Ukraine at D+68: Cyber skirmishing and outrageous info ops.
May 3, 2022

Russia appears to have revised its war aims to concentrate on the annexation of the Donbas and the Azov coastal regions it's currently fighting for. Microsoft sees additional signs of increasing Russian cyber operations.

The UK's Ministry of Defence, in its morning situation report, assesses Russia's prewar investment in a military new look as a failure. "Russia’s defence budget approximately doubled between 2005 and 2018, with investment in several high-end air, land and sea capabilities. From 2008 this underpinned the expansive military modernisation programme New Look. However, the modernisation of its physical equipment has not enabled Russia to dominate Ukraine. Failures both in strategic planning and operational execution have left it unable to translate numerical strength into decisive advantage. Russia’s military is now significantly weaker, both materially and conceptually, as a result of its invasion of Ukraine. Recovery from this will be exacerbated by sanctions. This will have a lasting impact on Russia’s ability to deploy conventional military force."

The US Intelligence Community, whose track record of predicting the evolution of Russian intentions has been strong, yesterday said that it saw signs of Russian intention to annex the Donbas and the Azov coast, the Washington Post reports.

The influx of weapons from NATO to Ukraine accelerates. The first set of promised US 155mm M777 gun-howitzers has arrived in Ukraine, and some two hundred Ukrainian gunners have completed training in their use, Task & Purpose reports.

Inside Defense reports that Microsoft foresees an increase in Russian attempts to conduct disruptive cyberattacks.

Briefly noted: Mr. Lavrov doubles down on accusations of Nazism (anti-semitic version).

Did you know that Hitler was Jewish? Neither did anyone else. The rumor has actually been around for a while, and has long been a trope in anti-semitic circles. We'll discuss it at greater length in this Thursday's Pro Disinformation Briefing, but it deserves a quick mention today.

Russian disinformation has, since before the invasion of Ukraine, claimed that Ukraine is under the control of actual, literal Nazis. It's therefore a threat to Russia, and so Russia is not only the victim of prospective aggression, but is also a liberator. "Denazification" is one of the principal stated aims of the special military operation.

Many observers, indeed most, have pointed out how unlikely this is (unlikely in the extreme). Among other things, President Zelenskyy is himself Jewish, and would seem an unlikely Nazi conspirator. But no, Russian Foreign Minister Lavrov explained in a contentious interview on Italian television: Hitler himself was Jewish. “So what if Zelenskyy is Jewish? The fact does negate the Nazi elements in Ukraine,” Mr. Lavrov said. “Hitler also had Jewish blood,” he added; “the most ardent anti-Semites are usually Jews.” The Atlantic Council has a summary of Mr. Lavrov's outrageous claims. Outrage in Israel is understandably high, and Israel, which has sought to retain some shred of good relations with Russia even as most of the rest of the civilized world has moved toward increasingly stringent sanctions, has demanded an apology.

Russia reroutes Internet traffic in occupied regions of Ukraine through Russian services.

The occupiers shut down the Internet in Kherson over the weekend, and then restored it by routing traffic through Russian infrastructure. Netblocks reports that "On 1 May, hours after the internet blackout in Kherson, regional provider Skynet (Khersontelecom) partially restored access. However, connectivity on the network has been routed via Russia’s internet instead of Ukrainian telecoms infrastructure and is hence likely now subject to Russian internet regulations, surveillance, and censorship."

The Stormous gang, hacking on behalf of Russia.

Trustwave has been tracking the activity of Stormous, a group largely unknown before Russia's invasion of Ukraine, which since February has announced ransomware attacks against Western targets. By the group's own account, the attacks are meant to serve Russia's interest by disrupting or otherwise discrediting Western brands, prominent companies, and other organizations. An attack it claimed against Coca-Cola is representative: flashy and unconfirmed. The security industry has received Stormous skeptically, with many analysts regarding the group as scavengers of old leaks rather than as operators with any genuine ransomware capability.

While Stormous came to prominence only with Russia's war against Ukraine, it may have been active, Trustwave says, as early as the summer of 2021. The researchers say:

"Our initial analysis of Stormous indicates the gang likely has members located in Mid-Eastern countries and Russia. Some of the group's postings are written in Arabic along with its public pro-Russian stance, which is consistent with the region. Moreover, two of the group's members that were arrested were from mid-eastern countries.

"The group communicates through a Telegram channel and an .onion website on Tor. There is little chatter on the Telegram channel, with the conversation mainly comprised of the group’s proclamations. While the group identifies itself as a ransomware group, it is not operating as a Ransomware-as-a-Service (RaaS), and it’s not known what type of ransomware it may be using in their campaigns."

They remind Trustwave of another wildcard outfit, Lapsus$: "The group's motivating principles and behavior somewhat resemble the Lapsus$ hacker group, which targets entities mainly in the Western hemisphere. Like Lapsus$, Stormous is quite “loud” online and looks to attract attention to itself, making splashy proclamations on the Dark Web and utilizing Telegram to communicate with its audience and organize to determine who to hack next."

While Lapsus$ seems to have been motivated by cash and cachet, the lulz and money, Stormous's motivation appears to be political. They say they're hacking in the Russian cause, and there's no reason not to take them at their word. But the group may have experienced a setback. Trustwave updated its report late yesterday: "The Trustwave SpiderLabs team has noted Stormous’ underground website became inaccessible on April 29. At this time it is not known why the site is down. We will continue to monitor for additional threat intelligence."

Update on the attack against Ukrposhta.

Security Scorecard has released a summary of its study of the distributed denial-of-service attack against Ukrposhta, Ukraine's national postal service. The attack seems to have represented a reprisal for Ukrposhta's issue of a stamp commemorating the Snake Island middle finger of defiance ("Russian warship, go [eff] yourself") and the subsequent destruction of the Russian warship in question, Black Sea Fleet flagship Moskva. Some of the key points Security Scorecard brings out include:

Ukrposhta was able to recover from the attack without undue difficulty. Security Scorecard thinks it sees signs that the Zhadnost botnet may be running out of resources: "SSC observes the first time use of Russia-based bots and the re-use of Zhadnost infrastructure, a possible indication Zhadnost is starting to exhaust its inventory of unique infrastructure."