The British Ministry of Defence, whose most recent situation map depicts Russian withdrawal from territory it had taken in the north of Ukraine, reports continued Russian airstrikes and artillery fire against cities in the eastern and southern regions. "Progressing offensive operations in eastern Ukraine is the main focus of Russian military forces," the MoD's situation report awkwardly put it this morning. That doesn't mean, as various trolls in the MoD's Twitter comment thread have been barking, that the Russian army is making progress, but rather that its pivot toward the Donbas continues. "Russian artillery and air strikes continue along the Donbas line of control." Note that artillery and air don't involve forces in contact; these attacks are delivered from a distance. The strikes are intended as persuasion through terror, and not as direct support of infantry or armored operations. "Russian strikes against infrastructure targets within the Ukrainian interior are likely intended to degrade the ability of the Ukrainian military to resupply and increase pressure on the Ukrainian government. Despite refocussing forces and logistics capabilities to support operations in the Donbas, Russian forces are likely to continue facing morale issues and shortages of supplies and personnel."
The US Department of Defense concurs. The Washington Post reports that the Pentagon's assessment is that Russian forces have completely left the environs of Kyiv and Chernihiv.
US says it neutralized a major GRU botnet.
The US Department of Justice announced late yesterday that the command-and-control functionality of Cyclops Blink, a major GRU-run botnet afflicting WatchGuard firewalls and ASUS routers, had been taken down. The Department described the court-ordered act of lawfare as follows:
"The Justice Department today announced a court-authorized operation, conducted in March 2022, to disrupt a two-tiered global botnet of thousands of infected network hardware devices under the control of a threat actor known to security researchers as Sandworm, which the U.S. government has previously attributed to the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (the GRU). The operation copied and removed malware from vulnerable internet-connected firewall devices that Sandworm used for command and control (C2) of the underlying botnet. Although the operation did not involve access to the Sandworm malware on the thousands of underlying victim devices worldwide, referred to as “bots,” the disabling of the C2 mechanism severed those bots from the Sandworm C2 devices’ control."
Cyclops Blink had been publicly in British-American crosshairs since February 23rd, when the NCSC, CISA, the FBI, and NSA issued a joint advisory describing the malicious campaign. WatchGuard published remediations that same day, and ASUS followed suit shortly thereafter.
The New York Times points out that the takedown was pre-emptive: Cyclops Blink had only been staged and, as far as is known, never actually used. It could have been employed in a range of operations, from simple surveillance to destructive attacks. “Fortunately, we were able to disrupt this botnet before it could be used,” US Attorney General Garland said.
Meta disrupts Russian and Belarusian influence operations.
The Washington Post reported this morning that Facebook's corporate parent Meta had disrupted influence networks operated on behalf of the Russian and Belarusian governments:
"The social media giant disclosed the campaigns in a 27-page report, including efforts to falsely report Ukrainian users as breaking the rules and efforts to hack into the accounts of Ukrainian military personnel.
"'We continue to see operations from Belarus and Russia-linked actors target platforms across the Internet,' Facebook Head of Security Policy Nathaniel Gleicher said during a call with reporters. 'We know that determined adversaries like this will keep trying to come back.'
"Facebook, which last year changed its name to Meta, said it has been fighting efforts by Russian authorities to promote propaganda about the war, including false claims about Ukrainian military aggression in the region or blaming Western nations’ complicity in the war. The company said it gave fact-checkers in the region more resources and launched a special operations center with Russian and Ukrainian speakers to monitor war-related issues on the platform."
The Belarusian activity Facebook shut down included work by Ghostwriter. The company's Quarterly Adversarial Threat Report details the Russian and Belarusian operations and the steps Meta took against them. The report says, in part, "Government-linked actors from Russia and Belarus engaged in cyber espionage and covert influence operations online. This activity included interest in the Ukrainian telecom industry; both global and Ukrainian defense and energy sectors; tech platforms; and journalists and activists in Ukraine, Russia, and abroad."
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.