The UK's Ministry of Defence sees Russia's withdrawal from northern Ukraine as simply preparation for an intensified push into the Donbas. "Fighting in eastern Ukraine will intensify over the next two to three weeks as Russia continues to refocus its efforts there," this morning's situation report said. This in any case is where the artillery is falling. "Russian attacks remain focused on Ukrainian positions near Donetsk and Luhansk with further fighting around Kherson and Mykolaiv and a renewed push towards Kramatorsk." And Belarus is no longer serving as a staging area; it's not geographically suitable for upcoming planned operations. "Russian forces continue to withdraw from Belarus in order to redeploy in support of operations in eastern Ukraine."
GRU deploys a new version of Industroyer against a Ukrainian energy company.
Sandworm, also known as Voodoo Bear, and in the org charts Unit 74455 of Russia's GRU, has deployed CaddyWiper destructive malware and an Industroyer variant being called, simply, "Industroyer2." ESET tweeted the results of its findings early this morning, and provided additional details in a report also published today. "ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company. The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks. The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems. We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine. We assess with high confidence that the APT group Sandworm is responsible for this new attack."
The incident seems, at first look, an attempted repetition of the 2016 Russian cyberattacks against the Ukrainian grid that ESET mentioned in its report. CERT-UA offered a further description of the attack. It intended to use Industroyer2 against "high-voltage electrical substations" in a fashion tailored to the individual substations. CaddyWiper was used against Windows systems (including automated workstations), and other "destructive scripts" (OrcShred, SoloShred, and AwfulShred) were deployed against Linux systems.
CISA warns of vulnerability GRU exploited in firewall appliances.
The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday added eight vulnerabilities to its Known Exploited Vulnerabilities Catalog. Among them was the high severity privilege escalation flaw (CVE-2022-23176) in WatchGuard firewall appliances the GRU had exploited to build up its Cyclops Blink botnet, disrupted last week by the US FBI. BleepingComputer quotes WatchGuard on the effects of exploitation: "WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access." The company issued its own warning at the end of February. WatchGuard's mitigation advice may be found here.
Anonymous-affiliated actor NB65 counts coup against Roscosmos.
The Telegraph reports that Network Battalion 65 (NB65) has posted images it claims show that it succeeded in compromising servers at the Russian space agency Roscosmos. Roscosmos boss Dmitry Rogozin, lately much given to incandescent verbal sputtering in a westward direction, downplayed the effects of the attack and called NB65 a bunch of "scammers and petty swindlers." That's as may be, but it appears that NB65 did obtain some access to Roscosmos networks, and that the hacktivist or hacktivists deployed some of Conti's ransomware code therein.
Anonymous releases data taken from Russian enterprises in #OpRussia.
Hack Read says that Anonymous has hit three more Russian enterprises: Aerogas (oil and gas production services), Forest (logging), and Petrovsky Fort (office space). The collective leaked roughly 437,500 emails belonging to the companies. Petrovsky Fort lost about 300,000 emails (about 244 GB), Aerogas lost 145 GB (including 100,000 emails), and Forest lost 37.7 GB worth of information, including 375,000 emails. Petrovsky Fort and Aerogas are state-owned. The material has been posted to the familiar Distributed Denial of Secrets site.
The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.