Ukraine at D+579: Phishing for drone operators.
N2K, Sep 26, 2023

Russia continues to strike Ukrainian cities, especially the grain storage facilities in Odesa, as Ukrainian forces expand their salient in Russian lines.

"The tactical situation in Verbove remains unclear amid continued Ukrainian offensive operations in western Zaporizhia Oblast on September 25," the Institute for the Study of War wrote Monday. "The Ukrainian General Staff reported that Ukrainian forces continued offensive operations in the Melitopol (western Zaporizhia Oblast) direction and offensive assaults in the Bakhmut direction, inflicting losses on Russian manpower and equipment and depleting Russian forces along the entire front line. Russian sources claimed that Ukrainian forces reached northern Verbove (18km southeast of Orikhiv) but that Russian forces pushed them back to their original positions. Russian sources have yet to directly address a claim from a source reportedly affiliated with the Russian Airborne (VDV) Forces that Ukrainian forces control half of Verbove as of September 24."

The current condition of Russia's Black Sea Fleet.

The UK's Ministry of Defence this morning assessed the effects of Ukrainian strikes against the Black Sea Fleet. "The Russian Black Sea Fleet (BSF) has suffered a series of major attacks in recent weeks, culminating in strikes on its headquarters on 20 and 22 September 2023. These attacks have been more damaging and more coordinated than thus far in the war. The physical damage to the BSF is almost certainly severe but localised. The fleet almost certainly remains capable of fulfilling its core wartime missions of cruise missile strikes and local security patrols. It is, however, likely that its ability to continue wider regional security patrols and enforce its de facto blockade of Ukrainian ports will be diminished. It also likely has a degraded ability to defend its assets in port and to conduct routine maintenance. A dynamic, deep strike battle is underway in the Black Sea. This is likely forcing Russia into a reactive posture whilst demonstrating that Ukraine’s military can undermine the Kremlin’s symbolic and strategic power projection from its warm water port in occupied Sevastopol."

Radio Free Europe | Radio Liberty reports that Ukrainian official sources now claim that thirty-four Russian officers, including the commander of the Black Sea Fleet, were killed in the strike. Estimates of total casualties vary widely, ranging from "hundreds" to a low tally of one dead and twenty-seven missing. Both the high and low estimates, especially the lower tolls reported, are almost certainly exaggerated.

The Ukrainian way of war.

The Institute for the Study of War yesterday also offered an appreciation of what it calls "the Ukrainian way of war." It regards that way as clearly successful, and fully deserving of Western support and patience. "Ukrainian forces have, with Western support, defeated Russian objectives repeatedly: in Kyiv, in Kharkiv, in Kharkiv Oblast, in Kherson, and now, to a growing extent, in Ukraine’s south. Ukraine has prevented Russian forces from establishing air dominance and is eroding Russian naval superiority and increasingly making the Russian military’s presence less tenable in Crimea — realities that were previously unthinkable to many." The essay doesn't argue that Ukrainian decision-making or execution have been flawless (no army is ever flawless) but rather that Ukraine should be given full support. In particular, it argues that an ability to hinder Western decision-making with threats and false narratives remains one of the few good options left to President Putin. Russia is playing for time, both to permit mobilization and in the hope that Ukraine's supporters will grow tired of the war. Western activity in the information space in particular should be conducted with this in mind.

Phishing for Ukrainian military drone operators.

Securonix is tracking a phishing campaign that’s targeting the Ukrainian military with malware-laden attachments posing as drone instruction manuals. The threat actor, which Securonix identifies as one that Ukraine's CERT-UA tracks as UAC-0154, deploys maliciously altered Microsoft help files (.chm) to deliver the malware. “The payload is an obfuscated binary that gets XOR’d and decoded to produce a beacon payload for MerlinAgent malware. Once the payload establishes communication back to its C2 server, the attackers would have full control over the victim host. While the attack chain is quite simple, the attackers leveraged some pretty complex TTPs and obfuscation methods in order to evade detection.” Securonix tracks the campaign as STARK#VORTEX.

UAC-0154 has been using MerlinAgent for some time. The malware is an open-source, post-exploit command-and-control tool, a remote-access Trojan (RAT). It's intended for legitimate research and testing, but as is the case with so many other tools, it's a dual-use item. In August CERT-UA said UAC-0154 had deployed MerlinAgent in another phishing campaign, in this case one that dangled "INTERNAL CYBER THREAT.chm" as the bait in emails that misrepresented themselves as coming from CERT-UA.

The nature of the phishbait shows that Ukrainian military units, drone users in particular, are being targeted. Securonix notes that the social engineering aspect of the campaign allows the documents to bypass technical defenses. “It’s apparent that this attack was highly targeted towards the Ukrainian military given the language of the document, and its targeted nature,” the researchers write. “Files and documents used in the attack chain are very capable of bypassing defenses, scoring 0 detections for the malicious .chm file. Typically receiving a Microsoft help file over the internet would be considered unusual. However, the attackers framed the lure documents to appear as something an unsuspecting victim might expect to appear in a help themed document or file.”
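The point Securonix makes above is that a compiled HTML help file arriving by email is itself unusual, so one cheap control is to triage attachments by what they actually contain rather than by the extension the sender chose. The following is an added illustration, not code from Securonix or from the reporting above; it relies only on the fact that CHM containers begin with the four-byte signature `ITSF`, and the sample attachments are constructed, not real files from the campaign.

```python
"""Mail-gateway style triage: flag CHM attachments by content, not by name."""
from dataclasses import dataclass
from typing import List

# Compiled HTML Help (ITSS container) files start with this 4-byte signature.
CHM_MAGIC = b"ITSF"


@dataclass
class Attachment:
    filename: str
    data: bytes


@dataclass
class Finding:
    filename: str
    reason: str


def is_chm(data: bytes) -> bool:
    """True if the bytes look like a CHM container, whatever the filename says."""
    return data[:4] == CHM_MAGIC


def extension_of(filename: str) -> str:
    return filename.lower().rsplit(".", 1)[-1] if "." in filename else ""


def triage(attachments: List[Attachment]) -> List[Finding]:
    """Return one finding per attachment that deserves a closer look.

    Three cases are flagged: a genuine .chm (unusual to receive by email),
    CHM content hiding behind another extension, and a .chm name whose
    content is not actually a CHM container (a mismatch worth a look).
    """
    findings: List[Finding] = []
    for att in attachments:
        ext = extension_of(att.filename)
        if is_chm(att.data):
            if ext == "chm":
                findings.append(Finding(att.filename, "compiled HTML help file received by email"))
            else:
                shown = ext or "<none>"
                findings.append(Finding(att.filename, f"CHM content behind a .{shown} extension"))
        elif ext == "chm":
            findings.append(Finding(att.filename, ".chm name but content is not a CHM container"))
    return findings


# Constructed sample attachments (hypothetical; header bytes only, no real files).
SAMPLES = [
    Attachment("drone_manual.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 40),
    Attachment("manual.pdf", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 40),
    Attachment("report.pdf", b"%PDF-1.7\n" + b"\x00" * 40),
    Attachment("notes.chm", b"plain text, not a help file"),
]

if __name__ == "__main__":
    for f in triage(SAMPLES):
        print(f"{f.filename}: {f.reason}")
```

Because the check keys on the container signature, renaming the lure to `.pdf` or `.docx` does not hide it, and a `.chm` that fails the signature check is surfaced too rather than silently passed. In practice this sits beside, not instead of, a policy of blocking help-file attachments outright.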

UAC-0154 remains unattributed, but whoever is behind it seems, judging from its targeting, to be acting at the very least against Ukrainian interests, and therefore in Russia's interest.

The UK adopts a hunt-forward approach to cyber war.

Lieutenant General Tom Copinger-Symes, deputy commander of the United Kingdom’s Strategic Command, where he holds responsibility for the Ministry of Defence’s offensive and defensive cyber capabilities, told the Record in a long interview that his command has, on the strength of lessons learned from Russia's hybrid war against Ukraine, decided to adopt a hunt-forward strategy similar to that followed by US Cyber Command.