Ukraine at D+70: Economy of force.
May 5, 2022

As Victory Day (May 9th) approaches, Russia considers modes of escalation as it trims its objectives and seeks to overcome maneuver failure before the window closes on its ability to deliver fires. Privateers and hacktivists continue their activity in the cyber phases of the hybrid war.

The UK Ministry of Defence describes continuing, indiscriminate bombardment. "Despite Russian ground operations focusing on eastern Ukraine, missile strikes continue across the country as Russia attempts to hamper Ukrainian resupply efforts. As Russian operations have faltered, non-military targets including schools, hospitals, residential properties and transport hubs have continued to be hit, indicating Russia’s willingness to target civilian infrastructure in an attempt to weaken Ukrainian resolve. The continued targeting of key cities such as Odessa, Kherson and Mariupol highlights their desire to fully control access to the Black Sea, which would enable them to control Ukraine’s sea lines of communication, negatively impacting their economy."

Developments in Belarus.

Belarus is also figuring in the war news today. The British MoD assesses Minsk's current round of military exercises as normal, but as offering some potential for Russian exploitation, perhaps in an economy-of-force role. "Belarusian land forces have been observed deploying from garrison to the field, for exercises. This is in line with seasonal norms as Belarus enters the culmination of its Winter Training cycle in the month of May. Russia will likely seek to inflate the threat posed to Ukraine by these exercises in order to fix Ukrainian forces in the North, preventing them from being committed to the battle for the Donbas. Deviation from normal exercise activity that could pose a threat to allies and partners is not currently anticipated." The Washington Post has a description of the exercises, which are being described as quick-reaction exercises.

Embarrassed by acts of anti-Russian sabotage, Minsk is preparing to enact a law that would punish acts of terrorism with death. "Terrorism" should be read as "sabotage," as an action prominently singled out for death is disruption of rail traffic, something the Atlantic Council points out has been a signature activity of Belarusian citizens opposed to Russia's war against Ukraine. Opinion polling, insofar as it can be considered reliable, suggests widespread disapproval of Russia's war and concerns about Belarus's involvement among the country's citizens.

LockBit 2.0 hits Bulgarian refugee agency.

CyberScoop reports that the LockBit 2.0 ransomware gang, a Russophone privateering outfit, has hit the Bulgarian State Agency for Refugees under the Council of Ministers. “All available data will be published!” the gang said on its site, giving a May 9th deadline for publication (but no public ransom demand). May 9th, of course, is Russia's Victory Day holiday. Bulgaria has received somewhere in excess of 200,000 Ukrainian refugees and has been aligned with Ukraine in the present war.

Hacktivists working in the Ukrainian interest use compromised Docker images for DDoS.

CrowdStrike reports that pro-Ukrainian hacktivists, probably operating under some form of direction, or at least inspiration, from Kyiv's IT-Army, have been using compromised Docker images:

  • "Container and cloud-based resources are being abused to deploy disruptive tools. The use of compromised infrastructure has far-reaching consequences for organizations who may unwittingly be participating in hostile activity against Russian government, military and civilian targets. 
  • "Docker Engine honeypots were compromised to execute two different Docker images targeting Russian, Belarusian and Lithuanian websites in a denial-of-service (DoS) attack.
  • "Both Docker images’ target lists overlap with domains reportedly shared by the Ukraine government-backed Ukraine IT Army (UIA). 
  • "The two images have been downloaded over 150,000 times, but CrowdStrike Intelligence cannot assess how many of these downloads originate from compromised infrastructure. 
  • "CrowdStrike customers are protected from this threat with the CrowdStrike Falcon Cloud Workload Protection module."

Hacktivists and privateers have chosen sides in the war, and Cybersixgill has a summary of how those sides are shaping up.