Ukraine at D+679: Sandworm's patient campaign against Kyivstar.
The CyberWire, Jan 4, 2024

Ukrainian special forces hit a Russian airfield east of the Urals. Ukraine's SBU reveals that the GRU's Sandworm was in Kyivstar's networks for months before its cyberattacks were discovered.


Ukrainian diversionary units destroyed a Russian Su-34 fighter-bomber at the Shagol airfield near Chelyabinsk, the Telegraph reports. This is well behind the lines: Chelyabinsk is east of the Urals, more than a thousand miles from the Ukrainian border.

More civilian casualties from Russia's new year strikes have been discovered as recovery crews search through the rubble in Ukrainian cities. Radio Free Europe | Radio Liberty says that the death toll in Kyiv alone is now thirty-two, with more than forty killed in total.

P.O.W. exchange.

The United Arab Emirates, which has succeeded in continuing to talk to both sides during the war, brokered a large prisoner-of-war exchange between Russia and Ukraine, the AP reports. Two hundred thirty Ukrainian prisoners (including some defenders of Snake Island taken in the early stages of the war) were returned. Russia received two hundred forty-eight POWs in exchange.

The hard-war milbloggers approved of the exchange because Russia received a few more prisoners back than it released to Ukraine. Russia's agreement to the swap seems to have been intended partially to confute widespread charges that Russian forces have systematically mistreated prisoners-of-war. The Institute for the Study of War (ISW) offers informed conjecture on the Kremlin's motivation. "The Russian leadership may have chosen to engage in such a large POW exchange at this time to undermine reports of Russian abuses of Ukrainian POWs and posture Russia as interested in operating within the bounds of international law and norms. ISW has frequently assessed that senior Russian officials are often very invested in portraying Russia as adhering to humanitarian and other legal guidelines, and the timing of this POW exchange may be part of this wider informational effort."

Sandworm was in Kyivstar's networks for months.

Illia Vitiuk, who leads Ukraine's SBU cybersecurity department, has told Reuters that the Sandworm element of Russia's GRU had gained access to telecom provider Kyivstar's networks at least as long ago as May of 2023. Sandworm probably began its attempts against Kyivstar as early as March of that year. Its goal was collection, mostly of data on individual users of Kyivstar's services, followed in the last stages of the operation by destruction of data and disruption of services. A nominally hacktivist group, Solntsepyok, had claimed credit for the attack, but Solntsepyok is almost surely a GRU front.

The effects of the attack on Kyivstar were severe and widespread, but mostly affected civilian users as opposed to military operations; the Ukrainian military doesn't make much tactical use of civilian telecoms. Vitiuk sees the attack as a warning. "This attack is a big message, a big warning," he said, "not only to Ukraine, but for the whole Western world to understand that no one is actually untouchable." Kyivstar is a large, wealthy, private company, a subsidiary of the Netherlands multinational VEON, and it was by no means a soft target. Kyivstar was known for its extensive investment in cybersecurity, but it was successfully attacked nonetheless.

UAC-0050 deploys RemcosRAT against Ukrainian targets.

Uptycs researchers report new developments in the investigation of UAC-0050's cyberespionage operations against Ukraine. "Our Threat Research Team initiated an investigation after the Uptycs platform alerted to a suspicious .lnk file on December 21, 2023. Analysis revealed UAC-0050's deployment of RemcosRAT in a targeted cyber intelligence operation against Ukrainian government agencies."

RemcosRAT is no novelty, and UAC-0050, a group of uncertain control but clearly aligned with Russian intelligence interests, has for the last few years used it as one of its preferred tools. The use of a malicious .lnk file, however, has rendered the attack more effective and more difficult to detect and counter. "In this case," Uptycs writes, "the malicious .lnk file gathers information regarding antivirus products installed on the target computer. It verifies if the display name corresponds to 'Windows Defender'. If so, it proceeds to replace the term with an empty string. As a result, the condition within the 'if' statement becomes false, preventing the execution of the 'exit' statement. Consequently, the script seamlessly continues with any subsequent code."

The report offers defensive recommendations and a list of indicators of compromise.
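A shortcut file carries its command line in a fixed binary layout, so the behaviour Uptycs describes (a script host launched with arguments that first probe the installed antivirus product) can be surfaced by parsing the .lnk and applying a few heuristics to the embedded arguments. The following is an added example and not code from The CyberWire or from the Uptycs report; the Shell Link field layout follows Microsoft's public MS-SHLLINK specification, while the heuristic patterns, the length threshold, the `build_lnk` helper and the two sample shortcuts are constructed for illustration and are not indicators from the report.

```python
"""Triage of Windows shortcut (.lnk) files: extract the embedded command line
and flag argument patterns typical of script droppers.

Added example, not code from The CyberWire or from Uptycs. The Shell Link
layout follows the public MS-SHLLINK specification; the heuristics, the
threshold and the sample shortcuts below are constructed for illustration."""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (
    0x04, 0x08, 0x10, 0x20, 0x40, 0x80)
# StringData fields appear in this fixed order when their flag bit is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON)]

# Heuristics (constructed): script hosts as targets, and argument patterns
# seen in .lnk droppers, including the antivirus-name probe Uptycs describes.
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?$", re.I)
SUSPECT_PATTERNS = {
    "hidden-window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded-command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "execution-policy-bypass": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "av-product-probe": re.compile(r"AntiVirusProduct|Windows Defender", re.I),
}
MAX_SANE_ARG_LEN = 260  # constructed threshold; ordinary shortcuts are short

def _read_string(data, pos, unicode):
    """Read one StringData entry: u16 character count, then the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("cp1252", "replace"), pos + count

def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = header_size
    if flags & HAS_ID_LIST:          # skip LinkTargetIDList (u16 size + items)
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:        # skip LinkInfo (u32 size includes itself)
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            fields[name], pos = _read_string(data, pos, flags & IS_UNICODE)
    return fields

def triage_lnk(data):
    """Return a sorted list of finding labels for one .lnk file."""
    fields = parse_lnk(data)
    target = fields.get("relative_path", "")
    args = fields.get("arguments", "")
    findings = set()
    if SCRIPT_HOSTS.search(target):
        findings.add("script-host-target")
    if len(args) > MAX_SANE_ARG_LEN:
        findings.add("oversized-arguments")
    for label, pattern in SUSPECT_PATTERNS.items():
        if pattern.search(args):
            findings.add(label)
    return sorted(findings)

def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode shell link with a relative target and
    arguments. Used here only to produce sample input; not a general writer."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body

# Constructed samples: a benign shortcut, and a dropper-style one whose
# arguments query the installed antivirus name before doing anything else.
BENIGN = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "-multiInst")
SUSPECT = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -ep bypass -c \"$av=(Get-CimInstance -Namespace root/SecurityCenter2 "
    "-ClassName AntiVirusProduct).displayName; if($av -ne 'Windows Defender'){exit}; "
    "Start-Sleep 1\"")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage_lnk(blob))
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks rather than decoding them, because for triage the relative path and the argument string are what reveal a script host being abused; a real deployment would run `triage_lnk` over mail attachments or collected files and forward anything with findings for analyst review.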

"Happy New Year" changed to "Glory to Ukraine."

TASS is authorized to disclose that a "light garland" (that is, an LED curtain) in Veliky Novgorod was altered so that instead of spelling out "Happy New Year," it displayed "Glory to Ukraine." Police confiscated the garland and charged the "owners of the apartment under Part 1 of Article 20.3.3 Code of Administrative Offenses (public actions aimed at discrediting the use of the Armed Forces of the Russian Federation)."

The Record explains the wayward messaging as a firmware exploit developed in Ukraine during December and subsequently distributed to users of the decoration in Russia. The message was designed to switch at the stroke of midnight on New Year's Eve. It's hard luck for the hapless consumer, who after all now must appear in court after doing nothing more subversive than setting up an apparently innocent holiday sign, but as the Record observes, it's not otherwise a very consequential hack.