Ukraine at D+286: Phish or cut bait.
N2K, Dec 7, 2022

Russian and Chinese intelligence services make use of war-themed phishbait as Russian security organs work to shutter evasive and persistent independent access to information. And the Kremlin needs a primer on jus in bello, on the difference between terrorism and attacks against legitimate military targets.

Ukrainian drone strikes against Russian air bases and military fuel depots continued yesterday, and Russian President Putin convened a Security Council meeting to assess "domestic security," presumably to deliberate ways of shoring up defenses against further Ukrainian attacks against Russian rear areas, the Telegraph reports. Kremlin spokesman Dmitry Peskov said "necessary measures" were being taken to secure Russia against drone strikes that Mr. Peskov characterized as "terrorist acts." Accusations of terrorism are wayward and unfounded: the Ukrainian missiles (probably Soviet-era Tupolev Tu-141 Strizh reconnaissance drones repurposed for the land attack mission) struck military targets, a sharp contrast with Russian strikes against hospitals, dwellings, and commuter-filled roads.

"You can't tell the boss that."

"Russia has recently started extending defensive positions along its international border with Ukraine, and deep inside its Belgorod region. On 6 December 2022, the governor of Belgorod announced he was establishing local ‘self-defence units’," the UK's Ministry of Defence writes in this morning's situation report. "Trench digging has been reported in Belgorod since at least April 2022, but the new constructions are probably more elaborate systems, designed to rebuff mechanised assault." The reasons for the preparations are probably complex, ranging from the theatrical to the ill-informed. "There is a realistic possibility that the Russian authorities are promoting defensive preparations within internationally recognised Russian territory to burnish patriotic feeling. However, it probably illustrates some Russia decision-makers’ genuine (but false) belief that there is a credible threat of invasion by Ukrainian forces." This sort of misjudgment, the MoD thinks, has been a characteristic feature of Russian official thinking since before its invasion of Ukraine. "Paucity in strategic assessment is one of the critical weaknesses in the central Russian government architecture: as highlighted by Russia’s original decision to invade Ukraine. Impartial official analysis is almost certainly frequently undermined by a tendency toward group-think and politically expedient conclusions." That is, in the Kremlin, you probably tell the boss what the boss wants to hear. It's a problem that frequently impedes sound decision-making in authoritarian governments (and authoritarian organizations of all kinds).

Russian intelligence goes phishing.

The Record reports that a threat actor with links to Russia is running phishing campaigns impersonating US defense, aerospace, and logistics companies. Recorded Future’s Insikt Group tracks the activity as TAG-53, and sees its operation as overlapping a threat actor other researchers follow as the Callisto Group, COLDRIVER, and SEABORGIUM. One of the threat actor's principal goals appears to be credential harvesting. Recorded Future isn’t sure whether the impersonated entities are the specific targets of the operation, but the researchers note that most of these organizations “share a focus around industry verticals that would likely be of interest to Russia-nexus threat groups, especially in light of the war in Ukraine.” The companies being impersonated include US firm Global Ordnance, Polish defense company UMO Poland, the not-for-profit Commission for International Justice and Accountability (CIJA), US-based satellite communications company Blue Sky Network, logistics company DTGruelle, and Russia’s Ministry of Internal Affairs. Microsoft's research into (and disruption of) SEABORGIUM back in August concluded that the group's principal targets were NATO governments, military organizations, and think tanks, with Ukrainian organizations representing secondary targets. SEABORGIUM has been associated with Russia's SVR foreign intelligence service, and particularly with SVR disinformation efforts.

Mustang Panda uses Russia's war as phishbait.

Chinese-government cyberespionage actor Mustang Panda has been, BlackBerry reports, using documents with a Ukrainian-war theme as lures in a phishing campaign actively prospecting targets in Europe, the Middle East, Africa, South and East Asia, and Latin America. The sectors the threat group seems most interested in include "Mining, Education, Telecoms, Financial, CDN Companies, Internet Service Providers, Internet Security Firms, [and] Web Hosting Companies." BlackBerry characterizes the phishbait as "well-thought-out." The payload is usually a version of PlugX, sometimes with minor changes intended to help the malware evade detection.

Proton and Russian censorship.

Proton, best known for its secure email service, also offers a range of privacy-enhancing access solutions (including VPNs), and the company has drawn unusually close attention from Russian censors who regard it as a threat to their ability to control the Russian population's access to unfiltered information. The measures taken against Proton by Moscow's security organs run from blocking to the troll-posting of negative reviews of Proton's services. The New York Times has an account of the back-and-forth between Proton and the Kremlin, as the Swiss company works to keep its service accessible to Russian users.