Leaked US secret NATO-Ukraine war docs likely altered, say experts

UPDATE: As the Pentagon investigates the leak of classified war documents on social media, security pros remain skeptical that the versions of the documents circulating online are genuine and say they are likely part of a Russian disinformation campaign.

“Russia has tried to undermine confidence in the Ukrainian military with disinformation delivered through a variety of schemes,” said John Hultquist, head of Mandiant Intelligence Analysis at Google Cloud.  

On Friday, the Pentagon said it is investigating a reported "security breach" involving reportedly classified war documents. The documents allegedly reveal US and NATO support for Ukraine. The New York Times first reported the incident on Thursday. Citing military experts, the Times reported some of the documents appear to have been selectively altered.

In an update to this report, added Monday, April 10, SC Media heard back on inquiries made to the Department of Defense. The agency said the leaked Russia-Ukraine war documents case had been referred to the Department of Justice, which opened a criminal investigation.

Pentagon Deputy Press Secretary Sabrina Singh said the DOD continues to review and assess the validity of the photographed documents that are circulating on social media sites and that appear to contain sensitive and highly classified material.

“An interagency effort has been stood up, focused on assessing the impact these photographed documents could have on U.S. national security and on our allies and partners,” Singh said. “Over the weekend, U.S. officials have engaged with allies and partners and have informed relevant congressional committees of jurisdiction about the disclosure.”   

The N.Y. Times reported Sunday that some of the most sensitive material in the documents posted online is barely 40 days old and contains maps of Ukrainian air defenses and a deep dive into South Korea’s secret plans to deliver 330,000 rounds of much-needed ammunition in time for Ukraine’s spring counteroffensive.

Versions of documents can't be trusted

Mandiant's Hultquist said agents within Russia regularly leak realistic but fake documents. Hultquist said that, on several occasions, they have planted fabricated disinformation embedded in real leaked data.

Data points under scrutiny in the document, dated March 1, include details of Ukrainian combat brigades, training assistance by the US and NATO, and casualty estimates. According to reports, versions of the document being widely circulated selectively alter casualty data to exaggerate Ukrainian casualties and minimize those of Russian troops.

“In all cases, the goal is to launder their disinformation through careless intermediaries,” said Hultquist. “We are very fortunate that this leak has received such a skeptical reception.” 

Meanwhile the Pentagon confirmed it is investigating who may have been behind the leak of the documents, which appeared on Twitter and on Telegram.

On Friday, Pentagon Deputy Press Secretary Singh said in a statement that “we are aware of the reports of social media posts, and the department is reviewing the matter.”

Military analysts have been reported as saying that the documents may have been modified in certain parts from their original contents, in essence overstating American estimates of Ukrainian war dead while underplaying the estimates of Russian soldiers killed.

Based in Ukraine, David Balaban, owner of Privacy-PC and an SC Media contributor, said that the "top-secret war documents" have all the hallmarks of a Russian misinformation campaign. From his unique perspective, Balaban said local (Ukraine) reaction to the documents is that the leak is part of a "misinformation campaign deployed by Russian intelligence agencies, and it has distinct signs of psychological warfare."

He added, "some facts in the local papers do reflect the actual situation on the ground, that’s data available from open sources, derived from statistical analysis of known military supplies as well as the predicted scenarios of operational and tactical moves of the Ukrainian armed forces."

He said credible details in versions of the leaked report he has seen are likely combined with factual inconsistencies.

"The number of casualties on both sides of the conflict is badly distorted in Russia’s favor, which suggests that one of the likely goals of this move is to give Ukrainians and the civilized world a false sense of doom and imminent defeat," he wrote in an email interview.

Russia's goal, he suspects, is to slow down military support from the West and sabotage the announced Ukrainian counteroffensive.

Mykhailo Podolyak, adviser to the Head of Office of the President of Ukraine, commented on the leak via a tweet on Friday stating: “Since the collapse of the USSR, Russian intelligence has degraded to such an extent that the only way to wash away the "Salisbury adventures", "three-day plans" and other failures is Photoshop and "virtual pseudo-leaks." Moscow is desperately trying to disrupt the counteroffensive. But the Russians will see the real plans on the battlefield. Soon.”

Podolyak also emphasized that this story is indisputable evidence of an information game. “If you have a stable channel for obtaining intelligence data from the Pentagon, you won’t ruin it for the sake of single-day information hype.”

Leaks are consistent with Russia’s cyber war on Ukraine

Chuck Everette, Field CISO at Virsec, added that Russia has been conducting cyber operations against Ukraine since before the invasion even started. Everette said Russia has run extensive phishing campaigns targeting Ukraine and NATO countries to further its objectives during the war in Ukraine. These activities include cyber espionage and pre-positioning starting in January 2022 and continuing into destructive cyberattacks throughout the conflict.

“We have seen extensive use of malicious attacks such as Caddywiper, Nearmiss, Skyfall, and Dharma during the conflict,” said Everette. “It has been observed that during the first four months of the invasion more destructive cyberattacks have been used than in the previous eight years.”

Everette added that the three main goals of the Russian cyberattacks have been to splinter international support to Ukraine, weaken the Ukrainian government, and maintain support in Russia for ongoing war efforts. In the case of the leaked intelligence reports posted on Twitter, Everette said this is in line with the three main goals of Russia in the cyber war.

Craig Burland, chief information security officer at Inversion6, added that leaks regarding the affairs of the Russian military carry layers of intrigue, especially as the war in Ukraine has dragged on and Russian cyber ops have proved ineffective. 

Burland posed the following questions: Are these documents forgeries to spin a new narrative about Russian capabilities? Are they actual leaks from inside the Pentagon? Is there another Snowden-like insider threat lurking? 

“Rest assured the U.S. government’s cybersecurity professionals have been scouring systems for the last two days trying to figure that out,” said Burland. “I expect that all-nighters will continue for those teams until evidence is found proving or disproving what actually happened.” 

(This article was updated on 4/10 at 1pm ET to include additional comments from the Department of Defense.)
