Ukraine at D+173: OSINT for targeting; espionage and influence ops.
N2K, Aug 16, 2022

Ukrainian strikes are reported in Russian rear areas. Retaliatory Russian missile fire hits towns near the Belarusian border. Microsoft identifies and disrupts a Russian cyberespionage and influence operation.


Russia's Black Sea Fleet seems to have pulled in its horns, restricting its activities to coastal patrols off Crimea. This morning's situation report from the UK's Ministry of Defence draws some conclusions about how this will continue to limit Russian power projection along the Black Sea coast. "The surface vessels of Russia’s Black Sea Fleet continue to pursue an extremely defensive posture, with patrols generally limited to waters within sight of the Crimean coast. This contrasts with heightened Russian naval activity in other seas, as is typical for this time of year. The Black Sea Fleet continues to use long-range cruise missiles to support ground offensives but is currently struggling to exercise effective sea control. It has lost its flagship, MOSKVA; a significant portion of its naval aviation combat jets; & control of Snake Island. The Black Fleet’s currently limited effectiveness undermines Russia’s overall invasion strategy, in part because the amphibious threat to Odesa has now been largely neutralised. This means Ukraine can divert resources to press Russian ground forces elsewhere." (It not only limits amphibious threats, but also seaborne resupply of Russian forces in the southern portions of Ukraine.)

More strikes hit Russian command posts and rear areas; Russia retaliates against Ukrainian towns in Zhytomyr.

A large ammunition storage facility in Russian-occupied Crimea was largely destroyed in a series of explosions, Reuters reports, and there was comparable damage at an airbase on the occupied peninsula as well. The Guardian summarizes this morning's action in Crimea. "The attacks on Russian-occupied Crimea appear to be escalating. The first took place at an ammunition depot near Dzhankoi in the north, damaging a railway station and wounding two. Next, there were reports of an explosion about 58 miles (93km) south in Simferopol. Now, there are reports of explosions and black smoke at a military airbase in Gvardeyskoye, near the middle of the region."

Ukrainian officials haven't directly claimed credit for the strikes (which Russia denounced as "sabotage"), but their applause, as quoted by Reuters, leaves little doubt as to the origin of the attacks. "Operation 'demilitarisation' in the precise style of the Armed Forces of Ukraine will continue until the complete de-occupation of Ukraine's territories. Our soldiers are the best sponsors of a good mood," Ukrainian presidential chief of staff Andriy Yermak posted to Telegram. "Demilitarisation," of course, has been one of Russia's often-repeated justifications for its "special military operation."

In Luhansk, the Guardian reports that a Ukrainian strike hit the Popasna headquarters of the Wagner Group, the private military company that's been providing frontline manpower to Russian forces while regular formations undergo reconstitution. The headquarters' location is thought, Ukrainska Pravda says, to have been compromised by imagery posted in Russian television news reports on the fighting: puff pieces that appear to have had lethal effect. The Telegraph quotes local Ukrainian officials who estimate Russian casualties from the HIMARS strike at about a hundred. There are rumors, widely circulated but unconfirmed, that Wagner Group boss Yevgeny Prigozhin was killed in the strike, but those rumors are so consistent with wishful thinking on the part of Ukraine and its sympathizers that they should be treated with a degree of skepticism. The Telegraph has an account of the Russian media posts that apparently gave away the headquarters' location:

"The attack came a few days after a pro-Kremlin journalist published several photos from a secret base, writing on his social media: 'I arrived in Popasna. Went to Wagner’s HQ. They greeted me like family, told me a few funny stories.'

"The Russian reporter also posted a few photos that revealed the exact location of the base.

"In one of them, Russian mercenaries were seen standing next to a building with shattered windows. The address was visible on a plaque near the front door.

"In another picture, Mr Prigozhin was seen shaking the hand of a uniformed man."

Other strikes have occurred within Russia proper. The Kyiv Independent, citing Russian media reports, says that a freight railway line in Kursk oblast was hit this morning. It tweeted, "Unidentified individuals in Russia's Kursk Oblast on Aug. 16 blew up a part of a railway only used for freight trains, Russian media Baza reported." Kursk lies northeast of Kyiv and north of Kharkiv, well inside Russian territory.

Russia has retaliated with missile strikes against Ukrainian towns near Belarus. Journalist Olga Tokariuk tweeted this morning, "All Ukraine under an air raid alert now. Explosions as a result of missile strikes reported in the northern Zhytomyr region, bordering Belarus. In the last days, Russia brought a lot of equipment and weapons to Belarusian airfields with a plan to launch more missiles on Ukraine."

Microsoft identifies and disrupts Russian cyberespionage activity.

Microsoft yesterday outlined recent activity of the Russian government threat actor Redmond calls "SEABORGIUM." The company's report begins, "The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM, an actor Microsoft has tracked since 2017. SEABORGIUM is a threat actor that originates from Russia, with objectives and victimology that align closely with Russian state interests. Its campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft."

As is typically the case, different researchers track this (and possibly other, related activities) by different names. "SEABORGIUM overlaps with the threat groups tracked as Callisto Group (F-Secure), TA446 (Proofpoint) and COLDRIVER (Google). Security Service of Ukraine (SSU) has associated Callisto with Gamaredon Group (tracked by Microsoft as ACTINIUM); however, MSTIC has not observed technical intrusion links to support the association."

The group's targets have been found for the most part in the US, the UK, and other NATO allies who support Ukraine during the present war. “SEABORGIUM primarily targets NATO countries, particularly the US and the UK, with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe," the report says. “Such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia, and organizations involved in supporting roles for the war in Ukraine.”

The group gains access through social engineering: phishing campaigns that have targeted both organizations and specific individuals. Microsoft does not rule out that some elements of the group have ties to criminal or other non-state ecosystems, but it assesses the operation's motives as espionage and influence rather than financial gain. "SEABORGIUM intrusions have also been linked to hack-and-leak campaigns, where stolen and leaked data is used to shape narratives in targeted countries. While we cannot rule out that supporting elements of the group may have current or prior affiliations with criminal or other nonstate ecosystems, MSTIC assesses that information collected during SEABORGIUM intrusions likely supports traditional espionage objectives and information operations as opposed to financial motivations."

SEABORGIUM's contribution to disinformation and information operations is interesting. "In late May 2022, Reuters along with Google TAG disclosed details about an information operation, specifically using hack and leak, that they attributed to COLDRIVER/SEABORGIUM. Microsoft independently linked SEABORGIUM to the campaign through technical indicators and agrees with the assessment by TAG on the actor responsible for the operation. In the said operation, the actors leaked emails/documents from 2018 to 2022, allegedly stolen from consumer Protonmail accounts belonging to high-level proponents of Brexit, to build a narrative that the participants were planning a coup. The narrative was amplified using social media and through specific politically themed media sources that garnered quite a bit of reach."

Microsoft's report includes a caution against spreading the narratives that it links to the threat group. "While we have only observed two cases of direct involvement, MSTIC is not able to rule out that SEABORGIUM’s intrusion operations have yielded data used through other information outlets. As with any information operation, Microsoft urges caution in distributing or amplifying direct narratives, and urges readers to be critical that the malicious actors could have intentionally inserted misinformation or disinformation to assist their narrative. With this in mind, Microsoft will not be releasing the specific domain or content to avoid amplification."

What has Microsoft done to disrupt SEABORGIUM? "As an outcome of these service abuse investigations, MSTIC partnered with abuse teams in Microsoft to disable accounts used by the actor for reconnaissance, phishing, and email collection. Microsoft Defender SmartScreen has also implemented detections against the phishing domains represented in SEABORGIUM’s activities."