Ukraine at D+75: Phishing campaigns and defacements.
May 10, 2022

Victory Day seems to have fallen short of everyone's expectations (especially Fleet Street's). Cyberattacks continue, but whether they are hacktivist, state-directed, or criminal is unclear. The EU, however, has reached some clarity about the attack on Viasat ground stations that opened Russia's war: Moscow did it.

This morning's situation report from the British Ministry of Defence (MoD) discusses, again, Russian planning failures, specifically that planning's ill-informed and over-optimistic assumptions. "Russia's underestimation of Ukrainian resistance and its 'best case scenario' planning have led to demonstrable operational failings, preventing President Putin from announcing significant military success in Ukraine at the 09 May Victory Day parade," the MoD writes. "Russia's invasion plan is highly likely to have been based on the mistaken assumption that it would encounter limited resistance and would be able to encircle and bypass population centres rapidly. This assumption led Russian forces to attempt to carry out the opening phase of the operation with a light, precise approach intended to achieve a rapid victory with minimal cost. This miscalculation led to unsustainable losses and a subsequent reduction in Russia's operational focus."

More analysts see a growing possibility of outright Russian military defeat, even with Russia's war aims having contracted to the conquest of the Donbas. It's worth remembering that only seventy-five days ago Moscow was demanding "demilitarization and denazification" (effectively, unconditional surrender) as a precondition for negotiations with Kyiv.

The post mortems on President Putin's Victory Day speech agree that it suggested a continuation of current war policy, a reluctance to ask more sacrifice from Russians, and an insistence on NATO's ultimate responsibility for Russia's invasion of Ukraine. The big parade itself received indifferent reviews as a spectacle of menace, especially from the more gung-ho British tabloids. (Like the Sun, which packed as much derision as we think it humanly possible to achieve in its screamer: "VLAD-TASTROPHE: Inside Putin’s damp squib Victory Day Parade from tyrant’s feeble speech and hacked live feed to slimmed down military." All that's missing is a cover version of Sweet Caroline.)

Russian television schedules hacked to display anti-war message.

HackRead reports that yesterday, as the big Victory Day parade was about to begin in Moscow, Russian television schedules were disrupted to display an anti-war message. "On your hands is the blood of thousands of Ukrainians and their hundreds of murdered children," the message said, appearing in lieu of the expected program titles. "TV and the authorities are lying. No to war." Children's television programs flashed shorter messages: "No to war," and "The authorities lie." The messaging was fairly widespread. Most major Russian outlets, including NTV-Plus, Rossiya, Channel One, Yandex, RuTube, and the Russian Defense Ministry’s channel, Zvezda, were affected. There's no attribution, yet.

Phishing campaign distributes Jester Stealer in Ukraine.

CERT-UA warns that a social engineering campaign distributing Jester Stealer malware is in progress. The phishbait used to induce Ukrainian targets to bite is a warning of chemical attack. The phish hook is an XLS document with a malicious macro. BankInfoSecurity points out that one unusual feature of Jester Stealer is that it uses a Telegram channel, as opposed to more conventional command-and-control infrastructure, to deliver the information it collects. The malware itself is a commodity product freely traded in the criminal-to-criminal market. Again, there's no attribution yet.
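For defenders, the two traits described above (a macro-bearing spreadsheet as the lure, Telegram as the exfiltration channel) suggest a simple hunt: flag Telegram-bound connections from processes that are not Telegram clients or browsers, and escalate when the process descends from an Office application. The sketch below is an added example, not code from CERT-UA or any vendor; the event schema, the allow lists and every sample value are assumptions constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumed policy lists; tune to your environment.
TELEGRAM_DOMAINS = ("telegram.org", "t.me")
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
EXPECTED_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

def is_telegram(host):
    """True for a Telegram domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)

def lineage(procs, host, pid):
    """Image names from the process up through its parents (loop-safe)."""
    chain, seen = [], set()
    while (host, pid) in procs and pid not in seen:
        seen.add(pid)
        image, ppid = procs[(host, pid)]
        chain.append(PureWindowsPath(image).name.lower())
        pid = ppid
    return chain

def hunt(events):
    """Return (host, process, severity) for suspicious Telegram connections."""
    procs, findings = {}, []
    for ev in events:  # events are assumed to be in time order
        if ev["type"] == "process":
            procs[(ev["host"], ev["pid"])] = (ev["image"], ev["ppid"])
        elif ev["type"] == "network" and is_telegram(ev["dest"]):
            chain = lineage(procs, ev["host"], ev["pid"]) or ["unknown"]
            from_office = bool(OFFICE_APPS & set(chain))
            if chain[0] in EXPECTED_CLIENTS and not from_office:
                continue  # ordinary Telegram or browser use
            findings.append((ev["host"], chain[0], "high" if from_office else "medium"))
    return findings

# Constructed sample telemetry (hosts, pids and paths are made up).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"},
    {"type": "process", "host": "ws-01", "pid": 200, "ppid": 100, "image": r"C:\Users\a\AppData\Local\Temp\update.exe"},
    {"type": "network", "host": "ws-01", "pid": 200, "dest": "api.telegram.org"},
    {"type": "process", "host": "ws-02", "pid": 300, "ppid": 1, "image": r"C:\Users\b\AppData\Roaming\Telegram Desktop\Telegram.exe"},
    {"type": "network", "host": "ws-02", "pid": 300, "dest": "api.telegram.org"},
    {"type": "process", "host": "ws-03", "pid": 400, "ppid": 1, "image": r"C:\ProgramData\svc.exe"},
    {"type": "network", "host": "ws-03", "pid": 400, "dest": "api.telegram.org"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```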

European Council formally attributes cyberattack on Viasat to Russia.

The European Council today formally attributed the February 24th cyberattack against Viasat's KA-SAT network to Russia. The attribution was laced with condemnation.

"The European Union and its Member States, together with its international partners, strongly condemn the malicious cyber activity conducted by the Russian Federation against Ukraine, which targeted the satellite KA-SAT network, operated by Viasat.

"The cyberattack took place one hour before Russia’s unprovoked and unjustified invasion of Ukraine on 24 February 2022 thus facilitating the military aggression. This cyberattack had a significant impact causing indiscriminate communication outages and disruptions across several public authorities, businesses and users in Ukraine, as well as affecting several EU Member States.

"This unacceptable cyberattack is yet another example of Russia’s continued pattern of irresponsible behaviour in cyberspace, which also formed an integral part of its illegal and unjustified invasion of Ukraine. Such behaviour is contrary to the expectations set by all UN Member States, including the Russian Federation, of responsible State behaviour and the intentions of States in cyberspace.

"Cyberattacks targeting Ukraine, including against critical infrastructure, could spill over into other countries and cause systemic effects putting the security of Europe’s citizens at risk.

"The European Union, working closely with its partners, is considering further steps to prevent, discourage, deter and respond to such malicious behaviour in cyberspace. The European Union will continue to provide coordinated political, financial and material support to Ukraine to strengthen its cyber resilience.

"Russia must stop this war and bring an end to the senseless human suffering immediately."

Interference with the KA-SAT network was one of the few Russian cyber operations of the war to enjoy a measure of success, temporary and quickly remediated though it was. It was also, as the EU communique notes, one of the attacks that spilled over to nations other than Ukraine. The attack's timing suggests it was intended to serve as preparation for Russia's invasion.

Report: US intensifies scrutiny of Kaspersky.

Reuters reports, in an exclusive, that the US Administration is increasing its scrutiny of Kaspersky amid concerns that the security firm's widely used tools (already restricted from use within the US Government) could be exploited by Russia for intelligence and cyber operations during Russia's war against Ukraine. The Departments of Justice and Commerce are said to be considering using national security measures put in place during the previous Administration against the Russian software company. Kaspersky has long denied that it's susceptible to the kind of pressure from Moscow that Western governments have feared. Those skeptical of the company point to an obvious reading of Russian domestic law that requires companies to cooperate with the government in precisely the ways that have aroused concern. Neither Kaspersky nor the US Departments of Justice or the Treasury replied to Reuters' requests for comment.

The US Intelligence Community should do less chest-beating over aid to Ukraine.

Or so people in a position to know say that the White House is saying. NBC News reports that sources tell it the President Friday told leaders of the Intelligence Community that the IC's leaks to the media about the effect US intelligence assistance was having in Ukraine were "counterproductive." Public disclosure of intelligence has obviously had its uses in the present war, particularly in the form of pre-bunking Russian disinformation, but it would appear that claiming to have helped the Ukrainian forces sink the Moskva and kill Russian generals goes too far. Or so the anonymice say.