Ukraine at D+419: GRU cyber ops scrutinized.
N2K logoApr 19, 2023

Much dissection of current Russian cyber operations, even as Ukraine receives essential weapons and prepares its (kinetic) counteroffensive.

Ukraine at D+419: GRU cyber ops scrutinized.

Ukraine has received the first deployments of the Patriot air-defense missiles it has long sought. Ukraine's Defense Minister Oleksii Reznikov tweeted, "Today, our beautiful Ukrainian sky becomes more secure because Patriot air defense systems have arrived in Ukraine. Our air defenders have mastered them as fast as they could. And our partners have kept their word. This is the result of hard work led by our President. Thank you to my colleagues, and the American, German, Dutch people."

The AP quotes a senior Ukrainian official, Oleksiy Danilov, the secretary of Ukraine’s National Security and Defense Council, as saying that his country was completing its preparations for a spring offensive, and that it would attack when it was ready, at a time of its own choosing.

The Telegraph reports local sources as describing what appears to be an impending Russian withdrawal from parts of Kherson. Units have been seen packing up and loading both equipment and the spoils of looting. The partial withdrawal may represent a shortening of lines in anticipation of Ukraine's expected offensive.

I spy, with (at least two of) my Five Eyes, a Fancy Bear.

The GRU's exploitation of vulnerable Cisco routers has drawn a joint warning from UK and US intelligence agencies. "The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021. We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor."

The vulnerability Fancy Bear has taken advantage of since 2021 at least is CVE-2017-6742 (Cisco Bug ID: CSCve54313). Cisco announced the vulnerability in June 2017 and issued patches and mitigations. Cisco Talos yesterday published its appraisal of the threat:

"Because of the large presence of Cisco network infrastructure around the world, any sustained attack against network infrastructure would likely target Cisco equipment, but attacks are by no means limited to Cisco hardware. In reporting on Russian intelligence contracting documents, samples of which were recently shared with Cisco Talos, it was shown that any infrastructure brand would be targeted, with one scanning component targeting almost 20 different router and switch manufacturers (see the image below). Looking at past research, in 2018 Talos looked into the VPNFilter threat, also believed to be of Russian origin, which showed a well-developed capability targeting Asus, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-LINK, Ubiquiti, and Upvel devices."

Cisco Talos also points out that Russia isn't the only nation-state whose intelligence services are collecting in this manner. China has also been active. Much of the exploitation, Cisco Talos says, has been post-compromise, enabled by stolen credentials. Both Cisco and the British and American intelligence agencies who issued the joint warning offer sound advice for reducing risk.

Other GRU activity: more on Sandworm (a.k.a. FROZENBARENTS).

Google's Threat Analysis Group this morning published an update on what it's observed recently from Russia's Sandworm (or, as Google calls it, FROZENBARENTS) a well-known group associated with the GRU's Unit 74455. Its activities continue to include intelligence collection, information operations, and leaks of stolen data over Telegram. "As we described in the Fog of War report, FROZENBARENTS remains the most versatile GRU cyber actor with offensive capabilities including credential phishing, mobile activity, malware, external exploitation of services, and beyond. They target sectors of interest for Russian intelligence collection including government, defense, energy, transportation/logistics, education and humanitarian organizations." One of FROZENBARENTS's favored modes of gaining access to its targets is exploitation of vulnerable EXIM mail servers.

Among the information operations Google describes are those mounted by the CyberArmyofRussia and the CyberArmyofRussia_Reborn, both of which are now clearly identifiable as front groups, fictitious identities created, operated, and maintained by the GRU. "The CyberArmyofRussia_Reborn Telegram channel has primarily been used for posting stolen data and DDoS targets. In several recent incidents, FROZENBARENTS compromised a webserver of the target organization and uploaded a webshell to maintain persistent access to the compromised system. The attackers then deployed Adminer, a single file PHP script for managing databases, to exfiltrate data of interest. Shortly after exfiltration, the data appeared on the CyberArmyofRussia_Reborn Telegram channel." Among the favored narratives boosted by the GRU fronts has been the long-running false claim that biological weapons have been used in Ukraine, and that this has been done at the instigation of the US, which is (falsely) claimed to be responsible for the proliferation of biological warfare agents around the world.

Narrative laundering.

The UK's Ministry of Defence looked this morning at Russian information operations. "Since the start of its full-scale invasion of Ukraine, the Russian state has systematically used information operations as a major element of its strategy. It has cultivated multiple channels and proxies to spread disinformation: the intentional creation and sharing of false or manipulated information. One component of Russia’s disinformation is ‘narrative laundering’, whereby Russia promotes information from proxies, or unverified social media sources, which then permeates to more mainstream or state-run media. This aims to cloud the source of the information, making it easier for the Russian state to distance itself from the message. It then promotes misleading fragments of the narrative, while masking its vested interest. Russian state actors present manipulated narratives in both orchestrated and opportunistic ways. Their current priorities almost certainly include discrediting the Ukrainian government and reducing international support for Ukraine."

Ransomware in Russia's war against Ukraine.

Citing other research by Google's Mandiant unit, Breaking Defense reports that Russia's GRU has increasingly turned to ransomware. This is read as either a sign of weakness (“GRU’s shift to using ransomware may be a sign they are undergoing tooling shifts and don’t have the resources to rely on writing or modifying custom malware") or as possible misdirection, shifting attention away from Russia's military intelligence service and toward conventional, financially motivated criminals.

Mandiant's report explains, "The most recent phase of operations was characterized by a resurgence in disruptive cyber attacks in Ukraine. Though some of the attacks appeared similar to disruptive attacks seen in previous phases, this new wave of disruptive attacks appeared to deviate from the historical norm. Earlier attempts relied on quick turnaround operations using CADDYWIPER variants, but the attacks undertaken in October to December saw GRU clusters deploying ransomware variants on targeted networks. This shift is consistent with Microsoft’s reporting on the Prestige (PRESSTEA) ransomware deployment by IRIDIUM in Poland. Though the cycle of access and action appears to have continued during this phase, GRU’s shift to using ransomware may be a sign they are undergoing tooling shifts and don’t have the resources to rely on writing or modifying custom malware."

Belarusian contributions to Russia's cyber war.

Belarusian cyber operators are making an ongoing, albeit minor, contribution to the cyber phases of Russia's war against Ukraine. As Google's Threat Analysis Group reports, "PUSHCHA, a Belarusian threat actor, has consistently targeted users in Ukraine and neighboring countries throughout the war. Their campaigns typically target regional webmail providers such as i.ua, meta.ua and similar services. The phishing campaigns are targeted, focused on small numbers of users in Ukraine."

KillNet’s new hacker course: “Dark School.” 

KillNet has been up to more than its now familiar gasconade of having “paralyzed NATO infrastructure.” On April 4th they announced they will be hosting an online hacking masterclass. Applicants are required to pay $500 in cryptocurrency, and can expect to learn nine subjects: distributed denial-of-service (DDoS, an obvious curricular choice), Google AdWords arbitrage, forgery, carding (credit card fraud), OSINT/DEANON, Pegasus (Android spyware), social engineering, “methods of cyber warfare”, and “diversion in the network.” 

The hacktivist auxiliaries have also sweetened the deal: anyone who buys into their class gets free access to the NATO cyber training materials they stole. In addition to all of the material they promise “private video lessons, written manuals, personal communication with instructors 24/7 for 2 weeks.” They will also prepare an “updated methodology” for their courses every thirty days for a year. 

And membership has its benefits: you, too, could become a KillNetter: “Particularly active students will be invited to our team!” There is no set start date, but KillNet claims the classes will begin when they have reached 2,000 applicants. The course is offered in English, Russian, Spanish, and Hindi. We recommend against signing up, but if you do, be sure to leave a digital apple on the remote teacher’s virtual desktop.

US Air Force opens investigation into alleged leaker's ANG wing.

The Secretary of the Air Force has directed the Service's Inspector General to open an investigation into compliance with safeguards for classified material at the 102nd Intelligence Wing, the organization to which Airman 1st Class Jack Teixeira, the accused Discord Papers leaker, had belonged. "The Secretary of the Air Force directed the Department of the Air Force inspector general to investigate overall compliance with policy, procedures and standards, including the unit environment and compliance at the 102nd Intelligence Wing related to the release of national security information," an Air Force representative told Military.com. Air Force Secretary Frank Kendall appeared before the Senate Appropriations Defense Subcommittee yesterday to explain the ongoing investigation, Air & Space Forces Magazine reports. “There is a full-court press going on about this,” Secretary Kendall said in his testimony. “We are all disturbed about it and we are working very very hard to get to the bottom of it and take corrective action.”

Until further notice, the 102nd Intelligence Wing has lost its mission, the AP reports. The Air Force told the AP, “The 102nd Intelligence Wing is not currently performing its assigned intelligence mission. The mission has been temporarily reassigned to other organizations within the Air Force.” The wing's website describes that now suspended mission: "To provide world wide precision intelligence and command and control along with trained and experienced Airmen for expeditionary combat support and homeland security."

Energy supplies and preparation for a long war.

Gazprom, the Russian state-owned natural gas supplier, has warned Europe that the mild winter it had over the past few months let the continent escape the consequences of its support for Ukraine, and that Western buyers of now-embargoed Russian natural gas can't count on that happening again this coming winter. There is, the Telegraph quotes Gazprom as saying,“no guarantee that nature will make such a gift” again. In the company's view, the fault for shortages and suffering next winter will lie with the West's "politically motivated decisions aimed at halting the imports of Russian pipeline gas.” The statements suggest that Russia is preparing for a protracted war.