False flag operations and cyberattacks: prelude to Russian invasion of Ukraine

KYIV -- As world leaders continue to warn Russia to de-escalate tensions with Ukraine, the Kremlin is setting up flag operations, waging cyberattacks, and spreading disinformation as part of a campaign to prepare the groundwork for a potential invasion.

"All the evidence points to Russia being behind the cyberattack," the Ukrainian Digital Transformation Ministry said in a statement Sunday (January 16).

"Moscow is continuing to wage a hybrid war."

The purpose of the attack, said the ministry, "is not only to intimidate society. But to also destabilise ... Ukraine, halting the work of the public sector and crushing Ukrainians' trust in the authorities".

Tensions are at an all-time high between Ukraine and Russia, which Kyiv accuses of having massed 100,000 troops on its border ahead of a possible invasion.

In turn, Ukrainian reservists are preparing for war. The civilian volunteers, who have ballooned to about 100,000 members, complement Ukraine's army, which totals 215,000 soldiers.

'False flags' and disinformation

Russia has put in place saboteurs trained in explosives to carry out a "false-flag" operation to create a pretext to invade Ukraine, US officials alleged Friday.

White House spokesperson Jen Psaki said US intelligence believed Russia could begin the operations "several weeks" before a military invasion, which could start between mid-January and mid-February.

"We have information that indicates Russia has already prepositioned a group of operatives to conduct a false-flag operation in eastern Ukraine," she told reporters.

"The operatives are trained in urban warfare and in using explosives to carry out acts of sabotage against Russia's own proxy forces."

A day earlier, US National Security Advisor Jake Sullivan said that Russia was "laying the groundwork to have the option of fabricating a pretext for an invasion".

Referring to the cyberattack, Psaki said the United States was "concerned" but stopped short of blaming Russia.

However, she said, Russia has ramped up a disinformation campaign on social media, including posts that accuse Ukraine of violating rights and the West of provoking tensions.

"Our information also indicates that Russian influence actors are already starting to fabricate Ukrainian provocations in state and social media to justify a Russian intervention and sow divisions in Ukraine," she said.

Russian-language justifications for Moscow's narratives on Ukraine on social media have jumped by 200% in December to almost 3,500 posts per day, Psaki said.

Sullivan, in his briefing to reporters, said Russia had used similar tactics in 2014 when it seized Crimea and backed an ongoing insurgency in eastern Ukraine.

'Serious' standoff

Even before Friday's assault on key Ukrainian government websites, European foreign ministers had warned that cyberattacks could precede, or accompany, a military incursion that Russia may be planning.

The standoff with Russia "is serious, more serious than anything we've seen in recent years", Austrian Foreign Minister Alexander Schallenberg told reporters at a meeting of the bloc's top diplomats in Brest, France.

"Some say the cyberattack could be the prelude for other activities, military activities," he said.

"This is exactly the kind of thing that we have warned of and that we are afraid of," said Swedish Foreign Minister Ann Linde.

"If there are attacks against Ukraine, we will be very harsh and very strong and robust in our response," she added.

The European Union (EU) meanwhile is moving to help Ukraine counter the cyberattack, EU foreign policy chief Josep Borrell said.

"We are mobilising all our resources to help Ukraine deal with this type of cyberattack," he said, announcing an urgent meeting of the EU's political and security committee and saying that the EU's rapid response cyber unit was also being activated.

NATO support for Ukraine

Kyiv and its Western partners are working on a broad "package to contain Russia" that would include "painful" new sanctions and moves to ramp up defence co-operation with the West, Ukrainian Foreign Minister Dmytro Kuleba said Sunday.

"If [Russian President Vladimir] Putin wants to know why neighbours are seeking to join NATO, he only needs to look in the mirror," he said in remarks released by the Foreign Ministry.

NATO on Monday inked a deal to bolster its cyber support for Ukraine.

NATO Secretary General Jens Stoltenberg said Friday that experts from NATO and its members were already on the ground, working with Ukraine to tackle the latest cyberattack.

He said the new agreement would involve "enhanced cyber co-operation, including Ukrainian access to NATO's malware information sharing platform".

"Under this renewed agreement, we will deepen our collaboration with Ukraine to support them in modernising their information technology and communications services, while identifying areas where training may be required for their personnel," Ludwig Decamps, the head of the NATO Communications and Information Agency, said on Monday.

"With NATO's support we plan to further introduce modern information technologies and services into the command and control system of the Armed Forces of Ukraine," said Ukrainian Ambassador to NATO Natalia Galibarenko.

Russian denial

The Kremlin insists there is no evidence Russia was behind the cyberattack.

"We have nothing to do with it," Putin's spokesman, Dmitry Peskov, told CNN.

"Ukrainians are blaming everything on Russia, even their bad weather in their country," he said in English.

Kyiv late Friday said it had uncovered the first indications that Russian security services could have been behind the cyberattack.

Ukraine's SBU security service said the attacks, in the early hours of Friday, had hit 70 government websites.

The website of the Foreign Ministry for a time displayed a message in Ukrainian, Russian and Polish that read: "Be afraid, and expect the worst."

Within hours of the breach, the security service said access to most affected sites had been restored and that the fallout was minimal.

Microsoft warning

But Microsoft warned Sunday that the cyberattack could prove destructive and affect more organisations than initially feared.

The US software giant said it was continuing to analyse the malware and warned it could render government digital infrastructure inoperable.

"The malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom," Microsoft said in a blog post.

The number of affected organisations could be larger than initially thought, it warned.

But Rick Holland, chief information security officer at San Francisco-based Digital Shadows, said this kind of attack was part of the Russian playbook.

"Whether Russia encourages other actors or directs cyber operations themselves, Russia seeks to disrupt government and private institutions of their geopolitical opponents."

"Recovery depends on each entity, but Ukraine has a long history of responding to and recovering from sabotage attacks from Russia," said John Bambenek of US cybersecurity firm Netenrich.