Assessing capabilities and intentions in Russia's hybrid war against Ukraine.
Cyberthreats and the threat of sanctions over Ukraine
Russian cyberattacks continue to afflict targets in Ukraine even as Russian conventional forces remain poised in assembly areas. US Secretary of Defense Austin and Chairman of the Joint Chiefs of Staff Milley said late last week that, while intentions remained "opaque," Russia's capabilities were up to a damaging invasion of Ukraine. “Given the type of forces that are arrayed, the ground maneuver forces, the artillery, the ballistic missiles, the air forces, all of it packaged together, if that was unleashed on Ukraine, it would be significant… and it would result in a significant amount of casualties,” Breaking Defense quotes Milley as saying. “And you can imagine what that might look like in dense urban areas, all along roads, and so on and so forth. It would be horrific.” The widely quoted "more than 100,000" figure for deployed Russian troop strength includes, it should be noted, naval, air, and logistics troops as well as ground forces. "Horrific" is fair enough, but it's unclear that the troops staged so far would be sufficient for the conquest and subjugation of all of Ukraine that some are foreseeing, as opposed to destructively punitive short-term operations in border regions.
Short-term prospects for diplomacy.
It's a military truism that prudent planning should be based on the opposition's capabilities, and not its presumed intentions, since intentions are reckoned harder to discern and easier to mistake than are capabilities. But realistically intentions have to be read and addressed in planning, since it's usually impossible to effectively address every possible operation that falls within the range of an adversary's capabilities. Germany's BND thinks that Russia hasn't yet made a decision to begin a full-fledged invasion. "I believe that the decision to attack has not yet been made," Reuters quotes the BND's head, Bruno Kahl, as saying. He added that "The crisis can develop in thousands of ways." Kahl holds out some hope for a diplomatic reduction in tension, as do other observers cited by Defense One.
The United Nations Security Council is meeting today to discuss Russia's actions against Ukraine, the Washington Post reports. China voted with Russia against the meeting, but the US proposal to meet passed nonetheless. The US, the AP writes, fully intends to put Russia on the defensive during the sessions. Russia is of course unhappy that the meeting's being called at all. Moscow's deputy UN ambassador Dmitry Polyansky tweeted a response: “I can’t recall another occasion when a SC (Security Council) member proposed to discuss its own baseless allegations and assumptions as a threat to intl (international) order from someone else. Hopefully fellow UNSC members will not support this clear PR stunt shameful for the reputation of UN Security Council.”
Bilateral diplomacy also continues. According to Bloomberg, US Secretary of State Blinken and Russian Foreign Minister Lavrov plan a phone call over the crisis tomorrow.
Cyberthreats and Ukraine's cyber readiness.
On Friday CrowdStrike released its analysis of the probable course of Russian cyber action against Ukraine. They attribute most of the activity against Ukrainian targets to Voodoo Bear, a unit operating under the direction of Russia’s GRU military intelligence service. Voodoo Bear has a long history of servicing Ukrainian targets that goes back to 2014, the year Russia seized and annexed Ukraine’s Crimean region. The recent information operations in the campaign CrowdStrike calls WhisperedDebate are assessed as preparation. Should the conflict escalate, CrowdStrike expects Voodoo Bear to step up destructive wiper attacks.
Russian services other than the GRU appear to have been active in cyberspace as well. Researchers at Symantec ascribe recent attacks to the threat group they track as Shuckworm, otherwise known as Primitive Bear, Armageddon, or, most commonly, Gamaredon:
"Active since at least 2013, Shuckworm specializes in cyber-espionage campaigns mainly against entities in Ukraine. The group is known to use phishing emails to distribute either freely available remote access tools, including Remote Manipulator System (RMS) and UltraVNC, or customized malware called Pterodo/Pteranodon to targets. A recent report published by The Security Service of Ukraine (SSU) noted that Shuckworm’s attacks have grown in sophistication in recent times, with attackers now using living-off-the-land tools to steal credentials and move laterally on victim networks. Recent activity seen by Symantec is consistent with that documented by SSU."
Ukraine's SSU security service this past November connected the group to Russia's FSB, and the group certainly has a record of carrying out operations in the furtherance of Russian interests. At the time the SSU described the group (their preferred name for it is "Armageddon") as follows:
"The ARMAGEDON hacker group is an FSB special project, which specifically targeted Ukraine. This ‘line of work’ is coordinated by the FSB’s 18th Center (Information Security Center) based in Moscow.
"Since the Russian aggression in 2014 [Russia's invasion and annexation of Ukraine's Crimean territory], this unit has carried out over 5,000 cyber attacks and attempted to infect over 1,500 government computer systems. The attackers’ goals were:
- "control over critical infrastructure facilities (power plants, heat and water supply systems);
- "theft and collection of intelligence, including information with restricted access (related to security and defence sector, government agencies);
- "informational and psychological influence;
- "blocking information systems."
And this seems a fair representation of the ongoing activity against Ukraine. The SSU also published at the time a technical summary of the techniques the FSB was using in what even then the SSU characterized as Russia's "hybrid war" against Ukraine. (It's worth recalling that low-level kinetic combat and cyber operations have been in progress since 2014.)
In other respects, as Cisco Talos noted last year, Gamaredon has been an odd duck among APTs, making heavy use of commodity tools and operating in a relatively noisy manner. It's also shown some signs of working as either a contractor or an APT side-hustle.
Looking forward at the possible escalation of the conflict, POLITICO thinks that Russian operators would be unlikely to show the discrimination in targeting they've so far exhibited, and that there's no reason to believe that the effects of destructive cyberattacks would be confined within the borders of Ukraine. The Czech Republic has joined the UK, Canada, and the US in warning of the likelihood of Russian cyberattacks. The Expat says that on Friday the Czech National Cyber and Information Security Agency warned that "Attacks could constitute cyber spying operations orchestrated by foreign powers or attacks to harvest Czech data. The agency called attention to 19 possible modes of attack, and 14 frequently neglected vulnerabilities."
NATO has provided Ukraine with cybersecurity assistance, but it would be difficult for Kyiv to withstand any greatly intensified Russian cyber campaign, the Record argues. Effective defenses would involve building the sort of whole-of-nation system that remains a work in progress in most countries (including the US).
Influence operations show mixed success.
Russian disinformation in the service of influence operations designed to fissure Ukrainian society continues, and the Atlantic Council’s Digital Forensic Research Lab (DFRLab) has done a commendable job in tracking some of its characteristic themes. Those themes exhibit some of the typical inconsistencies that have long marked Russian influence campaigns. For example, on the one hand NATO's provision of weapons, notably anti-armor rockets, to Ukraine is an intolerable provocation and amounts to placing a dagger in the hands of Kyiv, which intends aggression against at the very least Russophone populations if not Russia itself. But on the other hand the weapons are junk, and can't hit the broad side of a barn (or "even an old Soviet tank").
On a large scale these efforts seem to have fallen short of their mark, with pro-Russian sentiment sharply down in the large, predominantly Russian-speaking city of Kharkiv, close to Ukraine's eastern border with Russia. Both the Wall Street Journal and the Washington Post report that the ongoing pressure on Ukraine seems to have increased national unity even in those regions that had shown some ethnic and linguistic affinity with Russia.
For all China's comments at the UN on the importance of quiet diplomacy in seeking a peaceful reduction of tension, Chinese social media operators, Beijing's "Wolf Warriors," have been taking opportunistic advantage of the crisis, trolling the US and the EU, Foreign Policy reports.
Sanctions under preparation.
Both the US and the UK are preparing new sanctions against Russia should it not pull back from its threatening posture with respect to Ukraine, Bloomberg reports. The most serious sanctions would be reserved as a response to an invasion. This round of sanctions will in all likelihood be designed to have a strong effect on individuals. British Foreign Secretary Liz Truss told the BBC that, “We’re going to be introducing new legislation so that we can hit targets including those who are key to the Kremlin’s continuation and the continuation of the Russian regime. There will be severe costs on an invasion into Ukraine. And we would target Russian financial institutions, we would target energy companies, we will target oligarchs close to the Kremlin.”
In the US a bill introduced in the Senate is consistent with earlier Administration statements on sanctions. According to the Wall Street Journal, "The legislation under negotiation among members of the Senate Foreign Relations Committee and others would target major Russian banks, hit Russians’ savings and pensions and limit the market for Russia’s sovereign debt, among other elements, Chairman Sen. Bob Menendez (D., N.J.) said Sunday."