Ukraine at D+47: Industroyer resurfaces in Ukraine.
Apr 12, 2022

A maneuver hiatus won't affect fire, as Russian atrocities are widely expected to continue as Moscow regroups and refocuses. Ukraine alleges Russian use of chemical agents against Mariupol. Hacktivists count coup against Russian organizations. GRU resumes disruptive cyberattacks against Ukrainian infrastructure.


The UK's Ministry of Defence sees Russia's withdrawal from northern Ukraine as simply preparation for an intensified push into the Donbas. "Fighting in eastern Ukraine will intensify over the next two to three weeks as Russia continues to refocus its efforts there," this morning's situation report said. This in any case is where the artillery is falling. "Russian attacks remain focused on Ukrainian positions near Donetsk and Luhansk with further fighting around Kherson and Mykolaiv and a renewed push towards Kramatorsk." And Belarus is no longer serving as a staging area; it's not geographically suitable for upcoming planned operations. "Russian forces continue to withdraw from Belarus in order to redeploy in support of operations in eastern Ukraine."

Reports of chemical weapon use in Mariupol.

Ukrainian reports of Russian use of chemical weapons in Mariupol are so far unconfirmed, but are being taken seriously by US and UK authorities, who have warned of this possibility for some time. Which weapons are alleged to have been employed isn't clear. It appears that Ukrainian forces fighting in Mariupol say they've seen Russian drones dispensing riot control agents ("tear gas"), which are indeed chemical weapons, albeit less-than-lethal ones. Some of the reports say the riot control agent was mixed with another, unspecified chemical agent, but reports are still preliminary and unclear.

These reports should be distinguished from earlier allegations of illicit Russian use of white phosphorus smoke agent as an incendiary against civilian targets. Such use would also be prohibited, but white phosphorus has legitimate military uses as smoke or marking ordnance. (There's an irony here: Russia, and the Soviet Union before it, has long pushed for an international accord to designate smoke rounds as chemical munitions.)

GRU deploys a new version of Industroyer against a Ukrainian energy company.

Sandworm, also known as Voodoo Bear, and in the org charts Unit 74455 of Russia's GRU, has deployed CaddyWiper destructive malware and an Industroyer variant being called, simply, "Industroyer2." ESET tweeted the results of its findings early this morning, and provided additional details in a report also published today. "ESET researchers collaborated with CERT-UA to analyze the attack against the Ukrainian energy company. The destructive actions were scheduled for 2022-04-08 but artifacts suggest that the attack had been planned for at least two weeks. The attack used ICS-capable malware and regular disk wipers for Windows, Linux and Solaris operating systems. We assess with high confidence that the attackers used a new version of the Industroyer malware, which was used in 2016 to cut power in Ukraine. We assess with high confidence that the APT group Sandworm is responsible for this new attack."

The incident seems, at first look, an attempted repetition of the 2016 Russian cyberattacks against the Ukrainian grid that ESET mentioned in its report. CERT-UA offered a further description of the attack. It intended to use Industroyer2 against "high-voltage electrical substations" in a fashion tailored to the individual substations. CaddyWiper was used against Windows systems (including automated workstations), and other "destructive scripts" (OrcShred, SoloShred, and AwfulShred) were deployed against Linux systems.

CISA warns of vulnerability GRU exploited in firewall appliances.

The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday added eight vulnerabilities to its Known Exploited Vulnerabilities Catalog. Among them was the high-severity privilege escalation flaw (CVE-2022-23176) in WatchGuard firewall appliances that the GRU had exploited to build up its Cyclops Blink botnet, disrupted last week by the US FBI. BleepingComputer quotes WatchGuard on the effects of exploitation: "WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access." The company issued its own warning at the end of February. WatchGuard's mitigation advice may be found here.

Tim Erlin, VP of strategy at Tripwire, wrote to remind us that exploitation requires both a vulnerability and a misconfiguration: “While the focus of this warning is on a vulnerability, it’s important to note that any actual attack involves both a vulnerability and a misconfiguration. There are few, if any, cases where the vulnerable interface should be open to the Internet, but based on the reported exploit activity it’s clear that a significant number of organizations are running with just such a configuration. Patching this vulnerability is important, but there are configuration changes that can be made quickly to reduce the attack surface as well.”

Anonymous-affiliated actor NB65 counts coup against Roscosmos.

The Telegraph reports that Network Battalion 65 (NB65) has posted images it claims show that it succeeded in compromising servers at the Russian space agency Roscosmos. Roscosmos boss Dmitry Rogozin, lately much given to incandescent verbal sputtering in a westward direction, downplayed the effects of the attack and called NB65 a bunch of “scammers and petty swindlers.” That's as may be, but it appears that NB65 did obtain some access to Roscosmos networks, and that the hacktivist or hacktivists deployed some of Conti's ransomware code therein.

Anonymous releases data taken from Russian enterprises in #OpRussia.

Hack Read says that Anonymous has hit three more Russian enterprises: Aerogas (oil and gas production services), Forest (logging), and Petrovsky Fort (office space). The collective leaked roughly 437,500 emails belonging to the companies. Petrovsky Fort lost about 300,000 emails (about 244 GB), Aerogas lost 145 GB (including 100,000 emails), and Forest lost 37.7 GB worth of information, including 375,000 emails. Petrovsky Fort and Aerogas are state-owned. The material has been posted to the familiar Distributed Denial of Secrets site.

Purge in the FSB's Fifth Service.

President Putin has purged 150 officers of the FSB's Fifth Service, the section responsible for operations in the Near Abroad. The Times calls it "Stalinist." That seems correct enough in style, if not necessarily in effect, since there are no reports of the summary executions that were the central feature of a Stalinist purge. The officers out of favor have lost their jobs, some of them their liberty, but as far as is known none of them have lost their lives. Mr. Putin is said to be furious over the Fifth Service's failure to provide either an accurate appreciation of Ukrainian resistance to Mr. Putin's war of choice or effective and decisive clandestine operations in support of that war. The Fifth Service's former director, Sergei Beseda, has been transferred from house arrest to confinement in the Lefortovo Prison. His official charges are said to accuse him of embezzlement, but few doubt that his actual offense has been operational and intelligence failure.

The Times sources its story to Bellingcat. The gadfly news service has long been a burr under official Russian saddles, and its founder, Elliott Higgins, is being sued for libel by the Wagner Group, the Times reports. Higgins's attorney says the suit is an “obvious case of strategic litigation against public participation (Slapp).”

As Mr. Putin says he sees the matter.

Long-suffering Russia is waging a good war, President Putin said in a speech this week at the Vostochny Cosmodrome in the far eastern Amur district. "Its goals are absolutely clear and noble," he said, and, moreover, Russia had no other realistic options other than its special military operation. "It's clear that we didn't have a choice. It was the right decision." Besides, it's effectively a humanitarian intervention. "On the one hand, we are helping and saving people, and on the other, we are simply taking measures to ensure the security of Russia itself."

It's fair to say that few international observers see it the same way. "Clear" seems true enough: the goal is, or at least was, Russian re-engorgement of Ukraine, although events seem to have trimmed Russia's sails and focused it on the Donbas. "Noble" and "no choice" are pure mendacity, but accurately represent the Russian disinformation line. Consider by way of contrast the AP's report of the ongoing reduction of Mariupol, whose mayor claims that 10,000 civilians have been killed by Russian fire. Counting the dead in wartime is notoriously difficult, and 10,000 may be too high (or possibly too low), but there's no serious doubt that civilian casualties in Mariupol and elsewhere have been very heavy, and have been the deliberate work of Russian forces.