Ukraine at D+474: Seven towns retaken in Ukraine's counteroffensive.
Jun 13, 2023

Russian missile strikes against civilian targets continue as Ukraine makes slow progress in its counteroffensive. CosmicEnergy malware deemed no "immediate threat." Ukraine's Cyber Police take down a bot farm.

Ukrainian forces claim to have retaken seven towns in Donetsk and Zaporizhzhia during the counteroffensive. The Washington Post calls the gains "modest but politically significant territorial advances."

Russian missiles hit Kryvyi Rih early this morning, striking apartment blocks and killing at least ten civilians, the AP reports. Kryvyi Rih, a central Ukrainian city of no military significance, is President Zelenskyy's hometown.

Russian milbloggers are saying, according to the Telegraph, that Major General Sergei Goryachev, chief of staff of Russia's 35th Combined Arms Army, died yesterday in a Ukrainian missile strike during fighting near Vremivka in southern Donetsk. The region has been the site of a major Ukrainian offensive.

The Wagner Group may have refused to sign a contract with Russia's Ministry of Defense, but some Chechen warlords have done so, lending some formal status to the employment of their private armies in Ukraine.

Iran assumes a larger role as a drone supplier to Russia.

"In recent months, Russia has highly likely worked to ensure its long-term, high-volume supply of one-way-attack uncrewed aerial vehicles (OWA-UAVs)," the UK's Ministry of Defence wrote in this morning's situation report. "By supplying these weapons, Iran continues to breach UN Security Council Resolution 2231. Russia has likely moved from receiving small deliveries of Iranian OWA-UAVs by air transport, to larger consignments by ship from Iran via the Caspian Sea. This ‘International North-South Transit Corridor’ has assumed much more importance since the invasion. It allows Russia to access Asian markets - including arms transfers - in ways it hopes are less vulnerable to international sanctions. Russia is also working to start domestic production of OWA-UAVs, almost certainly with Iranian assistance. Russia is highly likely investing in OWA-UAVs because it provides Russia with a relatively cheap long-range strike capability at a time when it has expended a large proportion of its cruise missile stocks in Ukraine."

An update on CosmicEnergy: it’s "not an immediate threat."

Researchers at Mandiant last May announced their discovery of new malware that seemed designed to disrupt electrical distribution and associated critical infrastructure. Mandiant, which called the malware “CosmicEnergy,” was cautious in its assessment. The version the researchers obtained, for one thing, lacked a built-in discovery capability. Mandiant said that CosmicEnergy may in fact have been a Russian red teaming tool used in exercises to simulate an electric infrastructure attack, but the discovery was significant enough to place operators on alert for a possible campaign against vulnerable OT networks.

On Monday, however, Dragos released its own research into and assessment of CosmicEnergy. Their conclusion is far less alarmist than some earlier evaluations of the malware had been. CosmicEnergy is not, they’ve determined, related to either Industroyer or CrashOverride, which threat actors had deployed in the wild. The researchers say, “After analyzing COSMICENERGY, Dragos concluded that it is not an immediate risk to OT environments. The primary purpose of COSMICENERGY appears to have been for training scenarios rather than for deployment in real-world environments. There is currently no evidence to suggest that an adversary is actively deploying COSMICENERGY.” 

Ukraine's Cyber Police shut down a pro-Russian bot farm.

Ukraine's Cyber Police on Monday announced the arrest of three bot-farmers who were operating from a garage in the west-central Ukrainian city of Vinnytsia. They were engaged in automated disinformation, distributed through inauthentic accounts they ran in the Russian interest. Their motivation may have been more financial than ideological, as they received payment in Russian rubles, presumably from Russian paymasters. The Record reports that the three men who operated the bot farm created about five hundred bogus accounts each day, used them to distribute pro-Russian propaganda and disinformation, and received the equivalent of about $13,500 each month. The rubles (at present a prohibited currency in Ukraine) were laundered through illicit (in Ukraine) payment services like WebMoney and PerfectMoney, then converted to cryptocurrencies and loaded onto bank cards.

According to the Cyber Police, "Bot accounts in social networks were used to discredit the Defense Forces of Ukraine, to justify the armed aggression of the Russian Federation, to form public opinion among Ukrainians in the interests of the enemy, and to destabilize the socio-political situation in the country." There was also some direct criminal activity, Ukrainian authorities say. "Fake accounts have also been used to commit fraudulent activities on trading platforms." Should the three men arrested be found guilty, they could each face up to fifteen years in prison.