Ukraine at D+386: Tactical pause, ongoing cyberespionage.
Mar 17, 2023

China offers a show of support for Russia as the offensive at Bakhmut stalls. Fancy Bear exploits a recently patched Outlook vulnerability.

As China's leader announces a trip to Moscow (where he's expected to express support for Russia's war), Poland says that it will be giving MiG-29 combat aircraft to Ukraine.

Russian officials say that the incident in which one of its Su-27 fighters rammed a US Reaper drone over the Black Sea didn't really happen, and, moreover, that if it did happen, the US drone crashed on its own after executing "provocative maneuvers." “Flights of US strategic unmanned vehicles near the coast of Crimea are of a provocative character creating a pretext for the escalation in the Black Sea zone,” Al Jazeera quotes Kremlin sources as saying.

An apparent tactical pause around Bakhmut.

Al Jazeera sums up the situation in Bakhmut at week's end. "Kyiv’s forces continued to withstand Russian assaults on the now-ruined salt-mining town of Bakhmut in eastern Ukraine. Russian attempts to capture Bakhmut are 'difficult' with no signs Ukraine is ready to withdraw, said the Russian-installed leader of Ukraine’s semi-occupied Donetsk region."

Russian forces may be consolidating their hold on territory they've taken in Bakhmut, the UK's Ministry of Defence writes this morning, moving to the tactical defense until they can reconstitute their units in the area for a renewed offensive. "In recent days, Russian and Wagner Group forces have obtained footholds west of the Bakhmutka River in the centre of the contested Donbas town of Bakhmut. Over the preceding week, the river had marked the front line. Ukrainian Armed Forces continue to defend the west of the town. However, more broadly across the front line, Russia is conducting some of the lowest rates of local offensive action that has been seen since at least January 2023. This is most likely because Russian forces have temporarily depleted the deployed formations’ combat power to such an extent that even local offensive actions are not currently sustainable. Russian leaders will likely seek to regenerate the offensive potential of the force once personnel and munition stocks are replenished. In the meantime, commanders will likely be forced to choose between carrying out offensive operations and conducting a credible defence of the full line."

The Wagner Group may be in its trenches around Bakhmut, but it's expanded its interests internationally. The Telegraph reports that Mr. Prigozhin's army has placed a €15 million bounty on Italian Defense Minister Guido Crosetto.

Russian operators exploit an Outlook vulnerability.

APT28, the GRU's Fancy Bear, has made considerable use of an Outlook vulnerability against its targets. Cybersecurity Dive reports that the exploit has been used in attacks against organizations in Ukraine, Turkey, Romania, and Poland since last April. Deep Instinct offers a detailed account of how the exploitation has played out in the GRU's cyber operations, and concludes with the following advice:

  • "While we found evidence of attacks starting in April 2022, there is a possibility that it was exploited even earlier.
  • "Due to the fact that we used only publicly available data the actual scope of attacked targets could be much higher.
  • "Microsoft attributed the attacks to a Russian-based threat actor; however, public evidence might suggest another threat actor exploited the vulnerability as well.
  • "Since the attack does not require user interaction, we urge everyone using the Outlook application to patch their systems as soon as possible.
  • "We also suggest running the PowerShell script provided by Microsoft to find retroactively malicious emails in the Exchange server."