Ukraine at D+19: Digging in, bringing up the guns, and recruiting hackers.
Mar 15, 2022

Some Russian forces are reported to have paused their advance in order to dig in. The Russophone cyber underworld is feeling patriotic tugs in different directions. A new wiper is discovered in Ukrainian networks. Russia may face default as early as tomorrow.

Ukraine at D+19: Digging in, bringing up the guns, and recruiting hackers.

The operations map maintained for the public by the British Ministry of Defence (MoD) shows more Russian airstrikes but continued sluggish progress of ground forces. The Telegraph's map shows fighting concentrated around Kyiv, Kharkiv, Donetsk, Mariupol, and Mykolaiv. There are reports that in some areas, notably around Kyiv, Russian forces have halted their advance and turned to constructing field fortifications. That is, they're now digging in, not moving forward.

CNN reports that a senior US Defense official told reporters at a background briefing yesterday that "almost all" of the Russian advances "remain stalled." For its part, TASS is authorized to disclose that the special military operation is proceeding well. Kremlin spokesman Dmitri Peskov said, "Russia has a sufficient potential for conducting the special military operation in Ukraine. The operation is proceeding in accordance with the original plan and will be completed on time and in full." In this Mr. Peskov echoed Defense Minister Shoigu's remarks of last week. But the head of the Russian National Guard did acknowledge, in a separate statement, that the operation was proceeding more slowly than anticipated, but only because the Ukrainians were using illegal tactics, and so Russian forces have been pulling their punches on humanitarian grounds: “This [delay] is only because the Nazis are hiding behind civilians, the elderly, women and children and set up firing positions at kindergartens, schools and residential buildings.”

(The Russian National Guard is not, as American readers might think, a military reserve, but rather an internal security force organized and equipped along military lines but separate from the Ministry of Defense. Although it was established only in 2016, the National Guard may be usefully viewed as a successor to the old Soviet MVD. The National Guard is charged with suppressing riots and maintaining public order. It would be expected to play a major role in pacifying conquered Ukrainian provinces.)

This morning the British MoD reported that "multiple demonstrations have taken place over several days in the Russian occupied cities of Kherson, Melitopol and Berdyansk." The demonstrations occurred as rumors surfaced of Russian plans to detach additional regions from Ukraine. "Reporting suggests that Russia may seek to stage a 'referendum' in Kherson in an attempt to legitimise the area as a 'breakaway republic' similar to Donetsk, Luhansk and Crimea. Further protests were reported in the city yesterday with Russian forces reportedly firing warning shots in an attempt to disperse peaceful protesters." And Russian actions suggest a motive for the abduction of Ukrainian mayors. "Russia has reportedly installed its own mayor in Melitopol following the alleged abduction of his predecessor on Friday 11 March. Subsequently, the Mayor of Dniprorudne has also reportedly been abducted by Russian forces. Russia is likely to make further attempts to subvert Ukrainian democracy as it attempts to consolidate political control of Ukraine."

The New York Times reports that recent talks had no results.

Biowar disinformation.

Late yesterday Britain's Ministry of Defence tweeted a warning of the likelihood of Russian false-flag provocations. "Russian accusations that Ukraine intends to use chemical and biological weapons continue," the MoD said. "We have seen no evidence to support these accusations." A false-flag operation might be under preparation. The MoD added, "Russia could possibly be planning to use chemical or biological weapons in a ‘false-flag’ operation. Such an operation could take the form of a faked attack, a staged ‘discovery’ of agents or munitions or fabricated evidence of alleged Ukrainian planning to use such weapons. A ‘false-flag’ attack would almost certainly be accompanied by extensive disinformation to complicate attribution." Some of the mendacious stagecraft, should it appear, may be designed to give retrospective justification to Russia's invasion of its neighbor: "Intelligence suggests Russia likely intended to use ‘false-flag’ operations to justify their initial invasion of Ukraine on 24 February."

Other false-flag operations alleged.

The Atlantic Council, citing the Kyiv Independent, says that a Russian aircraft may have fired into Belarus in an attempt to give the impression that Ukraine had attacked its neighbor. "Russian aircraft allegedly attacked Belarus village Kopani from the Ukrainian air space. Ukraine considers the attack to be a provocation to drag Belarus into Russia’s war in Ukraine," the Kyiv Independent tweeted. The paper also followed up its initial tweet with a caution: "Several Belarus media reported they found no confirmation of the strike." There are four plausible lines of speculation about these allegations: they report deliberate Russian provocation; they report a Russian accident; they reflect Ukrainian disinformation; or, finally, they represent misinformation spawned in the fog of war.

A new wiper is discovered in Ukrainian systems.

ESET researchers have found a new wiper they're calling "CaddyWiper," the third one Russian operators have used to hit Ukrainian targets during Russia's war against Ukraine. "This new malware erases user data and partition information from attached drives," ESET tweeted. "ESET telemetry shows that it was seen on a few dozen systems in a limited number of organizations." First observed yesterday morning at 0938 UTC (that's 1138 Kyiv time, or 0538 US Eastern Time), the malware seems to have been compiled the same day it was deployed. CaddyWiper has little in common with its two predecessors. As ESET put it, "CaddyWiper does not share any significant code similarity with #HermeticWiper, #IsaacWiper or any other malware known to us. The sample we analyzed was not digitally signed." It did share one tactic with HermeticWiper: deployment via Group Policy Object (GPO), which suggests to ESET that "the attackers had prior control of the target's network beforehand." The wiper's operators are apparently interested in maintaining persistence in the targets' networks. "Interestingly, CaddyWiper avoids destroying data on domain controllers. This is probably a way for the attackers to keep their access inside the organization while still disturbing operations." The Verge reports that the effect of the attack seems so far to have been small. One organization appears to have been affected, but the consequences of that attack (and the organization's identity) remain publicly unknown.
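The one delivery detail ESET gives for CaddyWiper, distribution through a Group Policy Object, is also one a defender can audit for. The script below is an added example, not ESET's or CERT-UA's code, and it assumes the layout Windows uses for Group Policy Preferences scheduled tasks (a `ScheduledTasks.xml` under `SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\ScheduledTasks\`). It flags task entries that look like a push deployment: an immediate task, run as SYSTEM, changed within the last few hours, or launching a binary from a network share or a user-writable directory. The XML it parses is a constructed sample, not a real policy.

```python
"""Audit a Group Policy Preferences ScheduledTasks.xml for entries that fit
a push-style payload deployment (immediate task, SYSTEM, recently changed,
binary launched from a share or a writable directory).

Added example; the file layout and heuristics are assumptions, and the
sample XML below is constructed, not taken from any real domain."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# GPP task element types; the Immediate* variants run on the next policy
# refresh instead of on a schedule, which is what a mass push wants.
IMMEDIATE_TAGS = {"ImmediateTask", "ImmediateTaskV2"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "system", "localsystem"}

# A UNC path, or any local path passing through a share-like or
# user-writable directory (assumed list, extend for your environment).
SUSPICIOUS_PATH = re.compile(
    r"^(\\\\|.*\\(sysvol|netlogon|temp|tmp|public|appdata|programdata)\\)",
    re.IGNORECASE,
)
PATH_TOKEN = re.compile(r'(?:\\\\[^\s"]+|[A-Za-z]:\\[^\s"]+)')


def _exec_commands(task: ET.Element) -> list[str]:
    """Collect '<Command> <Arguments>' strings from each Exec action."""
    cmds = []
    for ex in task.iter("Exec"):
        cmd = (ex.findtext("Command") or "").strip()
        args = (ex.findtext("Arguments") or "").strip()
        cmds.append(f"{cmd} {args}".strip())
    return cmds


def audit_scheduled_tasks_xml(xml_text: str, now: datetime,
                              window_hours: int = 24) -> list[dict]:
    """Return one finding per task entry that trips at least one heuristic."""
    root = ET.fromstring(xml_text)
    findings = []
    for task in root:                      # direct children: TaskV2, ImmediateTaskV2, ...
        props = task.find("Properties")
        if props is None:
            continue
        reasons = []
        if task.tag in IMMEDIATE_TAGS:
            reasons.append("immediate task (runs on next policy refresh)")
        if props.get("runAs", "").lower() in SYSTEM_ACCOUNTS:
            reasons.append("runs as SYSTEM")
        changed = task.get("changed")      # GPP stamps 'YYYY-MM-DD HH:MM:SS'
        if changed:
            ts = datetime.strptime(changed, "%Y-%m-%d %H:%M:%S")
            if now - ts <= timedelta(hours=window_hours):
                reasons.append(f"changed within {window_hours}h ({changed})")
        for cmd in _exec_commands(task):
            # Check the command and every path-looking token in its arguments.
            for token in PATH_TOKEN.findall(cmd):
                if SUSPICIOUS_PATH.match(token):
                    reasons.append(f"launches from suspicious path: {token}")
        if reasons:
            findings.append({"name": task.get("name"), "uid": task.get("uid"),
                             "reasons": reasons})
    return findings


# Constructed sample: one routine vendor task and one entry shaped like a
# push deployment. Names, GUIDs and hosts are placeholders.
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 name="Vendor agent check" changed="2021-11-02 14:00:00"
          uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" name="Vendor agent check" runAs="CORP\svc-backup">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>"C:\Program Files\Vendor\agent.exe"</Command><Arguments>--check</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 name="Update" changed="2022-03-14 09:10:00"
                   uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>cmd.exe</Command>
        <Arguments>/c \\corp.example\SYSVOL\corp.example\scripts\svc.exe</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""


def demo_findings(now: datetime = datetime(2022, 3, 14, 9, 38)) -> list[dict]:
    """Run the audit over the constructed sample at a chosen reference time."""
    return audit_scheduled_tasks_xml(SAMPLE_XML, now)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding["name"], finding["uid"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it against every `ScheduledTasks.xml` under SYSVOL (and the matching `Machine\Scripts\scripts.ini` startup-script files, which the same heuristics apply to) on a schedule, and alert on any new finding. A separate check worth pairing with it is the GPO's link scope: a policy linked everywhere except the Domain Controllers OU matches the "spare the DCs to keep access" pattern ESET describes.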

CERT-UA warns of bogus security warnings.

Ukraine's CERT has warned that emails misrepresenting themselves as government advice on improving security are in fact malware vectors, carrying Cobalt Strike and other malicious packages. BleepingComputer characterizes the emails as fake anti-virus updates.

Cyber criminals look for letters of marque from both sides (and some of them are looking like hacktivists).

Researchers at Aqua Security review the techniques, many involving commodity malware and cloud-native services, being used in the cyber phases of Russia's hybrid war against Ukraine.

Help Net Security reports that "financially motivated" (that is, criminal) cyber groups are choosing sides in Russia's war against Ukraine. In a rough-and-ready way, the criminals have tended to side with Russia (for whom many of them have historically served as privateers) and the hacktivists (like Anonymous) have tended to side with Ukraine. But this may be changing, as some Russophone gangs are expressing a willingness to hack Russian targets if there's a good prospect of making it pay. There also appear to be personal and ideological rifts in the underworld that are leading some gangs toward one side rather than the other. Thus privateering is converging with hacktivism. Accenture reports that this is something new:

"For the first time, in the more than 10 years that Accenture’s Cyber Threat Intelligence (ACTI) team has been tracking Dark web activity, we’re seeing previously coexisting, financially motivated threat actors divided along ideological factions. These actors, who previously acted opportunistically, with financial motivations and a global (minus CIS) outlook are now following a highly targeted attack pattern. Pro-Ukrainian actors are refusing to sell, buy, or collaborate with Russian-aligned actors (Exhibit 2) and are increasingly attempting to target Russian entities in support of Ukraine. However, pro-Russian actors are increasingly aligning with hacktivist-like activity targeting 'enemies of Russia,' especially Western entities due to their claims of Western warmongering. This change in targeting and motivation has had several far-reaching consequences for underground actors and the threat they pose."

Some of the more politically committed Russian gangs, CyberScoop reports, may turn their attentions to Western targets.

How's the mood in the Russian underworld? The Intercept looks through Conti's leaked chatter and finds that the hoods generally are patriotic supporters of Mr. Putin's war, but that they're sort of honked off that they can't buy Apple products now.

Despite no major Russian cyberattacks against Western targets, warnings continue to circulate.

US Senator Mark Warner (Democrat of Virginia) who chairs the Senate Intelligence Committee says he's surprised by Russia's apparent failure to mount cyberattacks against the US and other Western targets. TheHill quotes him as saying, “I am still relatively amazed that they have not really launched the level of maliciousness that their cyber arsenal includes.” 

Twenty-two US Senators have sent a letter to Homeland Security Secretary Mayorkas asking for a briefing on the Russian cyber threat. They want to know, specifically, what the Cybersecurity and Infrastructure Security Agency (CISA) is doing to protect the US against that threat, which specific US "entities or sectors" are likely to be targets, how Shields Up Technical Guidance is being disseminated, what the Department of Homeland Security is doing against Russian disinformation, and, finally, how CISA is coordinating with international partners.

Ukrainian cybersecurity firms and intelligence services mobilize against Russia.

POLITICO describes how Ukrainian cybersecurity firms have pivoted from defense to offense, deploying their capabilities against Russian targets. The account takes Hacken as representative of the trend, and describes the challenges of adjusting to the different set of norms that prevail in wartime.

Cyber units of Ukraine's intelligence services are said to have successfully infiltrated the Kalashnikov Concern, a major Russian defense company. "Over three terabytes of data has been downloaded for analysis, which included everything from technical specifications of their civilian and military weapons to all of their financial data including off-shore shell companies, bank accounts, and customers (both licit and illicit)," Inside Cyber Warfare reports, adding that technical details of weapons have been shared with Western intelligence agencies.

More on President Putin's purge of the FSB's Fifth Service.

The Center for European Policy Analysis (CEPA), a Washington-based "nonpartisan, nonprofit, public policy institution" with Atlanticist commitments, offers a brief and interesting account of the rise and fall of Colonel General Sergei Beseda, director of the FSB's Fifth Service, also formally known as the "Service of Operational Information and International Relations." The Times reported that Colonel General Beseda and his deputy, Anatoly Bolyukh, were placed under house arrest last week, nominally in connection with an investigation into corruption. Corruption, particularly in the form alleged, embezzlement of funds intended to support covert operations, isn't inherently implausible, but sources within the FSB have suggested that the real reason for the arrests is President Putin's dissatisfaction with the panglossian hogwash the Fifth Service fed him during the run-up to the invasion of Ukraine. The upshot of that intelligence was that the planned invasion would be a walkover, and that pro-Russian sentiment was widespread in Ukraine. As CEPA puts it, "The Fifth Service was responsible for providing Putin with intelligence on political developments in Ukraine on the eve of the invasion. And it looks like two weeks into the war, it finally dawned on Putin that he was completely misled. The department, fearful of his responses, seems to have told Putin what he wanted to hear."

Colonel General Beseda has been under sanction by the US Treasury Department for his role in "undermining Ukrainian sovereignty" since 2014, when Russia invaded and annexed Crimea from Ukraine. He's now apparently in even hotter water at home. His reputation is a dark one: he's a bureaucratic infighter who sought to embarrass the rival SVR foreign intelligence service with disinformation in the course of a squabble over equities. He was also present in Kyiv when the former, Russia-aligned regime massacred about a hundred protesters in February 2014. The target of the protests, President Viktor Yanukovych, fled to Russia shortly thereafter. Beseda, suspected of having played a role in the bloody but ultimately unsuccessful repression of the dissenters, was sanctioned by the European Union in July of 2014.

(A note on military ranks: a Russian Colonel General is roughly equivalent to a US or British Lieutenant General.)

A protester crashes a Russian news broadcast.

Bloomberg reports that Russian state-directed television news show Vremya ("Time"), broadcast by First Channel, was briefly disrupted by a young woman, subsequently identified as Marina Ovsyannikova, an editor with the station, who walked behind a newsreader holding a sign that said, in English, "NO WAR," followed by the message, in Russian, "Stop the war. Don't believe propaganda. They're lying to you." She spoke a few sentences (including "Stop the war"). The newsreader, First Channel veteran Yekaterina Andreyeva, spoke louder in an attempt to drown out Ms Ovsyannikova, and then the program cut, quickly, to a generic scene of a hospital. The New York Times has video of the protest.

First Channel told TASS "An incident took place with an extraneous woman in shot. An internal check is being carried out." The gesture of dissent was brief but remarkable. Ms Ovsyannikova was taken into custody by police and will probably be charged with "an administrative violation for 'discrediting' Russia’s armed forces."

A Meduza editor tweeted a link to a video Ms Ovsyannikova posted shortly before her protest. The Telegraph's translation of her remarks runs as follows: "Unfortunately in recent years I worked on Channel One, making Kremlin propaganda and I am now very ashamed of this. I'm ashamed that I allowed lies to be spoken from the TV screen. I'm ashamed I allowed Russian people to be zombified. We were silent in 2014 when this was all just beginning. We didn't go to protests when the Kremlin poisoned Navalny. We just silently observed this anti-human regime. And now the whole world has turned away from us."

Ukrainian President Zelenskyy praised Ms Ovsyannikova's protest in a televised address to the Russian people. He urged Russians not to let their country become “a very large North Korea." He also had a word for Russian soldiers in the field, saying that Ukraine could monitor their communications and was well aware of the misgivings they had over Russia's war. “You will not take anything from Ukraine. You will take lives,” the New York Times quoted him as saying. “But your life will also be taken.” Any Russian soldiers who surrendered were promised that they'd be treated with dignity. “Choose,” President Zelenskyy concluded.

Winning the influence war.

With due allowances for the natural sympathy Ukraine has attracted, and the inevitable biases that accompany such sympathy, Ukraine does seem to have decisively outmaneuvered Russia in the influence theater. POLITICO outlines ten techniques that have helped Kyiv gain mindshare at Moscow's expense:

  • Prebunking, to get ahead of the Russian disinformation narratives.
  • "Highlighting heroism," putting out stories of extraordinary Ukrainian resistance and endurance.
  • Emphasizing narratives favorable to the Ukrainian cause.
  • Glorifying martyrs of the Ukrainian resistance.
  • Presenting Zelenskyy as a "man of the people."
  • "Amplifying civilian harm," that is, ensuring that evidence of atrocities and indiscriminate targeting of noncombatants was reported and repeated in many channels.
  • Emphasizing civilian resistance.
  • "Encouraging others to jump on your bandwagon" by calling for volunteers and other support, and offering ways for sympathizers to make gestures of assistance.
  • "Humanizing your side," with, for example, images of soldiers and civilians sheltering with or cradling their pets.
  • Mockery, ridiculing the enemy's poor preparation and confusion.

Russia may be forced into default tomorrow.

An interest payment totaling $117 million (£90 million) on a bond is due to City funds on Wednesday. The payment is legally required to be made in dollars, but it seems likely that the Russian debtor will offer payment in rubles, now severely devalued. Should payment be offered in rubles, the Telegraph reports that fund managers are expected to refuse it, as would be their right. That would probably push Russia into default, accelerating the already rapid flight of capital from the country. Since Russia's invasion of Ukraine the ruble has dropped from about 75 to the dollar to a current value of 130 to the dollar, that is, less than one cent. Russian finance minister Anton Siluanov has said his country has the funds to meet its obligations, and that a hostile West is freezing central bank and government foreign currency accounts in order to engineer "an artificial default." Artificial or not, default seems increasingly likely.

Offered without (much) further comment.

Elon Musk has challenged President Putin to single combat. "I hereby challenge Владимир Путин [Vladimir Putin] to single combat[.] Stakes are Україна [Ukraine.]" He repeated his challenge in a subsequent tweet, "Вы согласны на этот бой?" or, "Do you agree to this challenge?" Cyrillic and Russian in the originals. But how will Mr. Putin get the message? We hear Twitter's blocked where he lives, poor guy.