Ukraine at D+174: Cyber and EW in combined arms operations.
N2K logoAug 17, 2022

Ukraine shows its long-range attack capability, and in so doing demonstrates a determination to take back territory occupied by Russia. That includes Crimea, which Russia had regarded as secure and uncontested. Nuisance-level Russian cyber action continues, but meaningful contributions in the fifth domain seem to come only when cyber is integrated with long-range fires.

Ukraine at D+174: Cyber and EW in combined arms operations.

Occupied Crimea is now disputed territory.

This morning's situation report from the UK's Ministry of Defence highlights yesterday's explosions at Russian military facilities in Crimea. "On 16 August 2022, both Russian and Ukrainian officials acknowledged that an ammunition dump had exploded near Dzhankoi in northern Crimea, where a nearby railway and electricity sub-station were also likely damaged. Russian media also reported that smoke was rising from near Gvardeyskoye Airbase in the centre of the Crimea. Dzhankoi and Gvardeyskoye are home to two of the most important Russian military airfields in Crimea. Dzhankoi is also a key road and rail junction that plays an important role in supplying Russia’s operations in southern Ukraine. The cause of these incidents and the extent of the damage is not yet clear but Russian commanders will highly likely be increasingly concerned with the apparent deterioration in security across Crimea, which functions as rear base area for the occupation."

Both Russia and Ukraine have been reticent about the incidents, but they represent in all likelihood Ukrainian strikes, and the New York Times reports that Ukrainian officials have indicated that those strikes were conducted by special operations forces. "A senior Ukrainian official, speaking on condition of anonymity to discuss Tuesday’s operation, said that an elite unit was responsible for the explosions," the Times writes, adding, "Russia’s Defense Ministry called the blasts an 'act of sabotage' — a significant acknowledgment that the war is spreading to what the Kremlin considers Russian territory." An article in Le Monde argues that the place President Putin has accorded Crimea in popular Russian culture will make it difficult for him not to deliver a large, effective, and obvious riposte to Ukrainian strikes on the peninsula, occupied by Russian invaders since 2014. Crimea is also a vital base and staging area for Russian operations along the Black Sea.

DDoS attack against Energoatom's public website.

Russian nuisance-level attacks continue against Ukrainian targets, most recently taking the form of a distributed denial-of-service (DD0S) action against the website of Energoatom, the Ukrainian state corporation that operates the country's four nuclear power plants. Energoatom described the incident, which took place Monday, as "the most powerful hacker attack since the beginning of the full-scale invasion of the Russian Federation." The corporation said the attack was mounted from "the territory of the Russian Federation" and carried out by the Russian group Narodnaya Kiberarmya, the "popular cyber army," a hacktivist front organization. Energoatom said that the attack used 7.25 million bots and lasted for about three hours. It had, the corporation said, a negligible effect on visitors to the website. Energoatom's plants include the presently occupied and besieged Zaporizhzhya nuclear facility. The DDoS had no discernable effect on operations at this or any other plant. The immediate risk to Zaporizhzhya is shellfire, not DDoS.

A criminal group aligned with Russian interests.

eSentire’s Threat Response Unit (TRU) has released a report on the Golden Chickens malware suite and its origins. Golden Chickens is an oft-used cyber weapon of choice for Russia’s FIN6, Cobalt Group, and Belarus’ Evilnum. In a search for the identity of “badbullzvenom,” the threat actor behind the Golden Chickens suite, it was revealed that they claim to be Moldovan, speak Romanian, French, and English, and are in cahoots with the Cobalt Gang. A second threat actor, who goes by “Frapstar” and the username badbullzvenom self-identifies as “Chuck from Montreal” and speaks French, is interested in stolen Canadian credit cards, and claims to own a BMW 5Series car. His identity has been discovered by the TRU, despite going to great lengths to disguise himself. As new campaigns and source code improvements have been taking place with Golden Chickens, with attacks as recent as July, it’s clear that there is still a threat actor working on the malware, and the TRU continues to track the movements of the suite.

Lessons learned from the cyber phases of Russia's hybrid war.

Some familiar and unsurprising lessons are among those the US Army is drawing from its observations of Russia's special military operation. First, non-kinetic attack techniques, including both cyber and electronic attack, are more prominent in the gray zone at the lower-intensity portion of the spectrum of conflict. When conflict moves to actual shooting, they remain useful, but they no longer have the centrality they did in the deniable gray zone. Fed Scoop quotes Lieutenant General Maria Gervais (deputy commanding general of US Army Training and Doctrine Command) as telling TechNet Augusta yesterday that, “The conflict also reveals an important aspect of both EW and cyber: neither is dominant on its own and they work best when converged with other multi-domain effects." She offered as an example of this the observation that "the ability to use EW [electronic warfare] to detect an adversary is most formidable when matched with long-range precision fires."

Second, Russian "information troops," which had been thought of as roughly equivalent to US Cyber Command, have turned out in fact to be optimized more for propaganda and counterpropaganda than for cyber operations, whether offensive or defensive.

Third, traditional electronic warfare, mostly jamming and radio direction finding, have increasingly come into their own as the conflict moved into conventional warfare. And, while there's been a convergence of cyber operations with electronic warfare, both are valuable insofar as they're integrated into combined arms operations. “Now both EW and cyber have played major roles in the fighting in Ukraine. It demonstrates the types of threat the unified network will face in conflict with a peer or a near-peer adversary,” General Gervais said. “The unified network will need to operate in an environment where it will face significant challenges from EW and cyber. It must be resilient enough to handle these threats while providing the Army and the joint force the speed and relevancy to converge multi-domain effects against an adversary. Ukraine serves as a stark reminder of this challenge.”

And, fourth, cyber and electronic warfare capabilities require constant adjustment in combat. Cyberspace, the fifth domain of conflict, is an artificial domain shaped by human activity in ways that the other four domains--land, sea, air, and space--are not. Cyber capabilities in particular, a piece in Breaking Defense argues, "Unlike a weapon that can be tested, validated, and put on a shelf knowing that it will work when needed, deployed information warfare and cyber capabilities have to be continually tuned and optimized in order to be relevant to the warfighter."