Ukraine at D+166: Cyberespionage campaign is interested in both sides.
N2K logoAug 9, 2022

Long-range Ukrainian fires hit military targets in Crimea, and Ukrainian partisan activity in the occupied territory rises. A threat actor--and signs point to Chinese intelligence--is conducting cyberespionage against industrial targets in Russia, Belarus, and Ukraine.

Ukraine at D+166: Cyberespionage campaign is interested in both sides.

From the UK's Ministry of Defence this morning: "Over the weekend, Russia has continued to focus efforts on reinforcing defences in southern Ukraine. Despite the shift in effort, Russia has maintained attacks on Ukrainian positions in Donetsk oblast. Over the last 30 days, Russia’s assault towards the town of Bakhmut has been its most successful axis in the Donbas; however, Russia has only managed to advance about 10km during this time. In other Donbas sectors where Russia was attempting to break through, its forces have not gained more than 3km during this 30 day period; almost certainly significantly less than planned. Despite its continued heavy use of artillery in these areas, Russia has not been able to generate capable combat infantry in sufficient numbers to secure more substantial advances."

Ukraine appears to have increased its use of long-range fires against Russian military targets. The Guardian reports large explosions at an airbase in Crimea, and these were apparently produced by Ukrainian missiles.

Ukrainian partisan warfare increases in Russian-occupied areas.

The AP reports a rising tempo of Ukrainian partisan warfare against occupying Russian forces. The partisans have engaged in sabotage of transportation infrastructure (like bridges and trains), in attacks against senior Russian occupation officials, and in developing targets for attack by conventional Ukrainian HIMARS. Ivan Fedorov, mayor of Melitopol, says, according to Newsweek, that partisan activity will prevent the Russian occupiers from holding the bogus secession and annexation referenda they have planned for the territories under their control. "They want to do it in August, but it's not possible," Mayor Fedorov said, speaking in particular of the Zaporizhzhia and Kherson oblasts, where the Russians plan to establish puppet republics like those they've set up in Donetsk and Luhansk. Fedorov elaborated on the upcoming referendum, which sounds more like a census than a proper election. "They don't understand how they can save their 'referendum,'" the mayor said. "Now, they don't want to do it in one day, they want to do it across one week. They don't want special voting places, but instead people who will go to flats and ask, 'Do you want to live as Russians or not?'"

Nuclear risks and nuclear threats.

Shelling (probably Russian, but the Russians say it was the Ukrainians) of the Zaporizhzhia nuclear power station has raised concerns about the possibility of a radiological accident. Zaporizhzhia is under Russian control, and the occupiers have refused a United Nations request that International Atomic Energy Agency (IAEA) inspectors be allowed to visit the plant. UN Secretary-General Antonio Guterres said yesterday that “Any attack to a nuclear plant is a suicidal thing," but the Russian authorities haven't budged from their refusal.

From Russian television, it seems clear that Moscow wants the blame for any nuclear accident or incident to be placed on its British and American competitors, whom the Kremlin has sought to position as the hidden hand behind what the Special Military Operation characterizes as Ukrainian nazism. For all of last week's official Russian deploring of what they heard as Western nuclear saber-rattling, Rossiya-1 was characteristically vigorous yesterday as panelists on its Vremya Pokazhet ("Time will Tell," in Newsweek's translation) political talk show. "It would make sense to address directly Ukraine and the countries supporting it," said pundit Yuri Kot, "for example Britain and America first and foremost, and say to them, ‘If, God forbid, the Zaporizhzhya nuclear power plant is damaged and a disaster happens, two missiles will instantly land in your decision-making centers, one in Washington and the other in London. Nuclear ones! And that’s it!" Thus Ukraine, not Russia, is responsible for the threat to Zaporizhzhya, and Kyiv is just following the lead of its masters in London and Washington.

Russian recruiting turns to high pay and ethnic solidarity.

In an attempt to fill its depleted ranks (Military.com cites US officials as putting Russian casualties at between seventy and eighty thousand, killed or wounded) the Telegraph reports that Moscow is both offering large financial inducements to volunteers and is recruiting heavily from smaller, non-Russian regions to form single-ethnicity battalions. Tatar and Yakut units are being recruited along these lines; so far the most prominent single-ethnicity formation has been Chechen. Major Yevgeny Tokmakov, who's running recruiting in Tatarstan's capital Kazan, explained the rationale behind such recruiting. It comes down to cohesion, he said. “The idea is to form battalions from Tatarstan natives so that they stand shoulder-to-shoulder with each other, with familiar people and go ahead to perform their combat duty."

Cyberattacks against Russian (and Ukrainian, and Belarusian) targets.

Malwarebytes reported last week that an unknown threat actor was deploying an attack tool the researchers called "WoodyRAT" against Russian targets. WoodyRAT has a range of capabilities, including writing arbitrary files, staging and executing other malware strains, collecting information from infected devices, and deleting files. The researchers conclude, "This very capable Rat falls into the category of unknown threat actors we track. Historically, Chinese APTs such as Tonto team as well as North Korea with Konni have targeted Russia. However, based on what we were able to collect, there weren't any solid indicators to attribute this campaign to a specific threat actor."

Other activity against industrial targets in Russia, Ukraine, and Belarus is being tracked by Kaspersky and others (SecurityWeek lists Recorded FutureGroup-IBProofpoint, CybereasonDr.Web, and NTT Security among them). Circumstantial evidence points to TA428, a Chinese threat actor also known as Colourful Panda and Bronze Dudley. Kaspersky concludes:

"A Chinese-speaking group is highly likely to be behind the attacks.

  1. "We can see significant overlaps in tactics, techniques, and procedures (TTPs) with TA428 activity.
  2. "The attack analyzed used the same weaponizer, which embeds code of a CVE-2017-11882 exploit in documents, as in earlier TA428 attacks that targeted enterprises in Russia’s military-industrial complex.
  3. "Some indirect evidence also suggests a Chinese-speaking group very likely being behind the attack. This includes:
  • "the use of hacking utilities that are popular in China, such as Ladon,
  • "the fact that the second stage CnC server is located in China,
  • "the fact that the CnC server registration information includes an email address in the Chinese domain 163.com specified in the administrator’s contact data."

And the timing of the activity shows the characteristic 8:00-to-5:00 workday, Shanghai time, that's marked the clock-punching diligence of Chinese cyber operators in the past. These incidents suggest that, however closely aligned Russia and China might be, espionage services will collect against belligerents wherever their announced sympathies may lie.