Ukraine at D+600: Nuisance-level hacktivism and cyberespionage.
Oct 17, 2023

Ukraine's slow progress in the south continues as Russia stalls in Avdiivka (and rebrands an offensive as an active defense). Hacktivist auxiliaries hit Belgian targets, and cyberespionage and sabotage campaigns are discovered in Ukraine.

Ukraine at D+600: Nuisance-level hacktivism and cyberespionage.

Russian forces appear to have been stopped in their attempt to take the Donetsk town of Avdiivka, the Wall Street Journal and others report. A shift in official Russian messaging is being taken as a sign that the Kremlin recognizes the offensive as having stalled.

The UK's Ministry of Defence this morning offered an appreciation of the situation. "Russia has highly likely begun a coordinated offensive across multiple axes in the east of Ukraine. Russian forces in Donetsk are conducting a combined arms offensive on the heavily fortified town of Avdiivka, which has been on the frontline since 2014. The town is a major obstacle in preventing Russian forces from their wider objective of taking control of the Donetsk Oblast. Russia's attack is being carried out with multiple armored battalions, which are attempting to envelop the town. It is likely to be the most significant offensive operation undertaken by Russia since January 2023. Entrenched Ukrainian forces have so far likely held back the Russian advance, with the latter sustaining heavy equipment and personnel losses. Slow progress and high casualties have likely triggered a change in messaging from Russia, from an offensive to 'active defence', as successfully clearing Avdiivka looks increasingly unlikely in the short term."

The Institute for the Study of War (ISW) cites Russia's own Children's Rights Commissioner to the effect that roughly 4.8 million Ukrainians, including 700 thousand children, have been "accepted" by Russia, that is, transported to Russia. The Washington Post reports that four of the 700 thousand children taken are to be returned to their families under an agreement brokered by Qatar.

Ukrainian telecommunications providers hit by cyberattack.

CERT-UA reported Sunday that eleven telecommunications providers in Ukraine had experienced interference by "an organized group of criminals tracked by the identifier UAC-0165." The goal of the attacks seems to be disruption as opposed to theft or extortion. The Hacker News says that "A successful breach is followed by attempts to disable network and server equipment, specifically Mikrotik equipment, as well as data storage systems."

A Russian credential-harvesting campaign.

Researchers at Cluster25 are tracking attacks by what they characterize as a "Russia-nexus nation-State threat actor." The campaign aims at harvesting credentials, and it involves phishing with a baited pdf that carries an exploit for CVE-2023-38831, a vulnerability in WinRAR compression software versions prior to 6.23. The phishbait is a pdf that purports to share indicators of compromise associated with malware strains that include SmokeLoader, Nanocore RAT, Crimson RAT, and AgentTesla. Cluster25 offers no more specific attribution than "Russia-nexus," but the Hacker News speculates that the activity may be run by the SVR foreign intelligence service.

Russian hacktivist auxiliaries hit Belgian websites.

Russian hacktivist auxiliaries hit Belgian government websites in what they've declared to be retaliation for Belgian support for Ukraine, the Brussels Times reports. Websites belonging to the Belgian Senate, Federal Public Service Finance, the Prime Minister's Chancellery, and the monarchy were affected last Sunday. Service had returned to normal on all but the Senate's site by early Monday morning. The hacktivists posted a message to the Senate's site complaining of Belgium's commitment last week to supply Ukraine with F-16 fighters by 2025.