Ukraine at D+434: Wipers, and a possible false flag.
N2K logoMay 4, 2023

Drones over the Kremlin may have been a false-flag operation. GRU wipers reappear in Ukrainian networks.

Ukraine at D+434: Wipers, and a possible false flag.

Russian strikes continue to kill Ukrainian civilians. At least twenty-three died overnight during what Reuters describes as a "shelling" of Kherson.

The curious case of drones over the Kremlin.

Two drones exploded over the Kremlin Wednesday in what the Russian government and state-controlled media have denounced as a "terrorist" attempt to assassinate President Putin, planned and instigated by the United States, and then carried out by Ukraine. But this account has been widely questioned. Ukraine's President Zelenskyy has denied any involvement in the incident, which was so small as to barely qualify as an attack. (Video of the incident showed a small explosion, of the sort that might be caused by the fireworks a short-range commercial drone could carry. In any case there were no casualties and no damage.) Russian reaction has been strong, including calls for the complete destruction of Kyiv, the killing of every member of the Ukrainian government, and the extension of the war to Western capitals.

As the AP puts it: "A cloud of questions hangs over the claim. Why did the Kremlin announcement come about 12 hours after the purported incident? Why did no reports of explosions emerge prior to the announcement on the messaging apps that remain full of chatter despite Russia’s crackdown on media and criticism of the war in Ukraine? Why didn’t videos of the purported attacks appear until after the announcement? Why haven’t the images been verified?" The Atlantic runs down the possible explanations for the incident, which we gloss as follows:

  • It might have been a short-range drone strike launched by deep-penetration Ukrainian forces. This seems unlikely.
  • It might have been an attack by Russian dissidents.
  • It might have been either one of the above, detected and permitted by Russian security services with the aim of pushing the Kremlin toward a harder war policy.
  • Or, and this has been the subject of much well-informed speculation, it might have been a provocation, a false-flag operation designed to afford a pretext for nominally retaliatory strikes, an expanded war, and a spur to full mobilization. (Father Gapon, call your office.)

Fuel storage strikes.

The morning report from the UK's Ministry of Defence covers damage to Russian fuel storage sites. "On 3 May 2023 a fire broke out at a Russian fuel depot in Volna on the Russian mainland side of the Kerch Strait, close to the Crimean bridge. It was initiated by a suspected drone strike. This follows a pattern of Russian fuel storage sites being damaged since the start of the year, with fuel depots in occupied Ukraine and the Russia-Ukraine border regions remaining particularly vulnerable to attack. The disruption to the fuel storage and distribution network will likely force adjustments to Russia’s military refuelling operations to mitigate targeting. Russian adjustments could include deploying additional protection measures at fuel storage sites, as seen in Tuaspe in Russia, or relying on infrastructure in less threatened regions."

Wipers reappear in Ukrainian networks.

CERT-UA warns that the threat group UAC-0165, almost certainly Russian and probably the GRU's Sandworm, has deployed RoarBat wipers against networks in Ukraine. "It has been found that the performance of electronic computing machines (server equipment, automated user workplaces, data storage systems) was impaired as a result of destructive influence carried out using the appropriate software." The nominally hacktivist group "CyberArmyofRussia_Reborn" in January of this year claimed a similar attack against the Ukrinform news service. CERT-UA points out that organizations can take measures to protect themselves against RoarBat. "Please note that the successful implementation of the attack was facilitated by the lack of multi-factor authentication when making remote VPN connections, the lack of network segmentation and filtering of incoming, outgoing and inter-segment information flows."