Ukraine at D+133: Privateering during an "operational pause."
Jul 7, 2022

There's apparently an "operational pause" for reconstitution in Russia's Donbas offensive, but Russian privateering and influence operations pick up their pace.

This morning's situation report from the UK's Ministry of Defence (MoD) reports signs of reconstitution as Russian action against Donetsk includes much fire but little maneuver. "On 06 July 2022, heavy shelling continued along the Donetsk front line, but with few advances being made by Russia. Russian units involved in last week’s gains are now likely re-constituting." (Other sources agree, seeing this, according to the Telegraph, as an "operational pause" for reconstitution.) The MoD's daily report goes on to discuss Moscow's recent policy moves related to the war. "On 05 July 2022, a law proposed by the Russian government on ‘special economic measures’ passed its first reading in the Duma. The legislation is likely to be adopted and will give the authorities special powers over labour relations; the reactivation of mobilisation facilities; and to release assets from state reserves. The legislation is likely an attempt by the Kremlin to put into place economic measures to support the ‘special military operation’ without a formal declaration of state mobilisation, which remains politically sensitive. It also allows Russia to avoid acknowledging that it is engaged in a war or its failure to overcome Ukraine’s military that was outnumbered and outgunned."

Trickbot's privateering.

IBM's Security X-Force this morning published an account of the recent activity of Trickbot, the well-known Russian cybercriminal gang, and of its new interest in Ukraine. "Following ongoing research our team, IBM Security X-Force has uncovered evidence indicating that the Russia-based cybercriminal syndicate “Trickbot group” has been systematically attacking Ukraine since the Russian invasion — an unprecedented shift as the group had not previously targeted Ukraine." There's some overlap with other criminal gangs, including the perhaps retired but probably quietly returned Conti operation. "Between mid-April and mid-June of 2022 the Trickbot group, tracked by X-Force as ITG23 and also known as Wizard Spider, DEV-0193, and the Conti group, has conducted at least six campaigns — two of which have been discovered by X-Force — against Ukraine, during which they deployed IcedID, CobaltStrike, AnchorMail, and Meterpreter." Ukraine is no longer on a Near Abroad do-not-touch list. "Prior to the Russian invasion, ITG23 had not been known to target Ukraine, and much of the group’s malware was even configured to not execute on systems if the Ukrainian language was detected."

Thus Trickbot, hitherto known for its straightforwardly mercenary interest in banking Trojans and the like, appears to be a Russian privateer after all, an instrument of state power that's permitted to realize a profit from its operations. X-Force elaborates:

"The observed activities reported in this blog highlight a trend of this group choosing targets that align with Russian state interests against the backdrop of the ongoing conflict. In addition to an announcement by the Conti Ransomware group (which IBM tracks as part of ITG23) that they would act in support of Russian state interests at the beginning of the invasion of Ukraine, leaked chats between ITG23 members indicated that two senior individuals within the group had previously discussed in mid-April 2021 the targeting of entities that “work against the Russian Federation” and agreed that they were (Russian) “patriots.” Additionally, the Executive Director of Bellingcat claimed to have received a tip that a cybercriminal group was in communication with Russia’s Federal Security Service (FSB)."

The six campaigns X-Force has tracked show evidence of more precise targeting than Trickbot has typically shown, and that targeting aligns closely with Russian state interests. The payloads recently dropped against Ukrainian targets include CobaltStrike, Meterpreter, AnchorMail, the eponymous Trickbot, Emotet, IcedID, and "ITG23’s Tron, Hexa, or Forest crypters."

Establishing identity conditions for threat groups is notoriously difficult. They're protean, shifting, and their name is usually Legion. The Washington Post, for one, takes particular notice of some Conti veterans, either current gang members or alumni, who seem to be working for Trickbot.

Russian influence operations target France, Germany, Poland, and Turkey.

Russian influence operations are now concentrating, the Voice of America reports, citing research by Recorded Future, on opening fissures in NATO. Moscow's concentrating its efforts on what it perceives as high-payoff targets in France and Germany (whose governments are widely perceived as softer in their support for Ukraine than are NATO's more easterly members, like the Baltic states and Poland, and its non-Continental members, like the UK, Canada, and the US), Poland (which shares a border and a complicated history with Ukraine), and Turkey (which controls access to the Black Sea). The efforts are very much in the Russian style, entropic and aimed at confusion as opposed to persuasion.

Cozy Bear sighting.

CobaltStrike is often mentioned in dispatches as a penetration testing tool that threat actors frequently turn to malign use. Other such tools are also susceptible to abuse. Palo Alto Networks' Unit 42 reports that Cozy Bear, generally regarded as a unit of Russia's SVR, is deploying Brute Ratel C4, a pentesting tool in use since December 2020, in a range of cyberespionage campaigns. Unit 42 doesn't formally attribute the campaign to Cozy Bear or even Russia, but it does offer circumstantial evidence that points in that direction:

"This unique sample was packaged in a manner consistent with known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications. Specifically, this sample was packaged as a self-contained ISO. Included in the ISO was a Windows shortcut (LNK) file, a malicious payload DLL and a legitimate copy of Microsoft OneDrive Updater. Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking. However, while packaging techniques alone are not enough to definitively attribute this sample to APT29, these techniques demonstrate that users of the tool are now applying nation-state tradecraft to deploy BRc4."
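
A defender's view of the packaging Unit 42 describes, as an added example that is not from Unit 42 or the original article: a triage pass over image-load telemetry that scores a signed host loading an unsigned DLL from its own directory, and scores it higher when the host ran from a mounted disk image. The event schema, the file names, and the analyst-supplied set of mounted-image drive letters are all assumptions constructed for illustration.

```python
from ntpath import dirname, splitdrive  # Windows path rules on any OS

# Constructed image-load events. The field names are a hypothetical schema,
# not any product's; all file names are placeholders.
EVENTS = [
    {"process": r"E:\UpdaterCopy.exe", "process_signed": True,
     "loaded": r"E:\placeholder_payload.dll", "loaded_signed": False},
    {"process": r"E:\UpdaterCopy.exe", "process_signed": True,
     "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    {"process": r"C:\Program Files\Vendor\app.exe", "process_signed": True,
     "loaded": r"C:\Program Files\Vendor\helper.dll", "loaded_signed": True},
    {"process": r"C:\Users\u\Downloads\tool.exe", "process_signed": True,
     "loaded": r"C:\Users\u\Downloads\plugin.dll", "loaded_signed": False},
]


def score_event(ev, mounted_image_drives):
    """Score one image load: 0 = ignore, 1 = review, 2 = alert."""
    reasons = []
    same_dir = dirname(ev["process"]).lower() == dirname(ev["loaded"]).lower()
    if not same_dir or not ev["loaded"].lower().endswith(".dll"):
        return 0, reasons  # the DLL was not resolved from the application directory
    # A trusted, signed host pulling an unsigned dependency that sits beside it
    # is the core side-loading signal.
    if ev["process_signed"] and not ev["loaded_signed"]:
        reasons.append("signed host loaded unsigned DLL from its own directory")
    else:
        return 0, reasons
    # Running from a mounted disk image (ISO) matches the packaging described.
    if splitdrive(ev["process"])[0].upper() in mounted_image_drives:
        reasons.append("host executed from a mounted disk image")
    return len(reasons), reasons


def triage(events, mounted_image_drives):
    """Return scored findings, highest score first."""
    findings = []
    for ev in events:
        score, reasons = score_event(ev, mounted_image_drives)
        if score:
            findings.append((score, ev["process"], ev["loaded"], reasons))
    return sorted(findings, key=lambda f: -f[0])


if __name__ == "__main__":
    for score, proc, dll, reasons in triage(EVENTS, {"E:"}):
        print(score, proc, "->", dll, "|", "; ".join(reasons))
```

The score-1 case (a signed tool with an unsigned plugin in a downloads folder) is common in benign software, which is why the mounted-image condition is what raises a finding from review to alert.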

Sanctions and diplomacy: Mr. Lavrov goes to Bali.

The G20 are gathering in Indonesia for their summit, which will be, inter alia, Russian Foreign Minister Lavrov's first opportunity to meet a skeptical international audience since Russia invaded Ukraine. He prefaced his visit with some crocodile tears for a mutually beneficial international order, an order he called upon other nations to respect. But of course Russia's relationship status with the civilized world is complicated, as a dating site might put it. “The world is evolving in a complicated manner,” the Guardian quotes Mr. Lavrov as explaining. The international order he has in mind would seem to be one designed to advance the interests of regional hegemons. Mr. Lavrov's temporary friend of convenience (it's complicated), Chinese foreign ministry spokesperson Zhao Lijian, spoke more bluntly but along the same lines this week at a Beijing media availability, snorting that the “so-called rules-based international order is actually a family rule made by a handful of countries to serve the US self-interest,” which is one way of looking at it.

One of the lessons the US and UK think China is learning from Russia's war against Ukraine is the importance of preparing to ride out global economic sanctions. The Washington Post reports that US FBI Director Wray yesterday said, in the course of delivering a joint warning with his UK counterpart of Chinese economic espionage, that China “is drawing all sorts of lessons from what’s happening with Russia and its unprovoked invasion of Ukraine. And you should, too. We’ve seen China looking for ways to insulate their economy against potential sanctions, trying to cushion themselves from harm if they do anything to draw the ire of the international behavior. In our world, we call that kind of behavior a clue.”

Chinese APTs target Russian organizations in a cyberespionage effort.

SentinelLabs reports noticeably increased Chinese cyberespionage activity directed against Russian targets. In this, SentinelLabs independently confirms recent reports by Ukraine's CERT of Beijing's interest in its sometime friends in Moscow. (The relationship, again, is complicated.) "On June 22nd 2022, CERT-UA publicly released Alert #4860, which contains a collection of documents built with the Royal Road malicious document builder, themed around Russian government interests," the report says. "SentinelLabs has conducted further analysis of CERT-UA’s findings and has identified supplemental Chinese threat activity." And of course a de facto alliance or, better, collaboration of convenience against common adversaries in no way obviates the need for mutually suspicious partners to collect against one another. "China’s recent intelligence objectives against Russia can be observed in multiple campaigns following the invasion of Ukraine, such as Scarab, Mustang Panda, ‘Space Pirates’, and now the findings here. Our analysis indicates this is a separate Chinese campaign, but specific actor attribution is unclear at this time."

It's a phishing expedition. The report concludes, "We assess with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods – the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations. Overall, the objectives of these attacks appear espionage-related, but the broader context remains unavailable from our standpoint of external visibility."

NATO's rapid cyber response capability.

An Atlantic Council piece on last week's NATO summit in Madrid puts Russian cyber operations and the need to counter them in the context of larger Russian ambitions. "This is big," the essay says. "For anyone with even a passing interest in transatlantic security and foreign policy, this year’s NATO Strategic Concept is a must-read. Understanding the interrelated challenge to the international order, all thirty allies signed on to this document, which identifies not only Russia, but also China, as potential threats." It goes on to quote the summit's report:

“'Authoritarian actors,' the document writes, 'challenge our interests, values and democratic way of life. They are investing in sophisticated conventional, nuclear and missile capabilities, with little transparency or regard for international norms and commitments. Strategic competitors test our resilience and seek to exploit the openness, interconnectedness and digitalisation of our nations. They interfere in our democratic processes and institutions and target the security of our citizens through hybrid tactics, both directly and through proxies. They conduct malicious activities in cyberspace and space, promote disinformation campaigns, instrumentalise migration, manipulate energy supplies and employ economic coercion. These actors are also at the forefront of a deliberate effort to undermine multilateral norms and institutions and promote authoritarian models of governance.'”

And a project to develop an Alliance rapid cyber response capability is intended to address this challenge. Benny Czarny, Founder and CEO of OPSWAT, sent us some comments on the implications of NATO's plans:

“Globally, we have seen the increasing use of cyber warfare and nation-state attacks as a military strategy. Additionally, there have been increased geopolitical pressures from Russia on North Atlantic regions in response to its attacks on Ukraine, including cyberattacks. Earlier this spring, China and Russia 'announced' their alliance and conveyed the partnership has 'no limits,' hence why the west has been defining its response to the growing China-Russia threat.

"One impact of the NATO rapid cyber response initiative is increased military collaboration with industry (public-private partnership) and across member nations, improving threat detection and response capabilities. The increasing reliance on technology and expanded adoption of cyber in military strategies to disrupt, damage, or destroy critical infrastructure directly impacts a nation’s ability to defend itself. NATO’s extension from just threat detection to a rapid cyber response clears the path for offensive cyber strategies if necessary and offers a 360-degree approach to defense. 

"This NATO initiative is significant because it simply codifies member nations’ commitment to cyber responses, and offers broader collaboration across alliance nations to minimize damage, proactively 'hunt' threats, and potentially take offensive measures to minimize the impact of attacks. It also presents an expanded and unified front as a deterrent to attacks against member nations’ governments, businesses, and citizens.”