected to the network, the attack surface is becoming massive, increasing the potential use cases for cyberwarfare. 
  • "Second, cyberwarfare is not bound by the territorial constraints of conventional warfare, offering the chance to infiltrate and damage targets far behind the frontlines. 
  • "Finally, compared to traditional warfare, cyberwarfare is invisible to the naked eye, does not risk lives on the side of the aggressor, and is cost effective."