Ukraine at D+83: Mariupol falls. Chaos ransomware goes political, abandons criminal pretenses.
May 18, 2022

Ukrainian resistance in Mariupol is ending. Ukraine wants to exchange prisoners, but Russia considers prosecuting Ukrainian p.o.w.s for "crimes against humanity." Russia's war effort receives an unexpectedly candid review on Russian television. The operators of Chaos ransomware go all-in for Russia's cause. A hacktivist claim of compromising Russian ground security robots is unconfirmed.

The situation map published late yesterday by the British Ministry of Defense (MoD) shows Ukraine in full possession of Kharkiv and making progress toward the reconquest of Kherson, along the Black Sea. It also shows Russia consolidating control over Mariupol, as resistance in the Azovstal works comes to an end. This morning's situation report concentrates on the reduction of Mariupol and what the MoD thinks the battle reveals about the Russian army: 

"Despite Russian forces having encircled Mariupol for over ten weeks, staunch Ukrainian resistance delayed Russia’s ability to gain full control over the city. This frustrated its early attempts to capture a key city and inflicted costly personnel losses amongst Russian forces. In attempting to overcome Ukrainian resistance, Russia has made significant use of auxiliary personnel. This includes a deployment of Chechen forces, likely consisting of several thousand fighters primarily concentrated in the Mariupol and Luhansk sectors. These forces likely consist of both individual volunteers and National Guard units, which are routinely dedicated to securing the rule of Chechen Republic Head, Ramzan Kadyrov. Kadyrov likely maintains close personal oversight of the deployment, while his cousin Adam Delimkhanov has likely acted as the Chechen field commander in Mariupol. The combat deployment of such disparate personnel demonstrates Russia's significant resourcing problems in Ukraine and is likely contributing to a disunited command which continues to hamper Russia’s operations."

The final reduction of Mariupol is a defeat for Ukraine, but some observers see it as a successful economy-of-force operation that so tied up Russian forces that they were unable to complete their encirclement of the Donbas.

The Guardian quotes Ukraine's general staff on the surrender of Azovstal's defenders: “The ‘Mariupol’ garrison has fulfilled its combat mission. The supreme military command ordered the commanders of the units stationed at Azovstal to save the lives of the personnel … Defenders of Mariupol are the heroes of our time.” Ukraine is seeking to exchange Russian prisoners it's taken for the Mariupol defenders now in Russian custody, but, the New York Times reports, Russian authorities have said nothing about an exchange. Moreover, Russian investigators announced their intention of interrogating the prisoners to “check their involvement in crimes committed against civilians.” Members of Russia's Duma are calling for the execution of the captured Ukrainian troops on the grounds that they've committed "crimes against humanity." Why crimes against humanity and not war crimes? Because in the official Russian view this isn't a war, but a protective and defensive special military operation, and also because crimes against humanity was the fourth charge lodged against Nazi war criminals at the Nuremberg trials in 1945, and thus it fits the official line that the Ukrainian fighters are literal Nazis.

The International Criminal Court continues its investigation into alleged Russian war crimes and crimes against humanity, sending a 42-member investigation team into Ukraine, where it joins French forensic experts already on the ground, Al Jazeera reports.

That Russia's war against Ukraine has so far been less than fully successful received an unusually candid acknowledgement on Russian television. “The situation for us will clearly get worse,” the New York Times quotes Mikhail M. Khodaryonok as saying on Rossiya-1's widely watched "60 Minutes" news talk show. Khodaryonok is a retired colonel and "a conservative columnist on military affairs." He went on to say “We are in total geopolitical isolation and the whole world is against us, even if we don’t want to admit it." The Times and other outlets are carrying a link to the program. English subtitles have been added, and it's worth watching (and listening to) in full.

Chaos ransomware group declares for Russia.

Conti did so back in February, while the LockBit crew has tried to remain neutral ("apolitical"). Now another ransomware gang, the operators of Chaos, has declared for Russia, Fortinet researchers report. It's customary for ransomware to include a message that normally demands a ransom and tells the victims how they can recover their files (after paying). There's none of that here; this is the message Chaos has been displaying recently: "Stop Ukraine War! F**k Zelensky! Dont go die for f**king clown! You can see the truth here:" with a link that takes the recipient to a Russophone propaganda site, the "Information and Coordination Center." That page (which leads with the motto "Victory will be ours") explains its purpose in a "Who we are" section. The site's goal appears to be recruitment of hacktivists and influencers:

"Our priorities are:

"In connection with the full-scale information and economic war unfolding against the Russian Federation, the Information Coordination Center ... was created - a group of like-minded people whose main goal is to combat the spread of false information about the activities of the Russian Federation and the Russian Armed Forces.

"1. Blocking channels on Telegram, VK

"2. Blocking propaganda sites that disseminate false information

"3. Investigating violations of rights and civil rights and freedoms

"Current Targeting Guidelines

"In order to participate and contribute to the information confrontation, please see the Toolkit section, where you can learn how to work most effectively in each area.

"If you know of a fake news channel or website which is spreading false information, defaming Russia, or violating human rights and it is not on our list, please contact us."

It includes a list of resources "currently being coordinated," and it offers other items like names of Ukrainian soldiers killed in action, and the names of alleged Ukrainian war criminals.

Chaos, while it's a ransomware builder in the C2C market, clearly isn't a conventional ransomware gang. Fortinet concludes:

"The Chaos ransomware variant that this blog covers is unique in the sense that the attacker has no intention of providing a decryption tool or file recovery instructions for its victims to recover their affected files. Finding them is a tall order for non-technical victims, which pretty much makes the malware a file destroyer. Clearly, the motive behind this malware is “destruction.” The politically inclined messages also indicate that the attacker is pro-Russian and frustrated with the current situation. And with the Chaos ransomware builder now readily available, its options allow anyone to create destructive malware. And with no end to the war in sight, FortiGuard Labs expects more malware like this to emerge."

Report: hacktivists claim to have compromised Russian-manufactured ground surveillance robots.

The Daily Dot reports that a hacktivist group, "CaucasNet," says it successfully compromised Tral Patrol 4.0 unmanned ground video surveillance systems. Hashtagging #OpRussia and #GloryUkraine, CaucasNet's Twitter feed crowed, "We hacked the patrol robots of the Russian company «SMP Robotics». Now we control the Robotics robots all over the world, we broadcasted the anthem of Ukraine and the Georgian song «300» on all the robots on May 9th." Tral Patrol robots have been sold in many countries, but CaucasNet claimed in particular that they'd hacked the systems at Moscow's Sheremetyevo International Airport. The airport did not confirm any incident to the Daily Dot, saying only, “Sheremetyevo International Airport does not confirm the fact of hacker hacking of the security system." Like most hacktivism, this amounts to a nuisance. And like most hacktivist claims, this one should be received with open-minded skepticism.