In a special event hosted by the Alperovitch Institute, some of cybersecurity's most distinguished speakers share their thoughts on the unfolding cyberwar in the midst of the Ukrainian conflict. Aside from DDoS attacks and website defacements, and a sense of heightened alert around the globe, there has so far been a lack of devastating attacks. Are the APTs on all sides keeping their powder dry, or is there something else going on?
With questions and contributions from Chris Krebs, JD Work, and John Scott-Railton, and moderated by Thomas Rid, listen to the thoughts and insights of speakers such as SentinelLabs' Principal Threat Researcher Juan Andrés Guerrero-Saade, Olga Belogolova (Meta/Georgetown University), Daniel Moore (Meta/King's College London), Gabby Roncone (Mandiant/Georgetown University), Ben Read (Mandiant/Georgetown University), Robert Lee (Dragos), Lee Foster, and Dmitri Alperovitch (Silverado Policy Accelerator).
With thanks to Sean Ainsworth for recording this event.
The War in Ukraine and Cyber Operations by Alperovitch Institute for Cybersecurity Studies: audio automatically transcribed by Sonix. This transcript may contain errors.
Thomas Rid:
Evening. It's 8:00 p.m. Eastern. I understand that there are a couple of people here from the UK and perhaps even further east, so welcome especially to you, because it's very late where you are. I'm Thomas Rid, Professor of Strategic Studies at Johns Hopkins University. I write books about technology and conflict, and we are going to talk about this big question out there, the surprise out there: where's the cyber war in Ukraine? This is a question that I haven't raised, but a lot of people have raised. We've seen a couple of high-profile press stories, in the Wall Street Journal and The Economist, that really asked why we have not seen more high-profile cyber attacks, computer network operations, just before the conflict, just before the start of the war, at the invasion and in the early phases, especially in Ukraine, a country that has seen some of the most sophisticated and most costly cyber attacks in the past seven years, depending on when you start counting. So the way this is going to run, this space, it works like this. We're basically going to talk amongst ourselves for something like 45 minutes to an hour. When I say we, I'm referring to a group of people that are around the Alperovitch Institute at Johns Hopkins. It's a new research institute on cybersecurity studies that we founded and are still starting up right now.
Very generously endowed by Dmitri Alperovitch, who is with us tonight as one of the participants in this conversation. Thank you, Dmitri, for coming tonight. And so, moving on, for the next hour we'll be discussing four questions. The first question is, essentially, where is that cyberwar? What has happened so far in terms of actual observable computer network operations in the context of the Ukraine war? So first, the state of play: what's happening, what do we know? We'll do each one in a round amongst this group; I'll introduce them in a moment. The second question is, well, what may happen, or, a version of that question, what perhaps has happened already but we just don't know about yet? So what kind of cyber attacks should we actually expect in a situation like this? The third question, then, will be how do these operations, these covert digital operations, or not-so-covert operations, fit into the wider picture of the campaign, of the war? How important are they? What's their role in the bigger picture? And finally, if we have time after that, we are going to open a conceptual question: what does all that mean for the future conversation about computer network operations, about cyber conflict? All right. I will introduce the speakers as they speak, whenever they speak for the first time, just so you don't have to listen through a long round of introductions.
And let's start with that first question: what have we seen so far in terms of computer network operations in Ukraine? In order to tackle that question, I will just cold call one of our speakers, and why don't I start with Danny Moore, Daniel Moore. Danny is my former student, a former Ph.D. student, also a former Israeli IDF officer who has an extraordinary set of experience, and now works at Meta, but obviously here speaks only for himself. He has a book out soon that is called Offensive Cyber Operations, so I couldn't think of anybody better to be the first one to jump in here. Danny, what have we seen so far?
Daniel Moore:
Hi, everyone. So what we have seen so far is actually not that much. I know that there's a lot of noise and a high volume of attacks, comparatively more than we usually see. But the vast majority of what we've been seeing is a combination of either denial-of-service attacks or wiper operations, which I think some of my other friends here can speak to more fully. But as a sum total of operations, it's quite a bit less than we expected. And principally, I think one of the biggest gaps is in regard to our expectations, and clearly this campaign, this war, has changed, or toned down, our expectations in many ways. But on the cyber side, a lot of us expected information dominance as an early objective for the Russian forces: to tackle critical national infrastructure and communication networks, cell networks, and control the narrative through this. It is conducive to what they would want to do, as before. And I'm admittedly quite surprised that they haven't even attempted to do this now. But I think it's important, and a lot of folks here would agree, that what we have seen is not necessarily indicative of what there is. We do have a perspective bias, both because we're consistently being targeted by influence operations from both sides, but also because whatever happens on the military side, we might not have visibility into. So, long story short, we see a volume of things, maybe not the quality or quantity that we would have wanted, and maybe not as tethered to specific military objectives as we would expect.
Thomas Rid:
Interesting. As I look through the speakers' list, Juan, you especially come to mind, because you have just spent a good chunk of time last week, I think, or earlier this week, I'm losing track of time, investigating one of the pieces, one of the events, the malware samples that we've seen earlier in the campaign. Can you put that into a little bit of context for us? And just to introduce you: Juan Andrés Guerrero-Saade, many of you will know him, now with SentinelOne, one of the most respected APT hunters, I think, in the wider community. So delighted to have you.
Juan Andres Guerrero-Saade (JAG-S) :
Thank you, Thomas. So, yeah, thanks everybody for joining, and we finally were able to straighten out most of the speakers here. So, you know, it's kind of an odd question for me to talk about: where is the cyberwar? Have we not seen it? Because, to some extent, it's been a more or less exciting or eventful conflict on the cyber side for those of us who have been really knee-deep in the different operations, the different pieces of malware that have been coming out. I'm thinking, you know, Ben Read is here, I'm sure his team has dealt with quite a bit, Gabby as well. I see Silas in the crowd. Tom, who works with me. We've all been swamped with all kinds of different ops, mostly around these different pieces of wiper malware, to talk about the diversity of threats that we have here. And I know that recently there was a graphic that I retweeted: there are at least five or six different groups that we see active against Ukraine with a variety of different operations, whether it's disinfo ops, wiper malware, hack-and-leak operations, phishing and so on. So to some extent, there is quite a bit of cyber activity as an enabler, as a support, to what's going on.
But I think we're also in a strange period, where there has been so much talk of cyberwar as its own thing that I think we sold ourselves on this mirage of what cyberwar, quote-unquote, would look like. And instead, what we're seeing is the disappointing reality of war, which includes cyber components but really isn't led by and entirely mired in them.
Thomas Rid:
Great observation from you there earlier at the top. If we zoom in more closely into the kinds of events that we've seen, then perhaps what we're looking at is not just the press coverage one-for-one, but also perhaps just the stress of the war itself for all people in Ukraine, including obviously incident responders, which has probably created a bit of fog of war in the cyber investigations context, and many of us have simply missed some of the interesting events that have happened in this context. The other person who comes to mind, as I look at our speakers, is Rob Lee, who, through his company Dragos, of which he is the CEO, and as an old friend of many of us here, probably has some good visibility into a set of events that most of us will not have. So, Rob, what are you seeing?
Robert Lee:
Yeah, I think in Ukraine, leading up to the conflict, there was a lot of different pre-positioning activity that was taking place, but of course it never manifested in anything that we would observe. I think, to many of the comments that were made in this group, whether in chat or here tonight, there's been maybe an overestimation by Russia of its capabilities, and, going into the conflict, not relying on certain cyber capabilities. Maybe they didn't feel they had a need. Maybe it wasn't a reliable option. I mean, I look back to my time in the military, and we, the cyber folks, if you will, always wanted to present commanders with cyber options, because that was our goal and it was a focus. But when you're sitting next to somebody, or you're presenting to a general and saying, hey, I've got a 70 percent chance that I can take down that integrated defense system, and we need three months' prep, and here's what we can do, and the pilot standing next to you says, yeah, I can take off right now and bomb it in two hours with 98 percent confidence, those commanders are generally going to go for the non-cyber capabilities. So I think cyber as a tool ends up being really, really helpful pre-conflict, potentially in conflict. But I think when bombs start dropping, there's no amount of anything that we associate with cyber that's actually all that relevant in terms of what people are actually clearing now. Outside of Ukraine, there's a lot more activity going on, and maybe we'll get to that later. But we started seeing some groups that the United States government has attributed to Russia starting to target, just at a high level, not anything that would say compromises and taking down systems, but reaching out, doing reconnaissance, targeting key electric and liquid natural gas sites around the United States, starting back in October.
And we ended up informing the community and the federal government on that then. And I think that raised a lot of concern about potential future efforts, not saying that anything is going to come to bear, but obviously it represents a concern when you see some of those capable groups starting to be real precise in the places that they're hitting.
Thomas Rid:
So, bottom line, there's maybe a lot more pre-positioning that has happened in various networks and against various targets that we simply haven't seen revealed publicly yet. And so presumably a lot more will come out over the next weeks and months. Juan, you raised your hand, and Dmitri as well.
Juan Andres Guerrero-Saade (JAG-S) :
Well, we're talking about visibility, and I think this is a near and dear point to those of us who are trying to work in the threat intel space, trying to understand the situation. We had our clearest visibility as to what was happening in Ukraine in the weeks leading up to it, in the hours leading up to the invasion. It was actually a really interesting period, as we became aware of HermeticWiper and some of these other components around, I want to say, four or five p.m. Eastern Time, with the invasion starting at, I want to say, around midnight or two a.m. our time. And it was this interesting tempo where you could see reports of the attacks increasing. But I think that was the end of having any kind of fidelity of observation and telemetry into what was going on there. And it's important to understand the medium for cyber attacks, and for any kind of cyber components, as being so tragically tied into internet infrastructure, electricity, just the general availability of systems, and even just people on those machines to click and make mistakes and so on. I think the banality of cyberwar is precisely that. Once bombs and bullets really come into play, the reliability of cyber goes from that 70 percent that Rob spoke of to perhaps a meager 20 or 30 percent. Let's see if the systems are still up. Let's see if we can even get there anymore. And that's where it all starts to fall off for us on the telemetry side.
Thomas Rid:
Yeah, great points. Dmitri, you also raised your hand, and then Ben.
Dmitri Alperovitch:
Yeah, I think it's important to put things in perspective here. One of the things that cyber is just fantastic at is the ability to cause damage, the ability to do disruption, the ability to do coercion in that gray zone between peace and war, where you have conflict between states but they're not quite at the kinetic stage, and you're trying to keep things below the threshold of actually engaging in a war, but still nevertheless inflict economic pain, inflict pain politically and so forth through interference campaigns. Once the bombs actually start flying, as some of the folks have said, cyber becomes much less useful. It may still be useful at a tactical level, and what I did expect before the war is that we might see very specific attacks on the communications infrastructure, and we certainly saw some, and we can talk about that later, but not to the extent that I expected, in part because I did not expect the Russians to be so bad at having secure communications between their own units that they ended up relying on Ukrainian communication systems, including their cell phone communications, to actually keep in touch with each other. And as a result, taking down the Ukrainian communications networks became much less interesting and appealing to them. But the other thing that I thought they might do is target the mobilization databases. And I think we need to appreciate just how bad the assumptions have been on the part of the Russians about this whole war. It is very clear now, in terms of their initial actions in the first couple of days of the conflict, that they really thought they could just roll into Kyiv with a company of armored vehicles and the Ukrainians would surrender, that there would be no resistance, that the Ukrainian armed forces would just dissipate. So they really didn't plan on cyber, or much of anything else, for that matter.
Very little air power, for example, was used in those initial days, EW, et cetera. And that makes sense when you start thinking about it in that context: they thought this would be fast and quick, and they didn't need to use a whole lot of disruption or destruction in cyberspace or otherwise to achieve their objectives. And the other thing that I think is also becoming very clear is how few people in the Russian government, and even the Russian military, actually knew about this invasion. It turns out that the U.S. intelligence community, and frankly the rest of the world that has been paying attention to the warnings coming from the Biden administration, knew much more about the invasion plans and what Russia was going to do than much of the Russian military. The secrecy and the paranoia cannot be underestimated in terms of the impact that this had on the whole campaign that the Russians have waged here: the logistics problems that they've had, the communications problems, and the cyber. So it wouldn't surprise me in the least if they actually didn't even tell the cyber guys that the invasion was going to take place until the very last minute, when the orders went out, because of the secrecy that Putin insisted upon, in part because I think he was very paranoid with all the disclosures that the U.S. intelligence community was making about his plans for false flag operations and so forth.
Thomas Rid:
Yeah, you're raising a fascinating question there, obviously, about the coordination of different parts of the Russian security establishment, or even just within the military establishment, in terms of when and what exactly would be launched on the 24th of February. And by the way, before we go on, I just want to make a moderator comment. As the moderator, I just quickly scrolled down and saw that there are so many friends, but also just extremely impressive individuals from this wider community, in this space right now. So if you would like to come in and say something and you're not a speaker: I personally was occasionally invited to become a speaker when I was not ready, because I was doing something that would have been inappropriate to speak during, like, you know, taking kids down. If you want to speak, just hit 'request.' I won't request you without you requesting first. But I would like to send a note that we're an open, informal space here. Danny, you had your hand up.
Daniel Moore:
Yeah, I just wanted to add that I know we're a pretty thirsty community, in the sense that we keep looking for something to instruct us on what cyber operations during conflict are supposed to look like. And now that we haven't seen it here, we're sort of scrambling to redefine the space. So yes, there's a lot to learn from here. But I also want to caution that this might not be the most representative of the potential of what we could be seeing, both at the outset of wartime and during, both on the strategic side and on the tactical side. There is certainly a lot of potential to target military networks and critical infrastructure and to facilitate early objectives through these means. And I agree with Dmitri that at a certain point it becomes more tactical than strategic, once we're deep into wartime. But, yeah, I would also caution not to over-index on what we're seeing here as truly representative.
Thomas Rid:
I think this is a fundamentally important point: not to jump to larger conclusions based on the state of the information that we currently have. I will just point out that some of you here have discussed this already privately with us today, but just about six hours earlier today the story broke that Viasat, the European satellite internet service provider, was likely breached in preparation of what looks like perhaps a counter-command-and-control operation, because apparently the Ukrainian military was a user of Viasat services, and the time of that breach, the time of the attack, was allegedly 5:00 a.m. local time in Central Europe on the 24th. So that appears to have been some form of cooperation and coordination. Ben, you had your hand up, and then Juan.
Ben Read:
Yeah, thanks. Exciting to be here. And, like everybody, speaking on behalf of myself and not necessarily my employer. But I want to support a lot of the echoes of what Dmitri said, in terms of that nothing seems to have been super well integrated, whether it was suppression of enemy air defenses or other stuff. So it's not entirely surprising that cyber doesn't stand out there as having all of the heavy-hitter things moving in sync. So I think that's an important point to remember when making a judgment on capabilities: that we haven't seen them in general. But I do also want, at the same time, to speak to what we have seen, because I do think it is certainly not nothing. I mean, there have been at least three waves of wiper attacks against entities in Ukraine, and along with them DDoS and website defacements. Again, not the sexy stuff, but still notable. And I do think that the impact of those is unknown. I mean, the Ukrainian government's been able to get their message out, primarily through Facebook and Twitter, and that's a whole separate conversation. But we don't necessarily have full insight into how much disruption actually happened from those. And at the same time, you've also seen, from Facebook's blog post, a disrupted operation trying to compromise Ukrainian service members' Facebook accounts and post videos of Ukrainian soldiers surrendering, from Ghostwriter. So there is a bunch going on, and it is not super well planned out or super well integrated with the full plan, but that kind of fits. There's not some kind of magical folks doing cyber who know everything and are omniscient. It tracks with the rest of it.
But I do think it's important to remember that a number of things have happened that we don't know about. And obviously the Viasat stuff is still out there as well. There have been things that happened, and we're certainly not over yet. And the last thing, and we'll get to this later, but in terms of activity outside of Ukraine, there has been a continued high tempo of espionage operations trying to get perspective on what European capitals want to do and things like that. So there's definitely a lot of Russian cyber going on.
Thomas Rid:
And Ben, when you say espionage operations, do you mean in a way that appears to be timed around the conflict, or just your run-of-the-mill regular activity?
Ben Read:
It's been a consistent volume of it for the last six, 12 years or whatever, but certainly in the last couple of months there have been significant operations against European ministries of foreign affairs, et cetera. But I mean nothing out of the normal; it's normally a high tempo there.
Thomas Rid:
Great. So thank you. Three hands up: there's John Scott-Railton from the Citizen Lab, then Juan, and Chris Krebs. Juan, you jump in before John does.
Juan Andres Guerrero-Saade (JAG-S) :
Just to piggyback on Ben's point, there has been quite a bit of stuff going on. There are some different subsets that we would want to split up, and, at the risk of maybe nerding out a little too much on the threat intel stuff that we're seeing, you've got stuff happening in Belarus that I think is quite interesting. I mean, Ben and Gabby have done amazing work on Ghostwriter, or I want to say UNC1151, but I'm not good with their numbers. That in itself has been fascinating, watching this disinfo ops side of the house, the collection side of the house, that the Russians seem to be involved in. And at the same time, seeing a bit of pushback on the part of the Belarusian Cyber Partisans, affecting the train system a couple of times now, and trying to put up some kind of a front in Belarus on the part of the Russian groups that we're seeing. I do think it's worth noting that it isn't business as usual for Russian cyber.
We're not seeing Turla and APT28 and Nobelium and these sorts of sets that we've gotten used to and that we're very familiar with. To some extent, there is some level of preparation, in that we are seeing entirely new components being dropped by groups that we have yet to be able to characterize. So to some extent, there was some level of preparation, but it's more on the novel cyber side of the house, of not having everything defanged by the fact that we're familiar with them. It's just, you know, it's not overwhelming in its novelty, but it is effective in what it's been doing.
Thomas Rid:
Yeah, great point. Just quickly, before you come in, John, I wanted to welcome many more listeners here in this room. We are growing fast. This is an event by the Alperovitch Institute at Johns Hopkins University. We are discussing where the cyber war in Ukraine is: what are the cutting-edge cyber operations that we've seen so far, what may we see next, and what does it all mean for this bigger conversation? John Scott-Railton from the Citizen Lab is next.
John Scott-Railton:
Hi, everyone. It's great to be here. What an amazing group of people. From my perspective, I feel like the Viasat thing is a bit of an indicator of what's to come, if we look back at other conflicts where there have been large areas of low internet connectivity and Russia is part of the war. I think that maybe this moves us toward the next-steps conversation. There's going to be a lot of focus on targeting the ways that Ukrainians are getting connected and staying connected, and then also trying to peek in, intelligence collection, both broad-stroke but also tactical stuff on their activities. What's interesting about the Viasat case is that I think early on people thought maybe this was some kind of satellite jamming, but it actually looks like update supply chain poisoning, which is really interesting. And it seems to have affected lots of terminals, lots of user ground terminals, in countries around Ukraine as well. Obviously, there's no attribution at this point, and Viasat is basically not saying anything publicly, but it's an incredibly interesting situation. I'd also flag today... I'm sorry, Tom, did you
Thomas Rid:
Say... actually, I just want to ask you: you may have seen that Der Spiegel covered the story with a really interesting piece. The German government seems to think, perhaps in contrast to what you just said, and I'm curious how you make sense of that, that some of the outside-Ukraine effects, on wind turbines for example, were collateral effects.
John Scott-Railton:
Yes, that seems absolutely right. I'm sorry if it sounded like I was saying something different; this is all, in fact, collateral. And it's interesting, because in general, in the conflicts where there has been jamming against satellites, in many cases what jamming looks like is actually a ground station blasting something up at the satellite to make it hard for the satellite to do its communication business and find signals on the ground. There's collateral effect. So one historic example is that back in 2011, there were parts of Libya that were under opposition control, and Gadhafi wanted to shut their connectivity down. A lot of them were using Thuraya, and so he did a fairly extensive jamming effort focused at the particular spot beam that was on Libya, and wound up having collateral effects throughout the region. Here, this is something totally different. They seem to be focused on the update systems for this KA-SAT satellite that Viasat uses and supplies terminals for in Ukraine. But in the end, it looks like they've had this collateral effect too. So Germans and French and others are leaving their systems turned off in the hopes that by the time the update process, which takes a while, gets done, whatever the update is that's being poisoned has been removed.
Thomas Rid:
Yeah, fascinating. For me, one of the fascinating questions of that case is whether we would have learned of the compromise relatively early, as we have, without the collateral effects, because some of them may have prompted investigators to look more closely.
John Scott-Railton:
Oh yeah. And just to build on that, I think there's talk... so today, I want to say, Elon Musk and Starlink, a conversation we could have at some point, said that there was some selected jamming of Starlink terminals or communications somehow in Ukraine, and I just don't know what he's referring to yet. But as a general rule of thumb, if there is satellite communications jamming happening, it almost always is going to have collateral effects. And so you'll likely hear about it from lots of places. So sporadic statements about satellite jamming, unless it's something very close to the user in the terminal, you're going to hear a lot about, because it's going to affect lots of different parts of SCADA and critical infrastructure which rely on those systems from fixed terminals.
Thomas Rid:
Fascinating. Chris Krebs, you had your hand up.
Chris Krebs:
Tom, thanks for having me on, and thanks for pulling this Spaces together. So, a couple of observations off the top. There are a number of folks out there in the community who have been anticipating scenario development, war gaming, and Dmitri obviously has been at the forefront of saying, hey, here's what I think is going to happen. And this has been going on for several months, anticipating this, and perhaps in some respects stretching the boundaries of what the establishment actually thought was practical or possible. But nonetheless, when the Russians went in a couple of weeks ago, it was like, oh, well, you know, they were kind of right all along. But I feel like right now we may be in a different space. I think a lot of the assumptions built in up front were that the Russians were well coordinated and integrated; Dmitri talked about that just a few minutes ago. And so when we think about why haven't we seen these things, I'm not sure that's the right question, necessarily. It's more about: what did they try, was it effective, and how did it align with their objectives? I think there's a second question we have to start asking right about now. A lot of the anticipatory questions and planning were more about thinking that the Russians were going to win this one, and win it going away. And now we're in a really interesting position where the Ukrainians are doing quite well. In fact, on the battlefield they're doing well, and they're doing even better politically. A number of folks, I see Renée DiResta is on, she had a great thread this morning about what's happening in the information ecosystem. And Thomas, you've talked about this as well. But we anticipated a series of actions from the Russians. We've all talked about that. We've prepared clients and other folks.
But I feel like the outcomes might be a little bit different now. And so we may be in a little bit different space in terms of what the Russians might do and how, as the economic sanctions ratchet up pressure on the domestic economy there, there may be economic necessity. So I think that's the real challenge: looking around the corner at what's happening next, given that we may be in completely brand new space, and the mythology of the Russian cyberattack capability may not be what we thought it was, or built, you know, put in a position to be successful. And we have a completely different set of political outcomes in front of us. And so that's, I think, the real challenge here: how do we anticipate, how do we talk about this in a responsible, reasonable way, to make sure that we're preparing, whether it's again clients, government officials, or the general public, for what may be next?
Thomas Rid:
Absolutely. And you mentioned Renée DiResta, and I just want to send a signal again out to anybody who’s listening, she’s obviously listening as well, that you’re welcome to request the speaker role if you feel like it. I don’t want to be too aggressive and request speakers without asking them first, but please do request if you’d like to come in. And John had his hand up, John Scott-Railton.
Ben Read:
Just to totally put a giant highlighter through what Chris just said. I was looking back at a case study I wrote for the Libyan Civil War and remembering how in the first weeks there were so many periods where everyone thought they knew what the state of play was and then something big changed. Power went out, internet went out, and everything changed. And I just can’t stress enough that I’m sure that Chris is right and that in a week we’re going to be having an entirely different conversation.
Thomas Rid:
Hmm. Rob, I think you wanted to come in and couldn’t find the hand-up button.
Robert Lee:
Oh, that was a general comment, but I will. Sorry, taking our Signal chatting online? No, but look, it’s not necessarily commenting on that. I think the folks commenting on the fact that we may not be seeing all the things that are actually happening, I think that’s very fair. But again, we do know these groups are capable, if we’re talking specifically on cyber. Not only are these groups capable, what we do know as a matter of fact is that there are some of them that are currently developing offensive capabilities against things like industrial control system environments. It’s just inherently escalatory. And so I think Ukraine is a perfectly good bounding in the conversation. What happens next outside of Ukraine, especially in NATO and U.S. and allied countries? That, to me, is the most interesting piece of this, but I know we’re probably going to have that conversation later. But there is a lot more happening than I think people are realizing. And if you’re going to impact infrastructure and if you’re going to have cyber operations, like, you don’t do that on the day of the conflict, you do that months ahead of the conflict. And so that’s where, from a cyber perspective, I think a lot of the focus should be. Yeah, but that’s a great comment there. Let’s try to focus on that question. What could happen next? What may have already happened that we just don’t know about yet?
Thomas Rid:
What’s the kind of computer network operation attack that we should expect in a situation like this? And what would you assume escalation looks like? I think, JD, you had your hand up and then Juan.
JD Work:
Hey, folks. Great to be here tonight with you all. I definitely did want to foot-stomp much of the activities that will be seen in the current phases that perhaps have not been observed to date because of collection limitations or telemetry limitations, but also the things that will be used as this begins to escalate, particularly as the global reaction likely far exceeds the Kremlin’s pre-war calculus. They almost certainly did not anticipate what is effectively a developing economic blockade of the country on multiple levels. They’ve lost access to cloud services, they’ve lost access to aviation services, they’ve lost access to the global financial system in a variety of critical ways. Initially, the warnings from a lot of folks were focused on this idea of symmetric retaliation. I’m always skeptical of pure symmetry, because the adversary sees things in very different ways. But as we begin to look at the manner in which they react next, it’s the things that are most critical to their survival. I mean, the seizure of aviation capabilities is incredibly important nationally. And if they can’t maintain engines, if they can’t maintain systems, they’re highly likely to drive espionage activity, but also potentially retaliatory activity, to try to find a point at which countries are unwilling to continue further action. And insofar as many of the sanctions activities are actually a thing of private decision, where private entities cannot accept that counterparty risk with firms and other entities operating in what is basically a revisionist regime, those companies are subject to pain points in a way that state policy is not. So I think we’re entering a period of incredibly heightened risk for a lot of private entities that are reacting, not inconsiderably on their own accord, in response to the general tenor and in response to the uncertainty of the environment, but very much subject also to retaliation as a result of that.
I’ll also say there’s a tremendous amount of pain points that are happening in these internecine developments. I mean, whatever credence you want to give to the reporting around the initial attempts at seizure of key Ukrainian government assets on the 24th, and the idea that there were perhaps competing mercenary groups and competing factional sponsorship. We know, for example, from other commercial reporting that there have been penetrations of different private sector, different private military companies operating out of Russia, potentially responding to different factional pressures. And the idea that this espionage was used to shape, or effects used to shape, how successful those missions were or were not, even as the overall initial seizure campaign was failing. It’s just this fascinating dynamic that hasn’t really been surfaced, I think.
JD Work:
Thanks, JD, for your input there. Dmitri wanted to jump in, I think.
Dmitri Alperovitch:
Yeah, Thomas, I want to get back to what John brought up about satellites, because I do think that’s a really interesting part of the conversation here. And that’s where we’re seeing a lot of things happening, because we’re seeing some degraded communications on the Ukrainian side in Kiev and Kharkiv. Mobile service seems to be really sketchy. So a lot more people are relying on satellites, and we have someone on here who is one of the foremost experts on RF. And I know, Rob, you’re seeing some GPS jamming in Ukraine as well, which could potentially affect Starlink, right? So maybe jump in here with your views.
Thomas Rid:
Yes. So I mean, there’s a lot of satellite communication protocols out there, and GPS is probably one of the most ubiquitous ones that a lot of modern technology relies on. So GPS isn’t just used for positioning on the ground, which is something that is like a tactical advantage to knock out. But also, there’s a lot of timing synchronization that GPS is used for. So jamming GPS could actually be an attack on the telecommunication infrastructure, because LTE base stations use GPS to essentially discipline their local oscillators and their clocks. So it might be more than just, like, a simple sort of location jamming that’s going on, and it could be a larger sort of attack against the infrastructure, including telecommunications. And, for example, even ATMs use GPS timing to timestamp transactions. Excellent. Rob, if I may just follow up on Dmitri’s question, can you say a little more about the kind of GPS jamming that we have observed, that you may have observed? Yeah. So just recently, HawkEye 360 published effectively some research on what they noticed. So HawkEye 360 is an RF surveillance company that pretty much has satellites up in space so they can listen to things that occur on the ground, and they’ve noticed and picked up quite a bit of interference around the GPS L1 band. So pretty much there are jammers on the ground, probably close to the border, or like the former border of where the conflict was, where Russian troops might have actually wound up jamming GPS to their advantage. So from the ground, jamming GPS for other things that are on the ground, so pretty much swapping out the signal coming from the satellites.
Thomas Rid:
Hmm. So, of all the activity that we’ve seen so far. And let’s think creatively about the kind of targeting activity that may come next. When does it get really interesting? What’s the most effective type of operation that we’ve seen so far? I’m curious what you would say, if anybody wants to jump in on this question.
Juan Andres Guerrero-Saade (JAG-S):
Well, effective towards what, I mean, and not to turn the question back against you, Thomas, but I think even the title of the space speaks to some confused expectations that we seem to have regarding what the potential role of cyber could be in a conflict. And the conversation tends to go right back to something like NotPetya, right? Where it’s the kind of attack that just cascaded everywhere, had this amazing amount of spillover. It was incredibly costly. And I think folks expected something sort of breathtaking that way. And its absence seems to be what causes folks to think, you know, well, where is the great cyber war that we were expecting? I think to some extent that expectation of sort of novelty and outsized effects is drowning out things like what Rob was just speaking about, where we see tactical wins, or at least attempts at sort of tactical effects, being undertaken in very specific settings, including mediums like the Viasat modems that got bricked. I mean, I think you’re right that had it not been something that spilled over into effects in Germany, we may not have heard about this at all. I mean, I had only heard about it in that context. And originally, of course, folks assumed, oh, this is some kind of play at increasing energy dependence and whatnot. I think that gives the attackers way more credit. In this particular case, I think they’re trying to get their tactical wins. And every once in a while, the interconnected nature of the internet just sort of slaps us in the face in ways that we hadn’t expected.
Thomas Rid:
Yeah, I mean, it’s also worth just pointing out what probably is obvious to most people here. And that is that the Ukrainian armed forces are currently obviously in an existential war, so they are most likely not going to reveal that they have become the victim of a successful attack against their C2 infrastructure. They would probably try to deal with it, but certainly not, or perhaps not, try to make that public, for obvious reasons. So that, of course, is another reason why, you know, I think you’re right, Juan, that we have very low visibility here. And of course, I think, I mean, for sure, like many here, I would agree that the expectations of the whole notion of cyber war are completely misguided in some contexts, and certainly here.
Dmitri Alperovitch:
Well, I want to plug your book, Thomas, that you wrote over 10 years ago, that cyber war will not take place. And I think the events of the last 10 days have certainly proven you right so far on that point. But I do want to sort of pivot the discussion a little bit towards what’s next. You know, I’ve been very public with a few predictions in the last couple of months. One of them was, of course, the invasion itself. But the other one was that in response to severe sanctions, which we’re now seeing, quite unprecedented, not even the sanctions themselves, but just the complete disconnecting of Russia from the global economy through, in many cases, voluntary measures by Western companies to pull out, to break contracts with Russia and so forth, the Russians were not going to take that lying down and are going to retaliate against the West, including in cyberspace. Of course, we have not yet seen anything significant on that front, but I do think that we’re in the sort of phony war stage of the conflict when it comes to Russia vis-à-vis the West, and particularly the cyber retaliation. They’re obviously quite busy right now prosecuting a war in Ukraine. I don’t think that they’re interested in further escalating the fight and having a cyber tit-for-tat with the West until they get Ukraine more under control. But I think as soon as they start accomplishing their military objectives on the ground in Ukraine, they may revert back to looking at the West. And how do they target us and put pressure on us, including trying to split the Europeans from the alliance that we’ve established to confront Russia? I expect that they might be targeting energy infrastructure in Europe. They might even target it in the US as well. They might go after financial infrastructure, sort of as direct retaliation for sanctions. But I’m curious what everyone else is thinking amongst this group of really august experts.
Thomas Rid:
Danny Moore had his hand up for a while, and then Scott.
Daniel Moore:
So there’s a couple of things I would expect, and we might not necessarily see them, but I think there’s the capability for them. One is there’s still a whole military tactical dimension that pairs nicely along with electronic warfare. I mean, if we think about the military equipment that’s in operation in Ukraine, a lot of it traces its roots to Russia or Russian technology. So there’s certainly the potential there for targeting. And they had enough time to do research and position what would work on the tactical level. But aside from that, more on the strategic side, I expect we may see what I can only call operational abominations, essentially operations that try to achieve some kind of effect or create noise. And that could be either against just some set of organizations or even an infrastructure target. And then it wildly either overshoots or undershoots its intended objectives. That would be probably the most consistent piece of behaviour that I would see from these threat actors, that are often technically highly complicated and successful, but then operationally incur some kind of failure at some point in their operational lifecycle. So the problem with this is that I’m actually less concerned about intentional targeting of foreign critical national infrastructure. But I certainly think that there’s a lot of potential for collateral as a result of the tempo picking up and operations not having their intended effects. So I have a lot of concern for what this could mean for both Ukraine and targets outside of Ukraine. And I actually think that the Viasat attack is a great example of this, because there was no real operational need for them to infect or impact targets outside of Ukraine, or at least Ukraine and its allies, especially if they controlled the patching cycle, where they could, through command and control, choose where they’re distributing their compromised patches.
They either don’t care at the operational level or are incapable of executing this successfully. There’s a lot of previous evidence of this from former operations, whether that’s the Ukrainian energy grid or even Petya. And I’m concerned about what that means for the continuation of the conflict. Thank you, Rob, for this. We had, who fits in best, Juan, Rob or John?
Dmitri Alperovitch:
I think we had Rob, then John, then Juan.
Robert Lee:
Right. Yeah. Just in terms of future activity, I think there’s, and I appreciate Daniel talking about kind of the electrical system side of it. We were talking casually about this, where if you impact GPS, I don’t think most normal folks would immediately understand the impact on an electric system. And you generally can’t run an electric system without the accurate timing of GPS. So there’s a lot of potential for collateral. But I do think people kind of get on either side of this, of either cyber is useless and it’s never going to be impactful or, oh my God, somebody sent a phishing email to the power company, we’re all going to die. It’s like both extremes of that tend to be pretty ridiculous. But when you’re looking into U.S. and NATO-aligned countries and we look at some of the targeting that we’ve seen on some of these companies, especially critical infrastructure, there are not truly many sites that are really fundamentally critical, and everything being critical infrastructure is not wrong. Everybody’s important, everyone’s a unique snowflake. But you’re talking about very critical sites, and we tend to be pretty fragile. And that’s where there are a couple of sites, I can think of literally a handful, that if you were to take down two or three of them, we can’t deploy troops in the South China Sea or we can’t actually export fuel out of the country. There’s just a very large focus on a couple of sites. And what we’ve seen is enough to be alarming, but without kind of getting to the extreme of it. What I’ll note is it’s unlikely we should expect to see attacks actually destroying infrastructure. Kind of what Dmitri was talking about at the beginning and the grey zone discussion. We would expect to see cyber as a tool of shaping behavior and saying, hey, please stay out of this conflict. So could we see a short-term disruption as a signal of, hey, we could do more? I think that’s very realistic.
Should we expect to see multiple portions of the electric system go down, with key transmission pieces of equipment getting destroyed and month-long outages? No, of course not. Not outside of a true exchange of conflict. But those small-time disruptions can have an oversized impact on the populace, and I’ll kind of sum it up here to say, you know, everyone freaks out about industrial attacks. And the reality is a lot of our infrastructure providers have put a large focus on stability, reliability, safety. And so of course these attacks are possible, and probably more so than people realize. But the idea that we’re all going to die off of an hour-long power outage is ridiculous. But you could really scale that out with misinformation and similar, to where a population of folks in any country could be very resistant to going further in any conflict, expecting that the art of the possible is now everything. Yeah. So, Rob, you made a great comment, especially about the scaling out by using other tactics that are sort of adjacent to CND, seen in a narrowly defined way, and I just want to briefly open our perspective.
Thomas Rid:
And just by observing that many of you will have seen the significant leak of names that the Ukrainian Pravda published, of Russian, mainly motorized rifle, unit names, tens of thousands, if not more than 100,000 names of individual Russian soldiers or personnel with full name, address, phone number, passport number, date of birth. It was a pretty extraordinary leak. And of course, the leak highlights this question: where does it come from? Was it a hack-and-leak? Was it a SIGINT collection and leak? Was it perhaps a leaker and then leaked, meaning did somebody volunteer this information? And I say this to highlight that many cyber operations, and there’s a long history of those, may not appear as cyber operations, because ultimately what we see of them is a leak. And leaks are obviously harder to attribute than actual breaches, because they don’t provide the same types of artifacts and IOCs and forensics. But maybe this is a good moment to, and I’ve seen Juan, John and JD with their hands up, but maybe this is a good moment to bring in Gabby Roncone and also Lee Foster. Gabby works with Ben on hunting, on investigating, if I’m not mistaken, mainly Russian operations and actors, and Lee has a unique perspective as somebody who is also covering the disinformation, IO, information operations side of the house. So to both of you, Gabby and Lee, what are you seeing that we haven’t touched on yet? And what are you expecting? Maybe Gabby first?
Gabby Roncone:
Hey, yeah, so I think Ben covered, when he spoke earlier, sort of what we’ve been seeing, but something I’d like to touch on is your question about sort of what we’re going to see next. And so going back to what we have been seeing, right, we’ve been seeing the variety of different wipers, the DDoS and the defacements. And I don’t know if this is betraying that I’m younger, but, you know, like when I see DDoS and defacement, I think that’s so 2010s, right? Like these, as I think JAG said, are not novel tactics that they’re using in order to shape this environment right now. And so kind of where I am sort of struggling, and I would sort of pose this question also to the group and people who are tuning in, is like, what is the threshold for the high-sophistication cyber attacks to be deployed? So if they do exist, and I’m sure that they do. I mean, even a couple of weeks ago, right, we saw, I think it was the UK NCSC, post a blog on Cyclops Blink, which is Sandworm’s newest VPNFilter malware, which is again pretty novel and interesting. And obviously, even though that doesn’t or may not have a direct connection to this conflict, it sort of implies that those tools are available and ready to be used and have gone through the development cycles needed to be deployed at various points. And so given that the Russian forces are sort of wearing thin and the Ukrainian forces are doing great right now, at least according to the messaging that I’m seeing, where do these elevated cyberattacks come into play? And I don’t really have an answer to that question, because I think I personally would have expected these more highly novel, highly destructive cyberattacks to be happening sort of now, but we haven’t seen that. So that’s sort of my take, and I’d definitely like to open it up to the group if that sort of sparks any thoughts.
Thomas Rid:
Fantastic. Let’s bring in Lee Foster, your former colleague, to see what he’s thinking. What are you thinking, Lee, about the IO/disinfo developments in this space? I know it’s extremely fast-moving, very chaotic, very hard to attribute, obviously, and to understand what is done by whom. So this is a tough question that I’m throwing at you here.
Robert Lee:
Yeah. Thanks, Thomas. You kind of hit it at a strategic level right on the head, right? To state the obvious, the information space right now around the conflict is a huge mess, and it’s going to take a long time to kind of untangle everything and get to attribution behind specific incidents. And that’s reflective, I think, just of the complexity of the information environment. I mean, if you think about it simply from a kind of state actor standpoint, you’ve got, you know, Russia needs to kind of now justify its actions. Domestically, it’s cracking down on its kind of domestic information space, which perhaps it wasn’t anticipating needing to do prior to the conflict. It’s trying to push messaging out to the Ukrainian populace, the Ukrainian military, to try and get them to not resist. And obviously, there’s a whole messaging dynamic targeting the rest of the world. And if we bring this around to the discussion of where does this go next, I can see attempts to try to weaken support for any united Western or global response to the invasion. Similar to what we’ve seen in many other contexts, right? Trying to undermine kind of the domestic political environment within those countries, whether it be in the US or elsewhere in Europe and so on, to try and disincentivize any kind of united front for that. We also know from prior to the invasion, the US government, European governments kind of announced this kind of Russian false flag plot to kind of justify an incursion. We now see, obviously, that that wasn’t kind of required in order for Putin to make this calculation. I think there’s an interesting research question there for somebody in terms of what was the knock-on effect of that early kind of exposure of that operation. But I don’t think the kind of motivation behind it is necessarily going away. Right. I think given the problems Russia is facing in the information space from this, I think that need to kind of provide a justification remains.
And so one thing I would anticipate here is, to what extent does Russia try to use incidents on the ground, you know, kind of violence in Ukraine, and repurpose kind of video and so on, incident reports, to post-fact justify the incursion. Yeah, that’s a fantastic point there. Also, the one thing that I’m just so stunned by, and I think must be true for many in this space here, is the amount of creativity that we see on the IO side, the memes and the artwork, even the creativity of what really looks like a form of active measure sometimes that is coming out of this conflict. And I’m phrasing it deliberately vaguely, because much of it doesn’t appear to be produced by any Ukrainian actor, but by supporters from the outside, and it’s just filtering into the conflict and shaping our views in ways that I think we’re not prepared to fully understand. I just caution that more broadly. Sorry. I was just going to say I’d caution that more broadly, right? There’s, you know, there’s a lot of external actors that are kind of picking up on the developments in Ukraine to further their own particular narratives and so on. And that aligns with things we see, kind of, you know, accusations from the QAnon community around how, you know, Russia is seeking to destroy US bioweapons labs in Ukraine. It’s an age-old kind of narrative that’s spun out about Ukraine. But there’s no evidence of kind of Russia pushing that, right. It’s coming from domestic groups elsewhere. Yeah. Great point. I still see hands up. But Olga Belogolova just joined as a speaker. We had to, this is a bit of a buggy app, it appears we had to first remove you as a speaker in order to be able to get you in. So Olga, did you want to come in on the disinfo, IO, or something else?
JD Work:
Yes. Yeah, that’s exactly it. You know, I think I wanted to talk a little bit about what I think has been really interesting here. A lot of us studying influence operations think a lot about the covert side of influence operations, deceptive manipulative campaigns, fake accounts, all types of things that we’ve seen before. But what’s interesting here in this particular conflict, that we’ve seen both from the Russian and Ukrainian side, is there’s a lot of overt influence. And I think that’s been sort of jarring for those that are watching, because they’re expecting something else. And what they’re seeing sort of from the very, very beginning is the use of overt channels, including state-controlled media outlets on the part of Russian threat actors, and in particular, using these channels to signal what exactly the Russian government is trying to do. And I think what’s interesting as well is a lot of us focus on foreign influence operations, but I think we forget that a lot of what Russia is trying to do is signal to its own domestic audiences, and in particular in this conflict, to justify actions ahead of the invasion, but also, you know, to continue to sort of delude people about what is actually happening on the ground. And I think in that particular piece, you know, watching what’s happening in terms of the closing of the information environment that’s continuing to happen over the last couple of days in Russia domestically is particularly concerning, including the closing and shutdown of certain, you know, the remaining independent media outlets like Ekho Moskvy and Novaya Gazeta. You know, it’s really concerning, because the Russian domestic population is increasingly becoming isolated in the information environment in this conflict, and so much of what the Russian government is interested in doing is targeting them, not us.
Thomas Rid:
Yeah, those are great points, and I just want to add, on a personal note, I’ve had a number of conversations with acquaintances and colleagues in Russia over the past few days, and it’s truly, truly, on a personal level, it’s really heartbreaking what’s happening inside Russia. So many people fleeing the country, and of course, all eyes are on Ukraine first and foremost, for obvious reasons. But the tragedies that we’ve seen playing out on sort of personal and family levels in Russia, you know, shouldn’t be underestimated here. Just on a human level, I felt it’s important to make that comment. John, and then.
Ben Read:
It’s interesting, this point about what’s happening in Russia. When I think back to the last couple of conflicts where Russia has done hacking, one of the things that is a perennial target is civil society, and that includes diaspora groups that are volunteering and bringing resources in, but also any of the homologues of the Ukrainian government working in NATO and U.S. governments are likely to be targeted. Some of that, surely, to create hack-and-leak branded products. But I think after what we’ve seen in the last few days in Russia, just the number of people who are leaving as well and the changing roles of civil society there, I have to assume that we’re going to see a lot more targeting of organizations in the U.S. and in Europe that do work with Russian colleagues and with Russian civil society. Similarly, a big thing that happened during the Syrian conflict was a lot of targeting of aid organizations and other people who were coordinating humanitarian aid and movement. And I think as we’re having these conversations about the bigger strategic things that are going on, it may be a while before we really understand the scope and scale of account compromises and malware operations that are targeting these different people spread out around the world, in order to create things that Russia thinks may really, in some sense, either for a domestic or international audience, enable them to change the realities or the perceptions of what is going on. Certainly, we saw that, thinking back to Syria, about things like the use of chemical weapons, you know, the sort of red lines. Russia had been, you know, observing certain atrocities by the Assad regime and helped them cover for it. And now that Russia itself may be responsible for some of those atrocities, I have to imagine something similar will happen here too.
Thomas Rid:
Hmm. Very sobering comment there, but of course very plausible at the same time, that we will see some more domestic targeting in Russia, of which obviously there’s been a lot already over the past decade, as we’ve seen in some of the, I remember just an anecdote, the famous Bitly leak that the GRU created because they forgot to set those accounts to private. That’s the one that had the Podesta link in there. It also contained a good amount of internal Russian political targets that were rather eyebrow-raising, shall we say, to those who have seen the data.
Ben Read:
Yeah. And remember, just to build on that, remember what we called the tainted leaks case that we investigated a good while ago, which was also discovered through a combination of things like shorteners, where Russia actually was hacking civil society in the U.S. and U.K. and elsewhere in order to get material that they would then modify and manipulate for a domestic audience to try to diminish the credibility of Navalny by suggesting that he was getting foreign funding. So I think more of that surely to come.
Thomas Rid:
Yeah, yeah, yeah. Planting of evidence is next, I suspect. JD. In that light, I would also say, particularly as the global de facto blockade begins to bite heavily on the elite, this is going to be incredibly important to sustain and control as internal tensions develop. We’ve already spoken about the domestic political impacts of high casualties that are being reported, and we don’t know the truth on the ground of these casualty figures, but it certainly looks bad for the Russian forces. Previously, in the 2014 period and associated years, there was extensive targeting of several of the opposition groups within Russia that were involved with Soldiers’ Mothers-type movements. These had been particularly prominent in the 1980s and have a very unique cultural resonance that was considered a serious domestic internal opposition threat. That same level of targeting of international conflict monitors, including folks like Bellingcat, has been previously documented. Interestingly enough, this brings up the other line, to go back to Gabby’s point, on what are the exclusive capabilities that have been developed in-house by these very high-tier teams? And then what are the capabilities being used for rapid capabilities generation or prompt effects, where the adversary knows they’re going to be burned and are using them effectively, deliberately, de novo because they’re not being valued very highly or held in reserve? And the extent to which the leverage of criminal groups, as we’ve seen in the Conti leaks, for example, really is a sobering moment, not least of which because in the weeks leading up to the invasion itself, we saw a series of targeting which had, let’s say, strategically ambiguous dual-use implications: the targeting of multiple ports, the targeting of oil and gas infrastructure by ransomware.
JD Work:
Again, there’s a strong criminal motivation factor in many of those targets, but the potential to leverage those targets, particularly the ill advised statements about Conti that they apparently tried to walk back. But as we see the group factionalized, as we see these dynamics play out. We also saw targeting of a U.S. defense industrial base player that provides truck transport logistics to the NATO forward deployed presence, which is itself an interesting moment because it’s not a terribly profitable business to be hitting. Again, all the pre-war estimates suggest a red line was the provision of lethal aid and then direct involvement in the conflict. Well, we have extensive lethal aid being provided. To what extent that red line has already been crossed worries me.
Thomas Rid:
I just would like to comment. For the record, the record meaning also that this sad event is not recorded because some of us messed up the settings on the back end. But the real challenge of moderating this event is actually the Signal group of the speakers here, because that’s where the content is just flying past me and I can’t pay attention. The thing that I owe: Gabby had her hand up. And also, I wanted to call on Ben Read, who is one of our speakers but hasn’t spoken yet. So Gabby and then Ben, you are also a team.
Gabby Roncone:
Hey. Yeah, so I just wanted to sort of jump off that point. One of the really interesting things that I found about what we’ve seen so far with Ukraine targeting, and that I think was briefly brought up before, I can’t remember by who, but one of the groups that we’ve been tracking, and we’ve been tracking them since I think January 2021, is a group that we track as UNC2589. I know everyone loves the numbers and can remember all of them. Trust me, I can’t always remember the right numbers too. So it’s OK. But UNC2589 is a group that, and we mentioned this in our recent blog on sort of what we expect for Russian cyber activity with this conflict, I think it was written by Ryan Holland and James Sadowski from Mandiant, but they are a group that has co-opted criminal tools actually to do espionage sort of across the board, but also, again, super low confidence, could potentially be related to some of the stuff that’s been going on, the destructive stuff in Ukraine. And so this is a huge shift because, you know, we’re used to seeing the Sandworms of the world, right, doing their thing in the destructive realm, the TEMP.Isotopes. And in this case, we have this group that is using pretty easily detected criminal malware that they can get from wherever they want and deploying that, at least in their early stages. And so again, like that’s sort of all I have. The mystery about this group continues to astound me, but their potential linkage with destructive attacks makes them noteworthy. And again, going back to the sophistication level, they’re right. They might not be Sandworm level and they might not be super sophisticated, but that doesn’t mean that they won’t have any impact. And so, yeah, definitely a group to keep an eye on and a shift in Russian actor TTPs that I am personally very, very interested in.
Thomas Rid:
So I have. Thank you, Gabby. Ben, would you like to jump in as well?
Ben Read:
Sure. So, I mean, you get some great analysis from her. The thing that I wanted to touch on, and I had children waking up, so I had to drop off, apologies if I missed somebody else covering this. But the thing I wanted to touch on is sort of one of the things, sort of my impression has been that the Russian, like the ideal Russian scenario, is that the West kind of stays out of this. This is an internal problem. This is one people, sort of that line. And so it’s just none of the concern of sort of NATO or things like that. So that I think to me explains some of it: the Russian government doesn’t want them to get involved. So there’s not a reason to do too much sort of operational preparation of the environment or sort of like pre-positioning of stuff. Obviously, that’s been going on for a long time, the stuff Rob touched on. But there’s good explanations for why there was not that much sort of that previously or sort of teed up. And as we all know, those kind of spectacular operations take a while to set up. But as was mentioned by JD, sort of like, has that red line been crossed? And I think the U.S. is obviously where I’m sitting, it’s where a lot of us are sitting, who aren’t up really, really late. But Europe is taking a very central role here in this and sort of rhetorically leading the way on a lot of this. So that’s really where I would be concerned, because that is a place that has historically shrugged a little bit more in reaction to Russian aggression. So will that change be met with a similar kind of counter escalation?
Thomas Rid:
Yeah, fascinating point you’re raising there. I do think a lot of people in Europe have come around to basically become a lot more hawkish on Russia. But also the question that you’re raising is, do they have the incident response, forensic investigation infrastructure in place in the private sector? You know, I’m excluding the U.K. here for a moment, that actually would allow them to deliver on those and actually detect what’s really going on and take action. Juan and then Dmitri, your hands are up.
Juan Andres Guerrero-Saade (JAG-S) :
So I mean, there have been so many great points, and I think we’ve been kind of swerving in a lot of different directions, but something that I heard JD bring up, and I’m really glad JD’s on the call. I think so many things have happened. Sorry, so many things have happened that it’s easy to get lost in what are just a series of absolutely amazing events that I hope we can all take good time to appreciate and do a postmortem on when it isn’t such a horrible conflict that we’re sort of watching unfold day to day, but one that I really don’t want to just brush under the rug is this change of our insights into Conti and TrickBot. I mean, ransomware has been this horrible plague on us, everyone in the West, over the past couple of years. And it’s, you know, it’s become a part of everyone’s, I mean, normal folks, people that don’t live by monitor light, are very well aware of ransomware and concerned about it, and it has sort of become this strange justification for the cybersecurity industry. And looking at it in the context of Russian operations, there was always this plausible deniability. There was this notion of sort of this cutout, this relationship where we thought, well, you know, to what extent is the Russian government involved? To what extent are they simply being allowed to operate without having any kind of concerns or difficulties from the government? Versus to what extent are they being coordinated by the Russian government? And with the Conti leaks, we have this fantastic bit of insight into how Conti was being in some ways tasked, at least partially tasked, by the FSB or by the Russian government. And I’m just wondering if we can finally kind of cross the Rubicon of just looking at at least a couple of these ransomware groups and treating them entirely as part of these sort of official Russian forces?
Can we essentially just take that bold step of no longer looking at them as somehow having a degree of separation from the Russian government?
Dmitri Alperovitch:
Well, I think that’s a really complicated one, because you have members of this group, as we’re now seeing, who are from non-Russian countries, Russian speaking but non-Russian. So Ukrainian members most likely had an effect on splitting Conti and outing all their members and internal chat communications. And that’s probably true of many members. We know that there are members from Kazakhstan, from Belarus and other places. So yes, individual members may be working, maybe even under control of certain members of the intelligence services, but I don’t think you can extend that to the whole group. And we can see now why. Let me just jump back for a second to the disinfo space, because it really needs to be said very explicitly. The Ukrainians are just absolutely kicking the Russians’ butt, not on the ground, but certainly in the information warfare space, the way that they’re able to leverage what they discover on the ground. It’s like cell phones of fallen soldiers or captured soldiers and then outing that very rapidly, sometimes within hours, both on social media and sometimes even in official channels, like the famous speech by the Ukrainian ambassador to the U.N., where he read the text messages between a fallen soldier from Russia and his mother. And obviously, we have seen in some cases, I’m not afraid to use the word, propaganda that the Ukrainians are putting out about their successes on the battlefield, particularly this famous fighter pilot that’s nicknamed the Ghost of Kiev that has single handedly at this point, I believe, shot down twenty one Russian planes. If he keeps going, he’ll single handedly destroy the entire Russian Air Force, if you believe the Ukrainian figures here. But in response to that, you are actually seeing the Russians get really concerned.
They are appreciating that they’re losing this information battle, and as a result, you’re seeing them actually admit directly that they’re doing targeting of the Ukrainian information warfare units through artillery and airstrikes, because they appreciate the damage that it is doing to them from a morale perspective, because a lot of this information is certainly seeping through to Russia on Telegram channels and the like. And obviously globally as well. But I wanted to go back to John, because John has an incredible amount of information, having dealt with people like dissidents and journalists who have worked in challenging environments. We may very well have people from Ukraine joining us right now tonight in this chat on Twitter Spaces. John, do you have any advice for people on how they should be thinking about secure comms if you’re on the ground in the zone of conflict right now?
John Scott Railton:
Yeah, don’t trust your life to somebody’s tweet about OPSEC. You know, it’s interesting. I was just, as you were, Dmitri, making this point about the information war and who’s winning, I saw like the first tweet published by Russia, the first video published by Russia that had footage of captured Ukrainian military vehicles. And I feel like Russia is almost certainly learning and watching what works for Ukraine and will mirror it. In general, for folks who are at very high risk, given the nature of this risk, it’s like impossible to give good advice quickly and glibly. And so instead, what we usually encourage people to do is to get in touch with somebody who has expertise. If you’re in touch with an organization that has IT staff, talk to them, have them reach out to somebody, et cetera, et cetera. What I remember from many conflicts before is there’s so much excitement in the early days, especially about like new, exotic, untested technologies. Everybody who has like some app that they’ve been thinking about for secure messaging is suddenly saying, man, we really need to push this into the conflict. And that’s almost always the wrong answer. And I look at this as something that may last for weeks and months, and people have to be around for a while. And for that to happen, they need advice systematically. So I can’t really give good advice that I’m confident with beyond the boring: use two factor authentication on everything. And the one reason why that’s really relevant right now is we saw Meta and others talking about Ghostwriter, focusing on taking over accounts of people in Ukraine and potentially using those accounts to push out disinformation. I think that particular threat is almost certainly going to continue and we’re going to see more like it. So account security is a big deal, but for the rest of it? Talk to an expert.
Thomas Rid:
Excellent question, Dmitri, on making this space helpful for people who would like to protect themselves, and thanks, John, for the response in that spirit. And I do have Danny and Lee on the list, but in that spirit, I would just like to throw up a question myself. And that is, if this conflict, which at this stage is still a possibility, to put it diplomatically, if this conflict ends up with a protracted, with an insurgency phase where you have a Ukrainian insurgency against some form of Russian occupation. Of course, we can’t speculate about how that may look like or not, but I think it’s not unlikely that this insurgency will be very special in the sense that it will be the first insurgency in the history of insurgencies, I know this is a big statement, but I think it’s true, certainly the first insurgency in the 21st century, that will be supported by two intelligence, or by multiple intelligence superpowers: the United States and other Five Eyes countries, especially the UK. That has never happened before. Because remember, the Five Eyes were busy being the counterinsurgents for the past 20 years, and they’re now in a position to put some of the lessons that they learned trying to go after militants to work, helping militants to protect themselves and to succeed against another well-equipped intelligence establishment. That I think is uncharted terrain and really quite sobering, but also fascinating to think about what the possibilities are there. So how could an insurgency be supported remotely, so to speak? Not just remotely, but obviously also remotely through some of the tools that we’ve been discussing tonight. That, I think, is a fascinating question that, of course, we can only speculate about right now, but it’s a fascinating one. Let me get back to Danny and Lee.
Daniel Moore:
So actually, my comment touches on what you’re asking, because as much as we want cyber to matter, and it does to some degree, I think we can all agree that the much more significant aspect here is the influence campaign waged on both sides, essentially the war over defining a compelling narrative. And this is one of those areas where it’s so surprising that Russia failed to show up. It’s embedded so deeply and for so long into their doctrine, and they invest quite a lot in trying to preemptively shape the political landscape that they want, in part to either shorten conflict or even avoid it altogether. And the fact that they were not able to do so well at the outset of the conflict here is huge. So as this devolves potentially into insurgency and counterinsurgency, it’s going to be incredibly important that this insurgency projects an image of success, of hitting targets, of exacting a toll, of again shaping the narrative in a way that Russia has no chance of eking out a victory in a protracted conflict. And this is something that certainly Western intelligence agencies and the Ukrainians themselves can do a lot to help prop up, both by continuing to record all of these things and share them and providing them avenues to do so, amplifying them wherever that’s possible and working to counter Russian narratives as well. And I think a lot of what we’ve seen, the expenditure of Western intelligence assets simply to call out the bluffs on some of the Russian narratives, is a good example of this, and I would like to see a continuation of those efforts. But in essence, as it has been so far, so it shall continue to be that cyber is going to play second fiddle to the influence side.
Thomas Rid:
So very helpful comment, actually, especially from you. I will add. Let’s bring in Lee. You had your hand up for a while, and then I’d love to open it up. I’m getting some direct messages from people in the audience. I’d love to open to a few audience questions as well. But first, Lee?
Lee Foster:
Yeah, I think my comment is actually a question that kind of threads into what you, Danny and Dmitri just talked about. Thomas, at the beginning of the talk, you kind of highlighted this question about what does this all mean for the future of cyber conflict? But I kind of extrapolate on that and talk about the info space in the way that Danny just did. Dmitri pointed out the huge successes Ukraine has had by the rapid release of information and so on. And I brought up earlier this evening kind of the Western intelligence community’s early exposure of a planned Russian false flag to justify the incursion. And one thing I do wonder about is to what extent what’s playing out here fundamentally changes the nature of how actors look at releasing information, based on the perceived successes that there have been in the conflict so far in terms of rapid release of information. But I leave that as kind of an open ended question for people to input on.
Thomas Rid:
Thank you, Lee. Before we open, Dmitri is doing a space tomorrow, so plug it.
Dmitri Alperovitch:
Yeah, thank you, Thomas. So same time tomorrow, eight o’clock, I’ll be doing a Twitter Space focused on the military dimensions of this conflict with two military experts on Russia’s military, in particular Michael Kofman and Rob Lee. Not the Rob Lee we have with us tonight, but the other Rob Lee, the Russian military expert. Like me, they both have been convinced for the last three months or so that Russia was going to invade. Unfortunately, we were all proven wrong, and we’ll talk about how the campaign is going from the Russian perspective, how the Ukrainian defense is holding up and what we can expect next on the kinetic level to complement the cyber discussion. So thanks for allowing me to plug it in, Thomas, of course.
Thomas Rid:
Pleasure. And I see this space, by the way, should be absolutely fantastic, the people that Dmitri invited. I mean, I personally can’t wait to listen in. Pyotr, you wanted to... Pyotr is a SAIS alumnus, and you can introduce yourself. You wanted to say something. Yes.
Pyotr:
Thank you very much, Thomas. Appreciate you inviting me up. It’s a great honor to be here. And Dmitri, I’ve listened to you a few times on Clubhouse, but it just never came to me to ask you a question. So a pleasure to engage with you as well. No, I just... Cybersecurity isn’t my main area of international relations. I mainly look at great power politics and grand strategy, but obviously with the international relations element and the transnationality of the way that things are going, I’m surprised by the lack of usage of cyber security, cyber attacks, thus far from the Russians, I must admit. And given the growing connections that they have with China, I’m just curious, if there were to be a potential campaign, if we want to call it like that, with China over Taiwan, what lessons could we take from this situation at the moment in terms of the build up that Russia has done, the usage of sort of Belarus and other pariah states to undertake sort of cybernetic attacks? How can we better prepare ourselves in the future for sort of these things and potentially maybe deter them? Because I think cyber security is something that lacks a coordinated, centralized framework. The UN, for example, where I do most of my work, is very behind the times in terms of, there isn’t a framework in place to help combat against cyber attacks and these sorts of things. So just, I know that’s a very sort of open ended question, but I’m just curious to have your takes on that and how we can sort of work on this going forward, because this is surely going to galvanize other countries with their interests elsewhere. But thanks a lot.
Thomas Rid:
Thank you for this question. I think Ben Read, you have your hand up.
Ben Read:
Sure. So I’m neither a China nor a Russia expert, so I don’t want to get too far down the rabbit hole on the comparison. But one thing where I think it’s not worth drawing too much is that, especially over the past five years or so, we’ve seen a much more centralized control over Chinese cyber capabilities, where they’re well coordinated. They have their talking points. They’re sort of coordinated both with each other and with national goals. So, because so much of this has been surprising in terms of the lack of coordination with cyber, I don’t think we should read too much into that being impossible. And especially given how closely China has centralized that command and how much political control it seems to be under, I think we would expect really the opposite with them, that they wouldn’t sort of do this. I mean, there’s leadership dynamics. There’s all kinds of complicating things, but I really don’t... I think this may be more sui generis, if you can say that, in terms of the lack of use of cyber versus what you might see, especially from China.
Thomas Rid:
Umm, thank you, Ben. Let me just... moderating on this app is actually not straightforward. And do we have another audience question? We just see requests, and one request just disappeared. Juan, you had your hand up as well.
Juan Andres Guerrero-Saade (JAG-S) :
Uh, yeah, so perhaps on the tail end of Ben’s point, I do think that there’s an element here that we should consider about the amount of preparation that did go into this on the cyber side of things. I mean, I think we’re talking about this as if there had been no preparation and there was no activity, where I think what we’re seeing is actually quite different, right? If we can see the Viasat hack as a credible case and something that was done by the Russians, presumably that in itself would have taken some groundwork. It would have taken some preparation. The sets of wipers that we’re seeing, these new tool kits that have been pulled out precisely for these operations in Ukraine, involve a certain amount of preparation and a certain amount of coordination, in that we’re not seeing them trip over other established Russian groups as far as we know.
Dmitri Alperovitch:
Yeah, although, Juan, this could be something that was sitting on the shelf, particularly the Viasat hack. It’s always useful to have updates that can break satellite modems that you can just pull off the shelf when ready. Sure.
Juan Andres Guerrero-Saade (JAG-S) :
No, I’m sure. I’m sure to some extent that, you know, it’s not like they just invented everything for this in particular. But to some extent, there’s enough coordination, enough preparation in all of this to not watch, let’s say, an APT28 get burned because one of these groups, one of these new groups that are involved in Ukraine, decided to fake or mess up a wiper somewhere. Like, there’s a certain amount of this that I think is in itself sort of noteworthy, in that the TTPs have changed. The techniques have changed precisely for this campaign, and something that I want to at least, you know, I feel bad, I feel uncomfortable giving the Russians credit under, you know, any of the current circumstances. But there is something to be said about how these new wipers are built, in that they avoid having anything to do with self spreading mechanisms. They’re not only not NotPetya, they’re not like Bad Rabbit. They’re not in any way really being used in a way that’s supposed to sort of maximize access and have potential spillover. And I wonder to what extent that is kind of a lessons learned from NotPetya, or an attempt not to inflame sort of external actors or external targets and victims in all of this, or if we just got lucky.
Thomas Rid:
So excellent points. I would add another point: anybody who is, by the way, doing one of these spaces, I mean, just brace yourself for like a massive flow of information in terms of private messages.
At the same time, it is not easy. Great comment from Joseph Cox. He is suggesting we should also mention the decentralised activity that is happening, the Anonymous declaring, quote unquote, cyber war on Russia. And of course, a similar observation, that decentralized activity is sort of probably more significant than centralized activity, is playing out on the influence and information operations side of the game here. We’ve now been going for a little more than 90 minutes, and I think it’s Saturday evening. Some people are getting tired. So I think we should probably think about bringing this space to a close. And this is my first. I’ve been deeply impressed by the quality of the conversation, by the quality of the audience here, especially. So thank you for joining. And of course, thanks especially to all the speakers tonight that made this possible on a Saturday evening, really much appreciated. And I think let’s do this again at some point. I like the informality of it all. Thank you for putting this together. It’s been pretty great. Thanks so much. Thanks. Thanks. I really appreciate this, Clubhouse. Thanks, Thomas. Appreciate it. Now, turns out you cannot talk at the same time. OK, guys, take care, right? Thanks again, folks, talk to you all soon. Yes, indeed.