Ukraine at D+291: Cyberespionage and long-range strike.
N2K, Dec 12, 2022

Ukraine demonstrates an enhanced long-range strike capability. The Cloud Atlas APT shows an increased interest in Russia's war.

The city of Bakhmut has largely been reduced to burned-out rubble by Russian assaults, the Guardian reports, citing Ukrainian President Zelenskyy. The military purpose of the assault is difficult to discern, unless the Russian intention is simply to bleed the Ukrainian army, at whatever cost in Russian blood, on the old attrition principle of sacrificing your own to wear down a smaller enemy force. In any case Bakhmut, militarily meaningless but a Russian prestige objective, now seems a dead city.

Ukrainian sources report, according to the BBC, a Ukrainian strike against a Wagner Group headquarters in Luhansk. In the south, a HIMARS strike also hit buildings in Melitopol that the Wagner Group was using as barracks. The Ukrainian government claimed, the Telegraph reports, that Russian forces sustained some two hundred killed or wounded in that attack.

Russia's strategic goals articulated.

Early this morning the UK's Ministry of Defence (MoD) reviewed recent expressions of Russian strategy and assessed the likelihood of that strategy's success. "On 8 December 2022, Russian presidential spokesman Dimitry Peskov rearticulated the main goals of the ‘special military operation’. He said that one of Russia’s main objectives was the ‘protection’ of residents of the Donbas and south-eastern Ukraine but claimed there was still much work to be done regarding ‘liberation’ of those territories. Peskov’s comments suggest that Russia’s current minimum political objectives of the war remain unchanged. Russia is likely still aiming to extend control over all of Donetsk, Luhansk, Zaporizhzhia, and Kherson Oblasts. Russian military planners likely still aim to prioritise advancing deeper into Donetsk Oblast. However, Russia’s strategy is currently unlikely to achieve its objectives: it is highly unlikely that the Russian military is currently able to generate an effective striking force capable of retaking these areas. Russian ground forces are unlikely to make operationally significant advances within the next several months."

Paying for Russia's war.

The UK's MoD on Sunday offered a report on Russia's military budget. "On 5 December 2022, President Putin signed the law on Russia's Federal Budget. Draft budgets have stated over 9 trillion rubles (US $143bn) will be allocated across defence, security and law enforcement in 2023. This is a significant increase compared to prior years and will represent over 30 per cent of Russia's entire budget. The budget approved by Putin is likely over-optimistic in its expectation of revenue and spending in 2023. Therefore, other parts of Russia's budget are likely to come under increasing pressure to support the costs of the war."

Russia's growing dependence on Iranian supplies.

Saturday's situation report from the UK's MoD continued its appraisal of the implications of Russian dependence on Iranian munitions. "Iran has become one of Russia's top military backers since Russia invaded Ukraine. Iran’s support to the Russian military is likely to grow in the coming months: Russia is attempting to obtain more weapons, including hundreds of ballistic missiles. In return Russia is highly likely offering Iran an unprecedented level of military and technical support that is transforming their defence relationship. Russia has highly likely expended a large proportion of its stock of its own SS-26 Iskander short range ballistic missiles, which carry a 500kg warhead up to 500km. If Russia succeeds in bringing a large number of Iranian ballistic missiles into service, it will likely use them to continue and expand its campaign of strikes against Ukraine’s critical national infrastructure."

The Institute for the Study of War speculates, "The increased pace of Russian drone attacks may indicate that Russian forces accumulated more drones over the three-week period of not using them or that Russia has recently received or expects soon to receive a new shipment of drones from Iran."

The British government has warned that Russia is offering to supply Iran with advanced weapons in exchange for Iranian weapons, notably Shahed drones. According to the Telegraph, the weapons on offer include air defense systems and combat aircraft. Prominent among the combat aircraft is said to be a consignment of twenty-four Su-35 fighters originally intended for export to Egypt but since canceled by Cairo. The US sees Russia as moving into full military cooperation with Iran. The Federal News Network quotes White House National Security Council spokesman John Kirby as saying that the US Intelligence Community has concluded that Russia was offering Iran “an unprecedented level of military and technical support that is transforming their relationship into a full-fledged defense partnership.”

Mirage News, an Australian service that has generally amplified Moscow's talking points, reports the Russian response to the US and UK descriptions of close cooperation between Russia and Iran. Vasily Nebenzya, Russia's permanent representative to the United Nations, dismissed reports of Russo-Iranian military cooperation as “the West’s unfounded allegations.” Mr. Nebenzya said, “the Russian military-industrial complex is capable of coping with any tasks, and we do not need anyone’s help.”

Mr. Nebenzya said that US aid to Ukraine exceeded any aid given to a belligerent by its allies in recorded history, evidently forgetting US Lend-Lease to the USSR (Russia's predecessor state) during the Great Patriotic War. “Military support in this scale has not been provided to any state in history. More than the military budgets of most NATO states has been spent in less than a year on arming Ukraine," Mr. Nebenzya said.

Ukraine's ability to strike targets inside Russia.

Over the weekend Ukrainian HIMARS rockets struck Russian barracks in occupied Melitopol, the southern city believed to be the next principal Ukrainian objective. Melitopol sits astride Russian lines of communication to Crimea.

The Russian news service Kommersant reported that Mr. Nebenzya also warned, at the UN, that the US would be held to legal account for its support of Ukraine. "Russia 'carefully records all such criminal actions of the United States and its allies. They will have specific legal consequences for all those involved,' Mr. Nebenzya promised." He alleged that “US military personnel on the ground are participating in satellite and intelligence assistance, loading accurate coordinates to the guidance software, and monitoring and adjusting the effectiveness of the missile systems.”

The Times of London reports that Washington has given Kyiv at least tacit assent for deep strikes against military targets inside Russia itself (not that Ukraine, as a sovereign state defending itself against an aggressor, needs permission). In any case, the US has reportedly concluded that Russia's will and ability to escalate the conflict have abated to the point of no longer being a matter of serious concern.

New Cloud Atlas activity reported.

Both Check Point Research and Positive Technologies report renewed activity by Cloud Atlas, an APT of uncertain provenance that's also known as "Inception." Check Point summarizes:

"Cloud Atlas (or Inception) is a cyber-espionage group. Since its discovery in 2014, they have launched multiple, highly targeted attacks on critical infrastructure across geographical zones and political conflicts. The group’s tactics, techniques and procedures (TTPs) have remained relatively static over the years. However, since the rapid escalation of the conflict between Russia and Ukraine in 2021 and especially after the outbreak of war in February 2022, the scope of the group’s activities has narrowed significantly, with a clear focus on Russia, Belarus and conflicted areas in Ukraine and Moldova. Some evidence discovered while monitoring the group’s latest activities indicates that the group carried out a few successful intrusions and managed to gain full access to some of the targeted environments."

Positive Technologies (a Russian security firm) reports that Cloud Atlas has since 2019 concentrated on Russia, Belarus, Azerbaijan, Turkey, and Slovenia, an unusual target list. The group's goals have been "espionage and theft of confidential information." Positive Technologies says, "The group typically uses phishing emails with malicious attachments as the initial vector for their attacks. In the third quarter of 2022, during our investigation we identified a phishing campaign targeting employees of Russian government agencies. The attackers used targeted mailing based on the professional field of the recipients, even though we found no publicly available information about them." Like Check Point, Positive Technologies notes that the group's tactics, techniques, and procedures, and the tools it uses, haven't changed much since the group was identified in 2014.

There's a general consensus that Cloud Atlas is engaged in cyber espionage, and has been for almost a decade, but who they're working for and what strategic interests they serve remain unclear. Neither Check Point nor Positive Technologies (nor Kaspersky, for that matter, which first identified the group) offers any attribution. In 2016 Kaspersky, writing in Virus Bulletin, reported, very tentatively, that there were circumstantial signs of Chinese activity behind Cloud Atlas. "During the investigation, many researchers were running the various samples found in the wild in an effort to solicit a second‑stage binary from the actors. In multiple instances, an implant was served up to researcher machines that did not fit the typical Cloud Atlas framework. This implant showed characteristics of malware traditionally considered Chinese and used a command-and-control domain that was inactive at the time. The belief is that the actors recognized researcher systems in their logs and instead of serving the normal second-stage binary, they instead provided a 'fake', unrelated piece of malware to cause confusion." But this was far from dispositive. It could equally well be evidence of code borrowing or of a false-flag operation.

DomainTools took up the question in February of 2021, and their researchers also threw up their hands. "Based on the observed activities, lures, and likely geographic targeting, DomainTools assesses with high confidence that the campaigns in question form part of unspecified espionage operations. While further speculation on particular attribution is possible, insufficient technical evidence exists that would allow DomainTools to attribute this activity to any distinct entity or country."

So whoever they are, and whatever interests they serve, Cloud Atlas is actively collecting against targets related to Russia's war against Ukraine.

Europe looks to the cybersecurity of its power grid.

The Wall Street Journal reports that kinetic attacks against Ukraine's power grid have motivated European authorities to look to the cybersecurity of their own grid. Ukraine has disconnected its grid from Russia's and connected it to Europe's. While there's concern about that new exposure and about managing an expanded attack surface, the EU also seems concerned about a shortage of qualified cybersecurity operators who could be employed in safeguarding its grid.

International support for Ukrainian cyber defense.

The Hill describes the scope of US Cyber Command hunt-forward operations: US teams have conducted thirty-five operations while deployed to eighteen countries, including Croatia, Estonia, Lithuania, Montenegro, North Macedonia, and Ukraine. The UK and other NATO members have also rendered cyber assistance to Ukraine and to Eastern European countries at risk of Russian cyberattack.

Assistance is also arriving in Ukraine from the private sector. AFR reports that Canberra-based security firm Internet 2.0 has signed a memorandum of understanding with Ukraine's Ministry of Digital Transformation to provide cybersecurity training to Ukrainian veterans.