Ukraine at D+145: SVR exploits shared drives.
N2K, Jul 19, 2022

Russia aspires to a counterfire program, but is achieving a counter-farming program. The SVR's Cozy Bear is observed conducting cyberespionage against a range of diplomatic targets, but without an obvious connection to Russia's war. Ukraine's shake-up of its intelligence service continues.


Russia looks ahead to the next phases of its war.

The British Ministry of Defence in its morning situation report continues to claim that there are serious troop shortages in the Russian forces engaged in the Donbas. "Russia continues to commit what are nominally six separate armies to its Donbas offensive. At full strength, before the invasion, these formations were established for around 150,000 personnel. In recent weeks, Russia has often operated with company-sized groupings of around 100 personnel when undertaking offensive operations in any one sector at a time. Russia has struggled to sustain effective offensive combat power since the start of the invasion and this problem is likely becoming increasingly acute. As well as dealing with severe under-manning, Russian planners face a dilemma between deploying reserves to the Donbas or defending against Ukrainian counterattacks in the southwestern Kherson sector. Russia’s stated immediate policy objective is to seize all of Donetsk Oblast. While Russia may still make further territorial gains, their operational tempo and rate of advance is likely to be very slow without a significant operational pause for reorganisation and refit."

Moscow appears to be turning to the contract soldiers of the Wagner Group, an organization whose existence the Kremlin officially denies. Newsweek reports that the Wagner Group has had to lower its standards, recruiting prisoners who serve in exchange for amnesty and a $3500 bounty, payable upon the contract soldier's completion of service in the Donbas (and upon their survival of a tour at the front).

Indirect fire.

Western-supplied artillery, notably the HIMARS rocket system, which has become to Ukraine's indirect-fire war what the Javelin anti-tank missile is to its direct-fire war, has begun to tell against Russian targets, especially command posts and ammunition supply points, and Russian forces have taken notice. The Wall Street Journal reports that Defense Minister Shoygu has directed his commanders to make HIMARS a priority target. It won't be an easy target set for Russian artillery to service. A HIMARS launcher is a little smaller than the box truck you might rent from U-Haul for a cross-town move, and its cross-country mobility is far better. HIMARS is a shoot-and-scoot weapon: it emplaces, fires, and displaces rapidly. Russian forces have shown an ability to hit large, stationary targets, like neighborhoods, but little aptitude for hitting fleeting targets of the kind HIMARS presents. Whether they will be able to destroy HIMARS in significant numbers remains to be seen.

What Russian artillery is capable of doing may be seen in Ukrainian farmland. According to the Washington Post, Russian shelling has been directed at planted fields with the objective of setting them afire and destroying the crops before they can be harvested.

SVR cyberespionage exploits penetration-testing tools.

Palo Alto Networks’ Unit 42 reported this morning that the Russian threat actor Cozy Bear (associated with the SVR foreign intelligence service and also tracked as Cloaked Ursa, APT29, and Nobelium) is leveraging trusted, legitimate cloud services in its campaigns, the better to avoid detection. Its two most recent campaigns have used Google Drive cloud storage, and because traffic to a widely used cloud service is encrypted in transit and blends in with ordinary business use, the malicious activity is harder to distinguish from legitimate traffic. The most recent campaigns have had diplomatic themes, with lures feigning the agenda of an ambassadorial meeting, and are believed to have targeted Western diplomats between May and June of 2022. The lure documents suggest the targets were foreign embassies in either Portugal or Brazil. The payload is delivered through a link to a malicious HTML file that drops Cobalt Strike.

Cobalt Strike is, of course, a legitimate penetration-testing toolset that’s often abused by threat actors. It’s not the only such tool that’s being misused this way. See Unit 42’s earlier post describing the SVR’s use of the less-well-known Brute Ratel tools in similar campaigns.
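The evasion Unit 42 describes works because connections to Google Drive are TLS-encrypted and expected on almost any network, so the destination alone is a poor signal. What remains usable is process context: which program on the endpoint opened the connection. The script below is an added illustration of that hunting logic and is not code from the article, from Unit 42, or from the threat actor. It assumes Sysmon-style network-connection telemetry exported as CSV with the fields shown; the sample rows, hostnames, process names, and the allowlist of expected Drive clients are constructed for the example and would need tuning for a real estate (googleapis.com in particular also serves unrelated Google APIs).

```python
"""
Added example: flag non-browser processes reaching Google Drive endpoints.
Not from the N2K article or the Unit 42 report; telemetry below is constructed.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed sample of Sysmon-style network events (Event ID 3 fields).
# Hosts, processes and timestamps are illustrative only.
SAMPLE_LOG = """timestamp,host,process,dest_host,dest_port
2022-06-01T09:12:03Z,WS-017,chrome.exe,drive.google.com,443
2022-06-01T09:12:08Z,WS-017,chrome.exe,www.googleapis.com,443
2022-06-01T09:15:41Z,WS-017,msedge.exe,drive.google.com,443
2022-06-01T10:02:17Z,WS-017,rundll32.exe,www.googleapis.com,443
2022-06-01T10:02:19Z,WS-017,rundll32.exe,www.googleapis.com,443
2022-06-01T10:03:55Z,WS-022,powershell.exe,drive.google.com,443
2022-06-01T10:04:02Z,WS-022,outlook.exe,outlook.office365.com,443
2022-06-01T10:05:30Z,WS-031,GoogleDriveFS.exe,www.googleapis.com,443
"""

# Endpoints used by Google Drive and its API. googleapis.com is deliberately
# broad (it fronts many Google APIs); narrow it for your environment.
DRIVE_HOST_SUFFIXES = ("drive.google.com", "googleapis.com")

# Processes expected to talk to Drive on a typical workstation (assumed list,
# compared case-insensitively). Anything else warrants a look.
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}


def is_drive_host(hostname: str) -> bool:
    """True if hostname is a Drive endpoint or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DRIVE_HOST_SUFFIXES)


def parse_events(text: str) -> list[dict]:
    """Parse CSV telemetry into dicts; dest_port becomes an int."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dest_port"] = int(row["dest_port"])
        events.append(row)
    return events


def find_suspicious(events: list[dict]) -> dict[tuple[str, str], list[dict]]:
    """
    Group Drive-bound connections by (host, process) and keep only the groups
    whose process is not on the allowlist. Returns {(host, process): events}.
    """
    hits: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for ev in events:
        if not is_drive_host(ev["dest_host"]):
            continue
        if ev["process"].lower() in ALLOWED_PROCESSES:
            continue
        hits[(ev["host"], ev["process"])].append(ev)
    return dict(hits)


def summarize(hits: dict[tuple[str, str], list[dict]]) -> list[str]:
    """One human-readable line per suspicious (host, process) pair."""
    lines = []
    for (host, proc), evs in sorted(hits.items()):
        dests = sorted({e["dest_host"] for e in evs})
        lines.append(
            f"{host}: {proc} made {len(evs)} connection(s) to {', '.join(dests)} "
            f"(first seen {evs[0]['timestamp']})"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(find_suspicious(parse_events(SAMPLE_LOG))):
        print(line)
```

On the constructed sample this reports rundll32.exe on WS-017 and powershell.exe on WS-022, while the browsers and the Drive sync client pass. The obvious limitation is that an implant injected into a browser process inherits the browser's allowlisted name, so this heuristic belongs alongside process-integrity and beaconing-interval checks rather than in place of them.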

Shaking up Ukraine's intelligence services.

The replacement of both the head of Ukraine's SBU security service and the country's chief prosecutor (technically suspensions, since both could be restored to office depending on the outcome of the investigations) indicates the extent to which Kyiv is troubled by disloyalty in its security and intelligence services. The SBU, like its Russian counterparts the FSB and SVR, is a successor to the Soviet KGB, with all the liabilities that heritage brings: corruption, cronyism, and, perhaps most significantly, susceptibility to compromise by its Russian counterparts. The Telegraph describes some of the specific incidents that prompted the suspensions, and its account points out the difficulties of reforming a service with deep institutional roots and a questionable cultural heritage. Contentious Ukrainian domestic politics further complicates efforts at reform.