Ukraine at D+680: Missile strikes over a static front.
Jan 5, 2024

Both sides exchange missile strikes (and conflicting claims of their effectiveness). The GRU is now, by general consensus, responsible for the long-running cyberattack against Kyivstar.

The lines in Russia's special military operation have remained relatively static this week, the UK's Ministry of Defence reports, as Russian assaults continue to be inconclusive. The AP describes the missile strikes both sides have exchanged over that front. TASS claims that over the past week Russia has conducted a large number of successful strikes--at least forty--against Ukrainian "decision-making centers, military-industrial complex and infrastructure."

Missile strikes against Russian military targets in occupied Crimea.

Opposite sides tell a conflicting story, but there was a Ukrainian strike against Russian command and air defense targets in occupied Crimea. Ukrainian authorities claim success; Russian authorities say the incoming missiles were all shot down.

"Ukrainian military officials reported that Ukrainian forces struck at least one Russian military target in occupied Crimea," the Institute for the Study of War (ISW) writes, "while Russian officials and milbloggers claimed that the Ukrainian strike was unsuccessful. Ukrainian Armed Forces Center for Strategic Communications (StratCom) stated on January 4 that Ukrainian forces struck a Russian command post near Sevastopol in the afternoon. Ukrainian Air Force Commander Lieutenant General Mykola Oleshchuk implied that Ukrainian strikes against Sevastopol and Yevpatoria may have targeted the locations of Russian military leaders. Oleshchuk also amplified footage of a smoke plume geolocated to the eastern outskirts of Uyutne and a report by a Crimean source, which stated that a projectile reportedly struck a Russian air defense unit near Uyutne (just west of Yevpatoria). The Russian Ministry of Defense (MoD) claimed that Russian forces shot down 10 Ukrainian missiles over Crimea. Russian sources, including the MoD and Sevastopol occupation governor Mikhail Razvozhaev, claimed that Russian air defenses repelled the Ukrainian strike."

Newsweek reports one rumor circulating in the aftermath of the attack: chief of Russia's general staff, General Valery Gerasimov, may have been at the Sevastopol headquarters targeted by the strike, and various social media accounts are claiming that he was killed. The stories might be true, but it's equally likely (if not more likely) that they represent either disinformation or simply malign social media gossip.

Seeking missiles from abroad.

Russia has made extensive use of Iranian Shahed drones in strikes against Ukraine. According to the AP, the US says that Russia has also obtained and used ballistic missiles from North Korea, and it's seeking to obtain additional supplies of such missiles from Iran.

The North Korean missiles were used against Ukrainian cities in Tuesday's strikes, the US says. The ISW thinks Russian interest in obtaining ballistic missiles from other pariah states derives from the advantages against air defenses that a mix of weapons lends strikes.

Hacktivist personae and GRU fronts.

BleepingComputer describes the effects of the wiper phase of the cyberattack against Kyivstar, based on an account given by Illia Vitiuk, director of cybersecurity at the Security Service of Ukraine (SBU). He characterized the attacks as extensive and devastating, and recovery, while possible (Kyivstar has said services were fully restored by December 20th), has been challenging. Kyivstar itself, CyberScoop reports, declined to confirm the SBU's description of the attack. Kyivstar has denied that data were either lost or stolen in the attack.

EMEA Tribune quotes a Kyivstar statement on the incident: “The official investigation of the cyberattack on the Kyivstar network that took place on 12 December 2023 is still ongoing and various lines of enquiry are being considered and voiced, but until the official completion of the investigation, none of them can be considered final. All information on the progress of the cyberattack investigation is available on the official website of the Security Service of Ukraine, which is directly involved in this process. No facts of leakage of subscribers’ personal data were revealed during the investigation.”

Adam Meyers, head of Counter Adversary Operations at CrowdStrike, sent us comments on the cyberattack. CrowdStrike is calling it a GRU operation, with the hacktivist group that claimed credit serving simply as a GRU front. “CrowdStrike Counter Adversary Operations assesses with moderate confidence that the tradecraft in the attack against Kyivstar is likely attributable to Russian GRU adversary VOODOO BEAR, operating under pro-Russian hacktivist persona Solntsepek,” he wrote. “Reports around the destruction of Kyivstar’s virtual infrastructure coincide with reports of air raid sirens in Kiev malfunctioning, as well as payment terminals and multiple banks suffering disruption, and issues reported with payment for public transportation.”

Meyers added, “Since the onset of the conflict, Russian cyber operators have conducted intrusion operations for espionage, information operations, and destructive purposes against Ukrainian targets. An overarching motivation for the adversary is to contribute to psychological operations seeking to degrade, delegitimize, or otherwise influence public trust in state institutions and sectors such as government, energy, transportation and media. Ukraine remains the laboratory of cyber conflict as various pro-Russia groups continue to leverage cyber and psychological operations, disinformation and misinformation to demonstrate the impact of physical and digital warfare.”