Ukraine at D+328: Russia takes Soledar, announces military expansion.
N2K, Jan 18, 2023

Russia has announced a reorganization and expansion of its military, and framed it as a response to the West's "proxy war."


Russia's Ministry of Defense has announced a major reorganization of the country's armed forces. Reuters reports that Defense Minister Shoigu said the changes were intended to enhance the military's effectiveness in response to the exigencies of the special military operation. The improvement will include a reorganization of military districts, according to the Wall Street Journal, and also an increase in the army's end strength to roughly 1.5 million. That's an increase of around 350,000. Kremlin spokesman Dmitry Peskov echoed Mr. Shoigu's views on the root cause of the war and the attendant military buildup. “This is due to the war that the Western countries are waging—a proxy war," he said during a press availability yesterday. “The security of our country must be ensured.”

Ukrainian forces withdraw from Soledar.

The UK's Ministry of Defence believes that Ukrainian forces have now withdrawn from the contested village of Soledar. "By the end of 16 January 2023, Ukrainian forces had highly likely withdrawn from the Donbas town of Soledar, leaving Russian military and Wagner Group proxy forces in control. Ukrainian forces have likely established new defensive lines to the west. Russia’s advance on Soledar primarily consisted of Wagner forces and was a supporting operation aimed to enable the eventual envelopment of the larger settlement of Bakhmut. One of Ukraine’s two main supply routes into Bakhmut is now under increasing pressure. Imagery shows that since the start of January 2023, the south and east of Bakhmut has continued to be subjected to intense artillery bombardment. Ukrainian forces almost certainly continue to defend against Russian forces on the outskirts of the city."

A side-effect of Russia's war: a drop in paycard fraud.

In the course of surveying paycard fraud during 2022, Recorded Future's Insikt Group noticed a 62% drop in stolen cards being hawked or dumped on the dark web. That drop, Infosecurity Magazine points out, coincides with Russia's invasion of Ukraine. The drop came in two waves. The first was occasioned by an unexpected crackdown on (some) cybercriminal gangs in January of 2022. “The governing theory is that Russia sought to signal its intent to cooperate with the West against cybercrime should the West acquiesce to Russian demands regarding Ukraine,” Recorded Future says. Any expectation of Western good will was soon seen to be a false light. The second wave took place after the invasion proper, and once it became clear that the war Russia had unleashed was going to be far more protracted than anyone expected. “After April, slack carding demand and depressed volumes of ‘fresh’ records were likely a result of Russia’s war," the report continues. "It is highly likely that the war has significantly impacted Russian and Ukrainian threat actors’ ability to engage in card fraud as a result of mobilization, refugee and voluntary migration, energy instability, inconsistent internet connectivity and deteriorated server infrastructure. Russian-occupied areas of the Donbas region of Ukraine were long suspected to have hosted cyber-criminal server infrastructure.” Thus there were issues with respect to criminal infrastructure. Not mentioned is another possibly contributing cause: the mobilization of gangs as cyber auxiliaries of the Russian intelligence and security services. This sector of the criminal underground economy is likely to continue to see a downturn as long as the war continues.

The persistence of nuisance-level hacktivism.

Russian threat actors allegedly disrupted a Ukrainian news conference yesterday, Axios reports. "We just faced a cyberattack on our information platform committed by Russia," Media Center Ukraine, the service convening the event said. "We understand they don't like to hear the truth about this war, but we're not to be stopped, we are online, we are broadcasting." The news conference was set to include an interview with Yurii Shchyhol, Head of State Service for Special Communications and Information Protection, who was to offer an overview of Russian cyber operations during its war against Ukraine. The delay was brief; the interview has since been posted by Ukrinform.

Further notes on conscription-themed Telegram phishing.

Russians have been targeted with phishing attempts, delivered over Telegram messaging, that trade on fear of the next rounds of conscription. Joe Gallop, Intelligence Analysis Manager at Cofense, wrote to comment on the Telegram bots being used to steal credentials from Russians concerned about further mobilization and the expansion of the country's conscript pool:

“As the anniversary of the Ukraine invasion approaches, phishing threat actors have reportedly played on Russian enlistment fears in new phishing attacks. The threat actors reportedly sent messages with malicious links that directed unsuspecting Russian citizens to a phishing website supposedly containing a list of people who could be drafted into the Russian army. Phishing attacks are ultimately emotional, and this campaign is no different. Threat actors employed social engineering to capitalize on enlistment fears, making it more likely for individuals to overlook the common signals of a phishing email, including urgent language and grammatical errors. 

"This phishing campaign used Telegram bots to harvest personal data from victims. Telegram bots have become a popular choice for threat actors as they are a low-cost or free single-pane-of-glass solution. According to a recent Cofense Intelligence report, the utilization of Telegram bots as exfiltration destinations for phished information increased by more than 800% between 2021 and 2022. Telegram bots are easy to set up in private and group chats, are compatible with a wide range of programming languages and are easy to integrate into malicious media such as malware or credential phishing kits. 

"To prevent future phishing attacks, organizations must take the necessary steps to train users to recognize phishing emails, give the users a simple way to report those phishing emails, and provide security personnel with the tools and intelligence needed to quickly analyze and remove them. One specific mitigation opportunity for cases like this is to set policies regarding the use of api[.]telegram[.]org (the domain used by programmers to communicate with bots). Adopting actionable intelligence that gives visibility into the risk factors in your network and immediately and decisively responds to phishing threats will help keep malicious actors at bay and ensure the protection of sensitive data.”
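The policy control Mr. Gallop points to, the api.telegram.org domain that bot-based phishing kits use to exfiltrate harvested data, is easy to turn into a detection. The script below is an added illustration, not code from Cofense or from the original article: it runs over a few constructed proxy-log lines in a hypothetical "timestamp source method url status" layout, flags every request to api.telegram.org from a source not on an explicit allow list, records which Bot API method was called, and redacts the bot token so the finding can be shared without leaking a secret.

```python
"""Flag outbound Bot API traffic to api.telegram.org in proxy logs.

Added defensive example; the log format and the source addresses are
constructed for illustration and do not come from any real product or incident.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# The domain named in the Cofense comment as the policy control point.
TELEGRAM_API_HOST = "api.telegram.org"

# Telegram's public Bot API addresses a bot as /bot<token>/<method>. The token is
# a secret, so we capture only the method name and redact the token in output.
BOT_PATH = re.compile(r"^/bot[^/]+/(\w+)")
TOKEN_REDACT = re.compile(r"/bot[^/]+/")

# Constructed sample log: "<ts> <src-ip> <http-method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2023-01-17T10:02:11Z 10.20.1.15 GET https://www.example.org/index.html 200
2023-01-17T10:02:45Z 10.20.1.42 POST https://api.telegram.org/bot1234567890:CONSTRUCTEDTOKEN/sendDocument 200
2023-01-17T10:03:02Z 10.20.1.42 POST https://api.telegram.org/bot1234567890:CONSTRUCTEDTOKEN/sendMessage 200
2023-01-17T10:03:30Z 10.20.3.7 GET https://api.telegram.org/bot9876543210:OTHERTOKEN/getUpdates 200
2023-01-17T10:04:00Z 10.20.1.15 GET https://cdn.example.net/app.js 200
"""


def parse_line(line):
    """Split one log line into a record; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, http_method, url, status = parts
    try:
        return {"ts": ts, "src": src, "http_method": http_method,
                "url": url, "status": int(status)}
    except ValueError:
        return None


def classify_url(url):
    """Return the Bot API method name when url targets api.telegram.org.

    Returns "other" for api.telegram.org requests that do not follow the
    /bot<token>/<method> layout, and None for every other host.
    """
    parsed = urlsplit(url)
    if (parsed.hostname or "").lower() != TELEGRAM_API_HOST:
        return None
    match = BOT_PATH.match(parsed.path)
    return match.group(1) if match else "other"


def find_telegram_api_use(log_text, allowed_sources=frozenset()):
    """Return one finding per api.telegram.org request from a non-allowed source."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        api_method = classify_url(rec["url"])
        if api_method is None or rec["src"] in allowed_sources:
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "http_method": rec["http_method"],
            "api_method": api_method,
            # Never carry the bot token into tickets or alerts.
            "url": TOKEN_REDACT.sub("/bot<redacted>/", rec["url"]),
        })
    return findings


def summarize_by_source(findings):
    """Count findings per source address to spot the noisiest host."""
    return dict(Counter(f["src"] for f in findings))


if __name__ == "__main__":
    hits = find_telegram_api_use(SAMPLE_PROXY_LOG)
    for hit in hits:
        print(f'{hit["ts"]} {hit["src"]} {hit["api_method"]:<13} {hit["url"]}')
    print(summarize_by_source(hits))
```

Two design points worth noting. The Bot API method is kept in the finding because it carries triage weight: sendDocument or sendMessage from a workstation is consistent with a phishing kit or malware pushing harvested data out, whereas a host polling getUpdates may be running a legitimate integration and belongs on the allow list. And the token is redacted before the record leaves the script, so an analyst can paste the finding into a ticket without handing the bot's credential to anyone who reads it.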