Ukraine at D+69: Cyberespionage, and assessments of Russia's battlefield performance.
N2K, May 4, 2022

Russia continues to search for a remedy for tactical underperformance. The window of relative immunity Russian artillery has enjoyed is expected to begin closing this week, as Ukraine fields NATO-delivered howitzers and counterbattery radars. Cyber operations on both sides continue to concentrate on espionage.

Ukraine at D+69: Cyberespionage, and assessments of Russia's battlefield performance.

The morning situation report from the UK's Ministry of Defence tracks Russian deployment in the northern Donbas. "Russia has deployed 22 battalion tactical groups near Izium in its attempt to advance along the northern axis of the Donbas. Despite struggling to break through Ukrainian defences and build momentum, Russia highly likely intends to proceed beyond Izium to capture the cities of Kramatorsk and Severodonetsk. Capturing these locations would consolidate Russian military control of the north-eastern Donbas and provide a staging point for their efforts to cut-off Ukrainian forces in the region."

Russian underperformance on the ground continues to excite comment. Defense News reviews the inept logistical planning and execution that rendered the Russian army incapable of sustaining an advance. The Washington Post describes Russian failure in what had long been reckoned one of that army's strengths: electronic warfare. Newsweek reports that President Putin has sent General Valery Gerasimov to Ukraine for the dual purpose of bucking up the commanders there (with some frank communication about the consequences of continued lackluster performance) and of finding out just what the situation on the ground actually is.

The Telegraph quotes US sources to the effect that Russian forces appear to be growing increasingly "casualty averse" in the face of Ukrainian advances around Kharkiv. "There's a casualty aversion that we continue to see by the Russians now," an unnamed US source said, adding that Russian advances in the Donbas had become "very cautious, very tepid." Breaking Defense offers an interesting inside look at Russian troop behavior, understanding, and morale. One of their correspondents was detained by Russian forces on March 4th and held for two weeks before being unceremoniously released on the western side of Chernobyl and told to walk to Belarus. He reported that the general opinion of the Russian troops he encountered was that “We would be in Ukraine a maximum of four to five days and then Ukraine would be conquered, and we would go home.” Their mission was unclear, their information inaccurate, their expectations wildly rosy, and their indiscipline was clear and increasing. That indiscipline looked like what one sees in an army "that knows it's already lost." Or, as an op-ed in the Telegraph puts it, "Vladimir Putin’s military cupboard is bare."

Germany's financial regulator warns of the risk of Russian cyberattacks.

Western authorities continue to warn against the possibility of large-scale Russian cyberattacks that so far have failed to materialize. The latest warning comes from Germany. AFP reports that BaFin, Germany's financial regulatory body, warned Tuesday that there was a "very big" risk of Russian cyberattacks against the financial sector. "The risk that companies in the financial sector will fall victim to cyberattacks or that internal IT security incidents will occur is very big and very present," BaFin president Mark Branson said, in the course of a warning that such attacks could place the international financial system's stability at risk. Branson doubts that the financial system is really prepared for such an eventuality.

An upswing in malware deployed against targets in Eastern Europe.

The surge is connected with Russia's war against Ukraine. Google's Threat Analysis Group (TAG) has been tracking the increased activity, much of it traceable to Russia (especially to Fancy Bear, the group attributed to Russia's GRU military intelligence service) but some of it involving the more-or-less Russia-aligned Belarusian and Chinese services. Some of Google's key conclusions are:

  • "APT28 or Fancy Bear, a threat actor attributed to Russia GRU, was observed targeting users in Ukraine with a new variant of malware. The malware, distributed via email attachments inside of password protected zip files, is a .Net executable that when executed steals cookies and saved passwords from Chrome, Edge and Firefox browsers."
  • "Turla, a group TAG attributes to Russia FSB, continues to run campaigns against the Baltics, targeting defense and cybersecurity organizations in the region. Similar to recently observed activity, these campaigns were sent via email and contained a unique link per target that led to a DOCX file hosted on attacker controlled infrastructure. When opened, the DOCX file would attempt to download a unique PNG file from the same attacker controlled domain."
  • "COLDRIVER, a Russian-based threat actor sometimes referred to as Callisto, continues to use Gmail accounts to send credential phishing emails to a variety of Google and non-Google accounts. The targets include government and defense officials, politicians, NGOs and think tanks, and journalists. The group's tactics, techniques and procedures (TTPs) for these campaigns have shifted slightly from including phishing links directly in the email, to also linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive. Within these files is a link to an attacker controlled phishing domain."
  • And from Belarus comes a familiar threat actor. "Ghostwriter, a Belarusian threat actor, has remained active during the course of the war and recently resumed targeting of Gmail accounts via credential phishing. This campaign, targeting high risk individuals in Ukraine, contained links leading to compromised websites where the first stage phishing page was hosted. If the user clicked continue, they would be redirected to an attacker controlled site that collected the users credentials."
  • Finally, there's Curious Gorge (Curious George to the wags), which is curious about both sides of the conflict and is prospecting Russian targets as much as any other. "Curious Gorge, a group TAG attributes to China's PLA SSF, has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company." The Man in the Yellow Hat is presumably unavailable for comment.

The initial approach of all these groups has tended to be through email phishing.
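The Turla lure described above, a DOCX that fetches a unique PNG from attacker-controlled infrastructure when it is opened, is the kind of attachment a mail gateway or an analyst can triage statically. A .docx is a zip of XML parts, and any part that reaches out to the network on open does so through a relationship marked TargetMode="External" (an externally linked image, or an attached template in word/_rels/settings.xml.rels). The scanner below is an added example, not Google TAG's tooling. It assumes the lure uses an external relationship (TAG's report does not say which mechanism the documents used), builds a minimal sample document inline so it runs offline, and flags only the relationship types Word resolves automatically, leaving click-driven hyperlinks and mailto: links alone.

```python
"""Scan .docx files for relationships that reach out to external hosts.

Added example, not Google TAG's tooling. A .docx is a zip of XML parts whose
relationships live in *.rels files. A relationship with TargetMode="External"
pointing at an http(s) URL makes Word fetch the target when the document is
opened (linked images, attached templates), which is assumed here to be how
the Turla DOCX lures pull their PNG. The sample document is constructed
inline so the script runs offline.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Relationship types Word resolves on open without user interaction.
# Hyperlinks are external too, but only fetched on click, so they are not listed.
AUTO_FETCH = {"image", "attachedTemplate", "oleObject", "frame", "subDocument"}


def external_targets(docx_bytes: bytes) -> list:
    """Return every External relationship in the package: the .rels part it
    lives in, its relationship type, the raw target, scheme and host."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                parsed = urlparse(target)
                found.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],  # e.g. image
                    "target": target,
                    "scheme": parsed.scheme.lower(),
                    "host": (parsed.hostname or "").lower(),
                })
    return found


def triage(docx_bytes: bytes) -> list:
    """The subset worth alerting on: auto-fetched relationships over http(s)."""
    return [r for r in external_targets(docx_bytes)
            if r["type"] in AUTO_FETCH and r["scheme"] in ("http", "https")]


def build_sample_docx(image_url: str) -> bytes:
    """Constructed sample (not a real lure): a minimal .docx whose document
    part links an external image plus a harmless mailto: hyperlink."""
    content_types = '''<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>'''
    root_rels = '''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>'''
    doc_rels = f'''<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="{image_url}" TargetMode="External"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="mailto:contact@example.test" TargetMode="External"/>
</Relationships>'''
    document = '''<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p/></w:body></w:document>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", root_rels)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    # lure.example is a placeholder host, not infrastructure from the report.
    sample = build_sample_docx("https://lure.example/unique-id/image.png")
    for hit in triage(sample):
        print(f"{hit['part']}: {hit['type']} -> {hit['target']}")
```

Run it over the attachments a gateway quarantines; a unique per-target path in the image URL, as TAG describes, is itself a tracking beacon, so the host and path are worth extracting even before any payload is fetched.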

Dark web norms fray under the stress of a hybrid war.

The New Statesman describes the ways in which the dark web is changing under the stresses of Russia's hybrid war against Ukraine. The criminal precincts of that web have long been dominated by Russophone actors, and there were some general principles that governed their conduct. First among those principles was a rule that cybercriminals should generally avoid the former Soviet Republics that made up the Commonwealth of Independent States. This restriction led organized cybercrime to evolve into something very much like privateering, with the Russian government providing a safe haven for criminal operations, or at least the promise of benign neglect, as long as the criminals targeted countries generally unfriendly to Russia. The present war has changed that, as two of the largest former Soviet Republics are now at war with one another. (Ukraine was a founding member of the Commonwealth of Independent States in 1991, but it has balked at full membership, being reluctant to recognize, as the organization's charter requires, Russia as the sole legal successor to the USSR.) Conti's declaration that it would be acting in patriotic support of Russia was the most prominent early change in the dark web, which now shows itself amplifying what Virginia Tech political scientist Eric Jardine calls “background malicious cyber activity."

Cozy Bear's typosquatting.

Recorded Future's Insikt Group describes a cyberespionage campaign operated by Nobelium, the group also tracked as Cozy Bear and attributed to Russia's SVR foreign intelligence service. The researchers call the command-and-control infrastructure SOLARDEFLECTION, and they summarize four key conclusions about the state and prospects of the campaign:

  • "Insikt Group is confident that the identified SOLARDEFLECTION infrastructure can be attributed to the threat activity group publicly reported as NOBELIUM; this confidence is based on the use of overlapping network infrastructure previously attributed to NOBELIUM in public reporting, as well as unique variations of Cobalt Strike traditionally used by the group.
  • "Broader themes in SOLARDEFLECTION C2 typosquats have included the misuse of brands across multiple industry verticals, particularly in the news and media industries.
  • "Cobalt Strike servers related to SOLARDEFLECTION monitoring that were also previously linked to NOBELIUM activity used modified server configurations, likely in an attempt to remain undetected from researchers actively scanning for standard Cobalt Strike server features.
  • "NOBELIUM has made extensive use of typosquat domains in SSL certificates and will likely continue to use deceptive techniques, including typosquat redirection, when using Cobalt Strike tooling."

The SVR's mission is the collection of strategic intelligence. It is believed, CyberScoop points out, to have been the agency behind much of the 2020 SolarWinds supply-chain compromise.

Typosquatting involves registering a domain name that closely resembles one owned and operated by a legitimate organization. For example, consider the (fictitious) MaxOrdinate company, whose corporate domain is maxordinate[dot]com. A typosquatter might register the look-alike mахordinate[dot]com, in which the "a" and "x" are the Cyrillic letters а (U+0430) and х (U+0445) rather than their Latin twins. The glyphs are indistinguishable in most fonts, and the DNS carries the name as punycode (an xn-- label), so the difference is invisible unless software surfaces it: current browsers display a label that mixes Latin and Cyrillic characters in its punycode form, but a name built entirely from Cyrillic confusables, or a plain misspelling or extra hyphen, gets no such treatment. Close, but no cigar, and for the unwary probably close enough. In this case, many of the domains being spoofed are media outlets. Erich Kron, security awareness advocate at KnowBe4, explained how typosquatting works and what organizations can do about it. The technique has been much used by criminals:

“Typosquatting is not a new tactic but continues to be very effective. By closely resembling the name of a well-known brand, attackers can cash in on the trust that the legitimate brand has with the public, and can even get SSL certificates that activate the lock icon in the browser's URL bar, something most people have been told signifies a safe website.

"The power of typosquatting is that at a quick glance, most people may not even notice the slight difference in the domain name, making them believe that it is legitimate. Attackers may easily clone the website from the legitimate domain, using simple and free hacking tools, and add their own little nasty surprises.

"To counter this issue, organizations should educate users on the dangers of typosquatting and email phishing, and teach them how to double check the URL in the browser to ensure they are on the correct website before entering any information or allowing any downloads. In addition, organizations should ensure that they have registered any similar websites to their own that could be used for nefarious purposes, and that they use legal means to recover any that are already registered."
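A watch-list check covering the patterns discussed above (the Cyrillic homoglyph in the MaxOrdinate example, the misspellings and look-alike registrations Kron recommends organizations register or recover, and the typosquat names Insikt Group reports seeing in NOBELIUM's SSL certificates) follows as an added example. It is neither Recorded Future's nor KnowBe4's code. It decodes punycode so a name is compared as the browser would render it, folds a small table of Cyrillic confusables to a Latin "skeleton", and then compares that skeleton with each brand by exact match, one-edit distance, alternate TLD and embedded brand. The brand list, the MaxOrdinate domain and the test names are constructed for the example; the confusables table is deliberately partial and a production checker should load the Unicode confusables data (UTS #39) instead.

```python
"""Flag domains that typosquat a watch-list of brand names.

Added example; not Recorded Future's or KnowBe4's tooling. Covers homoglyph
look-alikes (Cyrillic letters for Latin ones, carried on the wire as
punycode), one-keystroke variants, alternate TLDs and brand-plus-keyword
names. Brand list and test domains are constructed for the example.
"""
import unicodedata

# Cyrillic letters whose glyphs coincide with Latin ones in most fonts.
# Deliberately partial; load the Unicode confusables table (UTS #39) in production.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u04cf": "l",
}

BRANDS = ["maxordinate.com", "example-news.com"]  # constructed watch-list


def to_unicode(domain: str) -> str:
    """Decode xn-- (punycode) labels so the name is compared as rendered."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or not valid IDNA
        return domain


def skeleton(label: str) -> str:
    """The Latin string a label looks like once confusables are folded."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def scripts(label: str) -> set:
    """Unicode scripts present in a label, read off the character names
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]
            for ch in label if ch.isalpha()}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each at cost 1 (catches 'maxordniate')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess(domain: str, brands=BRANDS) -> dict:
    """Compare one domain with the watch-list; report the brand it resembles
    (if any) and why. Works on names from DNS logs or certificate SANs alike."""
    raw = domain.lower().rstrip(".")
    uni = to_unicode(raw)
    reasons = []
    if uni != raw:
        reasons.append("punycode-encoded")
    if any(len(scripts(label)) > 1 for label in uni.split(".")):
        reasons.append("mixed-script label")
    skel = ".".join(skeleton(label) for label in uni.split("."))
    s_label, _, s_tld = skel.partition(".")
    matched = None
    for brand in brands:
        if uni == brand:  # the genuine article
            return {"domain": domain, "brand": brand, "reasons": [], "suspicious": False}
        b_label, _, b_tld = brand.partition(".")
        if s_label == b_label:
            reasons.append(("different TLD than " if s_tld != b_tld else "homoglyph of ") + brand)
        elif osa_distance(s_label, b_label) == 1:
            reasons.append("one edit from " + brand)
        elif b_label in s_label:
            reasons.append("embeds " + b_label)
        else:
            continue
        matched = brand
    return {"domain": domain, "brand": matched, "reasons": reasons, "suspicious": matched is not None}


if __name__ == "__main__":
    homoglyph = "m\u0430\u0445ordinate.com"  # Cyrillic a and x
    for d in ["maxordinate.com", homoglyph, homoglyph.encode("idna").decode("ascii"),
              "maxordnate.com", "maxordinate-login.com", "maxordinate.net"]:
        print(assess(d))
```

Feed it new registrations from a zone-file feed or names from certificate transparency; the "different TLD" and "embeds" hits are the candidates Kron suggests registering defensively, while a punycode or mixed-script hit against your own brand is a domain to report and, where possible, recover.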

Back in the old days of the younger Internet, we heard that a site featuring adult content registered "whitehouse[dot]com." This was when a lot of users were unaware that there were different top-level domains; to much of the public, everything was a dot-com. The real White House site was dot-gov, but back then who knew? Thus many of the curious who surfed over to whitehouse[dot]com thinking they'd be getting the President's latest pensées were instead served up, well, whatever they were serving that day.

Online collection and customer service, Langley-style.

The Washington Post describes a secure portal the CIA has established for the use of any disaffected Russians who may wish to share intelligence. The invitation says (in Russian): "The following are instructions for making secure virtual contact with the US Central Intelligence Agency (CIA). We urge you to take all appropriate measures to protect yourself. Your safety comes first." The invitation is followed by a link to the Agency's Tor site. The CIA explained, in English, "#CIA is providing Russian-language instructions on how those who feel compelled by the Russian Government's unjust war can securely contact us. Our global mission demands that individuals be able to reach CIA securely from anywhere." Russian security services will be watching this closely. The CIA may indeed develop some sources this way, and it will also surely aggravate the characteristic paranoia of the Russian services, who are indisposed, ever, to see the operation of chance, accident, or fatality, and will see spies behind every VPN.