Ukraine at D+384: Close combat and preparation for a long war.
N2K, Mar 15, 2023

Russia forces a US drone down in international airspace as the Duma takes steps to secure a continued supply of manpower. Ukraine's SSSCIP looks at Russia's cyber order of battle as Kyiv moves to regularize its own hacktivists.

Ukraine's president says the country is determined to continue to fight for Bakhmut as close combat continues in the city, Radio Free Europe | Radio Liberty reports.

A Russian Su-27 collides with a US MQ-9 drone.

A Russian Su-27 fighter yesterday collided with a US unarmed MQ-9 reconnaissance drone in international airspace over the Black Sea, damaging it enough that US controllers brought it down in international waters. The US Department of Defense described the Russian conduct as deliberate. "Several times before the collision, the Su-27s dumped fuel on, and flew in front of the MQ-9 in a reckless, environmentally unsound and unprofessional manner. This incident demonstrates a lack of competence in addition to being unsafe and unprofessional," said US Air Force Gen. James B. Hecker, commander, U.S. Air Forces Europe and Air Forces Africa. "This incident follows a pattern of dangerous actions by Russian pilots while interacting with U.S. and allied aircraft over international airspace, including over the Black Sea. These aggressive actions by Russian aircrew are dangerous and could lead to miscalculation and unintended escalation." The Telegraph reports that the US has summoned the Russian ambassador for an explanation.

Keeping manpower available.

Russian public officials and employees face tighter restrictions on foreign travel, according to the UK's Ministry of Defence. "Since the start of Russia’s invasion of Ukraine, Russian public officials and workers have been subject to increasingly severe foreign travel restrictions. Some officials have likely had to forfeit their passports to the Federal Security Service. Employees closer to the centre of power face more severe restrictions; Kremlin officials are banned from all international leisure travel. This is a widening of existing measures which date from the Soviet era. Travel restrictions were tightened after the Russian annexation of Crimea in 2014. The measures are likely designed to prevent the flight or defection of increasingly disaffected officials. There is a realistic possibility that as the securitisation of the Russian state continues, travel restrictions will be tightened for an increasing number of public sector employees."

In the Duma, the Moscow Times reports, legislation has been introduced by United Russia party member Andrei Kartapolov (a frequent guest on Russian state television) and two other deputies that would raise the upper age limit of conscription from the present 27 to 30. It would also gradually raise the minimum age of conscription over the next three years from 18 to 21, although 18-year-olds would remain eligible to volunteer.

SVR's APT29 used Polish state visit to the US as phishbait.

BlackBerry has been monitoring a campaign by Russia's SVR. "The new NOBELIUM campaign BlackBerry observed creates lures targeted at those with interest in the Ministry of Foreign Affairs of Poland’s recent visit to the U.S., and abuses the legitimate electronic system for official document exchange in the EU called LegisWrite. It partially overlaps with a previous campaign discovered by researchers in October 2022." ("Nobelium" is the name under which Microsoft and others track APT29, also known as Cozy Bear.) The campaign's objective appears to be cyberespionage, accomplished by penetration of European diplomatic organizations interested in aid to Ukraine. As BlackBerry notes, APT29's approach to gaining access to its targets involves routine phishing, but its actions on the objective, once it's in, are determined, clever, and persistent. "Its operators are known to be stealthy, extremely patient, and skilled in utilizing innovative intrusion techniques that abuse Microsoft technologies and services."

(Added, 2:00 PM ET, March 17th, 2023. We were in correspondence with Dmitry Bestuzhev, Most Distinguished Threat Researcher at BlackBerry, who expanded on their research. "Nobelium is a targeted attack group that relies on various tools or weapons to steal confidential target information. As an APT group, it seeks to stay undetected on a victim's machines as long as possible to collect more data," he wrote. "Exfiltrated information serves the threat actor behind it to keep informed and make better decisions in the real world, where geopolitics are involved. We should understand that APT attacks are a vehicle, in this case, a nation-state uses this to stay informed with the confidential information from the targets' side." There's also some camouflage involved. Bestuzhev added, "Nobelium also relies on legitimate, but compromised infrastructure for their C2s, such as the popular notepad application Notion. So, they’re hoping to hide their malicious network traffic and give it a benign guise – presumably learning from their mistakes of two years ago, to wipe out personal metadata that could identify them.")

Ukraine's SSSCIP reports on trends in Russian cyber activity.

The State Service of Special Communications and Information Protection of Ukraine reviews trends in Russian cyber activity and notes the continuing close connection between cyberattacks proper and influence operations. The report's introduction argues that Russian cyber offensives are conducted by what amounts to an established community. "Hackers, who attack Ukrainian civil, military and government organizations, as well as Russian hacktivists/cyber criminals, are real people, who live their lives, who have first and last names, who have families, who travel. They have bosses with their specific cultures and management approaches, they have old habits, favorite tools, and techniques they use to simplify their lives. In this report, we attempted to explain our observations of the human context."

The SSSCIP also emphasizes that the cyber phases of Russia's war have long held lessons for the larger world. "Since 2014, Ukraine has been a testing ground for Russia’s cyber capabilities, providing a possibility for others to observe and learn about their tactics, techniques, and procedures. We had many serious breaches that helped the world to better prepare for future attacks."

Temporary fluctuations aside, the FSB's Gamaredon remains the most "persistent" of the Russian threat groups. Episodic lulls in Gamaredon's activity last summer seem to have been due to a lower operational tempo during the reconnaissance phases of its campaigns. Gamaredon, however, is very far from being the only player, and a range of state groups and hacktivist auxiliaries have remained active throughout the war. (The GRU's Fancy Bear and the SVR's Cozy Bear, to take two other agencies, are also prominently mentioned in dispatches. Nor should their kid brother, Belarus's GhostWriter, be overlooked.) These groups organize their operations around general goals and themes, without much evidence of direct command and coordination. "Because of formal attribution complexity, we suggest that in Q3–Q4 2022, Russian government-related adversaries focused on pursuing a common set of priorities and not actively coordinating."

The SSSCIP sees Russia's cyber order of battle as significantly influenced by a range of constraints. "Russian government APTs are usually limited in resources/manpower. They can’t involve more people in the agency as there are trust limits and top IT cybersecurity talents who work for the commercial sector don’t want to work for the criminal government (in many cases resulting in their leaving the country). Government cyber agencies also have strict rules and serious limitations. Usually, such a unit comprises 5 to 10 hackers and 10 to 15 analysts. That’s why in 2022, they outsourced part of their targets to affiliated criminal and hacktivist organizations who supply raw data to them." The most prominent hacktivist auxiliaries include XakNet (UAC-0106), the CyberArmyofRussia (UAC-0107), Zarya (UAC-0109), and, of course, KillNet (UAC-0108).

Among the trends catching Bank Info Security's eye is a tendency for Russian intelligence and security services to present their activity under a false flag of ordinary criminal actions.

The SSSCIP's report concludes with a brief list of familiar best practices any organization can take to protect itself from Russian cyberattacks. Indeed, the recommendations are generally applicable, and would be useful against a range of threats.

Regularizing hacktivist auxiliaries.

Ukraine has also drawn hacktivists to its cause. Newsweek's Shaun Waterman has an account of how Ukraine's government is moving to bring the IT Army in particular toward status as a properly regulated cyber reserve. The article explains, "it appears that Ukraine's cyber reserve would effectively replace or absorb the loosely organized volunteers of the IT Army with a much more formal force, the core of which would be former conscripts, identified as technically adept during their post-high school compulsory military service and given special training with technical skills." The motivation for doing so would be to bring clarity to the volunteer hacktivists' status under international law, and to provide the sorts of controls over their activity that the laws of armed conflict suggest are appropriate. The IT Army itself welcomes the development. "We fully trust the efforts of the working group to legalize a massive fight in the cyber sector and welcome the moment when it will stop being the grey zone. We ... believe that the integration of the IT Army into the cyber reserve will help in building a more effective defense against cyber threats."

The closest model for the kind of reserve system Ukraine is establishing is found in Estonia. There, the Cyber Defense Unit forms part of the Estonian Defense League. "This is exactly the model we would like to see in Ukraine," Nataliya Tkachuk, Secretary of Ukraine's National Coordination Center for Cybersecurity, said. "We would like to see conscripts not only defend the country using their IT skills, but also acquire up-to-date and necessary knowledge in the field of cybersecurity and defense during their service."