Ukraine at D+252: Retreat across the Dnipro?
Nov 3, 2022

Russian sources in Kherson say that Russian forces plan to withdraw east, back across the Dnipro River, but Ukraine views the statement with caution. Russian officials chide the US for lack of cooperation in cyberspace. The RomCom cybercriminal group looks more like a unit controlled by a Russian intelligence service.

Ukraine at D+252: Retreat across the Dnipro?

Reuters reports that Kherson's quisling governor has said that Russian forces intend to withdraw back east, across the Dnipro River. "Most likely our units, our soldiers, will leave for the left (eastern) bank," Kirill Stremousov, the Russian-installed deputy civilian administrator of Kherson, said in an interview carried on the propaganda outlet Solovyov Live. Ukrainian officials reacted cautiously, and are wary of a ruse designed to lure Ukrainian forces into a Cannae, an envelopment trap. Should Russia withdraw east of the Dnipro, that would represent a major concession of territory and dramatic retrenchment into more defensible positions.

Russia continues to lose armored vehicles at a high rate.

Obsolescent armored vehicles replacing losses are proving a problem for the Russian army, the UK's Ministry of Defence reports this morning. "Russian soldiers serving in Ukraine are likely frustrated that they are forced to serve in old infantry combat vehicles which they describe as aluminium cans. In mid-October, in the face of Ukrainian offensives, Russian armoured vehicles losses increased to over 40 a day: roughly equivalent to a battalion’s worth of equipment. In recent weeks Russia has likely resorted to acquiring at least 100 additional tanks and infantry fighting vehicles from Belarussian stocks. Armoured units and artillery are central to Russia’s way of war; the force in Ukraine is now struggling partially due to difficulties in sourcing both artillery ammunition and sufficient serviceable replacement armoured vehicles."

IAEA finds no evidence of Ukrainian dirty bomb.

Deutsche Welle reports that the International Atomic Energy Agency (IAEA) has found no evidence of Ukrainian work on a radiological weapon, the "dirty bomb" Russia had warned the world that Ukraine had under preparation. The IAEA inspected three locations allegedly associated with a dirty bomb. "Our technical and scientific evaluation of the results we have so far did not show any sign of undeclared nuclear activities and materials at these three locations," IAEA Director General Rafael Mariano Grossi said. "Additionally, we will report on the results of the environmental sampling as soon as possible."

Russia had also revived earlier charges that Ukraine was developing, or already had in its possession, biological weapons (for waging "germ warfare"). The UN Security Council yesterday rejected a Russian resolution that would have established a commission to investigate Ukraine's compliance with biological warfare conventions. US Ambassador Linda Thomas-Greenfield explained, the Telegraph reports, that "'The US voted against this resolution because it is based on disinformation, dishonesty, bad faith and a total lack of respect' for the Security Council." The Telegraph adds, "Deputy Russian ambassador Dmitry Polyanskiy regretted the outcome of the vote, saying: 'Western countries demonstrated in every way that the law does not apply to them.'"

Russia regrets US lack of cooperation in cyberspace.

Newsweek interviewed Artur Lyukmanov, Acting Director of Russia's Department of International Information Security, on Russia's views concerning international norms for the use of information communication technologies (ICTs). "Russia insists on the principles of justice, sovereign equality of states, non-interference in internal affairs and peaceful settlement of conflicts. These are the principles of the U.N. Charter," he said. In practice this has meant central Russian control over information--"sovereign equality" and "non-interference in internal affairs" mean Russia's ability to control the information its population receives. He went on to argue that international norms in cyberspace should involve joint inquiry into cyber incidents. "We are striving to reach such an understanding that governments and their competent agencies could directly investigate cyberincidents putting aside unsubstantiated assessments." A demand to show us the evidence has long been the customary Russian response to accusations of misbehavior. "Ideally, ICTs should be used for their intended purpose—as a means of communication, storage and transfer of useful and creative knowledge—for development, not destruction." Failure to reach an accommodation over such norms is all too likely, he said, to result in mutual destruction.

Russophone gang increases activity against Ukrainian targets.

BlackBerry describes the recent activity of RomCom, a threat actor that presents itself as a financially motivated criminal organization, but which is more likely to represent a group acting on behalf of the Russian government. BlackBerry had earlier noted the group's use of spoofed versions of "Advanced IP Scanner" to hit Ukrainian military targets. The company's researchers have since found that RomCom has expanded its operations to exploit the brands of SolarWinds Network Performance Monitor, KeePass Open-Source Password Manager, and PDF Reader Pro.

"In preparation for an attack, the RomCom threat actor performs the following simplified scheme: scraping the original legitimate HTML code from the vendor to spoof, registering a malicious domain similar to the legitimate one, Trojanizing a legitimate application, uploading a malicious bundle to the decoy website, deploying targeted phishing emails to the victims, or in some instances, using additional infector vectors," BlackBerry explains.

So far Ukraine has been the primary target of the latest RomCom campaign, but there are signs pointing to some targeting of Anglophone countries, especially the United Kingdom. "RomCom RAT, Cuba Ransomware, and Industrial Spy have an apparent connection. Industrial Spy is a relatively new ransomware group that emerged in April 2022," BlackBerry concludes. While RomCom has sought to cloak itself in crime, the group seems to be working under the direction of a hostile intelligence service. "However, given the targets' geography and characteristics, combined with the current geopolitical situation, it's unclear if the real motivation of the RomCom threat actor is purely cybercriminal in nature." BlackBerry doesn't go this far, but it's difficult to resist the inference that RomCom is working for the Russian organs.
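The scheme BlackBerry describes depends on registering a domain similar to the legitimate vendor's, which defenders can watch for in DNS or proxy logs. The following is an added example, not code from BlackBerry or from this article: the brand keywords are derived from the product names listed above, while the digit-swap mapping, the allowlist entry and every `.example` domain are constructed placeholders.

```python
import re

# Brand keywords derived from the product names the article lists as spoofed.
BRANDS = ["advancedipscanner", "solarwinds", "keepass", "pdfreaderpro"]
# Digit-for-letter swaps commonly used in lookalike names (assumed mapping).
SWAPS = str.maketrans("013", "ole")

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(label):
    """Lower-case, undo digit swaps, drop hyphens and remaining digits."""
    return re.sub(r"[^a-z]", "", label.lower().translate(SWAPS))

def lookalike_brand(domain, allowlist):
    """Return the brand a domain imitates, or None if allowlisted or unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in allowlist:
        return None
    for label in domain.split(".")[:-1]:      # every label except the TLD
        norm = normalise(label)
        for brand in BRANDS:
            if brand in norm:                  # brand embedded in a longer label
                return brand
            if abs(len(norm) - len(brand)) <= 2 and edit_distance(norm, brand) <= 2:
                return brand                   # near miss such as a dropped letter
    return None

def flag_domains(domains, allowlist):
    """Map each suspicious domain to the brand it resembles."""
    hits = {}
    for d in domains:
        brand = lookalike_brand(d, allowlist)
        if brand:
            hits[d] = brand
    return hits

# Constructed sample data: .example names stand in for real log entries.
ALLOWLIST = {"keepass.example"}   # placeholder for the vendor's genuine site
OBSERVED = ["keepass.example", "keepas.example", "s0larwinds-update.example",
            "pdf-reader-pro.download.example", "advanced1pscanner.example",
            "weather.example"]

if __name__ == "__main__":
    for name, brand in flag_domains(OBSERVED, ALLOWLIST).items():
        print(f"{name}: resembles {brand}")
```

The allowlist is matched exactly, so genuine vendor subdomains need their own entries, and a two-edit threshold will occasionally flag unrelated short names that should be triaged rather than blocked outright.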