Ukraine at D+55: Russia's second phase, and more Shuckworm attacks.
Apr 20, 2022

Russia's firepower-intensive tactics continue the reduction of cities in the Donbas and along the Sea of Azov. In cyber operations, the FSB's Shuckworm group continues its plodding but troubling intelligence collection.

Russia continues to attack in the Donbas and along the Sea of Azov; Ukraine's forces continue to fight for the ground. The UK's Ministry of Defence sees a decline in Russian airstrikes against targets in northern Ukraine after an initial, selective surge. "Russia's military presence on Ukraine's eastern border continues to build, while fighting in the Donbas is intensifying as Russian forces seek to break through Ukrainian Defences. Russian air activity in northern Ukraine is likely to remain low since its withdrawal from north of Kyiv. However, there is still a risk of precision strikes against priority targets throughout Ukraine. Russian attacks on cities across Ukraine show their intent to try and disrupt the movement of Ukrainian reinforcements and weaponry to the east of the country."

How quickly the Russian army has reconstituted its invading force will of course be crucial to determining whether it has more success in this second phase. By some estimates, including one by the US Department of Defense (which has been studiously conservative in its assessment of Russian battle damage), that force lost a quarter of its combat power in the early phase of the invasion. Ukraine's own forces are seeking to disrupt the Russian lines of communication crucial to any such reconstitution.

Shuckworm update: scattershot and crude, but worth keeping an eye on.

Symantec this morning updated its research on the Russian threat actor Shuckworm (also known as Armageddon and Gamaredon) and its activities against Ukraine. Shuckworm first appeared in 2014, during Russia's earlier aggression against Ukraine that resulted in its annexation of Crimea, and the group is generally held to be an FSB operation staged from that conquered province. Since its inception, its principal focus has been Ukraine.

Symantec is tracking four variants of the Pterodo backdoor that Shuckworm installs on its victims' systems. Installing multiple versions of essentially functionally equivalent malware is one of the group's characteristic bits of tradecraft. The practice seems to be a crude method of establishing and maintaining persistence: if the defenders find and kick one version, well, there are three others they might overlook. "While Shuckworm is not the most tactically sophisticated espionage group," Symantec writes, "it compensates for this in its focus and persistence in relentlessly targeting Ukrainian organizations. It appears that Pterodo is being continuously redeveloped by the attackers in a bid to stay ahead of detection."
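The redundant-persistence pattern described above has a practical consequence for responders: removing the one implant that tripped an alert leaves the siblings in place. The following is an added example (not code from Symantec's report, the CyberWire briefing, or anything Shuckworm actually uses) of a defender-side triage routine that takes an inventory of persistence entries collected from a Windows host, normalises away the details an operator would vary between variants (file names, directories, hex-looking tokens), and flags any group of entries that launch the same kind of thing under more than one distinct payload hash. The inventory, entry names, hashes and normalisation rules are all constructed for illustration and are assumptions, not real Pterodo artifacts or indicators.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PersistenceEntry:
    """One persistence artifact as collected by an inventory tool (hypothetical schema)."""
    source: str    # where it was found: run_key, scheduled_task, startup_folder, ...
    name: str      # the registered entry name
    command: str   # the command line the entry launches
    sha256: str    # hash of the launched payload (constructed placeholder values below)


# Split a Windows command line into tokens, keeping quoted paths together.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def normalise(command: str) -> str:
    """Reduce a command line to the shape an operator cannot easily vary.

    Assumed rules: paths keep only their extension (the interpreter binary, i.e.
    a .exe, keeps its base name because that identity matters), long hex runs
    collapse to a placeholder, case and quoting are ignored.
    """
    out = []
    for tok in _TOKEN.findall(command):
        tok = tok.strip('"').lower()
        if "\\" in tok:  # a path: drop the directory and the variable file name
            base = tok.rsplit("\\", 1)[1]
            stem, dot, ext = base.rpartition(".")
            if ext == "exe":
                out.append("<dir>\\" + base)
            else:
                out.append("<dir>\\<file>." + ext if dot else "<dir>\\<file>")
        elif re.fullmatch(r"[0-9a-f]{8,}", tok):
            out.append("<hex>")
        else:
            out.append(tok)
    return " ".join(out)


def find_redundant_clusters(entries):
    """Group entries by normalised launch behaviour; return only the groups that
    contain more than one distinct payload hash, i.e. the sibling-implant pattern."""
    groups = defaultdict(list)
    for entry in entries:
        groups[normalise(entry.command)].append(entry)
    return {key: members for key, members in groups.items()
            if len({m.sha256 for m in members}) > 1}


# Constructed sample inventory: three script launchers with different names,
# directories and hashes, plus benign entries that must not be flagged.
SAMPLE_INVENTORY = [
    PersistenceEntry("run_key", "UpdateSvc",
                     r'wscript.exe //b "C:\Users\u\AppData\Local\Temp\a1b2c3d4.vbs"',
                     "constructed-hash-1"),
    PersistenceEntry("run_key", "DriverCheck",
                     r'wscript.exe //b "C:\Users\u\AppData\Local\Temp\ff00ee11.vbs"',
                     "constructed-hash-2"),
    PersistenceEntry("scheduled_task", r"Sys\Sync",
                     r'wscript.exe //b "C:\Users\u\AppData\Roaming\sync.vbs"',
                     "constructed-hash-3"),
    # Same legitimate binary registered twice with the same hash: not redundant implants.
    PersistenceEntry("run_key_hkcu", "OneDrive",
                     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
                     "constructed-hash-onedrive"),
    PersistenceEntry("run_key_hklm", "OneDrive",
                     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
                     "constructed-hash-onedrive"),
    PersistenceEntry("scheduled_task", "GoogleUpdate",
                     r'"C:\Program Files\Google\Update\GoogleUpdate.exe" /c',
                     "constructed-hash-gupdate"),
]


if __name__ == "__main__":
    for key, members in find_redundant_clusters(SAMPLE_INVENTORY).items():
        print(f"redundant cluster: {key}")
        for m in members:
            print(f"  [{m.source}] {m.name}: {m.command} ({m.sha256})")
```

The point of grouping on normalised behaviour rather than on hash is exactly the one the briefing makes: each variant has its own hash, so hash-based blocking finds them one at a time, whereas the launch pattern they share surfaces the whole set for a single, coordinated removal.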

Symantec adds, "While Shuckworm appears to be largely focused on intelligence gathering, its attacks could also potentially be a precursor to more serious intrusions, if the access it acquires to Ukrainian organizations is turned over to other Russian-sponsored actors." That's not surprising: developing intelligence is always an early stage in battlespace preparation.

Ukraine, Bloomberg reports, continues to augment its cyber defenses, with significant help from domestic and international corporations.