Preparing for multidomain operations in the gray zone.
Jan 19, 2022

Last week's cyberattacks against Ukrainian targets deployed, as Microsoft said Saturday, a destructive wiper that represented itself as ransomware. Many observers view the incident as Russian battlespace preparation.

Ukraine has confirmed, according to the Washington Post, that last week's WhisperGate cyberattacks were indeed destructive, and represented neither the hacktivist defacements nor the ransomware crimes they misrepresented themselves as. Ukraine's State Service of Special Communications and Information Protection said, "Thus with a high probability it can be argued that the defacement of the websites of the attacked government agencies and the destruction of data using a wiper are components of one cyber attack aimed at as much damage as possible to the infrastructure of state electronic resources." Ukraine is calling the campaign #BleedingBear and attributed it to Russia.

The selection of ransomware as cover for the attacks is unsurprising. Ransomware is not only a commonplace criminal activity, but it can also be, as CyberScoop observes, highly disruptive. The pretense of ransomware is useful for misdirection and for concealing an incipient cyberattack, and the tools used by ransomware gangs are readily repurposed for espionage and sabotage.

Governments respond to the prospect of further cyberattacks like those that hit Ukraine last week.

Serhii Demediuk, Deputy Secretary of Ukraine’s National Security and Defense Council, described the steps Kyiv is taking to protect the country from further cyberattack in an interview with the Record. Ukraine's CERT, for one thing, is coordinating closely with the US Cybersecurity and Infrastructure Security Agency (CISA).

For its part CISA yesterday published advice on how organizations can protect themselves against cyberattacks of the kind Ukraine sustained last week. The advisory is designed to help:

  • "Reduce the likelihood of a damaging cyber intrusion, 
  • "Detect a potential intrusion, 
  • "Ensure the organization is prepared to respond if an intrusion occurs, and 
  • "Maximize the organization’s resilience to a destructive cyber incident."

The structure of the advice is thus familiar: reduce the likelihood of intrusion, prepare to quickly identify an intrusion, prepare to respond to an intrusion, and, finally, increase organizational resilience.

Poland has also raised its level of cyber alert, Reuters reports.

Diplomacy during the deployments.

US Secretary of State Antony Blinken is the most recent NATO foreign minister to visit Ukraine. He arrived in Kyiv today, Reuters reports, and will then travel to Berlin for talks with his German counterparts before arriving in Geneva for talks with Russian Foreign Minister Lavrov.

NATO General Secretary Stoltenberg has called for further talks with Russia, saying, as quoted by Al Jazeera, "The risk of a conflict is real," and that the Atlantic Alliance seeks "progress on the political way forward." Russian Foreign Minister Lavrov says he wants answers to Russia's soft ultimatum before holding any further talks: "We are now awaiting responses to these proposals – as we were promised – in order to continue negotiations."

The US and NATO are in Russia's (minority) view the aggressors, as Mr. Lavrov said Friday. “We have run out of patience. The West has been driven by hubris and has exacerbated tensions in violation of its obligations and common sense.” To review, the "proposals" Foreign Minister Lavrov wants an answer to by tomorrow are these, as outlined by Russia Matters:

  • "Demand No. 1: No more NATO expansion eastward, especially to Ukraine and Georgia;
  • "Demand No. 2: NATO withdraws military infrastructure placed in Eastern European states after 1997; and
  • "Demand No. 3: U.S./NATO deploy no strike systems in Europe, such as intermediate- and short-range missiles, that would be capable of striking targets in Russia."

"Infrastructure" is vague, but it would presumably include installations, transportation nodes, C4ISR facilities, and probably headquarters. 1997 is a significant year, since NATO's expansion into the former Warsaw Pact and the Near Abroad began in 1999, when Hungary, Poland, and the Czech Republic joined. Bulgaria, Estonia, Latvia, Lithuania, Romania, Slovakia, and Slovenia were extended membership in 2004, Albania and Croatia in 2009, Montenegro in 2017, and North Macedonia in 2020.

It's worth noting that the Alliance's premier cybersecurity organization is located in a former Soviet Republic. NATO's Cooperative Cyber Defence Centre of Excellence, the well-known and multinational CCDCoE, is headquartered in Tallinn, Estonia, where it's staffed and financed by Austria, Belgium, Bulgaria, Canada, Croatia, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Montenegro, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, South Korea, Spain, Sweden, Switzerland, Turkey, the United Kingdom, and the United States.

The Washington Post notes that the US has already said that the first Russian demand, no admission of Ukraine or Georgia to NATO, is unacceptable. Thus it seems unlikely that either Brussels or Washington will give Mr. Lavrov the sort of answer he seems to be hoping for, but that may not be the point if Russian policy is more interested in pretext and provocation than it is in diplomacy. The US has been delivering $200 million in military aid to Ukraine since mid-December of 2021, the Military Times reports. The US views Russian troop deployments as giving Moscow the ability to attack on short notice.