Ukraine at D+567: Investigating Meduza's Pegasus infestation.
N2K, Sep 14, 2023

The Pegasus attack against Meduza remains unattributed. A representative of the IT Army of Ukraine shares some wartime lessons from the hacktivist auxiliary.

Ukrainian ground forces continue their slow advance in the southeast.

The Ukrainian missile strike against Russian Black Sea Fleet units in Sevastopol may have been more damaging than at first believed. Russian sources say that ten cruise missiles and three uncrewed surface boats were used in the attack, and that all three boats and seven of the ten missiles were intercepted. Three missiles found their targets. Naval facilities at the Sevmorzavod repair yards in the Ordzhonikidze Shipyard were damaged, and video of fires at the shipyard has been widely circulated. Two ships in drydock were damaged, a Ropucha class amphibious warfare ship (probably the Minsk) and a Kilo class submarine (probably the Rostov-on-Don). Russian officials said both vessels would soon return to service, but the Institute for the Study of War (ISW) says satellite imagery shows that both warships have been destroyed. "The apparent destruction of the two vessels will likely render the dry dock inoperable until Russian forces can clear the debris, which may take a significant amount of time. The extent of the damage to Sevmorzavod’s repair facilities beyond the dry dock is unclear, and any damage to one of the Russian Black Sea Fleet’s main repair facilities in occupied Crimea will likely have reverberating impacts in the event of further Ukrainian strikes on Russian naval assets."

Another strike against occupied Crimea last night destroyed a Russian S-400 air defense battery near Yevpatoriya, Radio Free Europe | Radio Liberty reports.

Progressive decoupling.

The UK's Ministry of Defence sees a milestone along what will be a long path toward disentanglement. "On 10 September 2023, Energoatom, Ukraine’s nuclear power plant operator, announced it had successfully refueled a reactor at its Rivne Nuclear Power Plant (NPP) using Western-produced nuclear fuel assemblies. All of Ukraine’s NPPs have reactors based on Soviet designs and until February 2022 it relied on Russia for nuclear fuel. Since Russia’s full-scale invasion, Ukraine has accelerated plans to diversify its supply. With nuclear energy supplying approximately half of Ukraine’s electricity, Energoatom’s success in sourcing and installing Western fuel is a major waypoint in Ukraine’s long-term decoupling from Russia, whose influence over Ukraine’s energy supply is severely diminished."

The Meduza spyware incident.

Investigation of the installation of Pegasus spyware on the phone of Galina Timchenko, an expatriate Russian journalist who's the founder and CEO of the exiled Russian Meduza news service, continues. While circumstantially Russian security services would be the obvious suspects, it's not at all clear that such attribution would be correct. There's the possibility that an intelligence service of another government, possibly Latvia, which gave Meduza refuge when it was forced from Russia, could be responsible. Research by Access Now and Citizen Lab stops short of calling out any government as responsible for the incident. There have been twenty-two operators of Pegasus in fourteen European countries. Latvia is thought to be one of the forty-five countries worldwide where Pegasus has been used, but Riga isn't known to have deployed the surveillance tool outside its borders. The installation of the spyware took place while Timchenko and her device were in Germany.

Meduza has long been a critic of President Putin's regime. The publication's editor-in-chief said, in a long statement about the incident, "Hackers have been targeting Meduza’s founders and employees since the very first months of our existence. Their tactics have included DDoS attacks, phishing attempts, sophisticated attacks on our email newsletters, and elaborate attempts to hack our mobile application (which can still circumvent Russia’s censors)." Meduza expressed its gratitude to Europe in general and to Latvia in particular: "We’re very grateful to Europe. The hospitality of Latvia, where our editorial office has been located since 2014, is one of the key factors that has allowed Meduza to succeed." But the statement went on to express concern that Meduza and organizations like it may now be caught between the repressive apparatus of the governments they've fled and the suspicious intelligence services of the countries that offer them asylum.

Lessons from a Ukrainian hacktivist auxiliary.

Technopedia discussed wartime lessons learned from the operations of the IT Army of Ukraine with one of the group's spokesmen, Harv Xavier. He drew four lessons from the hacktivist auxiliary's experiences. They seem equally applicable to its Russian counterparts.

  1. "DDoS Attacks are a Go-To Tool for Hackers." The IT Army says that distributed denial-of-service (DDoS) is one of its "go-to techniques." It has used it especially against Russian logistical targets. Interestingly, such attacks against "specialized stores" have made it somewhat more difficult for newly mobilized Russian troops to purchase "quality equipment," a choice of targets that says as much about Russian logistical shortfalls as it does about Ukrainian hacktivism. Banks have also been targets of DDoS attacks.
  2. "Exposed Data Assets Will Be Weaponized." The IT Army has frequently resorted to doxing. Much of the doxing has targeted individual Russian servicemembers and adherents of Russian patriotic organizations. Some of the compromised data have been turned over to law enforcement authorities.
  3. "Websites Remain a High-Value Target." Defacement is a common tactic.
  4. "Never Underestimate How IT Systems Can Be Exploited." Disruption of connected services can cause physical, kinetic inconvenience. Xavier cited a Moscow traffic jam deliberately induced by abusing Yandex Taxi's ride-hailing service as an example.

The attacks share these features: they're opportunistic, they don't require a high degree of technical sophistication, and they lend themselves to decentralized execution.