Ukraine at D+391: Attribution ambiguity.
N2K, Mar 22, 2023

A new, unattributed APT seems active in Russian occupied territories. A Russian proposal for new cyberspace norms.

The UK's Ministry of Defence (MoD) reports this morning that Ukrainian forces have made local gains around Bakhmut. "Over recent days Ukrainian forces initiated a local counterattack to the west of the Donetsk Oblast town of Bakhmut, which is likely to relieve pressure on the threatened H-32 supply route. Fighting continues around the town centre and the Ukrainian defence remains at risk from envelopment from the north and south. However, there is a realistic possibility that the Russian assault on the town is losing the limited momentum it had obtained, partially because some Russian MoD units have been reallocated to other sectors."

Report: a new APT is active in Russian-occupied sections of Ukraine.

Kaspersky reported yesterday that it had discovered a new advanced persistent threat (APT) operating against "government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions." The attacks begin with phishing emails whose payload is carried in malicious attached Word files that purport to be government documents. Once the phish hook is set, it installs the PowerMagic backdoor and then the CommonMagic framework. Kaspersky says the campaign is thus far unattributed. "So far, we have found no direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it." The organizations, government and otherwise, that Kaspersky refers to in its report appear to be Russian occupation and separatist organizations, and thus the suggestion would be that the APT is acting either for Ukraine or at least against Russian interests, but Kaspersky (a Russian company) carefully avoids either claim. Circumstantially, the campaign's purpose seems to be cyberespionage.

Someone claiming to be a Russian patriot claims responsibility for the D.C. Health Link attack.

Make of it what you will, but someone using the nom-de-hack "Denfur" has claimed, to CyberScoop, that he is a Russian patriot who breached D.C. Health Link and obtained the personal data of many of the system's users, including members of the US Congress. It was, Denfur said, "an idea born out of Russian patriotism." The self-proclaimed attacker said he breached the healthcare service by simple Google dorking, not through any more exotic approach. When asked by CyberScoop to provide proof of Russian nationality, Denfur told the publication they'd simply have to take his word for it. CyberScoop is properly reticent in its story, and Denfur's claims should be regarded, at best, as unproven.

Russia proposes a UN Convention on International Information Security.

The Council on Foreign Relations describes and assesses a proposal for an international information security convention that Russia has brought before the United Nations Open-Ended Working Group on Security of and in the Use of Information and Communications Technologies (OEWG). The Council evaluates the Russian proposal as both disingenuous and authoritarian in motivation. "Russia aims to legitimize extensive domestic surveillance to bolster regime security and crack down on dissent." The proposal's omissions are, the Council says, equally significant. "It is not just about what the document contains, but also what is left out. There is no mention of the applicability of international human rights law, explicit mention of the normative framework of responsible state behavior, the threat of ransomware and the active role of multistakeholders." Many other nations (the Council mentions Sweden, South Korea, Colombia, Austria, and the United States) regard existing international law as already adequately covering activity in cyberspace, requiring only clarification, not replacement. Finally, the Council charges Russia with bad faith. "The Russian concept note calls for sovereign equality, the territorial integrity of states and noninterference in the internal affairs of others through propaganda and other means. Considering Russia's countless cyber operations against Ukraine and its trolling activities abroad this is pure hypocrisy."