
More Details Emerge: REvil Gang Arrestee Tied to 2021 Colonial Pipeline Attack; Ukrainian Data Wiping Attack a False Flag Operation

Currently, coverage of the conflict in Eastern Europe is saturating the mainstream news outlets. As usual, we are trying to sort out the signal from the noise. We have been on the lookout for open source intelligence at the convergence of cyberwar activity, technological disruption, security and resilience, and risk awareness (which also differentiates it from the coverage of traditional media outlets).

A month ago, we provided an analysis of two incidents in the Ukrainian conflict that occurred on the same day (Friday, January 14th): the Russian Federal Security Service (FSB) takedown of the REvil ransomware gang and a major cyberattack on Ukrainian government websites. At the time, these events felt neither coincidental nor unrelated.

The following is an update on both events as tensions rise in Eastern Europe. Only time will tell whether they are confirmed pieces of the larger information war waged by Putin. In the meantime, it is best to track them in real time or check in for signals in the weeks ahead.

REvil Gang Arrestee Tied to Colonial Pipeline Hack – as well as Darkside’s Kaseya and JBS Foods Cyberattacks (all in 2021)

“…the REvil Gang arrest (and offering up the individual connected to cyberattacks in the U.S.) is possibly all a false flag.”

As we first reported, Russian authorities included (in their press release about the arrest of the REvil gang) specific details of a request, and of material evidence, provided for the arrest by U.S. authorities. Overall, follow-up reports of the arrest suggest a growing sentiment that the Russian authorities were out to maximize the appeasement value to the U.S. of arresting the notorious and well-known ransomware gang – with diminishing returns over time.

A former US Cyber Command officer, Josh Lospinoso, told ZDNet that Russia is likely throwing REvil under the bus, taking the group down in order to claim they are taking this onslaught of cyber-physical critical infrastructure attacks seriously. “Leveraging cyber operations is a textbook Russian strategy during geopolitical negotiations — whether that takes the form of launching offensive campaigns or playing the ‘good guy’ like we’re seeing here — as it gives the country plausible deniability and levels the playing field with more economically and militaristic powerful countries,” Lospinoso said.

So too was the current U.S. administration trying to optimize the arrest as a win for the White House. Soon after the arrest, The Record reported that “a senior Biden administration official said ‘we understand that one of the individuals who was arrested today was responsible for the attack against Colonial Pipeline last spring’.” Last year, the FBI attributed the Colonial Pipeline incident to a separate Russian hacker group known as DarkSide. It is not unheard of that the REvil gang individual “worked for one organization before leaving for another or worked for both simultaneously.” (1)

Today, a month out from the arrests – and seemingly at the brink of a ground war in Europe – the current implications of the arrest include the following:

  • For reasons of traditional diplomacy, throwing the REvil gang (and the individual attributed to attacks on U.S. companies and infrastructure) under the bus would A) soften the U.S. stance on Russia’s growing military operations near Ukraine during the January meetings in Geneva between Russia and the U.S., and B) “decouple” American interests in the region from Ukrainian interests by way of law enforcement activity and progress on the international cybercriminal front. In other words, continued success and progress on the cybercriminal front would be more important to the U.S. than the issues surrounding Ukraine. Much to the chagrin of the Russians, neither has proven true.
  • Not mutually exclusive from the implications above, the REvil gang arrest (and offering up the individual connected to cyberattacks in the U.S.) is possibly all a false flag. A scenario: the Russians gave up the REvil gang while still planning to lean on non-state actors within Russia for plausibly deniable cyberwar operations against Ukraine and/or information war efforts which enable a ‘small footprint’ invasion of Ukraine.

What Next?

  • While an invasion of Ukraine and a ground war are a clear threat, the probability of more cyber activity is very high. Information war efforts that are clearly related to Ukraine can be analyzed in real time and also provide material for long-term research analysis. We will only know how this arrest ‘maps’ to a larger cyberwar ecosystem (and to the amassing of troops at the Ukrainian border) if the REvil gang, their networks, and their online presence(s) bubble up on the radar in the weeks ahead.
  • REvil gang members arrested on the 14th of January are slated for release on March 13th. For now, we think it provides a differentiated OSINT analysis to expressly track this gang and its movements or announcements in the press for the next few weeks.

Ukrainian Data Wiping Attack Considered False Flag Operation

“…an attempt to provoke and distort reality…”

We provided the following analysis in the lead-up to what is now attributed as the WhisperGate ransomware attack:

CISA Insights Bulletin Urges U.S. Preparation for Data Wiping Attacks

What’s Really Behind WhisperGate Attacks Against Ukraine?

Ok. Now bear with us: we have tracked down a report of a formal attribution for the attack. But the notion of a ‘false flag’ becomes so convoluted here that it kind of boggles the mind.

In a nutshell: the Russians are now trying to hang a ‘false flag’ attribution on the January 14th data wiping cyberattack in Ukraine. A detailed breakdown of the attribution is found here. The top-level details are:

  • All of the [details of the attribution of the attack] have led Ukraine’s State Service for Communications and Information Protection (CIP) and the Ukrainian government to believe that all of this is somehow a false flag operation meant to blame a “fake” pro-Ukrainian group for an attack on their own government, rather than the common assessment that Russian threat actors are behind the attack.
  • “The deliberate use of the WhisperKill malware on January 13-14, 2022, which is morphologically similar to the WhiteBlackCrypt malware and manipulatively associated with Ukraine’s Special Services of the Armed Forces (SSO), is an attempt to provoke and distort reality in order to accuse Ukraine of attacks on January 13-14, 2022,” CIP officials said today.

The Russians simply do not have a pollyanna enough working definition of the ‘American psyche’ to think that the U.S. IC would fall for this cyber false flag operation. Reports are that Putin is remarkably disparaging and dismissive of the Ukrainian President, so maybe a similar assessment of the Ukrainian intelligence community and cyber resources is fueling this feeble-minded false flag attempt. If so, this incident does not contribute to an assessment of Putin as a rational actor – and reflects a clouding of the strategic mind brought on by Putin’s hubris, arrogance, and dismissiveness of the resolve and resources of the Ukrainians – and the Americans.

What Next?

  • This false flag operation attribution will only prove to be a direct piece of the Ukrainian conflict puzzle as more is revealed through Putin’s actions, Russian military maneuvers, and state and non-state cyber activities in the days and weeks ahead. The question right now is: did WhisperGate put something in the ‘gate’ that enables the launch of a larger cyber offensive move?
  • As expected, we are seeing signs of other threats. A recent headline: Ukraine dismantles social media bot farm spreading “panic”.

In the case of both cyber incidents, the perspective offered by OODA Loop contributor Emilio Iasiello in a recent post applies here: “What is clear is that 2022 is setting up to be a year where state cyber operations will continue, with governments content to provide a token denial of their involvement. Depending on their outcomes, geographic hot spot areas will likely signal the next evolution of state use of offensive cyber operations, which could potentially set a new normal. If this happens, expect the aperture for unchecked cyber malfeasance to further widen and the hopes for cyber norms to be that much harder to achieve.”

In the days, months and years ahead, we will probably be able to port this research and analysis of the Ukrainian gray zone conflict over to cyber activities in the China/Taiwan gray zone. OODA Loop contributor Emilio Iasiello jumpstarts our efforts in his recent post: Will China Replicate Russia’s Cyber Offensives in a Taiwan Reunification?

Further Resources:

https://oodaloop.com/archive/2021/12/22/c-suite-guide-to-improving-your-cybersecurity-posture-before-russia-invades-ukraine/


About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.