Ukraine at D+511: Russia declares a blockade (and Turla's back).
Jul 20, 2023

Indiscriminate missile strikes against Ukrainian port cities accompany Russia's declaration of a Black Sea blockade. Sanctions may be weakening Russia's system of domestic surveillance. The FSB's Turla is back and engaging in cyberespionage.

Russian strikes against Ukrainian cities continued for the third consecutive night. The Black Sea port cities of Mykolaiv and Odesa were particularly hard hit, the Guardian reports, with a number of civilian casualties. The strikes have been characteristically indiscriminate, but they're more-or-less designed to interfere with export of Ukrainian grain. Some warehouses were hit, but residential areas caught the most missiles. Whether that's due to a deliberate decision, to incompetent targeting, or to simple indifference is unclear.

The Black Sea Grain Initiative is replaced by a Russian blockade.

Russia announced a blockade of Ukrainian ports that took effect at midnight. The Defense Ministry announced, as quoted by Reuters, that "In connection with the termination of the Black Sea Initiative and the end of the maritime humanitarian corridor, from 00.00 Moscow time on July 20, 2023 (2100 GMT on Wednesday) all ships proceeding to Ukrainian ports in Black Sea waters will be considered as potential carriers of military cargo." What actions Russia will take in this regard are unclear. The US Naval Institute notes that under international law of visit and search, Russia's navy can stop and inspect ships to ensure they're not carrying weapons, but asserting that right doesn't make the ships legitimate targets for attack or even (absent weapons being found aboard) seizure.

The UK's Ministry of Defence offered this appraisal of the new Russian blockade of Ukrainian ports. "On 17 July 2023, Russia failed to renew its involvement in the Black Sea Grain Initiative (BSGI). This effectively nullified the security agreement which, despite the war, had ensured the safe passage of vessels exporting grain from Ukraine. Russia is aiming to deter all merchant shipping from Ukrainian ports. Russia likely made the decision to leave some time ago because it decided that the deal was no longer serving its interests. Russia has masked this with disinformation, claiming its withdrawal is instead due to concerns that civilian ships are at risk from Ukrainian mines and that Ukraine was making military use of the grain corridor without providing evidence for these claims. On 19 July 2023, the Russian MoD said it would assume all vessels approaching Ukraine were carrying weapons. The Russian Black Sea Fleet (BSF) will likely now take a more active role in disrupting any trade which continues. However, BSF blockade operations will be at risk from Ukrainian uncrewed surface vehicles and coastal defence cruise missiles."

The US warns that Russia has laid mines in the Black Sea along approaches to Ukrainian ports. “Our information indicates that Russia laid additional sea mines in the approaches to Ukrainian ports,” White House National Security Council spokesman Adam Hodge said in a statement quoted by the AP. “We believe that this is a coordinated effort to justify any attacks against civilian ships in the Black Sea and lay blame on Ukraine for these attacks.” Commentators on Russian state television have this week openly advocated laying mines as a deniable provocation that could be blamed on Ukraine.

The Guardian has a useful summary of the Black Sea Grain Initiative, and the ways in which Ukrainian grain is a vital component of the global food supply. “I think it ought to be quite clear to everyone in the world right now that Russia is using food as a weapon of war,” Al Jazeera quotes a US State Department representative as saying. “Not just against the Ukrainian people, but against all the people in the world, especially the most underdeveloped countries who depend on grain from the region.”

The developing fate of the Wagner Group.

Wagner Group boss Yevgeny Prigozhin has made a video appearance in which he says that his mercenary force will continue, but that the focus of its operations will for the foreseeable future be Africa, and that its base will be in Belarus. Radio Free Europe | Radio Liberty quotes Mr. Prigozhin on his grievances and his plans. "You have done a lot for Russia," he said, addressing Wagnerite fighters. "What is happening now on the front line [in Ukraine] is a shame we do not need to take part in. We need to wait until the moment when we are able to fully express ourselves." Thus it seems that not all has been forgiven the Russian Ministry of Defense. He added, "The decision was made that we will stay here in Belarus for some time." The group will spend that time retraining itself, and training and transforming the Belarusian army. "During that time, we will turn, and I am fully confident about that, the Belarusian Army into the second-best army in the world, and if need be, protect them.... We must get trained further...and then head to a new destination, to Africa, and then, probably, we will get back to the special military operation [in Ukraine] when we are sure that we will not be forced to shame ourselves and our experience."

POLITICO reports that online sources linked to Mr. Prigozhin's various enterprises have published a valediction of the Wagner Group's fight in Ukraine. “A total of 78,000 PMC Wagner fighters participated in the Ukrainian mission,” the “Wagner Loading” Telegram channel posted yesterday. That participation came at a high cost. “At the time of the capture of Bakhmut (20 May),” Wagner Loading added, “22,000 fighters were killed, 40,000 wounded.” If true, that's a significant fraction of total Russian losses in the war against Ukraine.

Wagner activity in Africa is the proximate cause of His Majesty's Government's decision, announced this morning, to levy sanctions against individuals and organizations connected with the Wagner Group's adventures in that continent. "New UK sanctions target 13 individuals and businesses linked to the actions of the Russian Wagner Group, including executions and torture in Mali and the Central African Republic and threats to peace and security in Sudan," the announcement said in part.

The US announces more support for Ukraine.

Yesterday afternoon the US Department of Defense announced another round of support for Ukraine. The total value of the aid in this tranche is $1.3 billion, and it includes:

  • "Four National Advanced Surface-to-Air Missile Systems (NASAMS) and munitions;
  • "152mm artillery rounds [note--this is an old Soviet caliber, not a NATO standard];
  • "Mine clearing equipment;
  • "Tube-Launched, Optically-Tracked, Wire-Guided (TOW) missiles;
  • "Phoenix Ghost and Switchblade Unmanned Aerial Systems (UAS);
  • "Precision aerial munitions;
  • "Counter-UAS and electronic warfare detection equipment; 
  • "150 fuel trucks;
  • "115 tactical vehicles to tow and haul equipment; 
  • "50 tactical vehicles to recover equipment;
  • "Port and harbor security equipment; 
  • "Tactical secure communications systems; 
  • "Support for training, maintenance, and sustainment activities."

SORM under stress.

A study by the Carnegie Endowment for International Peace concludes that sanctions have rendered Western technology increasingly inaccessible to Russia's government, and that this is placing Moscow's domestic surveillance apparatus, SORM, under stress. SORM rides atop Russia's ISPs and telcos, and those sectors are being hit hard by sanctions levied in response to Russia's invasion of Ukraine. "Ultimately, the FSB-led surveillance state envisioned by the Kremlin prior to the Ukraine war—and by the KGB in its Cold War heyday—is now beset by a potentially crippling web of dependencies," the report concludes. "Much about the program remains shrouded in secrecy. However, available insights suggest that SORM’s fate is largely anchored to that of the Russian tech sector." The Record points out one irony of the situation: about half of Russia's mobile infrastructure had been furnished by Nokia and Ericsson. Both companies have said they won't sell further systems to Russia, and their participation in the sanctions has been supported by Finland's (Nokia's home) and Sweden's (where Ericsson is based) decisions to join NATO. Those decisions were given impetus by Russia's invasion of Ukraine.

DeliveryCheck backdoor used against Ukrainian targets.

Microsoft, working with CERT-UA, has identified a novel .NET backdoor being deployed against Ukrainian and other Eastern European targets by the Russian threat actor Microsoft tracks as Secret Blizzard (also known as KRYPTON, UAC-0003, Venomous Bear, or Turla, and generally associated with Russia's FSB security service). The organizations that have attracted the FSB's attention are for the most part found in the defense sector. The attack begins with phishing, the phish hook being a document carrying malicious macros. These install a backdoor, "DeliveryCheck," which establishes persistence through "a scheduled task that downloads and launches it in memory." The backdoor is also in contact with a command-and-control server from which it retrieves a variety of follow-on tasks. Various open-source and specialized tools (the latter include Kazuar, which Microsoft describes as "a fully featured Secret Blizzard implant") are used to exfiltrate messages from the Signal Desktop messaging application. The operators seem interested in private Signal conversations, documents, images, and archive files.

The activity isn't confined to Signal. Microsoft also observed the threat actor targeting Microsoft Exchange servers where it installs server-side components of DeliveryCheck using PowerShell Desired State Configuration (DSC). This approach uses a PowerShell script to place a .NET payload into memory. This, Microsoft says, "effectively [turns] a legitimate server into a malware C2 center."

Ukrainian police roll up another bot farm working in support of Russian influence operations.

Ukrainian police announced this week that they've broken up a criminal operation working from Ukrainian cities (most of the activity was in Vinnytsia, Zaporizhzhia and Lviv) that amplified Russian propaganda directed against Ukrainian popular opinion. The group is also said to have engaged in data theft and other cybercriminal activities. The police statement said, "Criminal proceedings have been opened under Art. 361 (Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks), Art. 361-2 (Unauthorized sale or distribution of information with limited access stored in electronic computing machines (computers), automated systems, computer networks or on media of such information), Art. 190 (Fraud), Art. 259 (Knowingly false notification of a threat to the safety of citizens, destruction or damage to property) of the Criminal Code of Ukraine. Investigations are ongoing." In addition to the arrests, police seized SIM cards and other hardware.

Surge in DDoS connected to Russian hacktivist auxiliaries' activity.

Cloudflare's report, DDoS Attack Trends for 2023 Q2, sees the recent story of distributed denial-of-service attacks as one of "thought-out, tailored and persistent waves of DDoS attack campaigns on various fronts." The first cause of this trend the company identifies is Russia's hybrid war. "Multiple DDoS offensives orchestrated by pro-Russian hacktivist groups REvil, Killnet and Anonymous Sudan against Western interest websites."