Ukraine at D+530: Both sides in the war look for internal threats.
Aug 8, 2023

A missile and artillery war continues across a slowly changing front. Ukrainian hacktivist auxiliaries hit a Moscow bureau. An open-source RAT is deployed against Ukrainian government agencies by unknown actors. And sensor data from Chernobyl appears to have been manipulated, possibly in a cyber operation, last year.

As they have for months, Russian drone and missile strikes hit Ukrainian cities, killing civilians in the course of attacking nonmilitary targets. According to the AP, at least seven died Monday night in a strike against the eastern city of Pokrovsk. Two Iskander missiles hit an apartment block in the city center within forty minutes of one another. The timing led Ukraine to accuse Russia of seeking to kill rescue workers and first responders, the better to deter other such workers in future attacks.

An essay in the Telegraph argues that Ukrainian attacks against Russian Black Sea shipping may represent a deliberate threat to Russia's economy, which depends upon the export of oil, carried largely by tankers from ports like Novorossiysk.

Belarus has begun military exercises near its border with Poland and Lithuania, the AP reports.

Russia's National Guard is upgraded.

The UK's Ministry of Defence in this morning's situation report discusses the increased importance of the Russian National Guard in maintaining the security of the regime. "On 4 August 2023, President Putin signed into law a measure which will allow Rosgvardia, the Russian National Guard, to be equipped with heavy weaponry. A sprawling organisation of up to 200,000 frontline personnel, Rosgvardia was created in its modern form in 2016 and is led by Putin’s former bodyguard Viktor Zolotov. The decision to strengthen the force follows the abortive Wagner mutiny of June 2023.

"Despite Zolotov’s claim that his force performed ‘excellently’ during the mutiny, there is no evidence that Rosgvardia carried out any effective action against Wagner: exactly the sort of internal security threat it was designed to repress. With Zolotov previously suggesting that heavy equipment should include artillery and attack helicopters, the move suggests that the Kremlin is doubling down on resourcing Rosgvardia as one of the key organisations to ensure regime security."

Perceived weakness frays the Russian social contract.

Concerns about the possibility of disorder aren't idle or unmotivated. The Wagner Group mutiny, a long essay in Foreign Affairs argues, was "unprecedented," and is part of a shift in perception of the strength, effectiveness, and permanence of President Putin's regime. That regime is highly personalized, and the person of Vladimir Putin has been its linchpin. "In the wake of the rebellion, it has become much harder for the Kremlin to project an aura of unflappable control and political competence." While the Russian social contract has traded political and civil liberty for stability, that contract may be fraying as the war comes home in the form of high casualties, bad news from the front, and both drone strikes and diversionary raids inside Russia proper. "There are signs that Russians, despite their increased support for state institutions, are becoming much more ambivalent about the country’s authorities. They are beginning to doubt the ability of the political class to fulfill its responsibilities."

The dissatisfaction and fear troubling both ordinary Russians and the country's elites do not represent a liberalizing tendency, rather the opposite. Dissatisfaction is most prominent among the ultras, the hard-war nationalists, and their star seems to be in the ascendant. Should the regime be replaced or revised out of recognition, its successor is more likely to resemble a military dictatorship than a parliamentary democracy. As insecurity grows, popular fears of a disloyal fifth column have grown as well. (Ukraine also has its concerns with internal security, but those concerns tend to manifest themselves in conventional counterespionage operations, with some additional close and hostile attention to the Russian Orthodox Church.)

Russian elites, generally not only wealthier but also far better-informed than the population at large, are bound to the regime by more than nationalist sentiment. Foreign Affairs sees evidence that they see themselves as so complicit with the invasion that a Russian defeat is likely to prompt calls that they be brought to justice for crimes against peace and war crimes. Prosecution of such crimes before the International Criminal Court remains a real possibility, particularly in the event of a decisive Russian defeat. The US, which has not had a close relationship with the ICC, is now providing extensive support to the investigation of war crimes in conjunction with the Court.

Not explicitly mentioned in the Foreign Affairs piece or the British MoD's assessment is the further significance of upgrades to the National Guard. The Rosgvardia is not merely a deterrent to internal unrest. It also represents an alternative locus of military power, a rival and thus a potential check to the army.

Ukrainian hacktivist auxiliaries hit Russian websites.

Radio Free Europe | Radio Liberty reports that a Ukrainian hacktivist group calling itself "sudo RM-RF" claimed in its Telegram channel to have compromised the site of MosgorBTI, Moscow's property registration bureau. sudo RM-RF has been heard from before, surfacing in reports of a cyberattack against the Skolkovo Foundation in 2022. The group said that its goal was collection, specifically "information about state officials, politicians, military, and special services officers who support the Ukraine war." That information, sudo RM-RF said, "had been handed to Ukraine's defense forces." They also claimed to have destroyed data and "infrastructure." Their claims were made not only in Telegram, but on the MosgorBTI website sudo RM-RF defaced. (Some reports called the compromised site an "engineering service website," probably because the data MosgorBTI holds includes building plans and technical diagrams.)

Unidentified threat group deploys an open-source RAT against Ukrainian government sites.

UAC-0154, a threat group whose provenance and allegiance are unclear, the Record reports, has used the open-source tool MerlinAgent as the phish hook in a campaign against Ukrainian government sites. MerlinAgent is a post-exploit command-and-control tool, that is, a remote-access Trojan (RAT), intended for use in legitimate research and testing, but like many such products, it's a dual-use item. CERT-UA says that the typical phishbait in the current campaign has been a document named "INTERNAL CYBER THREAT.chm." The sender misrepresents itself as acting on behalf of CERT-UA, and uses the email address cert-ua@ukr [dot] net. The campaign seems to be cyberespionage, but attribution is unclear. MerlinAgent is widely available, and the threat actor, UAC-0154, hasn't been clearly associated with any government.

Radiation sensor reports from Chernobyl may have been manipulated.

Citing research by Ruben Santamarta, scheduled to be presented in full at Black Hat this Thursday, WIRED reports that radiation sensor data from the Chernobyl exclusion area may have been manipulated during the Russian Army's brief occupation of Chernobyl in February and March of 2022. The sensors showed troubling but inexplicable spikes in radiation levels. Those reports appear to have been bogus, the data possibly manipulated by a cyberattack. The published abstract of Santamarta's talk says, "Evidence confirms that the radiation levels depicted by a very specific set of real-time radiation maps, which during those days were consulted by millions of people and also consumed as a single source of information by media outlets and official entities, did not correspond to the actual physical conditions of the Chernobyl Exclusion Zone." If the data were indeed manipulated in a cyberattack, that's troubling: corruption of sensor data in industrial systems would represent a major safety issue for many sectors, and for the public at large.