Ukraine at D+405: Soft power and cyberwar.

Explosions are reported in Russian-occupied Mariupol, which some observers regard as a sign of preparation for a Ukrainian counteroffensive. That assessment seems premature, but a Ukrainian counteroffensive seems likely to begin within weeks.

New plans for Russian sovereign debt.

"On the 28th March 2023, Russian Prime Minister Mikhail Mishustin said that a move to issuing some of Russia’s sovereign debt in foreign currencies was ‘under development’," the UK's Ministry of Defence wrote in this morning's situation report. "The move is almost certainly an indication that Russia anticipates external financial support from foreign states it deems ‘friendly’. Once the development is completed, investors from other countries will be able to purchase Russia’s sovereign debt and therefore finance some of Russia’s future budget shortfalls. Such investors would be indirectly financing Russia’s invasion of Ukraine. In recent months, Russia’s own banks have been the main entities purchasing Russian state debt. However, they are unlikely to have the capacity to fully fund anticipated future budget deficits. Russian officials likely see external debt issuance as one way to plug gaps in Russia’s finances as they plan for a long war in Ukraine. However, it remains unclear whether Russia will succeed in implementing the measures."

Killnet attempts DDoS attack against German ministry.

The Russian hacktivist auxiliaries of Killnet have attempted to disable a recently established German government website devoted to the economic reconstruction of Ukraine. The distributed denial-of-service (DDoS) attacks "have so far successfully been repelled," a representative of the Federal Ministry for Economic Cooperation and Development (Bundesministerium für wirtschaftliche Zusammenarbeit und Entwicklung, or BMZ) told Spiegel. TVP World reports that the attacks began last week when the BMZ established the site and continued into yesterday.

Zimbra vulnerability exploited by Winter Vivern added to CISA's KEV.

Proofpoint's report last week on Winter Vivern (also known as TA473) described the Russian threat actor's exploitation of a Zimbra vulnerability, CVE-2022-27926 to gain access to Zimbra-hosted webmail portals from with the threat actor can gain access to NATO organizations involved with support for Ukraine. Winter Vivern impersonates Western organizations to conduct highly targeted, carefully prepared phishing operations against its targets. On Monday CISA, the US Cybersecurity and Infrastructure Secuirty Agency, added CVE-2022-27926 to its Known Exploited Vulnerabilities (KEV) Catalog. US Federal Civilian Executive Branch organizations have, under Binding Operational Directive 22-01, until April 24th to check their systems and secure them.

Surprises and lessons from Russia's hybrid war.

Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA) told the Washington Examiner that, surprising as it's been that Russia hasn't hit US targets harder to disrupt American support for Ukraine, Russia hasn't been idle in the cyberspace around Ukraine proper. "Frankly, I'm surprised that we have not seen attacks against critical infrastructure at home," Easterly said. Russia's relative restraint seems, she suggests, due to deterrence (Russia understands that the US would regard a major attack as "highly escalatory"). "I also think they've been very, very busy in Ukraine," she added. "Though we very much focus on the kinetic activity because it is so horrific, there's been a lot of cyber activity against [Ukraine's] critical infrastructure, civilian infrastructure."

The Council on Foreign Relations has an essay on a lesson that might be easily overlooked. In the essay, author Jason Healey argues that Ukrainian resilience in the face of Russian cyberattacks is evidence of the importance of soft power in cyber conflict. "Ukraine’s cyber defenses have been remarkably resilient," Healey writes. "There are multiple sources of this defensive strength, in particular the savvy, energy, and determination of Ukrainian cyber organizations, who have been adapting to Russian offensive campaigns since at least 2014, has been critical. Kyiv has also been backed by cyber defense assistance from the private sector and offensive and defensive cyber interventions by U.S. Cyber Command." He adds, "These advantages were driven in large part by the strength of Ukrainian soft power. Connections to allies, global tech firms, and networks of information security researchers allow states to mobilize defenses unavailable to others."

Anonymous Sudan’s KillNet connection.

Anonymous Sudan and KillNet (the Russian hacktivist auxiliary mainly focused on the War in Ukraine) earlier this year publicly announced that they were working together. Anonymous Sudan may even be a sub-organization of a larger Russian threat actor, as a February report from Trusec argued.

CYE yesterday published an update on Anonymous Sudan, which has recently achieved some notoriety recently amid suspicions of a connection to Russian intelligence services. “At this point, we have no hard evidence that can connect directly between the group to Russian official entities,” CYE writes. The CyberWire has seen some evidence of contact between Anonymous Sudan and Russia’s Killnet cyber auxiliary. KillNet’s Telegram page where, on March 25th, a picture was shared from the Anonymous Sudan’s webpage showing a planned schedule for attacks against named universities, airports, and hospitals in Australia. Anonymous Sudan’s activities don’t appear to be financially motivated. As CYE comments, “Anonymous Sudan cites geopolitical events that it perceives as anti-Muslim as the catalyst for its DDoS attacks.”

Anonymous Sudan, which claims to be the newest flavor of the online hacktivist group Anonymous, seems to have emerged early in 2023. Its connection, if any, to the larger (and notoriously loose) Anonymous hacktivist collective remains a matter of speculation. Trustwave wrote last week that Anonymous Sudan has “carried out a series of Distributed Denial of Service (DDoS) attacks against Swedish, Dutch, Australian, and German organizations.”