Ukraine at D+454: Anti-Putin partisans, and trouble at KillNet.
May 24, 2023

Skirmishing continues around Bakhmut. Russia claims to have ejected anti-Putin Russian partisans from Belgorod. Russian cyberespionage rises, hacktivist auxiliaries show signs of decline, and criminal gangs revert to the criminal mean.

Russian authorities say they've pushed enemy forces out of the Belgorod region. Those forces are now generally thought to be composed of anti-regime Russian partisans (the Washington Post characterizes them as "militias made up of Russians fighting on Ukraine’s side in the war"). Radio Free Europe | Radio Liberty reports that fighting appears to have ended, and that "one of two groups claiming to be behind the raid -- the Russian Volunteer Corps (RVC) -- said on social media that 'one day we will return to stay.'" Ukrainian authorities, who deny organizing or participating in the operation against Belgorod, described the cross-border operation as a reconnaissance-in-force; Russian authorities call it terrorism. A Telegraph essay describes the partisans as the mirror image of the deniable "green men" Russia deployed in various conflicts over the past decade.

Fighting continues in Bakhmut as Ukrainian forces continue attacks designed to encircle the dead city. Another Telegraph essay argues that Russia's implausible declaration of victory in Bakhmut represents an attempt to redefine success in the face of widespread operational failure, capped this week by the "hugely embarrassing" incursion into Belgorod.

The Irish Times says that Ireland has been rendering "significant" cybersecurity support to Ukraine during Russia's war, and that Dublin regards that assistance as a contribution to collective security.

Morale in Russia's forces.

The UK's Ministry of Defense this morning discussed the Russian army's growing AWOL problem. "Credible research by independent Russian journalists suggests that between January and May 2023, Russian military courts dealt with 1,053 cases of personnel going absent without leave (AWOL) – more than during the whole of 2022. Russia’s military has struggled to enforce discipline in its ranks throughout its operations in Ukraine, but its issues have highly likely worsened following the forced mobilisation of reservists since October 2022. Court data suggests that most of those found guilty of going AWOL are now punished with suspended sentences, meaning they can be redeployed to the ‘special military operation’. Russia’s efforts to improve discipline have focused on making examples of defaulters, and promoting patriotic zeal, rather than addressing the root causes of soldiers’ disillusionment."

Radio Free Europe | Radio Liberty reports that Wagner Group proprietor Prigozhin continued his criticism of the government this morning, saying that his mercenary force had lost some 20,000 troops in the fighting for Bakhmut alone, and that the Special Military Operation had, instead of "demilitarizing" Ukraine, "turned Ukraine's army into one of the most powerful in the world." He also said that the war might end with a mutiny of Russian troops.

CERT-UA identifies probable Russian cyberespionage campaign.

Ukraine's CERT reports that an apparent Russian cyberespionage campaign has succeeded in compromising accounts belonging to the Embassy of Tajikistan. The threat actors, whom Ukraine tracks as UAC-0063, have used those accounts in a phishing campaign designed to install a keylogger (LOGPIE), a backdoor (CHERRYSPY), and a file stealer (STILLARCH or DownEx) on targeted devices. "It was found that on April 18, 2023 and April 20, 2023," CERT-UA writes, "e-mails were sent to the department's e-mail address, supposedly from the official mailbox of the Embassy of Tajikistan in Ukraine (probably as a result of the latter being compromised), the first of which contained an attachment in the form of a document with a macro, and the second - reference to the same document." The campaign has affected not only targets in Ukraine, CERT-UA says, but also organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. Bank Info Security writes that the campaign bears some similarities to past operations by Fancy Bear, the threat actor associated with Russia's GRU.

Russian privateers (or front groups) hit Western targets in extortion attacks.

Two recent extortion actions against Western targets appear to be opportunistic attacks rather than closely coordinated combat support operations.

BlackBasta, recently seen in action against Swiss-based technology company ABB, continues to show a predilection for attacks against industrial firms. The double-extortion ransomware gang published data stolen from Rheinmetall on BlackBasta's extortion site this past Saturday. According to BleepingComputer, samples on the site included "non-disclosure agreements, technical schematics, passport scans, and purchase orders." Rheinmetall confirmed that it had indeed come under attack by the Russian criminal organization: "Rheinmetall is continuing to work on resolving an IT attack by the ransomware group Black Basta. This was detected on 14 April 2023. It affects the Group's civilian business. Due to the strictly separated IT infrastructure within the Group, Rheinmetall's military business is not affected by the attack." Rheinmetall is a well-known German manufacturer of steel, defense systems (one of its products is the widely used NATO 120mm smooth-bore tank main gun), automotive systems, and engines. For more on BlackBasta and the attack on Rheinmetall, see CyberWire Pro.

The cyberattack the Philadelphia Inquirer sustained at mid-month may now be attributed to a specific criminal group: the Cuba ransomware gang has claimed responsibility. The Inquirer had closely held details of the attack, disclosing little. The paper's operations were significantly disrupted, and outsiders speculated that it was being extorted by cybercriminals. Yesterday, BleepingComputer reports, those suspicions received some confirmation. The Cuba ransomware group on May 23rd posted data stolen from the Inquirer on Cuba's extortion portal. The files, which Cuba says it obtained on May 12th, are said to include "financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code." The Cuba gang has no connection with the government or nation of Cuba. It is rather a criminal and espionage organization operating from Russia under Russian government direction. For more on Cuba and the attack on the Philadelphia Inquirer, see CyberWire Pro.

Slackers, bro'.

KillMilk announced today that he's dismissing the core roster of KillNet because its fifty constituent groups, with their twelve hundred fifty members, aren't participating in hacktivism, or at least not enough. So they're all fired. He added that when KillNet returns, if it does, it will be with a whole new roster. KillMilk will be working alone until he rebuilds the group, and he says he'll begin drafting a new roster tomorrow. So spare a thought for your local hacktivist auxiliary: it's hard to find good help.