Ukraine at D+92: Artillery, DDoS, and remittances in a hybrid war.
May 27, 2022

Fighting in the Donbas becomes an artillery duel as Russia reconstitutes its armored forces with obsolescent tank stocks. DDoS continues to be the principal mode of hacktivists acting in the Russian interest. And sanctions are having the side effect of inhibiting ransomware gangs.

This morning's situation report from the UK's Ministry of Defence (MoD) focuses on Russian operations in the Donbas, and on the equipment being used to reconstitute the Russian army's losses. "Russian ground forces continue their attempt to surround Severodonetsk and Lyschansk, recently capturing several villages north-west of Popasna. Russia is pressuring the Severodonetsk pocket although Ukraine retains control of multiple defended sectors, denying Russia full control of the Donbas. Russia’s Southern Grouping of Forces (SGF) likely remains tasked with occupying southern Ukrainian territory. In recent days, Russia has likely moved 50-year-old T-62 tanks from deep storage into the SGF’s area of responsibility. The T-62s will almost certainly be particularly vulnerable to anti-tank weapons and their presence on the battlefield highlights Russia's shortage of modern, combat-ready equipment."

Civilian casualties continue to run high in Ukraine. UN investigators have confirmed a total of civilian dead in excess of 4000, Al Jazeera reports, but believe the actual losses are much higher. The fighting in the Donbas has developed, as foreseen (see Task & Purpose for an account), into an artillery match as Russian forces continue to have difficulties with maneuver and as Ukrainian forces deploy the 155 mm cannons and associated counterbattery radar received from Western armies.

Pro-Russian DDoS attacks.

Imperva offers a timeline of distributed denial-of-service (DDoS) attacks conducted in the Russian interest by nominally hacktivist organizations. Killnet is the most notable of those groups. Imperva's timeline shows Killnet's development:

  • "23 January 2022 – KILLNET emerged as a pro-Russian hacker group.
  • "25 February 2022 – created a post on their Telegram titled ‘ANONYMOUS, YOUR TIME IS UP!’ in response to pro-Ukrainian hacktivist elements.
  • "28 February 2022 – the group created a ‘call to arms’ post addressing hackers in the ‘Russian Federation and the CIS countries’.
  • "Also February 2022 – the group shared a link to the Telegram group of Cyber Army of Russia encouraging KILLNET followers to subscribe to the channel to see KILLNET attacks.
  • "Date unknown – Announced partnership with XakNet – indicating several pro-Russian hacktivist elements have joined forces to conduct cyber warfare operations against Ukraine and its allies. Attacks have included multiple cyber attacks against pro-Ukrainian targets including a US airport and several Ukrainian government entities.
  • "20 April 2022 – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed KILLNET as one of several pro-Russia cybercrime groups which could pose a threat to critical infrastructure organizations."

Killnet's targeting has been varied, but its activities haven't risen above a nuisance level. DDoS is easy to attempt, but it's proving difficult to conduct with significant effect. For all that, Microsoft cautions, in an NPR interview, not to dismiss the cyber phases of Russia's hybrid war as inconsequential: there has been no shortage of attempted disruption of Ukrainian networks since shortly before the Russian invasion began.

Sanctions and their effect on ransomware.

Ransomware operations appear to be on the way to becoming collateral damage in the sanctions that have been imposed on Russia. CPO Magazine, citing recent remarks by NSA cyber security director Rob Joyce, describes the ways in which controls on bank transfers and other remittance mechanisms have inhibited payments to ransomware gangs. "Ransom payments are more difficult to process due to lack of access to assorted banking options, and inability to purchase necessary technology to set up the infrastructure for new ransomware campaigns." Collateral damage in this case may be wayward as a description of what's going on, since the effect, while not directly intended, isn't unwelcome, either. Call it a side benefit; call it gravy.