IronNet Monthly Global Threat Update

Written by General (Ret) Keith Alexander and the IronNet Team | Feb 6, 2023 10:07:34 PM

For the past year, IronNet leadership and threat analysts have provided weekly in-depth analyses of the Ukraine-Russia conflict to key IronNet partners. As the war continues into its second year, we have decided to share these insights with the wider public on a monthly basis to provide greater visibility into the war's geopolitical, kinetic, and cyber activity. Beyond the Ukraine-Russia War, these blogs will also analyze relevant geopolitical actions by nation-states such as China, Iran, and North Korea that may have wider implications for global stability and cybersecurity.

We will release these blogs on the first Monday of each month, aiming to strategically assess the intersection of geopolitical activity and cyber operations and focusing on the strategies and motivations of Russia, China, Iran, and North Korea that pose a threat to the United States and its allies in cyberspace.

Three main takeaways this month:

  • As Ukraine keeps up the pressure in the north while pushing back in the highly strategic south, we assess the potential of the U.S. supplying weapons to help Ukraine retake Crimea and the devastating blow it would deliver to Russian President Vladimir Putin and, in turn, Russia’s war effort.
  • Though China has so far avoided direct military support for Russia, there remain concerns about the possibility of China supplying weapons to Russia out of fear of how a Russian failure in Ukraine would affect China’s potential invasion of Taiwan.
  • While Ukraine has experienced astounding success in its cybersecurity efforts – neutralizing more than 4,500 cyber attacks since the start of 2022 – Russian hacktivist DDoS attacks continue to target NATO countries, and the state-sponsored APT Sandworm has renewed its efforts to launch wiper malware attacks against Ukraine.

Russia-Ukraine battleground update

In general, Ukraine’s efforts throughout January seem more focused on its military campaign and strategic operations, while Russia — severely weakened by compromised forces and resources — has been shoring up its information campaign to win internal support from the Russian people.

  • In early January, Ukraine kept up the pressure in the north (e.g., Bakhmut) while also trying to break through in the highly strategic south, particularly in the key Kherson Oblast. Driven by President Vladimir Putin’s strategic goal of reclaiming territory seized by Peter the Great, Russia is fighting hard despite not having the necessary forces to take and hold land.
  • On January 31, however, Russia claimed that it had seized a village north of Bakhmut.
  • It is worth noting that Russia may have moved troops from Kherson in the south to take this village; drawing on resources from the strategic south would weaken Russia’s presence there.
  • The coveted area of southern Ukraine remains a hot spot, as it would give Russia a direct line to Crimea for easier access to the Black Sea, but Ukraine continues to defend this land, which allows it to keep control of the strategic Sea of Azov.
  • Granted that much work remains for Ukraine to defend and hold this region (and potentially move toward reclaiming Crimea), there have been reports of Ukrainian partisan groups joining the effort to fight for southern Ukraine.

[Figure: battlefield map. Source: BBC]

Weapons support and implications for Crimea

In mid-January, the Biden Administration considered the provision of additional weapons support to help Ukraine push back on Crimea. In our opinion, focusing on Crimea would be a highly strategic move that, quite frankly, would shake the foundations of everything Russian President Vladimir Putin has claimed he has accomplished (namely, “taking back” Crimea in 2014 for Mother Russia). Ukraine’s rightful re-taking of Crimea would fundamentally shift the course of the war.

  • The Biden Administration announced in late January that the United States is supplying Ukraine with 31 M1 Abrams tanks, along with training on these behemoth tanks that can go as fast as 60 mph across terrain. You may recall the Russian logistics disaster outside Kyiv when the invasion first started. With M1 tanks at its service — and, just as important, training on moving an armored battalion or two — Ukraine could alter the calculus of this protracted war very quickly and significantly.
  • If we consider lessons from history, the question is whether Ukraine, with these newly supplied tanks, would adopt a WWI-like approach by creating a deliberate, heavily guarded front line (like the French Maginot Line) that attacks and defends “trench by trench” (as is currently the case in the northern Donbas region). Or does Ukraine employ a WWII-like breakthrough strategy, punching through the front line and creating chaos 60-100 miles deep behind it? Of course, Ukraine would need sufficient ammunition, fuel, food, and battalion-size units for any kind of breakthrough approach. Should breakthrough pursuits become possible, however, they would have a game-changing effect on this heretofore prolonged conflict. Currently, neither side is prepared for this kind of warfare.

The Russian information war

Throughout January, there was a surge of information operations on the part of Russia while Ukraine advanced operational activity to keep pressure in the north and fight for the south. 

  • Russia continued to make the claim that it is protecting its country as it is “under attack” by Ukraine and its supporters. Specifically, Russian Foreign Minister Sergei Lavrov has positioned Russia as a victim of aggression by the "collective West" (led by the United States). 
  • While Ukraine defends its rightful land, directing its efforts on military operations, Putin is working hard to weave a false narrative to convince the Russian people that Ukraine and western allies, including the United States, are attacking Russia — with all Russian efforts intended to protect Mother Russia. The West sees through this fiction; we hope the Russian people eventually will, too, for their sake — and for the future of Ukraine’s freedom. 

China on the sidelines

We must consider the outlier in the Ukraine-Russia war: China. There is growing speculation that China (and/or Chinese state-sponsored entities) may be supplying support for the Russian effort. 

  • Although this concern has not been validated, we can theorize about the implications of China changing its stance to support Russia, especially should any assistance ever include munitions.
  • In an imagined, perfect, post-Putin world, where Russia evolves into a friendly state led by someone like Alexey Navalny (a current voice of opposition to the Kremlin) who would want to work with the West, this scenario would pose a risk to China’s northern border. At present, China is not threatened by any potential land incursions. A Russia that becomes a more NATO-like country, however, could change that risk landscape (figuratively and literally) for China with respect to an invasion of Taiwan.

Cyber updates this month

Ukrainian success in cybersecurity

  • Ukraine’s Secret Service (SSU) revealed in late December that it has neutralized more than 4,500 cyber attacks since the start of 2022. Stating that Russia “launches an average of over 10 cyber attacks a day,” the chief of cybersecurity for the SSU added that Ukraine was hit with three times more cyber attacks than in 2021 (when 1,400 cyber attacks were recorded) and five times more than in 2020 (when 800 attacks were recorded).
  • Throughout the war, Ukraine has creatively used various forms of technology to aid its war efforts and get ahead of Russian troops:
    • Following one of the deadliest strikes on Russian forces since the invasion, which took place on New Year’s Day in Makiivka, the Russian Ministry of Defense stated the main reason Ukraine was able to track troops and launch a strike was because of Russian soldiers using banned cellphones on the front line. Throughout the war, Ukraine has leveraged Russian soldiers’ use of open cell phone lines to track force positions, and they have also intercepted these calls to get inside information and gauge the morale of Russian troops.
    • In addition to tracking Russian cell phones, Ukraine has also leveraged crowdsourcing technology to gain greater visibility over incoming Russian drones and missiles. Ukrainian volunteers developed a mobile app that allows civilians to report sightings of incoming strikes, with the hope of intercepting a higher proportion of drones and missiles. To use the app, which is called ePPo, users simply point their device in the direction of the incoming object, and the app sends a location report to the country’s military. This crowdsourcing tactic allows the entire population of Ukraine to aid the war effort in strategically countering and preparing for incoming missile strikes.

Hacktivist DDoS attacks continue

  • DDoS (distributed denial-of-service) attacks continue to bombard a range of Western organizations, with reports by SentinelOne on January 12th of pro-Russian hacktivist group NoName057(16) disrupting services across the financial sector of Denmark and launching attacks on organizations across Poland, Lithuania, and more – including targeting the websites of 2023 Czech presidential election candidates.
  • Though GitHub disabled the accounts used by NoName057(16) to host its attack code and DDoS tool website, the group still poses a significant risk. Outside of relocating its code, NoName057(16) is also one of the few hacktivist groups that distributes cryptocurrency to its top DDoS contributors, thus providing encouragement for people to contribute technical resources for attacks.
  • In retaliation for Germany’s decision to send tanks to Ukraine, pro-Russian hacktivists launched a coordinated DDoS attack against the websites of German government agencies, banks, and airports. Such an attack floods servers with a high volume of internet traffic, knocking them offline and making them unavailable. In this case, the pro-Russian group KillNet, along with other pro-Russian hacktivist collectives that KillNet called to arms, made some sites temporarily unavailable but had little other tangible effect.
    • Even though impact was minimal, organizations in the U.S. and other NATO countries should be vigilant of possible cyber attacks by pro-Russian groups in retaliation for supplying aid and weaponry to Ukraine.
  • On January 31st, sources reported that pro-Russian hacktivist group KillNet launched a series of DDoS attacks against several hospital websites across the U.S. and the Netherlands. Carried out in response to the U.S. announcement that it would send dozens of Abrams tanks to Ukraine and the Netherlands’ announcement that it would send a Patriot missile defense system to Ukraine, KillNet’s DDoS attacks caused temporary disruption to the websites of a handful of facilities, including the University of Michigan Hospital and the Stanford Health Care Center.

Russian state-sponsored APT Sandworm demonstrates a renewed focus on wiper attacks

  • In mid-January, CERT-UA reported that Russian APT Sandworm targeted Ukraine’s national news agency (Ukrinform) with five different data wipers after conducting reconnaissance since early December. This wiper attack on Ukrinform was only partially successful – Sandworm was able to wipe the data on only some of Ukrinform’s systems, such as several data storage systems, which did not impact the news agency’s operations and was quickly localized by authorities.
  • Several days later, ESET researchers reported on a new Sandworm-attributed wiper called SwiftSlicer targeting an unspecified Ukrainian organization. Written in Go and deployed through Active Directory Group Policy, SwiftSlicer is the latest destructive malware to come out of Russia since the beginning of the war, raising concerns that Russian APTs may attempt more wiper attacks against Ukraine and NATO targets in the coming months.
  • There were also reports on January 31st that Sandworm used yet another wiper called NikoWiper to target an energy company in Ukraine in October 2022. As the wiper deployment coincided with Russian missile strikes on Ukrainian energy infrastructure, there was apparent coordination of objectives between the two efforts.

Global calls for collective defense

In mid-January, Ukraine’s top cybersecurity leader announced the need for a “Cyber United Nations” – specifically, he said: “What we really need in this situation is a hub or a venue where we can exchange information, support each other and interact.” The IronNet Collective Defense platform, including the IronDome “cyber radar picture” of the threat landscape, is essential to these efforts. Rather than traditional, slow information-sharing, the platform enables organizations to collaborate in real-time and identify unusual behavior propagating across multiple networks, thus significantly increasing the ability of those enterprises to detect, collaborate on, and stop the threat before it spreads.  

The attacks we are seeing all across Europe and the U.S. in large part go on unobserved with a response often taking place after the intrusion has already occurred. Without a Collective Defense approach, the national capabilities to fire back are hindered or even impossible, as the government does not see the attacks in time to help. As you know, IronNet provides this real-time visibility with our Collective Defense platform.

Conclusion

No one can answer how long the conflict will continue. Right now, the situation is like bending a bar. When does something happen on either side to make the bar break? We assess that Ukraine’s road to victory would be contingent on Ukraine’s holding Russia in the northern Donbas region while also cutting across the southern part of Ukraine to take Crimea. While no one can predict when such a resource-dependent scenario would play out, it remains clear that Ukrainian President Volodymyr Zelenskyy will never give up even an inch of Ukrainian land. We think Zelenskyy’s ardent fight to keep Putin’s claim on Ukraine at bay is the right approach.