Ukraine at D+666: Kyivstar attack may represent a new cyber phase of the hybrid war.
The CyberWire, Dec 22, 2023

Unattributed cyberespionage campaigns afflict both sides. The Kyivstar cyberattack is now regarded as the most effective Russian cyber operation since its attack against Viasat ground stations in the opening hours of the invasion.

Early this morning Russia launched twenty-eight Iranian-supplied Shahed drones against Ukrainian cities, with most, about two dozen, directed against Kyiv. Radio Free Europe | Radio Liberty reports that twenty-four were shot down by Ukrainian air defenses, but those that leaked through did damage on the ground.

An assessment of the war to date.

Twenty months into Russia's invasion, it might be possible to forget that Ukraine was generally expected to fall within a matter of days. But the Institute for the Study of War (ISW) argues that this doesn't represent permanent and inevitable Russian failure. "The failure of Russian operations in Ukraine to achieve Russian President Vladimir Putin’s maximalist objectives thus far is not a permanent condition, and only continued Western support for Ukraine can ensure that Putin’s maximalist objectives remain unattainable. US Secretary of State Antony Blinken stated on December 20 that Putin has already failed to achieve his principal objective of 'erasing [Ukraine] from the map and subsuming it into Russia.' The Russian military has failed to force Ukraine to capitulate to Putin’s maximalist objectives to replace the Ukrainian government with one acceptable to the Kremlin under veiled calls for 'denazification,' to destroy Ukraine’s ability to resist any future Kremlin demands under calls for 'demilitarization,' and to prohibit Ukraine’s right to choose its own diplomatic and military partnerships under calls for Ukrainian 'neutrality.'"

Continued Western support is essential to Ukraine's continued defense. Should that assistance fail, Russia could still achieve its declared goals. The present stalemate is unlikely to endure in any case. As the ground freezes hard in January and February, it will become easier to maneuver combat vehicles, and the tempo of action along the front can be expected to increase. An assessment from the Estonian military, however, reported in ERR, emphasizes that such small gains as Russian forces have shown themselves capable of are insufficient to produce any significant operational effect. "The Russian Federation's forces have continued offensive operations all along the front and have found some success near Avdiivka and the villages north and south of the town. It is possible Avdiivka will fall, while it also depends on what Ukraine decides – whether to try and hold it or fall back. The city has not been surrounded yet," Estonian Ministry of Defense spokesman Colonel Tarmo Kundla said at a weekly briefing at the Ministry of Defense. "Even if Russian troops manage to take the city, it will be a tactical victory with solid PR potential, while it will not provide them with major operational level success. It remains unlikely the Russian Federation will be able to seize larger swathes of territory in the Donetsk Oblast in the near future."

Apprehension elsewhere in the Near Abroad.

Russia's neighbors continue to express concern over Moscow's intentions. Most recently, the ISW reports, "The Uzbek Ministry of Foreign Affairs (MFA) summoned Russian Ambassador to Uzbekistan Oleg Malginov after Russian ultranationalist and former Russian State Duma Deputy Zakhar Prilepin suggested that Russia should annex part of Uzbekistan." The remarks were sufficiently alarming to warrant Tashkent's call for an official explanation from Moscow. In isolation the suggestion might be written off as one fanatic's musing, but in the context of the extravagant expansionist claims routinely offered on Russian state television, it would seem negligent not to treat them seriously. (For examples of such official media rhetoric, see this discussion of nuclear strikes against Western cities, and this consideration of continuing the Russian advance beyond Ukraine and farther west into Europe, both captured and subtitled by the Russian Media Monitor. These programs aren't outliers. Such expansionist thinking is as common in Russian media as is advocacy of atrocity and genocide.)

A continuing cyberespionage campaign against Ukrainian targets.

Deep Instinct reports on the continuing activity of "UAC-0099," a threat actor of uncertain provenance that's been conducting cyberespionage against Ukraine since the middle of 2022. It's been seen exploiting CVE-2023-38831. This is a vulnerability in earlier versions of RARLAB WinRAR archive management software that, as NIST's National Vulnerability Database explains, "allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive." The phishbait has typically been a bogus court document, usually a summons, and the hook it carries is an unobtrusive exploit unlikely to be noticed by the victim.

"The tactics used by 'UAC-0099' are simple, yet effective. Despite the different initial infection vectors, the core infection is the same — they rely on PowerShell and the creation of a scheduled task that executes a VBS file," Deep Instinct writes. "Monitoring and limiting the functionality of those components can reduce the risk of 'UAC-0099' attacks — and/or identify them quickly in the event of compromise." The most recent version of WinRAR isn't vulnerable to this exploitation.
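The monitoring Deep Instinct recommends can be made concrete in a log triage rule. The following Python is an added example written for this note, not Deep Instinct's or CERT-UA's tooling: it inspects Windows Security event 4698 (a scheduled task was created), whose body carries the task definition as XML, and flags any task whose action runs a `.vbs` file, rating it higher when the registering process is PowerShell. The `CreatorProcess` field is an assumed enrichment (for example, correlated from event 4688 or Sysmon event 1 by the collector), since 4698 itself does not name the registering executable; all events in the block are constructed samples, not captured data.

```python
"""Triage scheduled-task registrations whose action launches a VBS file.

Added example, not Deep Instinct's or CERT-UA's code. Input is modelled on
Windows Security event 4698 ("a scheduled task was created"). The
"CreatorProcess" field is an assumed enrichment; all events are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")          # native VBS hosts
LAUNCHERS = ("cmd.exe", "powershell.exe", "pwsh.exe")  # can shell out to a VBS
VBS_RE = re.compile(r"\.vbs\b", re.IGNORECASE)


def task_actions(task_xml):
    """Yield (command, arguments) for each <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = node.findtext("t:Command", default="", namespaces=NS).strip()
        args = node.findtext("t:Arguments", default="", namespaces=NS).strip()
        yield cmd, args


def vbs_action(task_xml):
    """Return the offending 'command args' line if any action runs a .vbs, else None."""
    for cmd, args in task_actions(task_xml):
        exe = cmd.replace('"', "").replace("/", "\\").split("\\")[-1].lower()
        line = f"{cmd} {args}".strip()
        if exe.endswith(".vbs"):                         # .vbs used as the command itself
            return line
        if exe in SCRIPT_HOSTS and VBS_RE.search(args):  # wscript/cscript foo.vbs
            return line
        if exe in LAUNCHERS and VBS_RE.search(args):     # cmd /c start foo.vbs, etc.
            return line
    return None


def triage_4698(events):
    """Return (task_name, severity, action) for each 4698 event whose task runs a VBS.

    Severity is 'high' when the assumed creator process is PowerShell, which is
    the PowerShell -> scheduled task -> VBS chain described in the text.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        action = vbs_action(ev["TaskContent"])
        if action is None:
            continue
        creator = ev.get("CreatorProcess", "").lower()
        severity = "high" if creator in ("powershell.exe", "pwsh.exe") else "medium"
        findings.append((ev["TaskName"], severity, action))
    return findings


def _task(cmd, args):
    """Build a minimal Task XML document (constructed sample, not a real capture)."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}"><Actions Context="Author">'
            f"<Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec>"
            "</Actions></Task>")


SAMPLE_EVENTS = [  # constructed samples, not captured data
    {"EventID": 4698, "TaskName": r"\Updater", "CreatorProcess": "powershell.exe",
     "TaskContent": _task("wscript.exe", r'"C:\Users\Public\summons.vbs" //B')},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "CreatorProcess": "svchost.exe",
     "TaskContent": _task(r"%windir%\system32\defrag.exe", "-c -h -k -g -$")},
    {"EventID": 4698, "TaskName": r"\Telemetry", "CreatorProcess": "explorer.exe",
     "TaskContent": _task("cmd.exe", r'/c start "" "C:\ProgramData\t.vbs"')},
    {"EventID": 4688, "TaskName": "", "CreatorProcess": "", "TaskContent": ""},
]

if __name__ == "__main__":
    for name, sev, action in triage_4698(SAMPLE_EVENTS):
        print(f"[{sev}] {name}: {action}")
```

The rule deliberately matches on the task's action rather than on the task name, since the name is attacker-chosen; pairing it with the creator process is what separates the chain Deep Instinct describes from an ordinary administrator registering a maintenance script.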

Circumstantially, UAC-0099 looks like a Russian operation. The victimology is consistent with Russian intelligence service targeting, and Google has seen similar exploitation of CVE-2023-38831 by known Russian threat actors, notably the GRU's Sandworm. But Deep Instinct offers no attribution, nor, interestingly, did CERT-UA in a May 6th, 2023, advisory about UAC-0099.

And a continuing cyberespionage campaign against Russian targets.

Another threat actor of uncertain origin and allegiance is spying on targets in Russia. The group, Cloud Atlas, has been seen before, and it's known to have cultivated targets in Azerbaijan, Belarus, Russia, Slovenia, and Turkey, a politically heterogeneous set of countries in loose geographical proximity. Consensus regards it as a state-directed group, but it's not clear which state Cloud Atlas is working for.

Citing a report earlier this week from Russian cybersecurity firm F.A.C.C.T., the Record describes a recent phishing effort that prospected "a Russian agro-industrial enterprise and a state-owned research company." Two phishing emails were observed, one baited with an offer to send postcards to soldiers fighting in Ukraine and to their family members, the other with an account of changes to laws governing military reserves. Malicious attachments in the emails exploited CVE-2017-11882, a Microsoft Office vulnerability patched in 2017 but still undergoing active exploitation in the wild. It's an arbitrary code execution vulnerability, and the emails containing the payload are preceded by reconnaissance emails containing no malware.

An update on the Kyivstar attack.

The Kyiv Post reports that Kyivstar has fully restored its services, quoting the telco as saying, “The company’s specialists worked non-stop to swiftly restore subscribers’ ability to use all communication services throughout Ukraine and abroad after the largest hacker attack in the history of the global telecommunications market.” Kyivstar thanked its customers for sticking with it, said it would be waiving many fees, and announced that it was making a substantial donation "for the needs of the Armed Forces of Ukraine."

The Russian hacktivist auxiliary Solntsepek has claimed responsibility, apparently credibly. "We, the Solntsepek hackers, take full responsibility for the cyber-attack on Kyivstar," the group said in its Telegram channel. "We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine, as well as government agencies and law enforcement agencies of Ukraine."

An analysis by the Atlantic Council considers the possibility that the attack on Kyivstar--a rare, large-scale success in the cyber phase of the hybrid war, and the most consequential Russian cyberattack since the takedown of Viasat ground stations in the hours after the invasion--may foreshadow an intensification of Russian efforts. Ukrainian defenses have proven formidable, but it would be unwise to assume that Russian offensive capabilities will not evolve in response into more effective forms.