Ukraine at D+602: A hacktivist auxiliary versus a privateer.
Oct 19, 2023

River crossings by Ukraine aim at establishing bridgeheads over the Dnipro. Ukrainian hacktivists disrupt a Russian privateer. The SBU describes early hunt-forward missions conducted with US Cyber Command.

Ukrainian small units have successfully crossed the Dnipro River and established themselves on its eastern bank, the Telegraph reports. The Institute for the Study of War (ISW) says that the crossings so far don't constitute a bridgehead, yet, but that the tactical success has been confirmed by Russian milbloggers. "Russian sources claimed that likely company-sized elements of two Ukrainian naval infantry brigades conducted an assault across the Dnipro River onto the east (left) bank of Kherson Oblast on October 17-18. Geolocated footage published on October 18 indicates that Ukrainian forces advanced north of Pishchanivka (14km east of Kherson City and 3km from the Dnipro River) and into Poyma (11km east of Kherson City and 4km from the Dnipro River)." Russia's Ministry of Defense acknowledged the crossings but dismissed them as failed raids intended to conduct sabotage. Russian milbloggers are also expressing concerns about Russia's ability to stop Ukrainian operations in the Kherson sector--many of Russia's better units formerly deployed there have been withdrawn and redeployed to support Russia's offensive (or "active defense") farther north.

Claim: Kerch Strait Bridge repaired.

The UK's Ministry of Defence (MoD) reports official Russian claims to have repaired the Kerch Strait Bridge, which connects occupied Crimea with the Russian mainland. "On 14 October 2023, Russian Deputy Prime Minister Marat Khusnullin declared that damage from Ukraine's July 2023 strike on the Crimean bridge had been repaired ahead of schedule. Although fully operational, use of the bridge remains restricted due to procedures enacted following the first Ukrainian attack in October 2022. Trucks and fuel supplies continue to be moved by ferry."

The bridge is an important logistical connection for Russian operations in southern Ukraine, but the MoD also assesses it as a vulnerable asset. "The Crimean bridge will remain a vital link in sustaining Russia’s occupation of Crimea and its forces in southern Ukraine. However, it is now almost certainly a significant security burden requiring multi-domain protection, including the use of air defence systems and crews who would otherwise be deployed elsewhere. Russian security forces' confidence in their ability to protect this large and vulnerable structure will continue to be threatened by the ingenuity of Ukraine’s military and security services."

Ukrainian hacktivist auxiliary takes down Trigona privateers.

Members of the Ukrainian Cyber Alliance (UCA) claim to have gained access to servers used by the Trigona ransomware gang. BleepingComputer reports that the hacktivists say they "exfiltrated all of the data from the threat actor's systems, including source code and database records," and then wiped the servers. To get in, the UCA exploited CVE-2023-22515, a recently disclosed improper-access-control flaw in Atlassian's Confluence Data Center and Server that lets an unauthenticated remote attacker create an administrator account, giving them both access and the privileges they needed to do their damage. "Welcome to the world you created for others!" a member of the UCA tweeted above a taunting screenshot headlined "Trigona is gone." The group says it is still sorting through the exfiltrated data; if the files turn out to contain decryption keys, it intends to publish them so that Trigona's victims can use them to recover their systems.
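The page mentions CVE-2023-22515 only as the way in; a defender's first question is whether their own Confluence instance has seen the same kind of traffic. The following is an added example, not code from the original article, the UCA, or Atlassian. It scans web-server access logs for the indicator Atlassian's advisory lists for this bug (requests to /setup/*.action on an instance that has already completed setup) and for the /server-info.action request carrying a setupComplete parameter that public analyses of the exploit describe. The log lines, the IP addresses, and the function names are constructed for the example. The important caveat is in the code: a freshly installed, not-yet-configured Confluence legitimately hits the setup endpoints, so these hits only mean something on a production instance.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in combined-log format. These are
# invented for the example and are not real traffic from any incident.
SAMPLE_LOGS = """\
203.0.113.7 - - [10/Oct/2023:14:02:11 +0000] "GET /server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:14:02:13 +0000] "POST /setup/setupadministrator.action HTTP/1.1" 302 0
198.51.100.4 - - [10/Oct/2023:14:05:00 +0000] "GET /login.action HTTP/1.1" 200 5120
198.51.100.4 - - [10/Oct/2023:14:05:09 +0000] "GET /rest/api/content?limit=25 HTTP/1.1" 200 8192
198.51.100.4 - - [10/Oct/2023:14:06:31 +0000] "GET /admin/viewsetupadministrator.action HTTP/1.1" 404 0
"""

# Minimal combined-log parser: source IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator 1 (from Atlassian's CVE-2023-22515 advisory): any request to a
# /setup/*.action endpoint after installation has been completed.
SETUP_PATH_RE = re.compile(r'^/setup/[^?]*\.action', re.IGNORECASE)

# Indicator 2 (from public exploitation write-ups, treated here as an assumption):
# a /server-info.action request that tries to flip the setupComplete flag.
SETUP_RESET_RE = re.compile(r'^/server-info\.action\?.*setupComplete=', re.IGNORECASE)


def classify_request(target):
    """Return an indicator tag for a request target, or None if it looks benign.

    The target is URL-decoded first so that percent-encoded variants of the
    same path are not missed. Paths outside /setup/ (e.g. /admin/...) are not
    flagged; the advisory's indicator is specifically the /setup/ prefix.
    """
    decoded = unquote(target)
    if SETUP_PATH_RE.match(decoded):
        return "setup-endpoint"
    if SETUP_RESET_RE.match(decoded):
        return "setup-reset"
    return None


def scan_access_log(text, setup_complete=True):
    """Scan access-log text and return a list of suspicious requests.

    setup_complete=False models a brand-new instance that has not finished
    its installer yet; there, /setup/ traffic is expected and nothing is
    reported, which is the caveat practitioners need to remember.
    """
    findings = []
    if not setup_complete:
        return findings
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        tag = classify_request(m.group("target"))
        if tag:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "indicator": tag,
            })
    return findings


def group_by_source(findings):
    """Count flagged requests per source IP; one host touching both indicators
    in quick succession is the pattern worth escalating."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]} -> {h["indicator"]}')
    print("per-source counts:", group_by_source(hits))
```

A hit here is a reason to go and look, not proof of compromise: the advisory's other indicators (unexpected members of confluence-administrators, unexpected new user accounts, and setup-related exception messages in atlassian-confluence-security.log) are what confirm that an account was actually created. Run the scan across every front-end proxy in front of Confluence, since the request may never reach the application log if it was blocked or redirected upstream.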

Trigona is a Russian gang that has operated since at least October of 2022, when its emergence was noted and described by MalwareHunterTeam. It functions as a privateer: its criminal activity is tolerated and protected by the Russian government as long as its money-making raids avoid Russian targets and hit adversaries of the Russian state.

The Ukrainian Cyber Alliance is a hacktivist auxiliary working in the interest of the Ukrainian government. It began forming in 2014 (the year Russia invaded and took Crimea) and has since been officially chartered as a non-governmental organization "governed by civic duty" to Ukraine. The group's tagline is "disrupting russian criminal enterprises (both public and private) since 2014." (The lower-case "r" in "russian" (sic) is a common, deliberate gesture of contempt toward the Russian enemy.)

Joint US-Ukrainian "hunt-forward" mission preemptively blunted Russian cyber offensive in 2022.

The Record, citing Illia Vitiuk, head of the SBU's cyber division, describes the ways in which a joint US-Ukrainian "hunt-forward" mission disrupted Russian offensive cyber operations both before and immediately after Moscow's general invasion in February 2022. "Indeed [Moscow's] expectations for its cyberattacks were far beyond what actually happened. The GRU were responsible for these attacks and they thought that our infrastructure would be on its knees," Vitiuk said.

Collaboration with U.S. Cyber Command began in December 2021. The joint operation identified and removed much of the malware the GRU had staged in Ukrainian systems. While the wiper attacks Russia conducted to coincide with its invasion were troubling, they fell far short of the devastation that had been widely expected and predicted. "They failed in bringing those kinds of disastrous effects," Vitiuk said, and he credits early preparation for Ukraine's successful defense.

It's worth noting that the hunting done in "hunt-forward" missions of this kind was conducted inside friendly networks, not in hostile Russian systems.