Ukraine at D+648: Cyberespionage from your besties?
The CyberWire | Dec 4, 2023

Ukraine's SSSCIP gets a new chief, and Russian defense industries are targeted by foreign intelligence services. Who those services might be is unknown, but circumstantially they look a little like people from Shanghai or Pyongyang.


Ukrainian President Volodymyr Zelensky and Ukrainian Commander-in-Chief General Valerii Zaluzhnyi said on Thursday that Ukrainian forces intend to strengthen their fortifications in all critical sectors, the Institute for the Study of War (ISW) reports. These include the Kupyansk-Lyman line, oblasts in northern and western Ukraine, the Kherson Oblast, and especially the Avdiivka and Marinka regions and other areas of Donetsk Oblast.

Deep in the Russian rear area, Ukraine's GUR sabotaged a second train along the Siberian rail line connecting Russia with China.

Bad weather over the weekend continued to impede both sides' operations along the whole front. Ukrainian sources say the weather hasn't affected Russian artillery fire, but, oddly, Russian milbloggers are writing that high winds are preventing Russian forces from firing artillery. This is difficult to credit, since artillery is as close to an all-weather weapon as anything in any army's inventory, so either the milbloggers don't know what they're talking about, or there are some deep and curious problems with Russian gunnery.

Russian milbloggers continue to complain of command mismanagement at the front. They're also showing a new awareness of the OPSEC challenges posed by soldiers with smartphones. As the ISW describes a representative post, "One Russian milblogger responded to this post and claimed that neither warnings nor 'detailed lectures' on the dangers of using WhatsApp and SMS systems in combat areas appear to affect Russian soldiers’ communication habits." (In fairness to the Russian army, even better trained and disciplined forces struggle with this new security problem. But the problem seems particularly acute for an army that's short of effective noncommissioned officers.)

Overcoming air defense systems.

Conventional close support aviation has for the most part been a non-factor in the war so far, as both sides have relied on drones. On Sunday the UK's Ministry of Defence (MoD) discussed the challenges air defense systems have posed for both sides' air forces. "The efforts of both Russia and Ukraine to overcome their adversary’s ground-based air defence systems continue to be one of the most important contests of the war. On the Russian side, the SA-15 Tor short-range surface-to-air missile system (SAM) is playing a critical and largely effective role. With a maximum range of 15 km, the SA-15 is operated by the Russian army air defence units and is designed to protect the front line of ground troops. This is in contrast with other short-range systems, such as SA-22 Pantsir, which are operated by Russian Aerospace Forces and typically protects command nodes, longer range SAMs, and air bases. Effectively acting as the front line of Russia’s elaborate air defence network in Ukraine, the SA-15 is currently particularly utilised to counter Ukrainian uncrewed aerial vehicle operations. One of the key limitations of the system in the current war is likely the endurance of its crew. With an established allocation of only three personnel to each system, maintaining a high state of alert for extended periods is highly likely proving an extreme test of endurance."

President Putin's decree on troop strength.

Russian President Vladimir Putin signed a decree on December 1 increasing the official end strength of the Russian military from 2.039 million personnel to 2.209 million personnel and total Russian combat personnel from 1.15 million to 1.32 million. Moscow represented the increase as a response to the ongoing Ukrainian threat, but the decree may represent more accounting drill than an increased mobilization. It represents an increase of 170,000 Russian combat personnel over the President's August 25th decree, but it seems to be a formal statement of actual increases as opposed to a directive for immediate further mobilization. The ISW explains: "Ongoing widespread crypto-mobilization efforts (such as volunteer recruitment and the coercion of migrants into the Russian military), partial mobilization, the number of Russian personnel concluding military service, and Russian casualties in Ukraine plausibly account for a net 170,000-combat personnel increase between August 25, 2022, and December 1, 2023."

NATO estimates that Russian forces have 300,000 casualties (killed and wounded personnel) in Ukraine since the start of Russia’s full-scale invasion of Ukraine in February 2022. Putin’s December 1, 2023 decree is thus likely establishing 2.209 million personnel as the new official end strength rather than ordering a significant new increase in the total size of the Russian military.

The UK's MoD elaborated on the casualty estimates this morning. "Between 24 February 2022 and November 2023, official Russian MoD forces likely suffered between 180,000 and 240,000 personnel wounded and approximately 50,000 killed. Wagner Group mercenaries likely suffered approximately 40,000 wounded and 20,000 killed. Therefore, overall, the Russian side has likely suffered around 220,000-280,000 wounded and approximately 70,000 killed. This gives an estimated range of between 290,000 and 350,000 total Russian combatant casualties. The median of the estimate range is 320,000 total Russian combatant casualties." Casualties are notoriously difficult to estimate, as the UK's MoD acknowledges, especially in a force not given to clarity in its reporting. "Even amongst Russian officials there is likely a low level of understanding about total casualty figures because of a long-established culture of dishonest reporting within the military."

Russian homefront discontents.

Desertion rates among Russian troops appear to have spiked in October, Radio Free Europe | Radio Liberty reports, as it became clear that deployment to the front will effectively be for the duration of the war.

The Russian Ministry of Defense continues to sidestep full mobilization (the ISW calls Moscow's policy one of "crypto-mobilization recruitment schemes" that will seek to rely on inducements to attract contract soldiers).

Moscow isn't letting homefront discontent over indefinite mobilization go unanswered. "The Russian authorities are likely attempting to quash public dissent by wives of deployed Russian soldiers, including by attempting to pay them off and discrediting them online. This follows small scale protests in Moscow in November 2023," the UK's MoD reported Saturday morning. "Research by independent Russia media outlets and comments by protesting wives themselves suggest that, in recent weeks, the authorities have likely offered increased cash payments to families in return for them refraining from protest. On 27 November 2023, one prominent online group for soldiers’ wives published a manifesto against ‘indefinite mobilisation’. On around 31 November 2023, the group was pinned with a ‘fake’ warning label – likely at the instigation of pro-Kremlin actors. The authorities are likely particularly sensitive to any protests related to those citizens mobilised in September 2022, who have now been at the front line for over a year."

XDSpy reported to be phishing the Russian defense sector.

Russian cybersecurity company F.A.C.C.T. reported last week that XDSpy has been conducting phishing attacks against a Russian metallurgical firm and a company specializing in the development of ballistic missiles. The phishing emails misrepresented themselves as originating from a nuclear weapons design institute. The Record summarizes what's known about XDSpy, which isn't much. The group is known to have been active since at least 2011, and it's believed to be state-directed. ESET, which tracked XDSpy closely until the company lost access to Russia and Belarus after Russia's invasion of Ukraine, says that the cyberespionage group doesn't have a particularly sophisticated toolkit, but that its operations security is excellent. That security has prevented attribution of XDSpy to any government, but the group's interests seem focused on Eastern Europe, including Russia and the Balkans. The Record doesn't offer any attribution either, but it does observe that most of the recent cyberespionage against Russia has originated with North Korea and China. Those two governments have been principally interested in theft of technical information, and that seems to be XDSpy's goal as well.

Ukraine's SSSCIP gets a new chief.

President Zelensky has appointed Yury Mironenko as the head of the State Service for Special Communications and Information Protection (SSSCIP). He replaces Yurii Shchyhol, who, along with his deputy Victor Zhora, was relieved and arrested on charges of embezzlement in the course of software procurements made between 2020 and 2022.

Russia fails to gain a seat on the OPCW Executive Council.

Russia last week failed to gain reelection to the Executive Council of the Organization for the Prohibition of Chemical Weapons (OPCW). Bloomberg describes Moscow's diplomatic lobbying campaign, which was heavily committed to disinformation. A Foreign Ministry memorandum laid out the Kremlin's talking points, which argued, inter alia, that the OPCW was at risk of becoming a tool of Anglo-Saxon power, and that the US had provided Ukraine with toxic chemicals which Ukrainian mercenaries and other bad actors intended to use in "provocations." The first point is at least arguable, if tendentious, the second an obvious lie.

Failure to win reelection is said to be a source of disappointment and frustration to Russia's Foreign Ministry, which is conducting a post mortem into why its influence campaign fell flat. Bloomberg summarizes the problem, as seen from the Kremlin: "The vote underscores Moscow’s waning influence in international organizations as a result of its February 2022 invasion of Ukraine and is indicative of how few friends it has in some of these bodies, despite intense lobbying efforts. Russia has been suspended from the Council of Europe, the UN Human Rights Council and the global anti-money laundering group Financial Action Task Force. On Friday, the country failed to win reelection to the governing council of the International Maritime Organization."

GRU campaign exploits Outlook vulnerability to gain access to sensitive email accounts.

Microsoft Security this morning reported that the GRU threat group it tracks as Forest Blizzard (and formerly as Strontium) is "actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers." Organizationally, Forest Blizzard (whose activity other firms call "Fancy Bear") is linked to Unit 26165 of Russia's military intelligence service, the GRU. Microsoft worked with Poland's Cyber Command (DKWOC) to contain and counter this hostile activity. CVE-2023-23397 is a privilege escalation vulnerability. Microsoft urges users to ensure that Outlook and Exchange are up-to-date: the vulnerability has been patched in current versions.

It's worth noting, in the light of Russia's failure to gain reelection to the OPCW, that Unit 26165 was the organization active against the OPCW's systems when that international body was investigating GRU assassination attempts (and collateral murder) using Novichok nerve agent in 2018.