
Input Needed: Cyber Aspects of Ukraine

October 29, 2014

A couple of months ago I teased many of you by promising a synopsis of a presentation on the cyber aspects of Ukraine.  That will come.

I would like to get your input, however.  What cyber aspects did you see?

Some friends of mine are implying there was cyber play in February 2014 and I saw a little, but I saw little cyber play leading up to or as part of the Crimea operation.  I saw zero cyber play as part of the initial Luhansk and Donetsk operations and zero as part of the Donbass campaign. Lately I have seen a little cyber play, as far as Ukraine is involved, but nothing remotely resembling a concentrated, devastating campaign.  Harassment, yes, in line with Harassment and Interdiction of field artillery from Russia, but that’s about it.

Ukraine crisis proves cyber conflict is a reality of modern warfare.  I don’t see any “proof” in this article.  The author makes the mistake of confusing information operations with cyber.

Why hasn’t Russia unleashed a cyber attack on Ukraine?

Ukraine PM’s office hit by cyber attack linked to Russia  This “attack” does not appear to be a large one.

The most extreme report was this, but I did not see corroborating reports:

The mobile phone network and internet connections were severely hampered, government websites were overwhelmed with “denial of service” attacks, social networks were corrupted, and some of Ukraine’s phone and internet cables were cut by pro-Russian forces.


The only part I saw that might remotely be construed as cyber is social media and online news sites, where cyber is merely a medium, not a domain.  Some say the “cyber domain” was a knee-jerk reaction and is not warranted.

Now some are saying that all future hybrid wars will include cyber.  “All” is one of those words I truly attempt to not use.  In this case perhaps most hybrid wars, but certainly not all.

What say you?  What ‘cyber play’ did you see during many of the Ukraine stages?  What did I miss?

German Typhoons Intercept 7 Russian AF Combat Planes over Baltic Sea in one Day

October 29, 2014

Sorties of combat aircraft send a message.  They send a message of provocation, a reminder that the potential of these actions leading to a confrontation can quickly accelerate into war.

Yesterday’s headline “German Typhoons have intercepted 7 Russian Air Force combat planes over the Baltic Sea today” states that there has been a recent increase in provocative actions and numbers by Russia’s Air Force, resulting in increasing launches of the Quick Reaction Alert from NATO aircraft.  Increasing tensions, increasing angst that Russia is not in control of its own momentum.

Russia clearly understands this dangerous game.  Russian diplomats are speaking more provocatively, refusing to back down.  Their language feels like words leading to hostile actions.  Once again, this information war may lead to conventional actions.

Russian actions are not limited to the air, however. “Estonia: Russian border incidents signal new divide” indicates increased air incursions resulted in the Russian ambassador to Estonia being summoned, which means a diplomatic chewing out.  A warning of sorts. Stop it. The incidents do not stop there, however.

• Russian military aircraft have buzzed NATO territory over the Baltic Sea and the airspace of Norway, Canada and Alaska, prompting intercepts by those countries’ air forces.

• Sweden on Friday called off a week-long search for a suspected Russian submarine it said sent out a distress signal Oct. 17 from Swedish waters before disappearing. Russia denied any of its ships were in distress or in the Swedish archipelago. Sweden is not a member of NATO but agreed in September to perform exercises with the alliance and to call on its help in emergencies.

• Russia seized Estonian intelligence official Eston Kohver on Sept. 5 and is holding him in Moscow. Estonia says Russia took Kohver in a cross-border raid while he waited to meet with an informant in the southeastern town of Miikse. Moscow says he was detained in Russia.

• Russia reopened criminal cases against 1,500 Lithuanians who refused to sign up for compulsory service in the Soviet military in 1990 and 1991. At the time, the Soviet Union was in a state of collapse, and Lithuania had declared its independence. Lithuania refuses to hand the people over, warning them to avoid non-EU and non-NATO countries.

• Latvian media reported the Russian Embassy in Riga was recruiting ethnic Russians to fight with pro-Russian separatists in eastern Ukraine. Russia dismissed the allegations.

Russia is clearly flexing their muscles, sending a message.  Their intended message is probably “We are Russia, we are free to do things, so back off”.

One Surface to Air missile, however, would change everything.  This is a truly dangerous game.  So stop it, Russia.

DoD declassifies its long-awaited joint doctrine for cyberspace operations

October 29, 2014

Monday – 10/27/2014, 10:00am EDT

By Jared Serbu

As the Federation of American Scientists first pointed out earlier this week, the Defense Department has just posted an unclassified version of its joint military doctrine for cyberspace operations.

The document — Joint Publication 3-12 — was first issued in March 2013, but it was marked as secret. The new unclassified version doesn’t give any indication of what had to be scrubbed in order to make the publication safe for public viewing, but in general, it’s clear the department is trying to consolidate all of its thinking on cyberspace operations into one cohesive document. As the Government Accountability Office noted in 2011, cyber doctrine until recently has been scattered across 16 different joint pubs and dozens of other service-specific documents.

Much of the content in the unclassified version won’t be surprising to anyone who’s been watching the evolution of the Pentagon’s cyber policy over the last three years, and we won’t attempt to summarize all 70 pages here, but a few items of note:

  • The doctrine reiterates the U.S. government’s consistent position that the Department of Homeland Security has the lead for defending civilian agency and private sector networks — but not always. It asserts that a Presidential directive or unspecified “standing authorities” could allow DoD’s missions to “take primacy over, and subsume the standing missions of other departments or agencies.”
  • DoD cyber officials usually describe the military’s day-to-day defensive cyber mission in terms that suggest it’s mostly made up of passive countermeasures that are designed to defend its own networks from adversaries. But the doctrine makes clear that certain rules of engagement allow DoD to attack the attacker as part of that defensive mission, “and may rise to the level of use of force.”
  • Not surprisingly, the unclassified version includes comparatively little discussion about offensive cyber operations. But it strains to remind future commanders that the fact that they’re working in cyberspace doesn’t obviate the need to abide by the Law of War and other foreign treaty obligations. Cyber attacks by the U.S. military can only be directed at military targets, defined as “those objects whose total or partial destruction, capture, or neutralization offers a direct and concrete military advantage.”

Overall, the publication makes a serious effort to translate cyberspace into the military’s familiar doctrinal lexicon, describes it in the same terms that generals think about when they’re pondering the six joint functions of warfare in the physical world, and paints the clearest picture that’s been publicly released to date as to how DoD plans to command and control its cyber forces.

But it also acknowledges the complexity of the military’s newest domain, with all the overlapping authorities, capabilities and interests that go along with it.

Continued at

Sophisticated Chinese cyber-espionage operation unveiled

October 29, 2014

The Axiom group is believed to have targeted US agencies and companies, says cyber security coalition

A coalition of cyber security companies said Tuesday that a Chinese cyber-espionage syndicate is responsible for planting malicious software (malware) on computers owned by Western government agencies, private companies and human rights groups over the past six years, including the high-profile 2010 Aurora attack on Google.

The Axiom hacking group is believed to have ties to the Chinese government and be the most sophisticated cyber-espionage operation emanating from China, the coalition, which includes tech giants Microsoft and Cisco, said in a report.

“This is a great example of the capabilities of a well-funded adversary,” said Morgan Marquis-Boire, a senior researcher at the University of Toronto’s Citizen Lab, who worked at Google during the Aurora attack. “You see what is clearly a very professional group of people who are changing their tools, using sophisticated attacks, and being highly successful against a range of targets.”

The report comes as Secretary of State John Kerry and President Barack Obama prepare for successive visits to China over the next fortnight. It is expected they will broach the burgeoning cyber conflict between the U.S. and China. In recent years, the Obama Administration has made a point of calling out China on its alleged cyber spying, which includes the theft of U.S. trade secrets as well as a crackdown on political dissidents and journalists within the country, with Axiom playing a role.

Continued at

Vladimir Putin Employs An Army Of Skilled Hackers, Report Finds

October 28, 2014

No, really?  Putin employs an army of skilled hackers?

Russia has had hackers since the late 1990s.  I know this because some reporters are digging through old Moonlight Maze archives and asking me questions.  Darn, I didn’t know I could talk about much of Moonlight Maze, but apparently almost everything I know is unclassified now.  Funny, it all used to be Top Secret, multiple codeword way back then.  15 years ago…

But, according to the Huffington Post, here, hackers are being used to spy on Eastern European governments, NATO and the country of Georgia.

The most commonly used technique is spearphishing.  C’mon guy.  They send you an email, you ignore it…

The report comes after investigators in the United States have attributed a string of recent cyberattacks against America’s major retailers and banks to hackers in Russia. Security experts have said Russian cybercriminals were likely behind last year’s Target hack, which exposed credit card data belonging to 40 million customers, although they have not said the hackers were working directly for the Russian government.

Popular Russia Listserv Said To Be Increasingly Taking The View From Moscow

October 28, 2014

Johnson’s Russia List, hosted at George Washington University, is considered by many to be a great source of information about Russia.  According to Buzzfeed, however, the listserv is growing more pro-Russian, creating distrust in some.

Johnson’s Russia List began in 1996 and was for a time the only important Russia-focused listserv for people who worked in Russia-related matters. A New York Times profile from 1997 describes its founder David Johnson as an “obsessive Russia-watcher” who “began his list during the blustery, tense period before last year’s Russian presidential elections. His was a self-proclaimed E-mail crusade against the mainstream press, particularly The New York Times, which he thought was ‘demonizing the Yeltsin opposition.’” The piece adds that “Mr. Johnson’s left-leaning political agenda is what rankles and lures his readers. He gives priority placement to people like Fred Weir of The Hindustan Times, a Canadian journalist whose coverage of Mr. Yeltsin’s Communist opponents was far less critical than that of most foreign journalists.”

The list has been accused of including too much “Russian propaganda”, causing journalists and diplomats, alike, to cease their subscriptions.

To sign up for the list, send your email address to and request addition to Johnson’s Russia List.  Johnson’s Russia List is also on Facebook at

Are there other unbiased sources of information for Russia?

FireEye Releases Report on Cyber Espionage Group With Possible Ties to Russian Government

October 28, 2014

FireEye Research, Analysis Exposes Long-Standing Operations by APT28 Targeting Government, Military, and Security Groups of Interest to Russia

MILPITAS, CA–(Marketwired – Oct 28, 2014) – FireEye, Inc. (NASDAQ: FEYE), the leader in stopping today’s advanced cyber attacks, today released a comprehensive intelligence report that assesses that an advanced persistent threat (APT) group may be sponsored by the Russian government.

The report — APT28: A Window into Russia’s Cyber Espionage Operations? — details the work of a team of skilled Russian developers and operators, designated by FireEye as APT28, that has been interested in collecting information from defense and geopolitical intelligence targets including the Republic of Georgia, Eastern European governments and militaries, and European security organizations, all areas of particular interest to the Russian government.

“Despite rumors of the Russian government’s alleged involvement in high-profile government and military cyber attacks, there has been little hard evidence of any link to cyber espionage,” said Dan McWhorter, FireEye VP of Threat Intelligence. “FireEye’s latest advanced persistent threat report sheds light on cyber espionage operations that we assess to be most likely sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks.”

This FireEye report offers details that likely link APT28 — a threat group whose malware is already fairly well-known in the cybersecurity community — with a government sponsor based in Moscow, exposing long-standing, focused operations that indicate government backing.

Unlike the China-based threat actors tracked by FireEye, APT28 does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government. Specifically, FireEye found that since at least 2007, APT28 has been targeting insider information related to governments, militaries, and security organizations that would likely benefit the Russian government.

The report includes malware samples compiled by FireEye that indicate that the developers are Russian language speakers who are operating during business hours consistent with the time zone of Russia’s major cities, including Moscow and St. Petersburg.

FireEye experts also found that APT28 has systematically evolved its malware since 2007, using flexible and lasting platforms indicative of plans for long-term use and sophisticated coding practices that suggest an interest in complicating reverse engineering efforts.

In addition to the report, FireEye is releasing indicators that can be downloaded at

The full report, including examples of APT28 targeted attacks and malware indicators, can be accessed at

About FireEye, Inc.

FireEye has invented a purpose-built, virtual machine-based security platform that provides real-time threat protection to enterprises and governments worldwide against the next generation of cyber attacks. These highly sophisticated cyber attacks easily circumvent traditional signature-based defenses, such as next-generation firewalls, IPS, anti-virus, and gateways. The FireEye Threat Prevention Platform provides real-time, dynamic threat protection without the use of signatures to protect an organization across the primary threat vectors and across the different stages of an attack life cycle. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence, to identify and block cyber attacks in real time. FireEye has over 2,500 customers across 65 countries, including over 150 of the Fortune 500.

© 2014 FireEye, Inc. All rights reserved. FireEye is a registered trademark or trademark of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

Originally published at
