Ukraine at D+340: Static lines, heavy local fighting, and wiper malware.
Jan 30, 2023

Wiper malware makes a reappearance in Russian cyberattacks.


Lines remain relatively static while heavy fighting continues in the vicinity of Bakhmut, in the Donetsk region, CNN reports. Euronews recounts conflicting claims of local advances in villages around the city. Rocket and cannon fire continues to strike civilian targets in Donetsk, Kherson, Kharkiv, and Zaporizhzhya. Al Jazeera quotes Ukrainian President Zelenskyy as saying the fighting in Donetsk in particular is "very tough." Ukraine is preparing to receive shipments of tanks promised by NATO members, and has asked, according to the New York Times and other sources, for combat aircraft and, the Hill reports, longer-range missiles. NATO welcomes closer ties with the Republic of Korea and asks Seoul to consider increasing its support for Ukraine.

Russian mobilization creep: more call-ups under partial mobilization seem increasingly probable.

The UK's Ministry of Defence, in this morning's situation report, discusses the likelihood of further rounds of partial mobilization. "Russian authorities are likely keeping open the option of another round of call-ups under the ‘partial mobilisation’. On 22 January 2023, media reported that Russian border guards were preventing dual passport holding Kyrgyz migrant workers from leaving Russia, telling the men that their names were on mobilisation lists. Separately, on 23 January 2023, Russian presidential spokesperson Dmitry Peskov said that the decree on ‘partial mobilisation’ continues to remain in force, claiming the decree remained necessary for supporting the work of the Armed Forces. Observers had questioned why the measure had not been formally rescinded. The Russian leadership highly likely continues to search for ways to meet the high number of personnel required to resource any future major offensive in Ukraine, while minimising domestic dissent."

Wagner Group's early convict recruits complete their tours.

France24 reports that convicts recruited by the Wagner Group last year, having completed their six-month tours (or having received disabling wounds), are returning home. It's unclear, so far, what their reception will be. It also appears that prison recruiting was a short-term approach to manpower shortages, and not one designed for a long war.

Russian Ministry of Education announces mandatory military training in secondary schools.

The Kremlin has deliberately and self-consciously positioned Russia as the successor to the Soviet Union, especially in its (utterly implausible) attempt to position its invasion of Ukraine as not only defensive, but also as the simple continuation of the Second World War. The UK's Ministry of Defence notes the revival of a Soviet-era educational practice. "In recent weeks, the Russian Ministry of Education has provided more detail on the rollout of the previously announced plan to include basic military training in Russia’s secondary school curriculum. The module within the ‘Basics of Life Safety’ course will include training with AK series assault rifles and hand grenades, military drill and salutes, and the use of personal protective equipment. The lessons will become mandatory from 01 September 2023. In addition, in December 2022, the Ministry of Science and Higher Education announced a ‘military training basics’ programme for university students. The initiatives highlight the increasingly militarised atmosphere in wartime Russia, as well as being a (likely deliberate) evocation of the Soviet Union: similar training was mandatory in schools up to 1993." Military training in secondary schools is unlikely to represent a short-term solution to shortages of trained troops.

Casualties at Makiivka were much higher than Russia announced.

On Saturday the UK's Ministry of Defence (MoD) updated Russia's losses in Ukraine's January 1st missile strike. "Russia highly likely suffered more than 300 casualties in a strike on troop accommodation at Makiivka near Donetsk City on 01 January 2023. We assess that the majority were likely killed or missing, rather than wounded. Following the strike, the Russian Ministry of Defence took the rare step of publicly acknowledging it had suffered casualties, claiming 89 killed. Russian officials likely assessed that it was not viable to avoid comment in the face of widespread criticism of Russian commanders over the incident." The public announcements, the MoD believes, are characteristic. "The difference between the number of casualties Russia acknowledged and the likely true total highlights the pervasive presence of disinformation in Russian public announcements. This typically comes about through a combination of deliberate lying authorised by senior leaders, and the communication of inaccurate reports by more junior officials, keen to downplay their failings in Russia’s ‘blame and sack’ culture."

New GRU wiper malware active against Ukraine.

Security firm ESET says a new strain of wiper malware they're calling "SwiftSlicer" has been deployed against Ukrainian networks. ESET Research tweeted, "On January 25th #ESETResearch discovered a new cyberattack in Ukraine. Attackers deployed a new wiper we named #SwiftSlicer using Active Directory Group Policy. The #SwiftSlicer wiper is written in Go programming language. We attribute this attack to #Sandworm." The Sandworm group is operated by Russia's GRU, and SwiftSlicer represents a successor to HermeticWiper and CaddyWiper, both of which the Russian service had deployed against Ukraine in the early phases of the invasion. HermeticWiper was identified in February 2022, during the opening days of the invasion; CaddyWiper was observed the following month. ESET has not identified the organization or organizations affected by SwiftSlicer.

The Ukrainian Computer Emergency Response Team (CERT-UA) on Friday reported identifying five distinct strains of wiper malware in the networks of the Ukrinform news outlet. The strains, and the systems they affected, were: CaddyWiper (Windows), ZeroWipe (Windows), SDelete (Windows), AwfulShred (Linux), and BidSwipe (FreeBSD). The Russian hacktivist group "CyberArmyofRussia_Reborn" claimed credit in its Telegram channel for the infestations. BleepingComputer says that two of the strains, ZeroWipe and BidSwipe, are either novel malware or, if they are existing known strains, are being tracked by CERT-UA under unfamiliar names.

Two weeks ago a Russian cyberattack interfered briefly with Ukrinform online broadcasts. The interest in Ukrinform offers some confirmation of the Ukrainian view that Russian cyber operations are more closely connected with influence operations than they are with tactical operations.

Latvia reports cyberattacks by Gamaredon.

The Gamaredon APT (also known as Primitive Bear, and a threat group widely believed to be operated by Russia's FSB) appears to have attempted a phishing attack against Latvia's Ministry of Defense last week. The Record reports that Latvian officials said the attempts were unsuccessful.

Russia and the US trade accusations of malign cyber activity.

TASS quotes Russia's Deputy Foreign Minister Oleg Syromolotov as saying that the US has been responsible for recruiting and training members of Ukraine's auxiliary IT Army, a hacktivist group active against Russian targets. "It is telling that the United States is putting its aggressive policies into action. They made no attempt to conceal the fact that their cyber command is conducting operations against our country. We are well aware that Washington is aggressively recruiting hackers, training the so-called IT Army of Ukraine, and using information and communication technologies of their partners and controlled private companies to carry out cyberattacks against Russia's information infrastructure." This is, Mr. Syromolotov said, without irony, "'openly moving towards the militarization of the information domain,' despite the desire of the majority of UN member nations for the peaceful use of information technologies. 'They are enforcing NATO developments on cyberwarfare standards, attempting to change international law to fit them. Unfortunately, this falls within Washington's aggressive bloc-thinking, which is moving the globe toward ultimate confrontation,'" the diplomat concluded.

On Friday Roskomnadzor, Russia's Internet agency, blocked Russians' access to the US FBI and CIA sites, Interfax reports. "On the basis of Federal Law No. 149-FZ 'On Information, Information Technologies and Information Protection,' Roskomnadzor restricted access to a number of resources belonging to state structures of hostile countries for distributing materials aimed at destabilizing the social and political situation in the Russian Federation. These resources revealed materials containing unreliable socially significant information, as well as discrediting the armed forces of the Russian Federation." 

Blocked along with the FBI and CIA is the US State Department's Rewards for Justice site, which offers a bounty for information on four categories of malign activity: "Terrorism," "Foreign Election Interference," "Malicious Cyber Activity," and "North Korea." On Thursday, shortly after the US Justice Department announced the international operation that disrupted the Hive ransomware gang, Rewards for Justice tweeted the following offer: "If you have information that links Hive or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government, send us your tip via our Tor tip line. You could be eligible for a reward." That is, to gloss the offer, we're looking at you, Russia. Hive is a Russian criminal ransomware operation, and like most Russian gangs, it has connections with Russia's security and intelligence organs. Information tying Hive to the Russian government could qualify for an award of up to $10 million.

A hacktivist auxiliary's social support system.

Military auxiliaries exist within a social context that provides both moral and (sometimes) even financial support. Consider benign examples that will be familiar to readers in the US, like the Civil Air Patrol and the Coast Guard Auxiliary. (They function as civic organizations in civil society at least as much as they operate as auxiliaries of the Air Force and the Coast Guard.) The same seems to be true to a limited extent with hacktivist organizations serving as security and intelligence service auxiliaries. Radware describes the support system that's grown up around Russia's Killnet group. "It is not common for analysts to have the opportunity to study the social circles of criminal organizations, but occasionally a group emerges that is more transparent than others," Radware writes. "Examining a criminal organization’s social presence can give analysts valuable insights into the structure and operations of the organization, as well as the relationships and connections between its members and the community around them."

Killnet is the sort of group that lends itself to such analysis, and Radware describes three organizations that have been prominent in their support of the hacktivist mission:

  • Infinity Music. A music label whose star, "rapper" Kazhe Oboyma, has published a song called “KillnetFlow (Anonymous diss).” This isn't financial support. Rather, it's support in the form of bad-boy street cred.
  • HooliganZ Jewelry. A Moscow-based designer of street-thug inspired jewelry is selling Killnet-branded drip. And it's worth noting, in passing, how much both Infinity Music and HooliganZ Jewelry owe to American popular culture--their street cred is derivative, and that's something the Kremlin can't be entirely comfortable with.
  • Solaris Marketplace. This is more familiar ground. Solaris is a darknet criminal marketplace, and it's made financial contributions to Killnet.

Radware concludes, "From financial contributions to active participation in illegal activities to passive support through art and entertainment, the social circles of Killnet demonstrate the complexity of criminal organizations’ relationships, connections, and structure."

What a Russian media ban means: perspective from a banned outlet.

Meduza, the expatriate Russian news service that publishes in Russian and English from its headquarters in Latvia, was banned in Russia last week. Russia's Prosecutor General’s Office designated the service as an illegal, “undesirable organization” on the grounds that Meduza’s activities “pose a threat to the foundations of the Russian Federation’s constitutional order and national security." It's not, apparently, strictly speaking illegal to read Meduza in Russia (although as a practical matter it's unwise to rely on Moscow's concepts of legality), but interacting with Meduza in other ways is decidedly risky and clearly proscribed by Russian law.

Meduza offers a primer on what users in Russia (and nota bene, travelers, it's "users in Russia," not just "Russian users") might face should they run afoul of the law. "Liking" and "commenting" are gray areas, maybe not illegal stricto sensu, but it's probably safer to steer clear of even such low-grade interaction. The same can be said of forwarding Meduza newsletters (but printing them is probably worse, and would be construed as intent to distribute). Linking to or reposting Meduza content is clearly illegal, and carries criminal penalties. "The first time a Russian national is convicted of sharing content from an “undesirable” organization, the penalty is a fine of 5,000 to 15,000 rubles (about $70 to $215). Subsequent offenses carry the risk of felony prosecution, and violators can face up to four years in prison, community service, restrictions of freedom, or a raised fine of up to 500,000 rubles (more than $7,000)." 

The advice probably applies to any in-Russia use of the FBI, CIA, or Rewards for Justice sites (see above).