Ukraine at D+392: Assessing hacktivist claims.
Mar 23, 2023

Hacktivists of various allegiances are making exaggerated claims of effective attacks against OT networks and systems. Disinformation continues, recently emanating from Belarus.

Russian drone and missile strikes against civilian residences, including apartment buildings and university dormitories in Zaporizhzhia and near Kyiv, continue to kill noncombatants, the AP reports.

The morning situation report from the UK's Ministry of Defence focuses on fighting in northern Luhansk. "Since the start of March 2023, heavy fighting has continued in parts of the Svatove-Kremina sector of the front line in northern Luhansk Oblast. Russia has partially regained control over the immediate approaches to Kremina town, which was under immediate Ukrainian threat earlier in the year. In places, Russia has made gains of up to several kilometres. Russian commanders are likely trying to expand a security zone west from the defence lines they have prepared along higher ground, and integrate the natural obstacle of the Oskil River. They likely seek to recapture Kupiansk, a logistics node. Operationally, Russia’s intent in the north-east likely remains defensive. Commanders probably fear this is one of the sectors where Ukraine could attempt major offensive operations."

Hacktivists' claims of attacks on OT networks are overstated.

Mandiant researchers have observed a trend in which hacktivist groups are increasingly claiming to have successfully attacked operational technology (OT, the technology that monitors or controls industrial equipment, processes, and events). The trend crosses political commitments and allegiances, but in general Mandiant finds that the claims of success have been exaggerated, as have the hacktivists' claims of disinterested independence from state influence or direction. On the other hand, there do seem to be signs that hacktivist groups are trading information on OT systems, and that they've exhibited a growing technical familiarity with such systems' vulnerabilities.

"Hacktivism leverages cyber threat activity as a means to convey political or social narratives. As such, any attempts to inflict damage on a victim may only be a means to this end or one of multiple objectives. Historical hacktivist activity has largely focused on simpler attacks that are intended to get the attention of broad audiences, such as website compromises or denial of service attacks," the report says. And attacks against OT are seen as providing the kind of high-profile, attention-getting effect the hacktivists desire.

The report concludes and summarizes, "In 2022, Mandiant observed a significant increase in the number of instances where hacktivists claimed to target OT. While we observed activity across different regions, most of these cases were conducted by actors that have mobilized surrounding the Russian invasion of Ukraine. The implication of this is that the increase in hacktivism activity targeting OT may not necessarily become consistent over time. However, it does illustrate that during political, military, or social events, OT defenders face a heightened risk."

Ghostwriter remains active in social engineering attempts to target Ukrainian refugees.

The Ghostwriter threat group has resumed a campaign in which bogus emails misrepresenting themselves as originating with the governments of Latvia, Lithuania, or Poland are hitting the in-boxes of organizations working with Ukrainian refugees. The content of the emails warns that the Ukrainian government is about to undertake mass conscription of military-age men with the intent of feeding the conscripts into combat against Russia. Bloomberg writes, "Ukrainian men of military age, the emails warned, were scheduled to be rounded up and sent home. They would then be forced to fight against Russian troops, according to a supposed agreement between Ukraine and its allies. People who received the emails should immediately provide personal information and any known whereabouts of Ukrainians living nearby, the messages said." The goal is to inspire fear and mistrust. Mandiant attributes Ghostwriter to Belarus, Russia's one reliable ally in its war against Ukraine.

An overview of the cyber phases of Russia's hybrid war to date.

The Atlantic Council convened a group of experts to assess the cyber phases of Russia's war so far, and to see what lessons might be drawn. In some respects the conclusion is the familiar one: Russian performance has fallen far short of prewar expectations. Apparently both Russia and its adversaries were surprised. Russian influence operations proved to be "unprofessional, sloppy, and without much engagement on respective platforms." Ukraine's communications infrastructure proved surprisingly resilient under cyberattack. Internationally, corporations have concluded that doing business in Russia is a bad bet, and that seems to represent a long-term trend. And Western governments should trim their expectations about how devastating offensive cyber campaigns are likely to prove.

Obsolete tanks removed from storage by Russia's MoD.

Russia has taken obsolete T-54 and T-55 tanks out of long-term storage and is moving them west, the Telegraph reports, toward the fighting, which suggests that losses among modern T-72 and T-80 vehicles have been heavy. Task & Purpose reviews some of the sources of the imagery showing the tanks being moved on rail cars. Much of the imagery has been taken by private persons and circulated in social media. The T-54 entered service in 1948; the T-55, an evolutionary development of the T-54, was fielded in the 1950s.