Ukraine at D+599: Stalled offensives and a complex cyber threat.
A static kinetic front, but a curiously complex cyber privateering operation.
Oct 16, 2023

With slow Ukrainian advances in the south and apparent Russian failure, so far, at Avdiivka, the front has grown more static.

The Institute for the Study of War (ISW) has been reporting that the major Russian offensive in the vicinity of Avdiivka, in the Donetsk Oblast, is flagging. Ukrainian military officials say they've continued to repel Russian attacks against their positions. Russian milbloggers (and again, these tend to be hard-war ultras, so to a certain extent their complaints count as statements against interest) attribute some of the Russian difficulties to inability to clear Ukrainian minefields, presumably under fire. One milblogger repeats complaints that worn out gun tubes are reducing the accuracy of Russian artillery fire. This is possible, and gun tubes (cannon barrels) do wear out with firing and need replacement. This, if true, is a logistical and management issue. This same source comments that over-optimistic assessments of unimportant local advances against unfortified sections of the zone "may lead Russian forces to 'beat on concrete' fortifications until these forces run out."

US and Ukrainian officials said that they'd anticipated the Russian attacks, and were confident that Ukrainian forces would hold. John Kirby, spokesman for the US National Security Council, said, as paraphrased by the ISW, that "Russian forces appear to be using human wave tactics, wherein the Russian military uses masses of poorly trained and equipped Russian soldiers to attempt to advance - the same practice Russian forces used during their failed winter offensive in winter 2023."

Sunday's update from the ISW saw signs that President Putin is seeking to cool the more enthusiastic expectations of success around Avdiivka. He's described the operations around Avdiivka as an "active defense," not an "offensive," or even "active combat operations."

Russian rail logistics.

Sunday morning the UK's Ministry of Defense (MoD) described the importance of railroads to Russian logistics. "Rail logistics continues to be a vital component in sustaining Russia’s invasion. Russia uses its rail networks to move ammunition, armour, fuel and personnel into Ukraine. The rail network in occupied Ukraine remains largely viable but vulnerable to sporadic interdiction by Ukrainian artillery, air launched missiles and sabotage. In previous conflicts, attrition of rail transportation has required focused, sustained, and repeated attack by air and/or ground forces. Russia almost certainly continues to maintain and improve its rail lines of communication in Ukraine and is constructing a new railway line to Mariupol which will reduce travel times for supplies to the Zaporizhzhia front. Russia is using civilian contractors and equipment to complete this project, likely calculating this will complicate targeting and preserve military railway troop capabilities for urgent tasks elsewhere. The new line falls within the notional range of Ukrainian long-range precision strike capabilities."

The Black Sea Fleet's redeployment to safer waters.

"Since suffering a series of strikes in August and September, the Russian Black Sea Fleet (BSF) has highly likely doubled down on its defensive and reactive posture," the UK's MoD wrote Saturday. "It has relocated many of its prestige assets – including cruise missile capable ships and submarines – from Sevastopol to operating and basing areas further east, such as Novorossiysk. Since July 2022, Ukraine has gained the initiative in the northwest Black Sea, forcing the powerful BSF to defend itself from uncrewed surface vessels (USVs), uncrewed air vehicles (UAVs) and missile attacks as well as special operations. With notable and embarrassing exceptions, however, the BSF has mostly continued to train, maintain and defend itself whilst launching cruise missiles into Ukraine. It can almost certainly continue to do so from the eastern Black Sea." The Black Sea Fleet is now risk-averse. "Despite the BSF’s largely intact capabilities, there is only a realistic possibility of it using its conventional superiority in firepower to seize the initiative in the Western Black Sea. The risk of further military losses and the dire political consequences of Russian naval forces overtly attacking merchant shipping would highly likely outweigh any gain from attempting to enforce a blockade of Ukrainian-bound trade."

The ISW reported that Ukrainian forces hit two Russian naval vessels, the Professor Nikolai Muru tugboat and the Pavel Derzhavin patrol ship, on October 13. As the Black Sea Fleet redeploys to Kerch, Novorossiysk, and Feodosia, a lack of pier space and drydock facilities at those ports seems to have led the fleet to retain a presence in Sevastopol.

PMCs as social safety valve.

Redut seems to have replaced the Wagner Group as the leading private military company. "The purported Private Military Company (PMC) Redut is recruiting mercenaries under the guise of "volunteers", including former Wagner personnel," the UK's MoD reported this morning. "The Russian General Staff Main Intelligence Directorate (GRU) likely supervises and finances the group’s activities, including its recruitment. Since the start of the invasion, Redut has been involved in combat operations in Donetsk, Kharkiv, Kyiv, and Luhansk oblasts. The group highly likely has over 7,000 personnel. At present, Redut is one of a number of PMCs and Volunteer Corps units being utilised by the Russian Ministry of Defence to augment Russian regular forces. It is a realistic possibility that the Russian Ministry of Defence’s practise of recruiting through 'volunteer' units has contributed to Russia avoiding further unpopular mobilisations."

Void Rabisu deploys lightweight RomCom backdoor against Brussels conference.

Trend Micro describes the recent activities of Void Rabisu, which it describes as "an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine." In this case the intrusion was directed against the Women Political Leaders (WPL) Summit that convened in Brussels between June 7th and 8th of this year. The Summit's goal was to increase the participation of women in politics, and while that may not have been something the threat actors necessarily approved of, it seems likelier that the conference was simply a target of opportunity, an occasion to prospect and compromise devices and systems belonging to political leaders. The ultimate payload Void Rabisu delivered was "a new version of ROMCOM backdoor that we have dubbed as “ROMCOM 4.0” (also known as PEAPOD)."

Void Rabisu is an interesting mixed case of an organization (or, if you will, an intrusion set) that has been financially motivated, that trades in the criminal-to-criminal market, but which engages in espionage and, once it's on its target, acts like an advanced persistent threat (APT). "Void Rabisu also acts like an advanced persistent threat (APT) actor when it targets governments and military. In June 2023, Void Rabisu exploited the vulnerability CVE-2023-36884 — still a zero-day vulnerability then — in campaigns using the Ukrainian World Congress and the July 2023 NATO summit as lures. The extraordinary geopolitical circumstances surrounding the war in Ukraine drives some of the financial-seeking threat actors (including Void Rabisu) toward campaigns motivated by espionage." Some of its earlier, more clearly financially motivated actions have been thought to be associated with a Cuba ransomware affiliate, BleepingComputer notes, but the activity now seems focused on zero-day exploitation for the purposes of espionage.

There's no attribution of the activity so far. "While we have no evidence that Void Rabisu is nation-state-sponsored," Trend Micro writes, "it’s possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine." In general, though, Void Rabisu has consistently acted against Ukrainian interests.

(Added, 2:00 PM ET, October 16th, 2023.) We received some emailed comments from Max Gannon, Senior Cyber Threat Intelligence Analyst at Cofense, who sees some suggestive historical precedent for the Void Rabisu activity. "This is a very interesting and very advanced campaign," Gannon wrote. "The threat actors clearly put a lot of time and effort into not only having a convincing download page, but also having convincing content after the malware is done, which means victims are less likely to notice something suspicious. They also went to great lengths to obfuscate their techniques and make reverse engineering the infection chain difficult. What is most interesting to me is that as the original TrendMicro article says: 'While we have no evidence that Void Rabisu is nation-state-sponsored, it’s possible that it is one of the financially motivated threat actors from the criminal underground that got pulled into cyberespionage activities due to the extraordinary geopolitical circumstances caused by the war in Ukraine' about the threat actors behind the attack. This is interesting because targeting conferences (according to Trend Micro, Void Rabisu has also targeted the Munich Security Conference and the Masters of Digital conference in 2023) is not something that is typically very profitable. In fact, it is something typically done as part of reconnaissance activities, for example when the Phosphorus APT group targeted the Munich Security Conference in 2020. It will be interesting to see how much Void Rabisu continues to depart from the TTPs typically associated with financial motivation as we move forward."