Ukraine at D+525: Ukraine's deliberate mineclearing, and Russia's continuing war against grain.
N2K | Aug 3, 2023

Ukraine's offensive continues to work through Russian obstacles while relying on heavy artillery fire to reduce defending Russian units. Both the FSB and SVR shift offensive cyber tactics.

Russian long-range strikes against Ukrainian cities continue, with at least ten drones shot down approaching Kyiv in the predawn darkness this morning, Al Jazeera reports. Ukraine's counteroffensive is relying on heavy artillery barrages to reduce Russian positions as opposed to attempting to move rapidly through heavily mined obstacles.

The UK's Ministry of Defence thinks that undergrowth is impeding offensive operations by both sides. "Undergrowth regrowing across the battlefields of southern Ukraine is likely one factor contributing to the generally slow progress of combat in the area. The predominately arable land in the combat zone has now been left fallow for 18 months, with the return of weeds and shrubs accelerating under the warm, damp summer conditions. The extra cover helps camouflage Russian defensive positions and makes defensive mine fields harder to clear. Although undergrowth can also provide cover for small stealthy infantry assaults, the net effect has been to make it harder for either side to make advances." Most landmines are laid on the surface, contrary to what one might have seen in war movies, and brush makes them harder to spot.

NATO is watching the Wagner Group in Belarus closely, and the Alliance's eastern flank is preparing for possible Wagnerite action against NATO territories proper, the AP reports. And the BBC describes Russia's ongoing campaign to destroy grain. Josep Borrell, the EU's high representative for foreign affairs and security policy, calls Russia's withdrawal from the Black Sea Initiative a cynical exercise in the use of food as a weapon, and predicts that it will fail to coerce vulnerable countries into a de facto alliance with Russia. Ukrainian President Zelenskyy characterizes President Putin's tactical aim as the collapse of global food markets, with the attendant famine that would induce.

BlueCharlie (FSB) shakes up its infrastructure.

Industry research has been exposing Russian cyber operations, and the increased light this has shed on their activities has led Russia's FSB to add a number of domains to its attack infrastructure the better to escape unwanted scrutiny. Recorded Future reports that the FSB activity it tracks as BlueCharlie (Microsoft calls it "Star Blizzard," formerly "Seaborgium") has registered ninety-four new domains for its infrastructure. That infrastructure supports credential-harvesting, intelligence collection, and hack-and-leak operations. The FSB's targets are Ukraine and members of the NATO alliance. The hack-and-leak operations follow an FSB tradition of going beyond simple collection and analysis to conduct activities online that create and develop narratives that support Russian disinformation.

Midnight Blizzard's (SVR) targeted social engineering.

Microsoft reported late yesterday that the Russian threat group Midnight Blizzard (which Redmond formerly tracked as Nobelium, which others follow as APT21, and which US and British intelligence services identify as an operation of Russia's SVR) is currently engaged in highly targeted social engineering attacks against a range of Western targets. The goal of the operation, as is almost invariably the case with SVR work, is espionage.

The present campaign is credential phishing, and it uses security-themed subdomains as phishbait. (The subdomain names often use homoglyphs: characters that resemble, to the eye, a letter of the alphabet but which are in fact entirely different characters. For example, the Cyrillic letter that corresponds to the Greek rho might stand in for the Latin letter "p.") The attack is staged from previously compromised Microsoft 365 tenants owned by small businesses, and it is designed to capture authentication tokens that can be used in further attacks.
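The homoglyph trick described above is something a defender can screen for mechanically. The following is an added example, not code from Microsoft, Recorded Future, or the original report: it decodes each hostname label (including punycode `xn--` labels), flags labels that mix Unicode scripts, and flags labels that collapse to a watched brand name once a small, hand-picked subset of Cyrillic-to-Latin confusables is applied. The watched brand list and the sample hostnames are constructed for the demonstration.

```python
"""Flag hostnames whose labels mix scripts or spell a watched brand with look-alike letters.

Added example: the confusables table below is a small subset of the Unicode
confusables data, and the brand list and sample hosts are constructed for the demo.
"""
import unicodedata

# Cyrillic letters that render like Latin ones (subset of Unicode confusables.txt).
CONFUSABLE_TO_LATIN = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER (the rho look-alike mentioned in the article)
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
}

# Characters that belong to no script and should not count toward "mixed script".
NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}

# Hypothetical watch list; in practice this would be the org's own brands and vendors.
WATCHED_BRANDS = ("microsoft", "teams", "office")


def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_unicode_label(label):
    """Decode a punycode A-label (xn--...) to its Unicode form; other labels pass through."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed A-label: analyse the raw text instead
    return label


def analyze_host(host, watched_brands=WATCHED_BRANDS):
    """Return a list of (finding, raw_label, detail) tuples; empty means nothing suspicious."""
    findings = []
    for raw_label in host.rstrip(".").split("."):
        label = to_unicode_label(raw_label)
        scripts = {script_of(c) for c in label} - NEUTRAL
        if len(scripts) > 1:
            findings.append(("mixed-script", raw_label, sorted(scripts)))
        # Collapse confusables to their Latin look-alikes and compare to the watch list.
        skeleton = "".join(CONFUSABLE_TO_LATIN.get(c, c) for c in label)
        if skeleton != label and skeleton.lower() in watched_brands:
            findings.append(("brand-lookalike", raw_label, skeleton))
    return findings


# Constructed samples: a clean host, one with a Cyrillic "o", and the same label as
# it would appear in DNS after punycode encoding.
CLEAN_HOST = "login.microsoft.com"
LOOKALIKE_HOST = "login.micr\u043esoft.com"
PUNYCODE_HOST = "login." + "micr\u043esoft".encode("idna").decode("ascii") + ".com"


if __name__ == "__main__":
    for host in (CLEAN_HOST, LOOKALIKE_HOST, PUNYCODE_HOST):
        print(host, "->", analyze_host(host) or "ok")
```

Both the mixed-script check and the skeleton comparison are needed: a label written entirely in Cyrillic confusables would pass the mixed-script test alone, while the skeleton test catches it only if the brand is on the watch list. Running the raw `xn--` form through the same function matters because that is the form that appears in DNS logs and certificate transparency feeds.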

The attack typically proceeds in three stages. The first step is a request to chat in Microsoft Teams; that request often impersonates a technical support or security team member. The second step is a request for action in the target's authentication app: the target is directed to enter a code into their Microsoft Authenticator app. The third step is a completed multifactor authentication. "If the targeted user accepts the message request and enters the code into the Microsoft Authenticator app, the threat actor is granted a token to authenticate as the targeted user," Microsoft explains. "The actor gains access to the user’s Microsoft 365 account, having completed the authentication flow." From this point Midnight Blizzard enters its post-compromise phase, which involves information theft and, in some instances, the addition of a managed device to the organization's network.

The SVR is casting a wide net. Its targets are found in the government, non-governmental organization (NGO), IT services, technology, discrete manufacturing, and media sectors. Midnight Blizzard is the group generally held responsible for the Sunburst campaign that exploited a SolarWinds vulnerability.

(Added, 12:30 PM, August 3rd, 2023.) We heard this morning from David Raissipour, Mimecast's Chief Technology and Products Officer, who points out the risks that come with the convenience collaboration platforms offer. “Collaboration platforms have become ubiquitous in workplaces today; but with the immense value these tools bring to businesses comes an equal or greater amount of risk. We're seeing this real-world risk in this week’s news about a Russian government-linked group launching phishing attacks on dozens of businesses via Microsoft Teams," Raissipour wrote. "While this news garners widespread attention and hopefully awareness, the truth is that this type of breach is not necessarily new or uncommon. In fact, new Mimecast research found that 94% of organizations have experienced a threat via a collaboration platform – despite 74% of cybersecurity leaders expressing confidence in their cyber readiness to defend against these hacks. Cybersecurity leaders must use this moment as a warning sign, and arm their teams with the right skills and technologies to better identify and mitigate attacks across every critical business platform. At Mimecast, we’re expanding our suite of security solutions to ensure organizations using critical platforms like Microsoft Teams can do so safely and smartly.”

(Added, 12:45 PM ET, August 3rd, 2023.) Darren James, senior product manager with Specops Software, offered perspective on how Midnight Blizzard has leveraged Microsoft Teams as an attack tool. “Now that cloud services are so ubiquitous across all types of organization, they have also become the latest battleground for criminal and nation state sponsored threat actors such as Midnight Blizzard (formerly Nobelium). Microsoft Teams, one of the most popular collaboration tools on the market, has now become a social engineering tool for these groups," he wrote. "In this latest attack they are using compromised Microsoft Tenants to spear phish specific users, whose passwords have already been compromised, by reaching out to them using Teams and impersonating service desk personnel. They then ask the users to approve their 2FA requests, thus giving the threat actor access to that user’s Microsoft 365 account and all the data and applications associated with it. This once again shows that organizations must take a multi-layered approach to combating these evolving online threats. They should enforce strong, secure passphrases which have not been breached, alongside phishing resistant MFA and conditional access, and provide training to all staff about the threat of phishing attacks and password hygiene. These steps are vital to protect organizations from this attack vector. Service desks themselves can also fall victim to similar social engineering attacks, so it is a must that verification of any callers to the service desk should also be undertaken before any requests are actioned.”

How NoName057(16) moved on to Spanish targets.

Radware reports that the Russian hacktivist auxiliary, much of whose activity has been directed against Ukraine and its Eastern European sympathizers (notably Poland and Lithuania), claims to have conducted distributed denial-of-service (DDoS) attacks against Spain. The attacks began on July 19th and continued through the 30th. Radware reports that the attacks were timed to coincide with Spain's elections, and that their targets included two organizations involved with administering the elections: the Junta Electoral Central and the Instituto Nacional de Estadística. Most of the effects, however, were felt by the travel and financial services sectors, with telecommunications and news organizations also affected. Radware puts the total number of victims at around fifty. At the outset of the campaign, NoName057(16) published communiqués in its Telegram channel excoriating Spain for "waging a proxy war against Russia," and promising to make Spain feel the cost of its support for Ukraine.

NoName runs what Radware characterizes as a crowd-sourced botnet, "Project DDoSia," providing its members with client software that contributes to the attack traffic. "This is very aligned with IoT DDoS botnets," Radware explains, adding, "The difference? Instead of being installed on compromised IoT devices, it is installed on home PCs, mobile phones and cloud servers by volunteers." NoName also offers payments to the members who carry out the most attacks. One of the unusual features of a NoName campaign is its reconnaissance. The group's admins "investigate the target website and identify the most resource-intensive parts of the site," which lets their volunteers choke the site with traffic more effectively.

And NoName057(16) hasn't confined itself to Spanish targets.

The Russian hacktivist auxiliary yesterday also claimed to have interrupted seven Italian banks' websites. MarketWatch reports that NoName057(16) said it conducted successful DDoS attacks against sites belonging to Banca Popolare di Bari, Intesa Sanpaolo, Banca Monte dei Paschi di Siena, BPER Banca, Banca Popolare di Sondrio, FinecoBank, and Mediobanca Banca di Credito Finanziario's CheBanca. Italy's National Cybersecurity Agency said the banks reacted well and reported neither material damage nor compromise of customer data.