Ukraine at D+383: Hacktivists squad up.
N2K, Mar 14, 2023

The horror of continued close combat in Bakhmut eclipses cyberespionage and desultory hacktivism.

Fighting continues in Bakhmut, with little change in the lines, but with heavy casualties.

Signs of a shell shortage.

The UK's Ministry of Defence diagnoses, in this morning's situation report, the causes of Russia's apparent incapacity for effective offensive operations. "In recent weeks, Russian artillery ammunition shortages have likely worsened to the extent that extremely punitive shell-rationing is in force on many parts of the front. This has almost certainly been a key reason why no Russian formation has recently been able to generate operationally significant offensive action. Russia has almost certainly already resorted to issuing old munitions stock which were previously categorised as unfit for use. A presidential decree of 03 March 2023 laid down measures for the Ministry of Trade and Industry to bypass the authority of the managers of defence industries who fail to meet their production goals. Russia is increasingly applying the principles of a command economy to its military industrial complex because it recognises that its defence manufacturing capacity is a key vulnerability in the increasingly attritional ‘special military operation.’"

A new cyberespionage group emerges.

Researchers at Cisco Talos have identified a new threat actor, and a new cluster of activity, in Eastern Europe and the former Soviet Union. They're calling the group "YoroTrooper," and, while it appears to be a Russophone group, Cisco Talos thinks the evidence is too ambiguous for clear attribution. The threat actors, for example, may speak Russian, and there are "snippets of [the] Cyrillic [alphabet] in some of their implants," but this simply shows linguistic familiarity, and doesn't necessarily mean that they're either based in Russia or are Russian nationals. Some of the targets are also Russian-speakers, and the victimology for the most part consists of countries in the Commonwealth of Independent States, former Soviet Republics that remain on speaking terms with Russia.

The Talos Group writes, "YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS), based on our analysis. We also observed YoroTrooper compromise accounts from at least two international organizations: a critical European Union (EU) health care agency and the World Intellectual Property Organization (WIPO). Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan. We assess the actor also likely targets other organizations across Europe and Turkish (Türkiye) government agencies."

The group's purpose is judged to be espionage. YoroTrooper makes heavy use of malicious domains and typosquatting to ensnare its targets. "The infection chain consists of malicious shortcut files (LNKs) and optional decoy documents wrapped in malicious archives delivered to targets. The actor appears intent on exfiltrating documents and other information, likely for use in future operations." Its tools include a mix of commodity and specially built malware.

Again, attribution is so far unknown, but the group will bear watching.

Squad up (but not IRL).

BleepingComputer reports that the Ukrainian game developer GSC Game World, whose STALKER 2: Heart of Chornobyl has been widely anticipated, has come under cyberattack by Russian hacktivists who claim to have stolen game-specific material (storylines, images, etc.) which they threaten to release unless their demands are met. The hacktivists, on the VK channel, write that they want GSC to change its attitude toward players from Belarus and Russia, lift the ban on a player ("NF Star") who's been booted from the game's Discord channel, and permit Russian localization for STALKER 2. In short, "Don’t ruin people’s enjoyment of the game due to politics." Games Industry reports that GSC Game World is hanging tough. "We have been enduring constant cyberattacks for more than a year now. We have faced blackmail, acts of aggression, hacks, attempts to hurt players and fans, and efforts to damage the development process or the reputation of our company," GSC says. "We are a Ukrainian company, and like most Ukrainians, we have experienced many things that are much more terrifying: destroyed houses, ruined lives, and the deaths of our loved ones. Attempts to blackmail or intimidate us are completely futile."