Ukraine at D+634: FSB's LitterDrifter.
Nov 20, 2023

Privateers and hacktivist auxiliaries hit targets of opportunity connected with strategic objectives. Ukraine investigates cyber operations in support of alleged war crimes. Dissent and repression inside Russia.

Ukraine claims to have established bridgeheads over the Dnipro River in Kherson Oblast from which it is pushing Russian forces out of artillery range of the river's west bank. The bridgeheads are now, the Telegraph reports, citing Ukrainian sources, some five miles deep. A bridgehead, formally, is more than a foothold: it's ground taken and held that's large enough to support sustained operations across a major water obstacle, like a river. This is a significant advance, far more than the raids Ukraine has acknowledged for some weeks. Russian pro-war milbloggers continue to offer a moderately pessimistic view of the situation: late autumn rains and their attendant mud are making it difficult for armored vehicles to maneuver. While Ukraine makes modest progress against Russian lines, Russian forces aren't succeeding in their assaults against prepared Ukrainian positions around Avdiivka.

The Institute for the Study of War (ISW) reported that Russian drone strikes continued through the end of last week, with Iranian-built Shahed drones used against infrastructure targets across Ukraine. Ukrainian air defenses shot down twenty-nine of the thirty-eight Shaheds launched on Friday and Saturday. Those that got through hit facilities in the Odesa and Cherniv oblasts. Russian milbloggers claimed successes against "an oil depot in Altestove, Odesa Oblast, the Starokostyantyniv airfield in Khmelnytskyi Oblast, and Kyiv City, Kyiv Oblast."

The UK's Ministry of Defence (MoD) Saturday described heavy fighting "on the Kupiansk axis, in Luhansk Oblast; around Avdiivka in Donetsk Oblast; and on the left bank of the Dnipro river in Kherson Oblast." There's been no substantial progress by either side. "Russia continues to suffer particularly heavy casualties around Avdiivka. Eyewitness reports suggest small uncrewed aerial vehicles and artillery (especially cluster rounds) continue to play a major role in disrupting the attacks of both sides." The MoD expects the onset of winter to render major advances by either side unlikely.

Dissent and repression.

The UK's MoD this morning assessed the state of dissent inside Russia. "On 7 November 2023, wives of deployed Russian soldiers conducted what was probably the first public street protest in Moscow since the invasion of Ukraine. The protestors gathered in the central Teatralnya Square and unfurled banners demanding the rotation of their partners away from the frontline. Since February 2022, social media has provided daily examples of Russian wives and mothers making online appeals protesting against the conditions of their loved ones’ service." For now, repression seems to have the upper hand, but the example of Soviet-era dissent over the war in Afghanistan suggests the future of dissent may be complicated. "However, Russia’s draconian legislation has so far prevented troops’ relatives from coalescing into an influential lobbying force, as soldiers’ mothers did during the Afghan-Soviet War of the 1980s. Police broke up the Teatralnya Square protest within minutes. However, the protestors’ immediate demand is notable. The apparently indefinitely extended combat deployments of personnel without rotation is increasingly seen as unsustainable by both the troops themselves and by their relatives."

The FSB deploys LitterDrifter in cyberespionage against Ukraine.

Gamaredon (also called Shuckworm, Actinium, and Primitive Bear) is a Russian threat group whose members Ukraine's SSU has identified as FSB officers working from occupied Crimea. It has a long-standing interest in Ukrainian targets, and that remains its focus, but it has also begun to show up globally, in operations against the US, Vietnam, Chile, Poland, Germany, and Hong Kong. The group is deploying a new worm written in VBScript, "LitterDrifter," which spreads through infected USB drives, establishes persistence on affected systems, and communicates with a flexible command-and-control infrastructure. Most of the LitterDrifter infections observed have been on Ukrainian systems, and its appearance in other countries is most likely a secondary effect of its worm functionality. As Check Point observes, worms can and do spread beyond their initial targets, and that may well be the case here: a USB-borne worm goes wherever the drive goes, so organizations with no conceivable interest to the FSB can still pick it up. LitterDrifter isn't particularly advanced or sophisticated, but it's well constructed and effectively deployed. This is consistent with the FSB's record of deploying attacks that are good enough: the security service is interested in effects, not art.
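The two traits the report attributes to LitterDrifter, spread over removable media and persistence on the host, are also the two that a defender can hunt for without any sample-specific indicator. The script below is an added example written for this brief; it is not code from the article, from Check Point, or from the malware. It does two generic things: it lists every VBScript file on a (constructed) removable-drive layout, matching the extension case-insensitively, and it parses a constructed .reg export of a user Run key to flag values that launch a Windows Script Host (wscript.exe or cscript.exe) or name a .vbs file. The value names, paths, and file names are invented samples, not LitterDrifter indicators; a real hunt would replace them with an export of the live Run keys and the actual drive root.

```python
# Added example, not code from the article or from the reporting it summarises.
# It hunts for the two generic traits the text attributes to LitterDrifter:
# VBScript files sitting on a removable drive, and a Run-key entry that launches
# a Windows script host. Every path, value name and file below is a constructed
# sample; none is a LitterDrifter indicator.
import os
import re
import tempfile
from pathlib import Path

# Windows Script Host binaries that execute .vbs files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}

# Constructed .reg export of HKCU\...\Run: one benign program, one script-host
# launcher with a .vbs argument, one plain document shortcut.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SysHelper"="wscript.exe //e:VBScript //b \"C:\\Users\\alice\\AppData\\Roaming\\syshelper.vbs\""
"Notes"="\"C:\\Users\\alice\\Documents\\notes.txt\""
'''

# A REG_SZ value line: "name"="data", with backslash-escaped quotes and
# backslashes inside the data.
_REG_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape_reg(data):
    # Undo .reg escaping (backslash-quote and backslash-backslash) in one pass.
    return re.sub(r"\\(.)", r"\1", data)


def flag_persistence_entries(reg_export_text):
    """Return the value names whose command runs a script host or a .vbs file."""
    flagged = []
    for line in reg_export_text.splitlines():
        m = _REG_VALUE_RE.match(line.strip())
        if not m:
            continue
        name, cmd = m.group(1), _unescape_reg(m.group(2)).lower()
        tokens = cmd.split()
        # Basename of the first token, whether quoted, path-qualified or bare.
        program = re.split(r"[\\/]", tokens[0].strip('"'))[-1] if tokens else ""
        # Either an explicit script host, or a .vbs launched through the default
        # file association (which also ends up in wscript.exe).
        if program in SCRIPT_HOSTS or ".vbs" in cmd:
            flagged.append(name)
    return flagged


def build_sample_usb_root():
    """Create a constructed removable-drive layout in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "Reports").mkdir()
    (root / "Reports" / "q3_summary.docx").write_bytes(b"PK\x03\x04")
    # Mixed-case extension: a scan that compares case-sensitively misses it.
    (root / "Reports" / "q3_summary.VBS").write_text("' constructed sample, no payload\n")
    (root / "System Volume Information").mkdir()
    (root / "System Volume Information" / "cache.vbs").write_text("' constructed sample\n")
    (root / "holiday.txt").write_text("photos\n")
    return str(root)


def scan_removable_root(root):
    """Return root-relative paths of every .vbs file, matched case-insensitively."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".vbs"):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


if __name__ == "__main__":
    print("Run-key entries to review:", flag_persistence_entries(SAMPLE_REG_EXPORT))
    sample = build_sample_usb_root()
    print("VBScript files on drive:", scan_removable_root(sample))
```

Two design points matter more than the code. The extension match is case-insensitive because NTFS and FAT are, so `q3_summary.VBS` runs exactly as `.vbs` would; and the Run-key check looks at the program being launched rather than at any file name, since a persistence value that invokes `wscript.exe` with `//b` (batch mode, no dialogs) is worth a look regardless of what the script is called. On a live host, export the Run keys with `reg export` and point the scanner at the mounted drive letter.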

Russian security firm says China and North Korea are the source of most cyberattacks against Russia.

Solar, a Russian cybersecurity firm wholly owned by Rostelecom, Russia's largest digital services provider, said at SOC Forum 2023 in Moscow last week that most of the cyberattacks hitting Russia originated from China and North Korea. The cyberattacks are not, as one might have expected, financially motivated crime from an imperfectly controlled underworld. The Record reports that Solar said the incidents represent cyberespionage, the work of advanced persistent threats working to collect data from the telecommunications and government services sectors.

It's surprising to see China and North Korea identified as the principal current cyber threats to Russia. Moscow is assiduously courting Beijing's and Pyongyang's support for the war against Ukraine. Russian diplomacy has obtained tepid support from China, and much more enthusiastic approval (with the promise of large shipments of ammunition) from North Korea. Solar is not an immediate agency of the state, but it, like other Russian companies, exists at the sufferance of the central government. Russian enterprises can generally be expected to align themselves with the state's narratives.

Solar's report contrasted sharply with the familiar government line enunciated at the conference by Pyotr Belov, deputy head of Russia's National Coordination Center for Computer Incidents (NCCCI). Mr. Belov described the principal threat as emanating from the same Western countries that are supporting and supplying Ukraine. The intelligence services of those countries, he said, "are also actively involved in coordinating the activities of hackers" who "carry out continuous attacks on Russian information infrastructure."

Privateers and auxiliaries engage targets of opportunity.

LockBit, the well-known ransomware gang that operates with Russian permission and effectively as a Russian privateer, claims to have compromised networks at Belgium's Sabena Engineering, a company involved in supplying F-16s to Ukraine's air force. The Telegraph reports that LockBit has threatened to release sensitive data taken in the attack if their ransom isn't paid by November 26th. Sabena says it's investigating the incident, and that it's confident that, whatever it finds, flight safety will be unaffected.

Ukrainian hacktivist auxiliaries, which have tended to work closely with their country's intelligence services, have maintained pressure on Russian corporations. Urimuri quotes a representative of the Cyber.Anarchy.Squad who explains that their targeting principles are simple: they'll go after whatever targets of opportunity present themselves. “My colleagues and I work on the principle: ‘If something can be hacked, then it must be hacked.’ We believe in targeting everything that is accessible, especially if it is significant in defeating the enemy.” Many of the auxiliaries see their efforts as part of a larger effort to hobble the Russian war economy, which remains under stress from sanctions and partial mobilization.

Alleged war crimes include cybercrimes.

Ukrainian investigators say, POLITICO reports, that they've collected evidence of about 109,000 Russian war crimes. The great majority fall into familiar categories of violations of the laws of armed conflict--mistreatment of prisoners and civilians, massacres of noncombatants, and so on--but some of them represent novel crimes allegedly committed in cyberspace. The cybercrimes are largely connected with kinetic war crimes: cyber operations in support of other war crimes, especially attacks against prohibited targets.