Ukraine at D+85: Russian attempts to reconstitute its forces, under pressure.
May 20, 2022

Russian forces appear to be attempting to consolidate their positions in the Donbas and along the Azov coast while their government seeks to reconstitute the units that have taken severe personnel and equipment losses during the invasion of Ukraine. Cyber phases of the war continue to concentrate on disinformation and nuisance-level attacks, many of them conducted by nominal hacktivists.

Ukraine at D+85: Russian attempts to reconstitute its forces, under pressure.

Apparently many, but not all, of the Ukrainian defenders of the Azovstal works in Mariupol have surrendered, the British Ministry of Defence reports. "As many as 1,700 Ukrainian soldiers are likely to have surrendered from the Mariupol Azovstal steel factory," this morning's situation report said. "An unknown number of Ukrainian forces remain inside the factory. Once Russia has secured Mariupol, it is likely they will move their forces to reinforce operations in the Donbas. Staunch Ukrainian resistance in Mariupol since the start of the war means Russian forces in the area must be re-equipped and refurbished before they can be redeployed effectively. This can be a lengthy process when done thoroughly. Russian commanders, however, are under pressure to demonstrably achieve operational objectives. This means that Russia will probably redistribute their forces swiftly without adequate preparation, which risks further force attrition." An updated situation map shows currently contested areas.

Someone's evidently given Colonel Khodaryonok a talking-to. After some surprising truth-telling about Russian isolation and combat failure on Rossiya-1 Monday, he's returned to the airwaves with a much rosier assessment. Among other things, he predicted swift destruction of the guns Ukraine has received from the US. Russia does not have recent experience delivering counterfire against an opposing army in the field, so this would amount to pulling a very big rabbit out of the Russian army's hat.

Russia's blockade of Ukraine's Black Sea ports is, the US, the UK, and UN agencies say, contributing to global food shortages, but Russia says it will maintain its blockade until sanctions are lifted. The US is said to be considering supplying Ukraine with Harpoon anti-shipping missiles to help break that blockade, and Ukrainian sources hint at direct action aimed at the destruction of Russia's Black Sea fleet.

Continuing expectations of escalation in cyberspace.

Microsoft President Brad Smith, speaking yesterday in London at the Microsoft Envision conference, renewed calls for laws of conflict in cyberspace, Infosecurity Magazine reports. The rules he envisions are essentially transpositions of traditional jus in bello considerations: proportionality, discrimination, and the avoidance of perfidy. They're nonetheless sound for being familiar. Smith sees the hybrid war in Ukraine as having lent new urgency to the development of international norms.

The cyber phases of Russia's hybrid war have shown some correlation with kinetic operations, but less than many had expected. PCMag describes the ways in which cyber operations appear to have been conducted without close coordination with conventional forces.

The limitations of an alliance of convenience.

China has generally supported Russia's invasion of Ukraine, but that support has limits, and Chinese cyberespionage against Russian targets has continued. Security Affairs reports that a cyberespionage group, “Space Pirates,” is targeting the Russian aerospace industry. Active since at least 2017, the group is believed to be associated with China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27. Positive Technologies discovered the attacks in 2019 targeting a Russian aerospace enterprise. They've seen the malware reappear in 2020 against Russian government organizations, and again in 2021 against another Russian enterprise. Positive Technologies stops short of directly attributing the activity to Beijing, but circumstantial evidence points in that direction.

Check Point has also observed the activity, and they're not reticent about either attribution or identifying victims. A report yesterday "details a targeted campaign that has been using sanctions-related baits to attack Russian defense institutes, part of the Rostec Corporation. The investigation shows that this campaign is part of a larger Chinese espionage operation that has been ongoing against Russian-related entities for several months. CPR researchers estimate with high confidence that the campaign has been carried out by an experienced and sophisticated Chinese nation-state APT. In the below blog, the researchers reveal the tactics and techniques used by the threat actors and provide a technical analysis of the observed malicious stages and payloads, including previously unknown loaders and backdoors with multiple advanced evasion and anti-analysis techniques." They think the activity bears significant similarities to earlier campaigns by Twisted Panda. The goal is evidently theft of intellectual property, and the choice of sanctions as phishbait shows "once again how quickly Chinese espionage actors adapt and adjust to world events, using the most relevant and up-to-date lures to maximize their chances of success."

Fronton botnet shows versatility.

Fronton, a botnet allegedly built by a subcontractor of Russia’s Federal Security Service (FSB), is much more versatile than initially thought, ZDNet reports. When the botnet was first exposed by a hacktivist group in 2020, its primary goal was presumed to be launching DDoS attacks. Now, researchers at Nisos say the botnet is more properly viewed as “a system developed for coordinated inauthentic behavior on a massive scale.” Nisos explains that Fronton “includes a web-based dashboard known as SANA that enables a user to formulate and deploy trending social media events en masse.”

Russian hacktivists hit Italian targets, again.

Late last night Russia-aligned hacktivists of the Killnet group (and its Legion affiliate) hit another series of Italian targets, specifically websites operated by the Italian foreign ministry and its national magistrates association, Reuters reports. The group last week had conducted a similar operation against Italian organizations. Those were organized as retaliation for Russia's exclusion from the Eurovision song contest. The nature of the attacks hasn't been further specified.