Ukraine at D+196: Counteroffensives, and cyber privateering.
Sep 8, 2022

Ukraine's counteroffensive gains ground in the north, around Kharkiv, and in the south, near Kherson. Belarus holds military exercises. Conti remnants continue to operate against Ukrainian targets, and their infrastructure comes in for some virtual counterfire.


Ukraine's counteroffensive retakes villages near Kharkiv.

The Telegraph puts Ukrainian gains in its surprise offensive around Kharkiv at about 400 square kilometers. Ukraine also claimed credit for August's strikes against Russian military installations in occupied Crimea, Reuters reports.

In the south, according to Ukrainian and US officials cited by CNN, the goal is to retake Kherson by the end of the year.

"In Kherson Oblast, Ukrainian brigades continue to conduct offensive operations," the UK's Ministry of Defence reported in this morning's summary. Bridges remain high-payoff targets. "Ukraine has probably destroyed a military pontoon bridge at Darivka, which Russian forces had deployed after the nearby road bridge was severely damaged. The Darivka crossing is one of the main routes between the northern and southern sectors of Russia’s military presence along the Dnipro river. Ukraine’s systematic precision targeting of vulnerable crossing points likely continues to impose pressure on Russian forces as they attempt to contain Ukrainian attacks: it slows their ability to deploy operational reserves and resupply materiel from the east."

Reuters reports that Belarus has begun military exercises in the vicinity of Brest. The field exercises will continue through next week; their training objective is to practice "liberating territory temporarily seized by the enemy." 

Zaporizhzhya remains under fire as fears of nuclear accident (or weapons use) continue.

The Ukrainian mayor of Zaporizhzhya has called upon remaining civilians to leave the area around the city's large nuclear facility. He cites continuing Russian bombardment and the risk of a nuclear accident as reasons to evacuate, NBC reports.

Ukraine's senior military officer warned that Russia's use of nuclear weapons in its war cannot be ruled out. The Washington Post quotes Valeriy Zaluzhnyi, writing in Ukrinform: “There is a direct threat of the use, under certain circumstances, of tactical nuclear weapons by the Russian Armed forces. It is also impossible to completely rule out the possibility of the direct involvement of the world’s leading countries in a ‘limited’ nuclear conflict, in which the prospect of World War III is already directly visible.”

Initial access broker repurposes Conti's old playbook for use against Ukraine.

Google's Threat Analysis Group (TAG) has discerned a pattern in Russia's war against Ukraine. "As the war in Ukraine continues, TAG is tracking an increasing number of financially motivated threat actors targeting Ukraine whose activities seem closely aligned with Russian government-backed attackers." Specifically, it's one threat actor, and its activities overlap with a group that CERT-UA tracks as UAC-0098. "Based on multiple indicators, TAG assesses some members of UAC-0098 are former members of the Conti cybercrime group repurposing their techniques to target Ukraine." Thus the pattern is a familiar one: Russia using criminal groups for cyber combat:

"UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks. The attacker has recently shifted their focus to targeting Ukrainian organizations, the Ukrainian government, and European humanitarian and non-profit organizations. TAG assesses UAC-0098 acted as an initial access broker for various ransomware groups including Quantum and Conti, a Russian cybercrime gang known as FIN12 / WIZARD SPIDER."

This threat actor has engaged in at least the following campaigns since Russia's war began:

  • Email phishing to deliver AnchorMail, a malicious payload that delivers the Anchor backdoor. Targets varied in this campaign, which ran from April through June, but the Ukrainian hospitality industry was prominently represented among them. This effort seemed to have both a political and a financial motivation.
  • Emails impersonating the National Cyber Police of Ukraine, urging the recipients to download an "update." This May effort also concentrated on Ukraine's hospitality sector.
  • The hospitality sector was also used to pivot to targets among European non-governmental organizations (NGOs). This effort, which also ran in May, used the “Stolen Images Evidence” malware distribution service.
  • In the second half of May, as support by StarLink and Microsoft for Ukraine became matters of general knowledge, the tactics shifted to impersonation of those two companies.
  • Near the end of May, Cobalt Strike was delivered by malicious documents built with EtterSilent; these targeted the Academy of Ukrainian Press (AUP).
  • Finally, in June, the group engaged in Follina exploitation. The phish hook was a notification of a tax-filing deadline that spoofed the State Tax Service of Ukraine.

In conclusion, Google TAG writes, "UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests." TAG also gives due credit to other researchers: its results are, TAG says, consistent with a report IBM published in July, and with earlier observations CERT-UA offered in April.

Tom Kellermann, CISM, Senior Vice President of Cyber Strategy at Contrast Security commented that close cooperation between criminal elements and the Russian state organs is not a new story, and the case of Conti is Exhibit A. “Conti has long enjoyed their perceived 'untouchable' status from western law enforcement due to the protection racket this Cybercartel has with the Glavnoye Razvedyvatelnoye Upravlenie (GRU -Russian: Chief Intelligence Office) and Komitet Gosudarstvennoy Bezopasnosti (FSB)," he wrote. "This alliance by design underscores the use of cyber proxies in geopolitical conflict. Conti’s recent engagement in the war illustrates not only their patriotism to Russia but their need to pay homage to the regime.”

Conti has nominally at least gone out of business, but the story of its fate and effects is more complicated. BleepingComputer offers a convenient rundown of the gang's post-occultation history:

"The Russian-based Conti gang launched a ransomware operation in 2020, taking the place of the Ryuk ransomware group. Over time, the gang grew into a cybercrime syndicate, taking over the development of multiple malware operations, including TrickBot and BazarBackdoor. A Ukrainian security researcher leaked over 170,000 internal chat conversations belonging to the gang, together with the source code for the Conti ransomware encryptor, after Conti sided with Russia following its invasion of Ukraine. While the group has since shut down the 'Conti' brand, the cybercrime syndicate continues to operate after splitting into smaller cells and infiltrating or taking over other ransomware or cybercrime operations. Some ransomware gangs infiltrated by Conti members include BlackCat, Hive, AvosLocker, Hello Kitty, and the recently revived Quantum operation. Other Conti members are now running their own data extortion operations that do not encrypt data, such as BlackByte, Karakurt, and the Bazarcall collective."

Other Conti remnants have attracted counterfire, perhaps from hacktivists, or criminal rivals, or security services. Servers the gang had used to distribute Cobalt Strike payloads have been subjected to distributed denial-of-service (DDoS) attacks that displayed anti-war, anti-Russian messages, including "Be a Russian patriot," "15,000+ dead Russian soldiers," "Stop Putin!" and "Stop the war!" BleepingComputer reports that the operators behind the DDoS campaign are unknown. "It is unclear who is behind these messages (it could be anyone from a security researcher, to law enforcement agencies, to a cybercriminal with a grudge for siding with Russia) but it looks like they’re keeping the threat actor busy."

Kyivstar as a case study in telco resiliency.

Kyivstar, the Ukrainian telecommunications provider that serves some 26 million customers, has come under both cyber and kinetic attack, and has had to cope with both hacking and shelling, POLITICO reports. As much as 30% of the company's infrastructure has been damaged, yet capacity has actually increased during the war. Kyivstar credits, in part, disruption of Russian offensive operations by groups like the IT Army of Ukraine. “Part of our success is because we are forcing Russians to defense,” Kyivstar CEO Oleksandr Komarov told the press, explaining that the IT Army is “creating this hassle on [the Russian] side, and it’s making them more weak because of this.”