Morning status report from the British Ministry of Defence today looks at the growing isolation of the battlefield in Kherson Oblast. “Following a Ukrainian strike against a Russian ammunition train in Kherson Oblast, southern Ukraine, it is highly unlikely that the rail link from Kherson to Crimea will remain operational. Russian forces are expected to repair the railway line within days, although it will remain a vulnerability for Russian forces and their logistical supply route from Crimea to Kherson. Russia has promoted the recently established ferry crossing, which replaces the damaged Antonovsky Bridge over the Dnipro River in Kherson, for civilian purposes, but Russian military forces will almost certainly use it for troop movements and logistical resupply. It is likely that we will see an increase in the number of civilians attempting to flee Kherson and its surroundings as hostilities continue and food shortages worsen. This will create pressure on transport nodes and routes, which will likely result in movement control measures being implemented.”
The Wall Street Journal reports widespread Russian bombardment of civilian areas in the southern regions of Ukraine, from Dnipropetrovsk to Mykolaiv, as Russia seeks to pre-empt Ukraine’s counter-offensive. The Atlantic Council’s Ukraine Alert sees Ukraine’s offensive to retake Kherson as likely to be one of the decisive battles of the war. “Since early July, the Ukrainian military has deployed its growing arsenal of long-range artillery and HIMARS precision rocket systems to destroy dozens of Russian command posts and ammunition supply bases across southern Ukraine. More recently, Ukrainian forces have targeted the bridges over the Dnipro River that serve as a lifeline for Putin’s troops in Kherson. Russia has since launched an impromptu ferry service, indicating that the main Kherson bridge itself is indeed no longer able to support military traffic.”
A summary of the cyber phases of hybrid warfare.
Nozomi Networks released its OT/IoT security report this morning, and in that report details what it observed during Russia’s war against Ukraine. While others have expressed surprise at the relatively ineffective nature of Russian offensive cyber operations, Nozomi’s report sheds light on the attacks Russia is known to have carried out in cyberspace. It concludes that cyber operations have now clearly established themselves as a “force multiplier” (i.e. a combat power factor that gives a force greater capabilities than its unaided manpower would allow it to achieve) in contemporary combat. The report draws three major lessons from hybrid warfare:
- “War increases cyber activity: Among the various threat actors and motives, advanced persistent threats (APTs) of nation states are the most active in times of war. They are less financially motivated and more focused on cyber espionage, that is, spying on and disrupting communications and other critical enemy systems. Some companies become accidental victims of cyber warfare as a result of threat actor attacks on their targets.”
- “Private companies are stakeholders in the war: In addition to military and government entities, private companies, especially critical infrastructure companies (manufacturing, communications, transportation, energy, etc.) are also prime targets in times of war. Companies must maintain a strong security posture and cooperate with their governments to protect their assets in the event of war.”
- “Wartime Data Security and Contingency Strategies Needed: The Ukrainians have moved their sensitive servers out of the country in case a physical attack is launched on their communication infrastructure. An attack on servers in the country could prevent the Ukrainians from organizing efforts with national troops and even allies, putting them at a disadvantage during the war.”
Both sides have been active in cyberspace, and Nozomi describes some of what it considers to be the most important operations:
Operating, in effect, in Ukrainian interests, a group of Belarusian hacktivists hit the servers of the Belarusian state railway system in an effort to disrupt Russian troop movements across Belarus and to protest Minsk’s support for Moscow’s imminent aggression against its neighbour. The operation took place on January 25, while Russian invasion forces were still in place, a month before the February 24 invasion.
The other campaigns described by Nozomi were carried out by Russian operators. On the day of the invasion, Viasat suffered a cyberattack that disrupted the ground stations of the satellite communications provider. The terminals were offline for a brief period, and SpaceX’s Starlink service restored Ukrainian communications within days. “Based on forensic investigations,” says Nozomi, “it appears that the attackers were able to use a KA-SAT management mechanism to simultaneously deploy a destructive payload to multiple KA-SAT modems. The payload rendered modems unable to reconnect to the network by erasing their flash memory.” The payload deployed against the Viasat systems was AcidRain. This cyberattack inflicted collateral damage (or brought Russia secondary benefits, since the collateral effects themselves advanced Russian interests). “A notable ripple effect of this cyberattack was the loss of visibility of Enercon’s 5,800 wind turbines in Germany, which could no longer be monitored remotely. Viasat later confirmed that the AcidRain wiper had caused the disruption, thus triggering the influx of wiper malware used during the Russian-Ukrainian war.”
The Viasat incident was not the only time Russia deployed wipers against Ukrainian targets. Drawing on a series of CISA alerts, Nozomi summarizes:
- “HermeticWiper: HermeticWiper overwrites the Master Boot Record, rendering the operating system unable to boot. HermeticWiper was used in conjunction with HermeticWizard, which provided worm functionality to spread HermeticWiper to entire networks.”
- “IsaacWiper: IsaacWiper, also used in conjunction with HermeticWizard, overwrites user files with random data, rendering any attached storage drive unusable.”
- “CaddyWiper: CaddyWiper works the same way as other wipers. Not only does it attempt to overwrite the victim’s files with ‘null’ data, but it also then attempts to erase the Master Boot Record (MBR), corrupting the victim’s stored data.”
- “WhisperGate: In January 2022, Microsoft Threat Intelligence Center (MSTIC) discovered this wiper. Like the wipers above, it aims to erase data, rendering devices unusable… If a computer contains multiple drives, such as one for storing personal files and another for storing digital backups, the wiper could also destroy all copies of these files stored on external devices such as USB sticks or network drives.”
Wipers have been a distinctive aspect of Russia’s cyber campaigns.
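The wipers listed above damage a machine in two ways the CISA summaries name directly: overwriting the Master Boot Record so the system cannot boot, and overwriting file contents with null or random data. The following forensic triage helper, added here as an illustration and not taken from Nozomi’s report or the CISA alerts, shows what a responder can check on a disk image after a suspected wiper: it parses the first 512-byte sector against the standard MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA boot signature) and classifies it, and it applies a null-byte ratio heuristic to file contents. The sample sectors and file blobs are constructed for the example; the 0.98 threshold and the function names are assumptions, not anything from the page.

```python
import struct

# Standard MBR layout (added example; not code from the Nozomi report or CISA alerts):
# 446 bytes of bootstrap code, four 16-byte partition entries at offset 446,
# and the 2-byte boot signature 0x55 0xAA at offset 510.
MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
VALID_STATUS = {0x00, 0x80}  # inactive / active (bootable) flag values


def parse_mbr(sector: bytes) -> dict:
    """Parse the boot signature and the four primary partition entries of an MBR sector."""
    if len(sector) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entry = sector[off:off + PART_ENTRY_SIZE]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "status": entry[0],
            "type": entry[4],
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def mbr_verdict(sector: bytes) -> str:
    """Classify an MBR: 'ok', 'mbr_signature_missing', 'no_partitions' or 'partition_table_corrupt'."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "mbr_signature_missing"  # zeroed or overwritten: firmware will not boot from it
    used = [p for p in info["partitions"] if p["type"] != 0x00]
    if not used:
        return "no_partitions"
    for p in used:
        if p["status"] not in VALID_STATUS or p["sectors"] == 0:
            return "partition_table_corrupt"
    return "ok"


def null_ratio(data: bytes) -> float:
    """Fraction of 0x00 bytes; a file overwritten with 'null' data approaches 1.0."""
    return data.count(0) / len(data) if data else 0.0


def looks_wiped(data: bytes, threshold: float = 0.98) -> bool:
    """Heuristic (assumed threshold): treat content as wiped when nearly every byte is zero."""
    return null_ratio(data) >= threshold


def build_sample_mbr(entries) -> bytes:
    """Construct a synthetic MBR for testing from (status, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        sector[off] = status
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples (not real forensic artefacts).
HEALTHY_MBR = build_sample_mbr([(0x80, 0x07, 2048, 204800)])  # one active NTFS partition
ZEROED_MBR = bytes(MBR_SIZE)                                  # MBR overwritten with zeros
CORRUPT_MBR = build_sample_mbr([(0x37, 0x07, 2048, 0)])       # signature intact, table garbage
GOOD_FILE = b"Quarterly report: revenue up 4%.\r\n" * 20
WIPED_FILE = bytes(4096)


if __name__ == "__main__":
    for name, sector in (("healthy", HEALTHY_MBR), ("zeroed", ZEROED_MBR), ("corrupt", CORRUPT_MBR)):
        print(f"{name:8} MBR  -> {mbr_verdict(sector)}")
    for name, blob in (("report", GOOD_FILE), ("wiped", WIPED_FILE)):
        print(f"{name:8} file -> null ratio {null_ratio(blob):.2f}, wiped={looks_wiped(blob)}")
```

Run it against the first sector of a raw image (`dd`-style) rather than a mounted device, and note that a GPT disk carries a protective MBR with a single 0xEE entry, so `mbr_verdict` reporting `ok` there says nothing about the GPT headers themselves. The null-ratio heuristic flags CaddyWiper-style zero overwrites but not IsaacWiper-style random overwrites; for those, compare file hashes against known-good backups kept offline, which is also the point of the WhisperGate note about attached backup drives.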
Russian services also attacked industrial control systems (ICS). INCONTROLLER was one of the observed ICS attack tool suites. Mandiant’s initial report on INCONTROLLER described it as “likely state-sponsored”, and it has since been attributed by other sources to Russia. On April 13, the United States Cybersecurity and Infrastructure Security Agency (CISA) described the effects of INCONTROLLER in alert AA22-103A. The tools covered a range of programmable logic controllers (PLCs) and operational technology (OT) servers. CISA described the tools as having a modular architecture that allowed them to conduct “highly automated exploits” against selected targets, and noted that these automated exploits could be executed by less skilled cyber grunts: once the tools are deployed, the attackers do not need a high degree of technical virtuosity to succeed. “APT actors” (i.e. Russian intelligence and security services) “can leverage the modules to scan for targeted devices, conduct reconnaissance on device details, upload malicious configuration/code to the targeted device, back up or restore device contents, and modify device parameters,” CISA explained.
And a familiar attack tool, Industroyer, deployed by Russia’s Sandworm (i.e. GRU unit 74455) against sections of the Ukrainian power grid in 2015, has been upgraded to version 2. “It is possible,” writes Nozomi, “that Sandworm uses Industroyer as a broader framework to create future variants that specifically target other ICS protocols.”
Nozomi does not discuss the nuisance-level defacements and distributed denial-of-service attacks that both sides have carried out, and it remains true that Russian cyber operations have fallen well short of the devastating effects widely expected in the run-up to the war in January. But it is a relative lack of effect, and it is not for lack of trying.