An apparently deliberate Russian strike against a Ukrainian civilian target (with no plausible military justification or excuse, and nothing to be said in extenuation or mitigation) attracts widespread condemnation. Killnet claims responsibility for DDoS attacks against Lithuanian networks. A look at the way the Dark Crystal RAT is being used against Ukrainian targets.
Ukraine at D+124: Russian missiles hit a shopping mall.
Russian missile strike hits a Ukrainian shopping mall.
A Russian missile strike yesterday hit a shopping mall in the Ukrainian city of Kremenchuk, south of Kyiv and west-northwest of Dnipro, well outside the area of active fighting in the Donbas. Reuters and multiple other sources report that more than a thousand people were in the mall at the time of the strike; the official preliminary casualty report from Ukraine puts the dead at sixteen, with fifty-nine injured. It was a civilian, not a military target. There are only three possibilities: either the Russians misidentified the mall as a military target (in an intelligence failure) or the weapons failed to hit whatever else they may have been aimed at (in an operational failure), or the Russian air force knew exactly what it was shooting at (and hit it). Ukraine has adopted the third explanation, which indeed is by far the most likely, and denounced the strike as as act of terrorism. "This is not an accidental hit, this is a calculated Russian strike exactly onto this shopping centre," Ukrainian President Zelenskiy said in an address yesterday evening.
Ukraine was joined not only by NATO and other sympathetic powers in its condemnation, but by the United Nations as well, which called the attack "utterly deplorable," and it was deplorable whatever the casualties ultimately turn out to be. UN Spokesperson, Stéphane Dujarric said, “Any sort of civilian infrastructure, which includes obviously shopping malls, and civilians, should never ever be targeted,” Moscow has so far not commented on the attack, but Dmitry Polyanskiy, Russia's deputy ambassador to the United Nations, dismissed the incident as opportunistic Ukrainian propaganda, perhaps an outright provocation. "One should wait for what our Ministry of Defence will say, but there are too many striking discrepancies already," Mr. Polyanskiy said. It's unclear what those discrepancies might be.
The weapons used were two X-22s (also called a Kh-22, "X" and "Kh" being alternative Roman transliterations of the Cyrillic letter), a large, air-launched anti-ship missile deployed by the Soviets in 1962 and tracked by NATO as the AS-4 Kitchen. The X-22 has a range of about 600 kilometers and carries a thousand kilograms of high explosive. The Kitchen is an old system and isn't regarded as highly accurate by contemporary missile standards, but it's capable of hitting a big, stationary target (like a shopping mall).
Ukraine's calling the attack "terrorism" isn't idle name-calling. Kyiv has asked Western governments to designate Russia as a state-sponsor of terrorism, with all that implies under international law. (Minimally, the Washington Post observes, it would solidify Russia's place as an international pariah. Four nations--Cuba, North Korea, Iran and Syria--are currently designated state sponsors of terrorism by the US State Department.) While French President Macron declined to go that far, he called the attack "a war crime" and said that NATO and the G7 needed no further reason to tighten the sanctions already in place against Russia. President Zelenskyy has asked the West to help Ukraine expel Russian forces before winter, the Wall Street Journal reports.
The situation on the ground.
The US Department of Defense says that it sees two significant trends in Russia's war against Ukraine: continuing and damaging morale problems in the ranks of the Russian forces, and a growing incidence of Ukrainian partisan activity against Russian occupiers. "Over the last several days, we've become aware of assassinations of local Russian officials. And we're also aware that reporting suggests Ukrainians have been successful in liberating several small towns northwest and west of Kherson."
Today's situation report from the UK's Ministry of Defence reports on the current state of Ukrainian defenses around Lysychansk. "Ukrainian forces continue to consolidate their positions on higher ground in the city of Lyschansk, after falling back from Sieverodonetsk. Ukrainian forces continue to disrupt Russian command and control with successful strikes deep behind Russian lines." It went on to comment on the weekend's wave of missile strikes, many of which were conducted with legacy weapons ill-suited to Russia's current tactical requirements. "Over 24-26 June, Russia launched unusually intense waves of strikes across Ukraine using long-range missiles. These weapons highly likely included the Soviet-era AS-4 KITCHEN and more modern AS-23a KODIAK missiles, fired from both Belarusian and Russian airspace. These weapons were designed to take on targets of strategic importance, but Russia continues to expend them in large numbers for tactical advantage. Similarly, it fielded the core elements of six different armies yet achieved only tactical success at Sieverodonetsk. The Russian armed forces are increasingly hollowed out. They currently accept a level of degraded combat effectiveness, which is probably unsustainable in the long term."
Ukraine is expending its Soviet-era ordnance rapidly, and is asking for accelerated deliveries of NATO artillery and ammunition to replace it, the Guardian reports. NATO has been supplying both Soviet-era ammunition and new NATO standard systems, but at this point the international market for legacy ammunition is drying up, and Ukraine will become increasingly reliant on shipments of newer, NATO-standard weapons. Among the newer NATO artillery systems now in action with Ukrainian forces are US-built M142 High Mobility Artillery Rocket Systems (HIMARS), Task & Purpose reports. "These weapons are in the good hands, dear Americans!" Ukraine's Ministry of Defense tweeted in text accompanying video of HIMARS in action. It's taken less than a month from their arrival to put the HIMARS to use, but supply remains a race in a gunner's and rocketeer's war.
Distributed denial-of-service attacks against Lithuania.
Lithuania has said that the distributed denial-of-service attacks it's sustaining "probably" originate with Russia, SecurityWeek reports. According to CNN, the nominally hacktivist outfit Killnet has now claimed responsibility (the Cyber-Spetsnaz subgroup apparently having faded from the communiqués), and the Lithuanian government expects the attacks to continue, perhaps intensify, in coming days. “Part of the Secure National Data Transfer Network users have been unable to access services, work is in progress to restore it to normal,” Lithuania’s National Cyber Security Centre (NKSC) said. “It is highly probable that such, or even more, intense attacks will continue into the coming days, especially against the communications, energy and financial sectors.” Lithuania is attracting Russian attention because of its refusal to allow prohibited goods to be shipped over its rail lines to Russia's non-contiguous region of Kaliningrad, an enclave surrounded by Lithuanian and Polish territory.
Flashpoint, which has been following Killnet and related pro-Russian chatter, finds that chatter to be notably aggressive. "Flashpoint has identified chatter on various pro-Russian Telegram channels claiming that the current standoff between Russia and Lithuania could escalate to a full-fledged military confrontation, although no evidence of physical violence is yet to take place between Russia and Lithuania as of this publishing."
Dark Crystal RAT described.
CERT-UA earlier this month warned that Windows systems in Ukraine were under attack by Russian operators deploying the Dark Crystal RAT (DCRat). Fortinet's Fortiguard Labs yesterday issued a description of how DCRat (which they describe as "a commercial .NET Remote Access Trojan (RAT) commonly found being sold in underground forums") is being used. While the precise infection vector is unknown, it's believed to be a form of phishing. The payload is carried in malicious macros the victim is induced to run. The typical use to which DCRat is put has been data theft, but it also establishes persistence in victims' systems and can be used to stage a broad range of other attacks. The report concludes, "The RAT can be customized to the attacker’s needs by adding plug-ins. As the RAT primarily focuses on data exfiltration, stolen data will likely be used as a stepping stone for further activities against affected organizations. It can also lead to further damage such as a threat actor maintaining persistence in the long term, stealing personally identifiable information (PII), and confidential data. Targets of this attack are likely in Ukraine. Having a foothold in the compromised Ukrainian organization goes a long way towards inflicting long-term and unthinkable damage, due to the nature of this malware."